I would like to ask you a couple of questions concerning Ubuntu from a purely security perspective. I recently read the following article:
Strong support for Snap and Ubuntu Core as Canonical meet IRL
There are particular passages which I would like to mention:
“Snaps are isolated using three different mechanisms: AppArmor, seccomp and namespaces. The combination means that even if a snap app is run from the root account, then bugs aside it can’t escape the confinement.”
“There is a significant caveat, though: snapd’s AppArmor isolation mechanism is not present on all of those distros, with many favouring the rival SELinux. When AppArmor is absent, snap confinement is significantly weaker.”
As far as I understand, the security of Snaps is because they are isolated by using AppArmor, seccomp and namespaces. However, when AppArmor is absent, Snap confinement is significantly weaker. Moreover, it is not possible to use simultaneously both AppArmor and SELinux. Having said that, my broader questions are:
Is it secure enough to install Flatpak on Ubuntu 22.04 compared to the default Snap integration, given that I already use snaps, and more precisely, how could I achieve a higher level of isolation for Flatpak?
Would I be able to take advantage of AppArmor, seccomp and namespaces when I use Flatpak on Ubuntu 22.04, and how could I achieve it – is it done automatically when AppArmor is turned on, or do I have to create a certain profile? How about seccomp and namespaces?
Are there any known issues when implementing certain CIS benchmark through UbuntuPro when it comes to Flatpak?
I think if you want to use Ubuntu, it should make more sense to use snaps exclusively.
Also, Ubuntu Pro doesn’t make any real sense for a desktop end user. Its real advantage is for server deployments in which you don’t want to muck around with a dist-upgrade and risk breaking stuff in the server and losing service availability. If nuke and pave is an optional solution to fix your stuff, you should probably just use the latest available Ubuntu and not stay with older LTS versions (for which Ubuntu Pro provides security updates for 10 years instead of the regular 5).
If you really want to use flatpaks and take advantage of proper sandboxing like how Android does it, use Fedora Silverblue.
I know this is an old discussion and that is why I want to confirm the direction here. Is it still recommended to adopt Snaps because of AppArmor in Ubuntu (Kubuntu)?
Snaps are Ubuntu’s preferred packaging format, even for some kernel-level stuff, so it can make sense to stick with it, considering the often better maintenance than APT/deb packages on Ubuntu, and you get at least a bit of confinement with non-classic Snaps.
This was new information to me. It seems it is only worth using when strict confinement is in place, as you mentioned, where AppArmor and cgroups v1 are used to facilitate sandboxing.
I guess I’ll have to find a way to identify this.
I was disappointed to learn/hear that Firejail is somewhat not very reliable.
Yeah, it seems that if I have an option to install Firefox, for example, with the strictly confined snap package, it may be better than going with the Flatpak installation for security reasons; not sure about the privacy, as we understand the intrusion of the cloud host from Canonical.
I guess I’ll have to find a way to identify this [whether strict confinement is enabled]
I’m not super knowledgeable about snap but I think these 3 commands would be a place to start:
snap info --verbose <package_name> | grep confinement
If I understand correctly, if the above command returns confinement: strict, that snap package is configured for strict confinement.
And the two commands below don’t give you info about the snap package, they give you info about your system. The first tells you the confinement mode your system is operating in and the second tells you what sandbox/confinement features are available on your system. At least that is my understanding based on man snap and a couple of supplemental sources.
The Ubuntu GUI for downloading snaps, “App Center”, shows confinement status prominently. However, it doesn’t detail which files/permissions are allowed.
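As an added example (not from any poster above, and not snapd's own code), here is a small POSIX shell helper that parses the notes section of `snap info --verbose` output and reports the confinement a snap is actually running under, which goes one step beyond the grep above: a strict snap installed with --devmode is not enforced, and a devmode snap installed with --jailmode is. The sample texts are constructed excerpts, not real snapd output, and the snap names in them are made up.

```shell
#!/bin/sh
# Constructed excerpts of the "notes:" section printed by
# `snap info --verbose <snap>` for an installed snap. Snap names are invented.
SAMPLE_STRICT='name:      examplebrowser
notes:
  private:           false
  confinement:       strict
  devmode:           false
  jailmode:          false'

SAMPLE_DEVMODE='name:      exampletool
notes:
  confinement:       strict
  devmode:           true
  jailmode:          false'

SAMPLE_CLASSIC='name:      exampleeditor
notes:
  confinement:       classic
  devmode:           false
  jailmode:          false'

# Print the value of the first "<key>:" line found in the text given as $1.
snap_note_field() {
    printf '%s\n' "$1" | awk -v key="$2:" '$1 == key { print $2; exit }'
}

# Decide the effective confinement from `snap info --verbose` text ($1).
# Prints "strict"  : AppArmor/seccomp/namespace sandbox is enforced
#        "devmode" : sandbox violations are only logged, not blocked
#        "classic" : no sandbox at all
#        "unknown" : no usable confinement line (returns status 1)
effective_confinement() {
    conf=$(snap_note_field "$1" confinement)
    dev=$(snap_note_field "$1" devmode)
    jail=$(snap_note_field "$1" jailmode)
    case "$conf" in
        classic) echo classic ;;
        strict)  if [ "$dev" = true ]; then echo devmode; else echo strict; fi ;;
        devmode) if [ "$jail" = true ]; then echo strict; else echo devmode; fi ;;
        *)       echo unknown; return 1 ;;
    esac
}

# Live check of an installed snap; exits cleanly on systems without snapd.
check_installed_snap() {
    command -v snap >/dev/null 2>&1 || { echo "snap not found" >&2; return 2; }
    effective_confinement "$(snap info --verbose "$1")"
}
```

Run `check_installed_snap firefox` on the machine in question; anything other than "strict" means the AppArmor/seccomp/namespace confinement discussed above is not actually being enforced for that snap.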