Bug 753695 - app-containers/snapd: App confinement not working
Summary: app-containers/snapd: App confinement not working
Status: CONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Zac Medico
URL: https://bugs.launchpad.net/snapcraft/...
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-11-09 12:01 UTC by Thomas Schneider
Modified: 2022-01-01 10:21 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
emerge --info (emerge-info,20.15 KB, text/plain)
2020-11-09 12:01 UTC, Thomas Schneider
Details

Description Thomas Schneider 2020-11-09 12:01:55 UTC
Created attachment 670580 [details]
emerge --info

When running `snap list` without any apps installed, it suggests installing "hello-world", which I did.  This provides a command `hello-world.evil`, which is supposed to not succeed due to the confinement of a snap package.  However:
---
qsx@neptun ~ 
% hello-world.evil
Hello Evil World!
This example demonstrates the app confinement
You should see a permission denied error next
If you see this line the confinement is not working correctly, please file a bug
qsx@neptun ~ 
% cat /var/lib/snapd/snap/hello-world/current/bin/evil 
#!/bin/sh

set -e
echo "Hello Evil World!"

echo "This example demonstrates the app confinement"
echo "You should see a permission denied error next"

echo "Haha" > /var/tmp/myevil.txt

echo "If you see this line the confinement is not working correctly, please file a bug"
qsx@neptun ~ 
% cat /var/tmp/myevil.txt 
Haha
---

I have no idea why this does not work as intended, as nothing complained about any error, e.g. kernel options which should be set.
Comment 1 Zac Medico gentoo-dev 2020-11-10 02:04:37 UTC
It happens to me too. In the journalctl -u snapd.service log, it looks like it went into devmode:

> Nov 08 23:57:00 hostname systemd[1]: Starting Snap Daemon...
> Nov 08 23:57:00 hostname snapd[248914]: AppArmor status: apparmor is enabled but some kernel features are missing: dbus, network
> Nov 08 23:57:00 hostname snapd[248914]: daemon.go:343: started snapd/2.47.1 (series 16; classic; devmode) gentoo/ (amd64) linux/5.4.72-1020-x86_64.
Comment 2 Zac Medico gentoo-dev 2020-11-10 07:46:26 UTC
There's a ForceDevMode function that triggers it based on apparmor and cgroup assessments:

https://github.com/snapcore/snapd/blob/2.47.1/sandbox/forcedevmode.go#L34

The apparmor assessment happens here:

https://github.com/snapcore/snapd/blob/2.47.1/sandbox/apparmor/apparmor.go#L207

The cgroup assessment happens in the IsUnified function here, if it returns true for cgroup v2 then that triggers devmode:

https://github.com/snapcore/snapd/blob/2.47.1/sandbox/cgroup/cgroup.go#L98
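The devmode decision that Comment 2 points at, reimplemented as an added sh example (not snapd's own code, and not posted by anyone in this bug): it reads the same sysfs locations snapd inspects and combines them the way the comment describes, but runs them against a constructed fake sysfs tree so it works offline. The required-feature list (`dbus`, `network`) is taken from the journal line in Comment 1 and is an assumption about what snapd demands; the cgroup v2 test via `cgroup.controllers` is a simplified heuristic, not snapd's IsUnified implementation.

```shell
#!/bin/sh
# Added example: reproduce the two host assessments that, per Comment 2,
# snapd's ForceDevMode combines. Paths are the real sysfs locations; the
# feature list and the cgroup v2 heuristic are assumptions, not snapd code.

REQUIRED_FEATURES="dbus network"   # assumed from the journal line in Comment 1

# apparmor_level ROOT -> prints "unsupported", "partial" or "full"
apparmor_level() {
    root=$1
    enabled_file="$root/sys/module/apparmor/parameters/enabled"
    features_dir="$root/sys/kernel/security/apparmor/features"
    if [ ! -f "$enabled_file" ] || [ "$(cat "$enabled_file")" != "Y" ]; then
        echo unsupported
        return 0
    fi
    missing=""
    for f in $REQUIRED_FEATURES; do
        [ -d "$features_dir/$f" ] || missing="$missing $f"
    done
    if [ -n "$missing" ]; then
        echo partial      # enabled, but kernel features are missing:$missing
    else
        echo full
    fi
}

# cgroup_is_unified ROOT -> exit 0 when the cgroup mount is the v2 unified
# hierarchy. Heuristic: cgroup.controllers exists only at a cgroup2 root.
cgroup_is_unified() {
    [ -f "$1/sys/fs/cgroup/cgroup.controllers" ]
}

# force_devmode ROOT -> prints "devmode" or "confined"; the reason goes to stderr.
# Mirrors Comment 2: apparmor not fully supported, or cgroup v2, forces devmode.
force_devmode() {
    level=$(apparmor_level "$1")
    if [ "$level" != full ]; then
        echo "apparmor support is $level" >&2
        echo devmode
        return 0
    fi
    if cgroup_is_unified "$1"; then
        echo "cgroup v2 unified hierarchy detected" >&2
        echo devmode
        return 0
    fi
    echo confined
}

# make_fixture DIR ENABLED FEATURES UNIFIED builds a constructed fake sysfs
# under DIR so the checks above can run without touching the real host.
make_fixture() {
    dir=$1; enabled=$2; feats=$3; unified=$4
    mkdir -p "$dir/sys/module/apparmor/parameters" \
             "$dir/sys/kernel/security/apparmor/features" \
             "$dir/sys/fs/cgroup"
    printf '%s\n' "$enabled" > "$dir/sys/module/apparmor/parameters/enabled"
    for f in $feats; do
        mkdir -p "$dir/sys/kernel/security/apparmor/features/$f"
    done
    [ "$unified" = yes ] && : > "$dir/sys/fs/cgroup/cgroup.controllers"
    return 0
}

# Demo: a host shaped like the reporter's (apparmor on, dbus/network missing,
# cgroup v2) beside one where full confinement is possible.
demo() {
    tmp=$(mktemp -d)
    make_fixture "$tmp/reporter" Y "file" yes
    make_fixture "$tmp/healthy" Y "dbus network" no
    printf 'reporter-like host: %s\nhealthy host:       %s\n' \
        "$(force_devmode "$tmp/reporter" 2>/dev/null)" \
        "$(force_devmode "$tmp/healthy" 2>/dev/null)"
    rm -rf "$tmp"
}

demo
```

On a real host the confirmation is still the journal line from Comment 1: a `started snapd/...` line that contains `devmode` means confinement is off, and the `hello-world.evil` test from the description will write its file unhindered.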
Comment 3 Larry the Git Cow gentoo-dev 2020-11-10 11:35:48 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9199f894abc83596ae63ebc48a73e0af354d5f40

commit 9199f894abc83596ae63ebc48a73e0af354d5f40
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2020-11-10 11:29:48 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2020-11-10 11:35:43 +0000

    app-emulation/snapd: 2.47.1-r1 revbump for bug 753695
    
    Add USE=forced-devmode which can be disabled if you would like
    snapd to panic if its confinement feature detection fails.
    
    Bug: https://bugs.gentoo.org/753695
    Package-Manager: Portage-3.0.9, Repoman-3.0.2
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-emulation/snapd/files/README.gentoo                      |  9 +++++++++
 app-emulation/snapd/metadata.xml                             |  6 ++++++
 .../snapd/{snapd-2.47.1.ebuild => snapd-2.47.1-r1.ebuild}    | 12 +++++++++---
 3 files changed, 24 insertions(+), 3 deletions(-)
Comment 4 Larry the Git Cow gentoo-dev 2020-11-10 11:41:03 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0d8dfef3a6de92ef0b63c0cb5e4b93a328b29ce2

commit 0d8dfef3a6de92ef0b63c0cb5e4b93a328b29ce2
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2020-11-10 11:39:14 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2020-11-10 11:39:36 +0000

    app-emulation/snapd: Add apparmor REQUIRED_USE for !forced-devmode
    
    Bug: https://bugs.gentoo.org/753695
    Package-Manager: Portage-3.0.9, Repoman-3.0.2
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-emulation/snapd/snapd-2.47.1-r1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)