Hello PrivacyGuides folks!
I would like to ask you a couple questions concerning Ubuntu from purely security perspective. I recently read the following article:
Strong support for Snap and Ubuntu Core as Canonical meet IRL
There are particular passages which I would like to mention:
“Snaps are isolated using three different mechanisms: AppArmor, seccomp and namespaces. The combination means that even if a snap apps is run from the root account, then bugs aside it can’t escape the confinement.”
“There is a significant caveat, though: snapd’s AppArmor isolation mechanism is not present on all of those distros, with many favouring the rival SELinux. When AppArmor is absent, snap confinement is significantly weaker.”
As far as I understand, the security of Snaps is because they are isolated by using AppArmor, seccomp and namespaces. However, when AppArmor is absent, Snap confinement is significantly weaker. Moreover, it is not possible to use simultaneously both AppArmor and SELinux. Having said that, my broader questions are:
-
Is it secure enough to install Flatpak on Ubuntu 22.04 compared to the default Snap integration, given that I already use snaps and more precisely, how could I achieve higher level of isolation of Flatpak?
-
Would I be able to take advantage of AppArmor, seccomp and namespaces when I use Flatpak on Ubuntu 22.04 and how could I achieve it – is it done automatically when AppArmor is turned on or I have create certain profile? How about the seccomp and namespaces?
-
Are there any known issues when implementing certain CIS benchmark through UbuntuPro when it comes to Flatpak?
Thank you!