hello-world.evil: confinement is not working correctly
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Snapcraft |
Invalid
|
Undecided
|
Unassigned | ||
Bug Description
When I run "hello-world.evil", I get this output:
Hello Evil World!
This example demonstrates the app confinement
You should see a permission denied error next
If you see this line the confinement is not working correctly, please file a bug
This is the output of the command "snap version":
snap version
snap 2.33.1
snapd 2.33.1
series 16
debian 9
kernel 4.9.0-6-amd64
This is the output of the command "snap info hello-world":
name: hello-world
summary: The 'hello-world' of snaps
publisher: canonical
contact: <email address hidden>
license: unknown
description: |
This is a simple hello world example.
commands:
- hello-world.env
- hello-world.evil
- hello-world
- hello-world.sh
snap-id: buPKUD3TKqCOgLE
tracking: stable
refresh-date: today at 12:58 CEST
channels:
stable: 6.3 (27) 20kB -
candidate: 6.3 (27) 20kB -
beta: 6.3 (27) 20kB -
edge: 6.3 (28) 20kB -
installed: 6.3 (27) 20kB -
| information type: | Public → Public Security |
| Jamie Strandboge (jdstrand) wrote | #1 |
| Changed in snapcraft: | |
| status: | New → Invalid |
| Peter Kleiweg (pkleiweg) wrote | #2 |
When snapd starts, it interrogates the system to decide if the necessary sandboxing requirements are met. If they are not, the system is put into forced devmode where snaps are allowed to run, but do not run under full confinement. The Debian 9 kernel is known to not meet these requirements (indeed, you should see something in syslog about snapd using forced devmode). Since the system is in forced devmode, the hello-world.evil program is giving the expected output.
While a number of distributions meet the requirements, work is ongoing to allow more systems to work in strict mode. For example, the next version of Debian will (hopefully) meet all of the requirements. In the meantime, feel free to install and use snaps, but make sure you trust the publisher (just as you would for installing a deb from an unofficial apt repository).