Comment 5 for bug 1910456

Ian Johnson (anonymouse67) wrote : Re: container management snaps should have Delegates=true in their systemd unit

> First off, I want to be clear that with all of the listed interfaces (with the exception of some of the flavors), the policy is considered 'advisory' and there are enough privileges to escape confinement.

I think the issue here (and why this deserves a CVE) is not that the snap services can escape confinement due to this issue, but rather that the container management agents like dockerd are not able to effectively confine their own containers without Delegate=true. For example, I want to launch a docker container and there is some reasonable expectation on my part that dockerd is going to confine the container to not have the same privilege level as dockerd.

Regarding classic snaps, I think you are correct in that we should also do this for classic snaps like microk8s; I would need to look into it a bit, but theoretically those classic snaps would also suffer from the same problem since their processes are containers and they are also presumably put into different control groups than the container management agent.
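An added example, not part of the original comment or of the snapd code base: a small Python check that reports which service units do not enable cgroup delegation through `Delegate=` in their `[Service]` section. The unit names, paths and contents are constructed samples, and the parser is simplified (assumption: empty assignments and line continuations are not interpreted).

```python
"""Report systemd service units that do not enable cgroup delegation."""

# Spellings systemd accepts for a false boolean (matched case-insensitively).
FALSE = {"0", "no", "n", "false", "f", "off"}


def delegation_enabled(unit_text: str) -> bool:
    """True if the last Delegate= assignment in [Service] enables delegation.

    A true boolean or a list of controller names counts as enabled; a missing
    directive or a false boolean counts as disabled (the systemd default).
    """
    section = None
    enabled = False
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Service" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key != "Delegate" or not value:       # empty value: skipped (assumption)
            continue
        enabled = value.lower() not in FALSE     # boolean true or controller list
    return enabled


# Constructed sample units (hypothetical names and paths, not from the bug report).
# The last one models a unit file followed by a drop-in that turns delegation off.
BASE = "[Unit]\nDescription=Container manager (constructed)\n[Service]\nExecStart=/usr/bin/example-managerd\n"
UNITS = {
    "manager-no-delegate.service": BASE,
    "manager-delegate.service": BASE + "Delegate=true\n",
    "manager-list.service": BASE + "Delegate=cpu memory pids\n",
    "manager-overridden.service": BASE + "Delegate=yes\n# drop-in\n[Service]\nDelegate=no\n",
}


def audit(units: dict) -> list:
    """Names of units whose effective setting leaves delegation off."""
    return sorted(name for name, text in units.items() if not delegation_enabled(text))


if __name__ == "__main__":
    for name in audit(UNITS):
        print(f"{name}: Delegate= is not enabled in [Service]")
```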