Ubuntu 22.04 security – Snap, Flatpak, AppArmor, UbuntuPro

Hello PrivacyGuides folks!

I would like to ask you a couple of questions concerning Ubuntu from a purely security perspective. I recently read the following article:

Strong support for Snap and Ubuntu Core as Canonical meet IRL

There are particular passages which I would like to mention:

“Snaps are isolated using three different mechanisms: AppArmor, seccomp and namespaces. The combination means that even if a snap app is run from the root account, then bugs aside it can’t escape the confinement.”

“There is a significant caveat, though: snapd’s AppArmor isolation mechanism is not present on all of those distros, with many favouring the rival SELinux. When AppArmor is absent, snap confinement is significantly weaker.”

As far as I understand, the security of Snaps is because they are isolated by using AppArmor, seccomp and namespaces. However, when AppArmor is absent, Snap confinement is significantly weaker. Moreover, it is not possible to use both AppArmor and SELinux simultaneously. Having said that, my broader questions are:

  1. Is it secure enough to install Flatpak on Ubuntu 22.04 compared to the default Snap integration, given that I already use snaps, and more precisely, how could I achieve a higher level of isolation for Flatpak?

  2. Would I be able to take advantage of AppArmor, seccomp and namespaces when I use Flatpak on Ubuntu 22.04, and how could I achieve it – is it done automatically when AppArmor is turned on, or do I have to create a certain profile? How about seccomp and namespaces?

  3. Are there any known issues when implementing a certain CIS benchmark through Ubuntu Pro when it comes to Flatpak?

Thank you!
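Added example, not part of the original post or of the quoted article: one way to check which of the three layers named in the quote (AppArmor, seccomp, namespaces) actually apply to a given process, whether it was started from a snap or a Flatpak. The function names and the sample values are constructed for illustration; the fields read are the kernel's `/proc/<pid>/status`, `/proc/<pid>/attr/current` and `/proc/<pid>/ns/*`.

```python
import os, re, sys

SECCOMP_MODES = {"0": "disabled", "1": "strict", "2": "filter"}

def confinement_report(status_text, label, proc_ns, init_ns):
    """Summarise seccomp, AppArmor and namespace state from raw /proc data."""
    m = re.search(r"^Seccomp:\s*(\d+)", status_text, re.MULTILINE)
    seccomp = SECCOMP_MODES.get(m.group(1), "unknown") if m else "unknown"
    # AppArmor reports "profile-name (mode)" or the literal "unconfined";
    # an empty or differently shaped label means no AppArmor profile applies.
    label = label.strip("\x00\n ")
    pm = re.fullmatch(r"(.+) \((\w+)\)", label)
    profile, mode = pm.groups() if pm else (label or None, None)
    # A namespace is private when its id differs from the one PID 1 uses.
    private = sorted(k for k, v in proc_ns.items() if k in init_ns and init_ns[k] != v)
    return {"seccomp": seccomp, "apparmor_profile": profile,
            "apparmor_enforced": mode == "enforce", "private_namespaces": private}

def read_live(pid):
    """Collect the same data for a running PID (needs root to read PID 1)."""
    def ns(p):
        return {n: os.readlink(f"/proc/{p}/ns/{n}") for n in os.listdir(f"/proc/{p}/ns")}
    with open(f"/proc/{pid}/status") as f:
        status = f.read()
    try:
        with open(f"/proc/{pid}/attr/current") as f:
            label = f.read()
    except OSError:  # LSM attribute not readable, e.g. AppArmor not loaded
        label = ""
    return confinement_report(status, label, ns(pid), ns(1))

# Constructed sample data, shaped like what a confined process exposes.
SAMPLE_STATUS = "Name:\tfirefox\nPid:\t4242\nSeccomp:\t2\n"
SAMPLE_LABEL = "snap.firefox.firefox (enforce)\n"
SAMPLE_NS = {"mnt": "mnt:[4026532801]", "pid": "pid:[4026531836]"}
SAMPLE_INIT_NS = {"mnt": "mnt:[4026531841]", "pid": "pid:[4026531836]"}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(read_live(int(sys.argv[1])))
    else:
        print(confinement_report(SAMPLE_STATUS, SAMPLE_LABEL, SAMPLE_NS, SAMPLE_INIT_NS))
```

Run it with a PID as the only argument to inspect a live process; without arguments it reports on the constructed sample.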

I think if you want to use Ubuntu, it should make more sense to use snaps exclusively.

Also, Ubuntu Pro doesn’t make any real sense for a desktop end user. Its real advantage is for server deployments in which you don’t want to muck around with a dist-upgrade and risk breaking stuff in the server and losing service availability. If nuke and pave is an optional solution to fix your stuff, you should probably just use the latest available Ubuntu and not stay with older LTS versions (for which Ubuntu Pro will provide security updates for 10 years instead of the regular 5).

If you really want to use flatpaks and take advantage of proper sandboxing like how Android does it, use Fedora Silverblue.