Asked Fri, June 17, 2022, 3:57:42 · 1 answer · 541 hits

I am trying to sandbox all my applications by default using firejail. Firejail doesn't support snap applications.


It appears that by default if requested by a snap, snapd will grant the snap read/write access to the user's home directory. This means that by default, if there is a vulnerability exploited in a "sandboxed" snap application with network access, it would be trivial for an attacker to grab all the files under $HOME including GPG keys, SSH keys, and of course the user's documents and other files.


Doing some online research led me to being able to do a snap disconnect <snap>:<plug interface> <snap>:<slot interface> which in theory will block access to the home directory. Unfortunately this is an 'all or nothing' approach (no ability to define which folders in home to allow/deny) and must be applied to each snap individually after installation.


Is there a way to apply a "no $HOME access" policy by default to all snaps? If so, is there a way to allow access to some directories in $HOME while denying access to others? My understanding is that apparmor can't be used for this because of the way the snap containers are designed.


Alternate plan: Is there some trickery through which I could re-mount a portion of home (say /home/folderforsnaps) and trick the snaps into thinking that is the home directory?


Tagged: snap

Answers
[I]t would be trivial for an attacker to grab all the files under $HOME



  1. Yes, and that's true for every poisoned non-Snap application ever written, too. Do feel free to help test Snaps for nefarious activity (it's a community, after all), and report any poisoned Snaps that you discover.


    A great place to discuss Snap security is the https://snapcraft.io forums. Drop by.



  2. snapd/AppArmor does indeed have partial protection for this particular attack: The home interface makes the contents of all hidden files (like ~/.ssh or ~/.thunderbird) unreadable.



    home allows access to non-hidden files owned by the user in the user’s home ($HOME) directory.







Is there a way to apply a "no $HOME access" policy by default to all snaps?


No. Each Snap's YAML file defines the access policy that Snap needs in order to function. A global policy would break Snaps that do need access to $HOME, precisely what the developers did not intend.




Is there some trickery through which I could re-mount a portion of home (say /home/folderforsnaps) and trick the snaps into thinking that is the home directory?


Sure: You could create an LXD container, bind-mount the portion of /home, then install the Snap into the container.


Or you can simply run the Snap as a different user with a limited set of data in their /home.


Answered Saturday, June 18, 2022
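The two practical answers above (disconnect each snap's home plug, or isolate the snap in an LXD container with only a chosen directory bind-mounted in) can be scripted. The following is an added example, not code from the original question or answer and not part of snapd or LXD: it parses `snap connections --all` output and emits one `snap disconnect <snap>:home` command per snap whose `home` plug is currently connected, which turns the per-snap manual step into a single pass over all installed snaps. The `snap connections` sample is constructed, not captured from a real host; the container name `snapbox`, the directory `folderforsnaps` and the device name `snapshare` in the LXD function are assumptions, and the LXD function only installs the snap (display forwarding for GUI snaps is not covered).

```shell
#!/bin/sh
# Added example (not from the original post): apply a "no $HOME access" policy
# to every installed snap by disconnecting each connected `home` plug.
set -eu

# Constructed sample of `snap connections --all` output (not captured from a
# real host). Columns: Interface, Plug, Slot, Notes; Slot "-" = disconnected.
SAMPLE_CONNECTIONS='Interface        Plug                     Slot       Notes
home             firefox:home             :home      -
home             chromium:home            :home      -
home             vlc:home                 -          -
network          firefox:network          :network   -
removable-media  vlc:removable-media      -          -'

# Print one "snap disconnect <snap>:home" line per connected home plug.
# $1 is text in `snap connections` format (header line included).
home_disconnect_commands() {
    printf '%s\n' "$1" | awk '
        NR > 1 && $1 == "home" && $3 != "-" {
            split($2, plug, ":")
            printf "snap disconnect %s:home\n", plug[1]
        }'
}

# Number of snaps that currently have $HOME access via the home interface.
connected_home_count() {
    home_disconnect_commands "$1" | wc -l | tr -d ' '
}

# On a real host (needs snapd): print the commands, run them only if APPLY=1.
apply_to_host() {
    cmds=$(home_disconnect_commands "$(snap connections --all)")
    printf '%s\n' "$cmds"
    if [ "${APPLY:-0}" = "1" ]; then
        printf '%s\n' "$cmds" | sh -x
    fi
}

# The answer's alternative: an LXD container that sees only one directory of
# the real $HOME. Names snapbox/snapshare/folderforsnaps are assumptions.
lxd_sandbox_example() {
    lxc launch ubuntu:22.04 snapbox
    lxc config device add snapbox snapshare disk \
        source="$HOME/folderforsnaps" path=/home/ubuntu/snapshare
    lxc exec snapbox -- snap install firefox
}

# Demo on the constructed sample: `sh this.sh demo`
if [ "${1:-}" = "demo" ]; then
    home_disconnect_commands "$SAMPLE_CONNECTIONS"
fi
```

Two caveats when using this on a real host: snapd records a manual disconnect, so it survives the snap's refreshes, but a newly installed snap gets `home` auto-connected again, so the pass has to be rerun after each install; and the `home` interface is not the only route to user data: a snap with `personal-files` or `system-files` plugs connected can still reach the specific paths those plugs name, and a snap installed with classic confinement is not confined at all, so neither is affected by disconnecting `home`.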