snapd fails to create a device cgroup for strict mode snaps that have no matching udev tagged devices
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
snapd (Ubuntu) | New | Undecided | Unassigned |
Bug Description
Currently snap-confine within snapd will only create a device cgroup, and hence implement this access control mechanism, for snaps which plug/slot an interface that adds udev rules for a set of devices. As such, in the case that, say, AppArmor is not available or can be bypassed, there is no access control implemented for device files.
Instead, snap-confine should always create a device cgroup for all strict mode snaps.
It seems this change occurred in https:/
Am tagging this as security since it relates to sandboxing but as this is an additional hardening measure I do not think it qualifies as a security vulnerability in-and-of itself.
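An audit sketch for the behaviour described above, added here and not taken from snapd or from the report: it reads `udevadm info --export-db` output and lists the strict-mode snap apps that have no udev-tagged device, which per the report are the ones left without a device cgroup. It assumes snapd's udev tag form `snap_<snap>_<app>`; the snap names and the sample database are constructed.

```python
import re

# Constructed sample of `udevadm info --export-db` output (not from a real host).
SAMPLE_UDEV_DB = """\
P: /devices/virtual/misc/fuse
N: fuse
E: DEVNAME=/dev/fuse
E: TAGS=:snap_demo-cam_viewer:systemd:

P: /devices/pci0000:00/video4linux/video0
N: video0
E: DEVNAME=/dev/video0
E: TAGS=:snap_demo-cam_viewer:uaccess:

P: /devices/virtual/mem/null
N: null
E: DEVNAME=/dev/null
"""

# Newer systemd also exports CURRENT_TAGS; accept either property.
TAG_LINE = re.compile(r"^E: (?:CURRENT_)?TAGS=(.*)$")

def tagged_devices(udev_db):
    """Map each snap_* udev tag to the set of device nodes carrying it."""
    result = {}
    for record in udev_db.strip().split("\n\n"):
        devname, tags = None, set()
        for line in record.splitlines():
            if line.startswith("E: DEVNAME="):
                devname = line.split("=", 1)[1]
            m = TAG_LINE.match(line)
            if m:
                tags.update(t for t in m.group(1).split(":") if t.startswith("snap_"))
        if devname:
            for tag in tags:
                result.setdefault(tag, set()).add(devname)
    return result

def apps_without_device_cgroup(strict_apps, udev_db):
    """Return strict-mode apps ("snap.app") that have no tagged device, i.e.
    those for which, per the report, no device cgroup is set up."""
    tagged = tagged_devices(udev_db)
    missing = []
    for app in strict_apps:
        snap, _, name = app.partition(".")
        if "snap_%s_%s" % (snap, name) not in tagged:  # assumed tag form
            missing.append(app)
    return sorted(missing)

if __name__ == "__main__":
    apps = ["demo-cam.viewer", "demo-notes.editor"]  # hypothetical strict snaps
    print(apps_without_device_cgroup(apps, SAMPLE_UDEV_DB))
```

On a real host, pass the captured output of `udevadm info --export-db` and the app list of the installed strict-mode snaps in place of the constructed values.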
Hello Alex.
I know about this feature but when we last tried to change it, it was a breaking regression for a number of snaps that rely on this (mis)feature, including high-profile snaps like greengrass.