Ubuntu – Security of snaps under X11


With snaps coming to 16.04 LTS, there is a blog post by Matthew Garrett, a well known Linux kernel contributor and core OS developer, saying:

…snaps are running unconfined and have access to pretty much the entire system

If the point of having snaps was to enforce app isolation from the whole system, why are they able to access the system and run unconfined? Should a bug report be filed? Are any steps going to be taken to address this problem?

Best Answer

This specifically relates to snaps that use X11. In other words, snaps are not running unconfined, but if the confinement of the snap includes access to X, then yeah: it has access to X. It does not involve snaps that don't use the unity7 or x11 interfaces. The issue described in that blog post is a well-known limitation of X, and is one of the reasons alternative technologies are being developed (e.g. Mir).

Gustavo Niemeyer has written a good blog post that discusses this. I'll quote here for posterity and completeness:

The security minded will observe that X11 is not in fact a secure protocol. A number of system abuses are possible when we hand an application this permission. Other interfaces such as home would give the snap access to every non-hidden file in the user’s $HOME directory (those that do not start with a dot), which means a malicious application might steal personal information and send it over the network (assuming it also defines a network plug).

Some might be surprised that this is the case, but this is a misunderstanding about the role of snaps and Snappy as a software platform. When you install software from the Ubuntu archive, that’s a statement of trust in the Ubuntu and Debian developers. When you install Google’s Chrome or MongoDB binaries from their respective archives, that’s a statement of trust in those developers (these have root on your system!). Snappy is not eliminating the need for that trust, as once you give a piece of software access to your personal files, web camera, microphone, etc, you need to believe that it won’t be using those allowances maliciously.

The point of Snappy’s confinement in that picture is to enable a software ecosystem that can control exactly what is allowed and to whom in a clear and observable way, in addition to the same procedural care that we’ve all learned to appreciate in the Linux world, not instead of it. Preventing people from using all relevant resources in the system would simply force them to use that same software over less secure mechanisms instead of fixing the problem.

And what we have today is just the beginning. These interfaces will soon become much richer and more fine grained, including resource selection (e.g. which serial port?), and some of them will disappear completely in favor of more secure choices (Unity 8, for instance).
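
The practical follow-up to the answer is to look at what each installed snap is actually plugged into, since the X11 exposure it describes only applies to snaps connected to the x11 or unity7 interface, and the data-exfiltration case in Niemeyer's post needs home plus network. The script below is an added example, not code from the question, the answer, or snapd: it parses the output of `snap connections` (the interface, plug, slot, notes columns snapd prints) and flags snaps whose connected interfaces combine display access or $HOME access with network access. The sample output is constructed for the example; run the parser over real output with `snap connections | python3 this_script.py` style plumbing, or adapt `parse_connections` to read stdin.

```python
"""Flag snaps whose connected interfaces combine X/unity7 or home access with
network access, by parsing the text that `snap connections` prints.

Added example for the Ask Ubuntu answer above; not part of snapd. The interface
names are real snapd interface names; the sample output below is constructed.
"""
from collections import defaultdict

# Interfaces the answer discusses (real snapd interface names).
DISPLAY = {"x11", "unity7"}   # any X client can observe other X clients
FILES = {"home"}              # non-hidden files under $HOME
NET = {"network"}             # outbound network access

# Constructed sample in the shape of `snap connections` output
# (Interface, Plug, Slot, Notes). A slot of "-" means the plug is not connected.
SAMPLE = """\
Interface  Plug                  Slot               Notes
home       editor:home           :home              -
network    editor:network        :network           -
x11        editor:x11            :x11               -
home       calc:home             -                  -
x11        calc:x11              :x11               -
network    daemon:network        :network           -
"""


def parse_connections(text):
    """Return {snap_name: set(connected interface names)}.

    Plugs whose slot column is "-" are disconnected and are skipped, so only
    interfaces the snap can actually use are reported.
    """
    connected = defaultdict(set)
    for line in text.strip().splitlines()[1:]:  # skip the header row
        parts = line.split()
        if len(parts) < 3:
            continue
        iface, plug, slot = parts[0], parts[1], parts[2]
        if slot == "-":
            continue
        snap = plug.split(":", 1)[0]  # plug column is "<snap>:<plug name>"
        connected[snap].add(iface)
    return dict(connected)


def risk_report(connected):
    """Per snap, list the capability combinations worth a second look."""
    report = {}
    for snap, ifaces in sorted(connected.items()):
        findings = []
        if ifaces & DISPLAY:
            findings.append("x-access")      # the X11 limitation in the answer
        if ifaces & FILES and ifaces & NET:
            findings.append("home+network")  # Niemeyer's exfiltration case
        if ifaces & DISPLAY and ifaces & NET:
            findings.append("x+network")     # keystrokes/screen could leave the box
        if findings:
            report[snap] = findings
    return report


if __name__ == "__main__":
    for snap, findings in risk_report(parse_connections(SAMPLE)).items():
        print(f"{snap}: {', '.join(findings)}")
```

For a snap you do not want plugged into the display or your files, `snap disconnect <snap>:home` or `snap disconnect <snap>:x11` removes the connection; the snap may then fail to show a window or open files, which is exactly the trade-off the answer describes.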
