I am trying to sandbox all my applications by default using firejail. Firejail doesn't support snap applications.
It appears that by default if requested by a snap, snapd will grant the snap read/write access to the user's home directory. This means that by default, if there is a vulnerability exploited in a "sandboxed" snap application with network access, it would be trivial for an attacker to grab all the files under $HOME including GPG keys, SSH keys, and of course the user's documents and other files.
Doing some online research led me to being able to do a snap disconnect <snap>:<plug interface> <snap>:<slot interface>, which in theory will block access to the home directory. Unfortunately this is an 'all or nothing' approach (no ability to define which folders in home to allow/deny) and must be applied to each snap individually after installation.
Is there a way to apply a "no $HOME access" policy by default to all snaps? If so, is there a way to allow access to some directories in $HOME while denying access to others? My understanding is that apparmor can't be used for this because of the way the snap containers are designed.
Alternate plan: Is there some trickery through which I could re-mount a portion of home (say /home/folderforsnaps) and trick the snaps into thinking that is the home directory?
[I]t would be trivial for an attacker to grab all the files under $HOME
Yes, and that's true for every poisoned non-Snap application ever written, too. Do feel free to help test Snaps for nefarious activity (it's a community, after all), and report any poisoned Snaps that you discover.
A great place to discuss Snap security is the https://snapcraft.io forums. Drop by.
snapd/AppArmor does indeed have partial protection for this particular attack: The home interface makes the contents of all hidden files (like ~/.ssh or ~/.thunderbird) unreadable.
Is there a way to apply a "no $HOME access" policy by default to all snaps?
No. Each Snap's YAML file defines the access policy that Snap needs in order to function. A global policy would break Snaps that do need access to $HOME, precisely what the developers did not intend.
Is there some trickery through which I could re-mount a portion of home (say /home/folderforsnaps) and trick the snaps into thinking that is the home directory?
Sure: You could create an LXD container, bind-mount the portion of /home, then install the Snap into the container.
Or you can simply run the Snap as a different user with a limited set of data in their /home.
You can use the following to view which snap packages use the home interface. Then, you can write a script to disconnect each snap package from this interface. Set SNAPLIST to the output that you got from above.
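As an added example (not the answer's own script, whose commands did not survive on the page), here is a POSIX shell version of that approach: it filters the output of `snap connections` for snaps whose home plug is connected and emits the matching `snap disconnect` commands. The column layout (Interface, Plug, Slot, Notes) and the system slot name `:home` are assumptions about the `snap connections` format, and the sample output below is constructed.

```shell
#!/bin/sh
# Added example: find every snap with a connected "home" plug and build the
# disconnect commands for it. Not the original answer's script.

# Constructed sample of `snap connections` output. Columns assumed to be
# Interface, Plug, Slot, Notes; a "-" in the Slot column means not connected.
SAMPLE='Interface  Plug                   Slot       Notes
home       firefox:home           :home      -
home       chromium:home          :home      -
home       gnome-calculator:home  -          -
network    firefox:network        :network   -
home       vlc:home               :home      manual'

# Read `snap connections` output on stdin and print the name of every snap
# whose home plug is connected to the system :home slot, one per line.
home_connected_snaps() {
    awk '$1 == "home" && $3 == ":home" { split($2, p, ":"); print p[1] }'
}

# Read snap names on stdin and print one `snap disconnect <snap>:home` line
# per snap. As the question notes, this is all-or-nothing per snap: the whole
# home plug is disconnected, not individual directories.
disconnect_commands() {
    while read -r snap; do
        if [ -n "$snap" ]; then
            printf 'snap disconnect %s:home\n' "$snap"
        fi
    done
}

# Dry run against the constructed sample: only prints what would be executed.
# On a live system, replace "$SAMPLE" with the output of `snap connections`
# and pipe the resulting commands to sh once the list looks right.
SNAPLIST=$(printf '%s\n' "$SAMPLE" | home_connected_snaps)
printf '%s\n' "$SNAPLIST" | disconnect_commands
```

Re-run the script after installing a new snap, since snapd auto-connects the home plug at install time and the disconnect only covers snaps present when it ran.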