Bug ID 1127368
Summary AUDIT-0: snapd: add set*id permissions related to snapd (/usr/lib/snapd/snap-confine)
Classification openSUSE
Product openSUSE.org
Version unspecified
Hardware Other
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component 3rd party software
Assignee bnc-team-screening@forge.provo.novell.com
Reporter me@zygoon.pl
QA Contact bnc-team-screening@forge.provo.novell.com
Found By ---
Blocker ---

Hello

I'd like to add set*id permissions used by snapd to the centrally tracked pool:

[   72s] snapd.x86_64: E: permissions-file-setuid-bit (Badness: 10000) /usr/lib/snapd/snap-confine is packaged with setuid/setgid bits (06755)
[   72s] If the package is intended for inclusion in any SUSE product please open a bug
[   72s] report to request review of the program by the security team. Please refer to
[   72s] https://en.opensuse.org/openSUSE:Package_security_guidelines#audit_bugs for
[   72s] more information.


You can find snapd in the system:snappy repository. The relevant source code is
https://github.com/snapcore/snapd/tree/master/cmd/snap-confine and
https://github.com/snapcore/snapd/tree/master/cmd/libsnap-confine-private

The program, snap-confine, is set*id root to allow manipulation of apparmor,
device cgroup, freezer cgroup, pid cgroup and the mount namespace. It performs
essential setup and requests additional services from snap-update-ns (to
perform mount namespace initialization) as well as snap-device-helper (to
manipulate the device cgroup, in tandem with udev).

The program itself is confined with a dedicated apparmor profile to limit its
powers. The invocations of snap-update-ns are similarly using a dedicated
per-snap profile to precisely represent the set of mount operations that can
happen.

You can find both profiles in the snapd source code:
- https://github.com/snapcore/snapd/blob/master/cmd/snap-confine/snap-confine.apparmor.in
- https://github.com/snapcore/snapd/blob/master/interfaces/apparmor/template.go#L590

I wrote about the operation of snap-confine on the snapcraft forum. The post is
slightly out of date (2.36 vs current 2.37.4) but the changes introduced since
are tiny and it still represents the best written down description of what
happens under the hood. You can find the post at
https://forum.snapcraft.io/t/snapd-2-36-snap-confine-logic-walkthrough/7843

