Snap is not clear about partial strict confinement

Bug #1887204 reported by Merlijn Sebrechts
260
This bug affects 2 people
Affects Status Importance Assigned to Milestone
Snappy
Undecided
Unassigned

Bug Description

Snap does not clearly communicate to users about partial strict confinement on distributions which do not support all required confinement features. It should do so at multiple places:

* Installing a classic confined app results in an error message in the CLI and a warning in the Snap Store. Installing a strictly confined app on a distro which has partial support for this has similar security and privacy issues, but the user is not notified about this.
* The documentation about the benefits of confinement does not talk about partial strict confinement and there is not list about which distro's support strict and partial confinement.

This leads to dangerous situations where users think an app is restricted, but it isn't. WPS office is a common example for this. The snap store has multiple versions of WPS office with network access disabled because users might be worried about sensitive documents leaking to the internet.

source: https://forum.snapcraft.io/t/how-are-snaps-claiming-to-have-no-internet-plug-regulated/18755/22

information type: Private Security → Public Security
description: updated
Revision history for this message
Maciej Borzecki (maciek-borzecki) wrote :

We need to think how and when should any user facing information be displayed. Installation time is probably the right time to do it, so we do not risk breaking the application flow.

Changed in snappy:
status: New → Confirmed
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers