|
|
Log in / Subscribe / Register

Local root vulnerability in snap-confine

Local root vulnerability in snap-confine

Posted Feb 20, 2022 12:38 UTC (Sun) by smcv (subscriber, #53363)
In reply to: Local root vulnerability in snap-confine by Smon
Parent article: Local root vulnerability in snap-confine

Flatpak is designed for a narrower use-case than Snap, so it's willing to accept more restrictions on what it can do, and doesn't need to be as "powerful" as Snap. On one hand, this makes Snap useful in situations where Flatpak isn't; on the other hand, this means Flatpak developers can focus on the situations that it supports, and ignore the situations it doesn't.

In particular, when Flatpak developers encounter something that would be hard to implement securely, we are often able to declare it to be out-of-scope and not implement it at all, resulting in fewer attack vectors.

Flatpak is designed to sandbox "apps", with a meaning that is not 100% well-defined, but "programs that behave like an Android/iOS app" or "GUI programs with a .desktop file" are reasonable approximations. Snap is designed to sandbox "apps", but also non-"app" things like system services: you can install lxd as a Snap, but it would not be possible to install lxd as a Flatpak app.

I personally think that's a strength of Flatpak rather than a weakness, but it would be reasonable for Snap users/developers to disagree on that: neither approach is trivially better than the other.

to post comments

Local root vulnerability in snap-confine

Posted Feb 20, 2022 13:11 UTC (Sun) by smcv (subscriber, #53363) [Link] (1 responses)

Another reason why Snap needs root, but Flatpak usually does not, is that Snap uses an LSM (AppArmor) as part of its sandboxing but Flatpak does not.

As with the different scopes I described in my previous comment, this is a trade-off, and neither is trivially better than the other.

The fact that Snap uses AppArmor means it can rely on the LSM mechanism in the kernel, which is quite powerful, particularly if you are willing to patch the kernel (I believe Ubuntu's kernel patches to add SO_PEERSEC support to AppArmor still haven't gone upstream). If the kernel gives you information about a peer's LSM labels, then you can trust that information to be correct and securely obtained; and if a process is restricted by LSM policies, the kernel will forbid anything that those policies forbid, without needing to rely on other mechanisms like userns and seccomp as heavily as Flatpak does.

On the other hand, you need CAP_MAC_ADMIN (i.e. root) to manipulate AppArmor profiles, and if running on a distribution like Fedora that uses a different "big" LSM, or a distribution that doesn't compile any of the "big" LSMs into its kernel at all, then you're not going to be able to benefit from AppArmor at all.

Flatpak has gone for the approach that makes it work equally well on "most" distros, and give it an equal level of sandboxing on "most" distros even if installed as non-root. Snap has gone for the approach that is maximally powerful on e.g. Ubuntu, at the cost of working less well on non-Ubuntu and requiring root.

Local root vulnerability in snap-confine

Posted Feb 21, 2022 23:32 UTC (Mon) by Smon (guest, #104795) [Link]

@smcv: Thank you very much for your detailed insight. It was really interesting to me!


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds