Your message dated Wed, 24 Feb 2021 09:48:43 +0000
with message-id <e1leqmh-000imn...@fasolo.debian.org>
and subject line Bug#923500: fixed in snapd 2.49-1
has caused the Debian Bug report #923500,
regarding snapd: non-classic snap not confined
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
923500: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=923500
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: snapd
Version: 2.37.3-1
Severity: important
Dear Maintainer,
I just started experimenting with snaps and noticed my (pretty vanilla)
installation is silently not confining snaps. E.g.:
$ snap install hello-world
2019-03-01T00:20:19+01:00 INFO Waiting for restart...
hello-world 6.3 from Canonical✓ installed
$ snap run --shell hello-world
$ ls /
bin boot ...
Since the hello-world snap has no interfaces, I'd expect it to deny
access to / (like in snap's tutorial), but this is not the case.
Neither installation nor running the command (or its shell) gives off any
indication that something might be wrong.
I'm an AppArmor newbie, but the generated profile (attached) seems a bit
too permissive. That is generated and loaded by snap itself, right?
Here's some further debug info. I imagine the lack of "strict" is the
problem, but it's not obvious to me why snap cannot enable it.
----------------------
$ snap debug confinement
partial
$ snap debug sandbox-features
apparmor: kernel:caps kernel:domain kernel:file kernel:mount kernel:namespaces kernel:network_v8 kernel:policy kernel:ptrace kernel:query kernel:rlimit kernel:signal parser:unsafe policy:downgraded support-level:partial
confinement-options: classic devmode
dbus: mediated-bus-access
kmod: mediated-modprobe
mount: freezer-cgroup-v1 layouts mount-namespace per-snap-persistency per-snap-profiles per-snap-updates per-snap-user-profiles stale-base-invalidation
seccomp: bpf-argument-filtering kernel:allow kernel:errno kernel:kill_process kernel:kill_thread kernel:log kernel:trace kernel:trap
udev: device-cgroup-v1 tagging
------------------------
Setting severity to important because I'd argue this is a security
breach: the expectation of confinement is silently not met, potentially
leading to information leakage.
Cheers,
Leo
-- System Information:
Debian Release: buster/sid
APT prefers unstable
APT policy: (500, 'unstable'), (150, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages snapd depends on:
ii adduser 3.118
ii apparmor 2.13.2-9
ii ca-certificates 20190110
ii gnupg 2.2.12-1
ii libapparmor1 2.13.2-9
ii libc6 2.28-7
ii libcap2 1:2.25-2
ii libseccomp2 2.3.3-4
ii libudev1 241-1
ii openssh-client 1:7.9p1-7
ii squashfs-tools 1:4.3-11
ii systemd 241-1
ii udev 241-1
Versions of packages snapd recommends:
ii gnupg 2.2.12-1
Versions of packages snapd suggests:
ii zenity 3.30.0-2
-- no debconf information
#include <tunables/global>
# This is a snap name without the instance key
@{SNAP_NAME}="hello-world"
# This is a snap name with instance key
@{SNAP_INSTANCE_NAME}="hello-world"
@{SNAP_REVISION}="27"
@{PROFILE_DBUS}="snap_2ehello_2dworld_2ehello_2dworld"
@{INSTALL_DIR}="/{,var/lib/snapd/}snap"
profile "snap.hello-world.hello-world" (attach_disconnected,mediate_deleted) {
# set file rules so that exec() inherits our profile unless there is
# already a profile for it (eg, snap-confine)
/ rwkl,
/** rwlkm,
/** pix,
capability,
change_profile unsafe /**,
dbus,
network,
mount,
remount,
umount,
pivot_root,
ptrace,
signal,
unix,
}
--- End Message ---
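The report above shows the two signals an administrator can act on: `snap debug confinement` prints `partial`, and the generated profile consists almost entirely of blanket rules (bare `capability,`, `/** rwlkm,`, `change_profile unsafe /**,`, bare `mount,`, `ptrace,` and so on) that mediate nothing. The script below is an added example, not code from the bug report or from snapd: it turns those signals into a check that fails loudly. `snap_profile_audit` greps a profile for blanket rules of exactly the kind shown in the attachment, and `apparmor_support_level` extracts the `support-level:` token from saved `snap debug sandbox-features` output. The sample inputs are constructed from the report's own profile and feature list; the value `full`, which the script treats as the only acceptable support level, is an assumption about what a fully supported kernel reports (the report itself only shows `partial`). The profile directory `/var/lib/snapd/apparmor/profiles/` mentioned in the comments is where snapd writes the per-snap profiles.

```shell
#!/bin/sh
# Added example, not part of the Debian bug report or of snapd.
# Detects a snap that is only nominally confined:
#   snap_profile_audit PROFILE    - lists blanket AppArmor rules, exit 1 if any
#   apparmor_support_level FILE   - prints the support-level token from saved
#                                   `snap debug sandbox-features` output,
#                                   exit 0 only for "full" (assumed token)
# On a real system point these at
#   /var/lib/snapd/apparmor/profiles/snap.<snap>.<app>
# and at a file produced by `snap debug sandbox-features > features.txt`.

# Rule classes that, written with no qualifier, allow everything in that class.
BARE_RULES='^[[:space:]]*(capability|dbus|network|mount|remount|umount|pivot_root|ptrace|signal|unix)[[:space:]]*,'
# A file rule on /** with any permission set covers the whole filesystem.
WIDE_FILE='^[[:space:]]*/\*\*[[:space:]]+[a-zA-Z]+[[:space:]]*,'
# Unrestricted transition into any other profile.
ANY_PROFILE='^[[:space:]]*change_profile[[:space:]]+unsafe[[:space:]]+/\*\*[[:space:]]*,'

# Print every blanket rule found in the profile; return 1 if there were any.
snap_profile_audit() {
    _prof=$1
    _hits=$(sed 's/#.*//' "$_prof" | grep -cE "$BARE_RULES|$WIDE_FILE|$ANY_PROFILE" || true)
    if [ "$_hits" -gt 0 ]; then
        echo "WARNING: $_prof has $_hits blanket rule(s); the snap is effectively unconfined:"
        sed 's/#.*//' "$_prof" | grep -E "$BARE_RULES|$WIDE_FILE|$ANY_PROFILE" | sed 's/^[[:space:]]*/    /'
        return 1
    fi
    echo "OK: $_prof has no blanket rules"
    return 0
}

# Print the support level from the "apparmor:" line of saved
# sandbox-features output ("partial" in the report); succeed only on "full".
apparmor_support_level() {
    _lvl=$(sed -n 's/^apparmor:.*support-level:\([a-z]*\).*/\1/p' "$1" | head -n 1)
    printf '%s\n' "${_lvl:-unknown}"
    [ "$_lvl" = "full" ]
}

# Write constructed sample inputs (taken from the report) into directory $1.
write_samples() {
    cat > "$1/snap.hello-world.hello-world" <<'EOF'
profile "snap.hello-world.hello-world" (attach_disconnected,mediate_deleted) {
  # set file rules so that exec() inherits our profile
  / rwkl,
  /** rwlkm,
  /** pix,
  capability,
  change_profile unsafe /**,
  dbus,
  network,
  mount,
  remount,
  umount,
  pivot_root,
  ptrace,
  signal,
  unix,
}
EOF
    cat > "$1/features.txt" <<'EOF'
apparmor: kernel:caps kernel:file kernel:mount parser:unsafe policy:downgraded support-level:partial
confinement-options: classic devmode
EOF
}

# Stand-alone run against the constructed samples.
DEMO=$(mktemp -d)
write_samples "$DEMO"
apparmor_support_level "$DEMO/features.txt" || echo "AppArmor support is not full (exit status $?)"
snap_profile_audit "$DEMO/snap.hello-world.hello-world" || echo "profile audit exit status: $?"
rm -rf "$DEMO"
```

A profile written for a strictly confined snap (`/snap/foo/** r,`, `capability net_bind_service,`, `network inet stream,`) passes the audit untouched, because every rule there carries a path, a capability name or a socket qualifier; only the qualifier-less forms from the downgraded template are flagged. Wire both functions into whatever runs after `snap install` so that a `partial` system does not pass silently.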
--- Begin Message ---
Source: snapd
Source-Version: 2.49-1
Done: Michael Vogt <michael.v...@ubuntu.com>
We believe that the bug you reported is fixed in the latest version of
snapd, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 923...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Michael Vogt <michael.v...@ubuntu.com> (supplier of updated snapd package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Wed, 24 Feb 2021 09:23:51 +0100
Source: snapd
Architecture: source
Version: 2.49-1
Distribution: unstable
Urgency: high
Maintainer: Michael Hudson-Doyle <mwhud...@debian.org>
Changed-By: Michael Vogt <michael.v...@ubuntu.com>
Closes: 923500
Launchpad-Bugs-Fixed: 1910456
Changes:
snapd (2.49-1) unstable; urgency=high
.
* New upstream release with security updates:
* SECURITY UPDATE: sandbox escape vulnerability for containers
(LP: #1910456)
- many: add Delegate=true to generated systemd units for special
interfaces
- interfaces/greengrass-support: back-port interface changes to
2.48
- CVE-2020-27352
* interfaces/builtin/docker-support: allow /run/containerd/s/...
- This is a new path that docker 19.03.14 (with a new version of
containerd) uses to avoid containerd CVE issues around the unix
socket. See also CVE-2020-15257.
* debian/patches/0013-cherry-pick-pr9936.patch:
- cherry pick PR#9936 to use all apparmor available (closes: 923500)
* d/p/0011-cherry-pick-pr9809, d/p/0012-cherry-pick-pr9844:
- dropped, applied upstream
Checksums-Sha1:
e7ad0a807e1208e76ed8568767a76e5c34087a8e 3535 snapd_2.49-1.dsc
1722701371619404e2a832af12df8c768fb2849c 5032853 snapd_2.49.orig.tar.gz
60400574741b7ed9144a4f891dd3ae9583a371ce 95180 snapd_2.49-1.debian.tar.xz
d461763888e39155022118492a3c9890d3a0c562 15940 snapd_2.49-1_source.buildinfo
Checksums-Sha256:
fe8ff1e17b9faa22d2069c3b44a5e061d38f1024236b1dfd080e6a4d1d1811cb 3535 snapd_2.49-1.dsc
8da73f19017bc129d4ee444c90993445a1748e63d6a3cf5192aac1fa3ecac9f8 5032853 snapd_2.49.orig.tar.gz
b20d266cef1aa854f4fd276d6ba0e1776b5749439ac3e76fd2a3874d444c82b4 95180 snapd_2.49-1.debian.tar.xz
17a665b8bf39053c1677b6d54519fe09466831bdb7b832e66dc58745bf851b96 15940 snapd_2.49-1_source.buildinfo
Files:
3504eee0076881e803ff0dc9c98e193b 3535 devel optional snapd_2.49-1.dsc
5dbcaccd61d1844434397e5f83222996 5032853 devel optional snapd_2.49.orig.tar.gz
983abe03e6c488a51683a1d4b65d0529 95180 devel optional snapd_2.49-1.debian.tar.xz
14f56b01ac192bbeb11d80b7d4a6b4e7 15940 devel optional snapd_2.49-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
=6ao7
-----END PGP SIGNATURE-----
--- End Message ---