Comment 5 for bug 1988261

Zygmunt Krynicki (zyga) wrote:

My memory is definitely rusty on this, but please review the snap-confine logic with regard to how the cgroup v1 device controller behaves: in the absence of tagging it is a permissive model; with tags, which happen dynamically at runtime, you get a non-permissive mode with specific exceptions that are allowed.

There is nothing in the code to react to udev events to update an existing sandbox for running processes. This is equally true of dynamic connect/disconnect of snap interfaces. AppArmor is altered in place, but the device cgroup is not.

This can create the situation where apparmor allows something broad, relying on udev tagging that didn't happen.

In my past approach I was trying to get it so that a new program would run some new logic in response to udev tagging events, so that the sandbox would behave consistently.
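The comment's distinction between the permissive and the restricted cgroup v1 device mode can be checked on a running process by reading its `devices.list`. The following is an added example, not snapd or snap-confine code: it parses the kernel's cgroup v1 `devices.list` format (`a *:* rwm` means everything is allowed; otherwise each line is a `type major:minor access` whitelist entry) and evaluates a device access the way the devices controller does. The two sample whitelists are constructed for illustration, and `devices_list_for_pid` assumes the v1 devices controller is mounted at `/sys/fs/cgroup/devices`. It generalises the comment's two cases into the full whitelist evaluation so a defender can audit whether a sandbox is really in the restricted mode that AppArmor may be relying on.

```python
"""Audit a cgroup v1 device whitelist: permissive vs. restricted mode.

Added example (not snapd / snap-confine code). Implements the matching
rules of the kernel's cgroup v1 devices controller: an access is allowed
if some whitelist entry matches the device type ('a' matches any), the
major and minor (or '*'), and covers every requested access character.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# One whitelist line: type, major:minor, access (subset of "rwm").
ENTRY_RE = re.compile(r"^([abc])\s+(\*|\d+):(\*|\d+)\s+([rwm]{1,3})$")

# Constructed samples. The first is what an untagged (permissive) sandbox
# shows; the second is a hypothetical restricted sandbox that was tagged
# for /dev/null, /dev/zero, pseudo-terminals and USB bus devices.
PERMISSIVE_SAMPLE = "a *:* rwm\n"
RESTRICTED_SAMPLE = (
    "c 1:3 rwm\n"     # /dev/null
    "c 1:5 rwm\n"     # /dev/zero
    "c 136:* rw\n"    # pty slaves, no mknod
    "c 189:* rwm\n"   # USB bus devices (constructed tagging outcome)
)


@dataclass(frozen=True)
class Rule:
    dev_type: str  # 'a' (all), 'b' (block) or 'c' (char)
    major: str     # decimal number or '*'
    minor: str     # decimal number or '*'
    access: str    # subset of "rwm"


def parse_devices_list(text: str) -> List[Rule]:
    """Parse the contents of a cgroup v1 devices.list file."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised devices.list entry: {line!r}")
        rules.append(Rule(*m.groups()))
    return rules


def is_permissive(rules: List[Rule]) -> bool:
    """True when the whitelist allows every device: the untagged case."""
    return any(
        r.dev_type == "a" and r.major == "*" and r.minor == "*"
        and set(r.access) == set("rwm")
        for r in rules
    )


def is_allowed(rules: List[Rule], dev_type: str, major: int, minor: int,
               access: str) -> bool:
    """Evaluate one access request against the whitelist."""
    wanted = set(access)
    for r in rules:
        if r.dev_type != "a" and r.dev_type != dev_type:
            continue
        if r.major != "*" and int(r.major) != major:
            continue
        if r.minor != "*" and int(r.minor) != minor:
            continue
        if wanted <= set(r.access):
            return True
    return False


def devices_list_for_pid(pid: int,
                         cgroup_root: str = "/sys/fs/cgroup/devices") -> Optional[str]:
    """Read the devices.list of a live process (cgroup v1 only; assumes the
    devices controller is mounted at cgroup_root). Returns None on v2 hosts,
    where /proc/<pid>/cgroup has no 'devices' controller line."""
    with open(f"/proc/{pid}/cgroup") as f:
        for line in f:
            _, controllers, path = line.rstrip("\n").split(":", 2)
            if "devices" in controllers.split(","):
                with open(f"{cgroup_root}{path}/devices.list") as dl:
                    return dl.read()
    return None


if __name__ == "__main__":
    for name, sample in (("permissive", PERMISSIVE_SAMPLE),
                         ("restricted", RESTRICTED_SAMPLE)):
        rules = parse_devices_list(sample)
        print(name, "permissive" if is_permissive(rules) else "restricted",
              "video0 rw:", is_allowed(rules, "c", 81, 0, "rw"))
```

Running the script on a live snap process (`devices_list_for_pid(<pid>)` in place of the samples) tells you which of the two modes the sandbox actually ended up in; a broad AppArmor rule paired with a `devices.list` that is still `a *:* rwm` is exactly the mismatch the comment describes.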