[Bug 1127368] New: AUDIT-0: snapd: add set*id permissions related to snapd (/usr/lib/snapd/snap-confine)
http://bugzilla.opensuse.org/show_bug.cgi?id=1127368

            Bug ID: 1127368
           Summary: AUDIT-0: snapd: add set*id permissions related to snapd (/usr/lib/snapd/snap-confine)
    Classification: openSUSE
           Product: openSUSE.org
           Version: unspecified
          Hardware: Other
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: 3rd party software
          Assignee: bnc-team-screening@forge.provo.novell.com
          Reporter: me@zygoon.pl
        QA Contact: bnc-team-screening@forge.provo.novell.com
          Found By: ---
           Blocker: ---

Hello

I'd like to add the set*id permissions used by snapd to the centrally tracked pool:

[ 72s] snapd.x86_64: E: permissions-file-setuid-bit (Badness: 10000) /usr/lib/snapd/snap-confine is packaged with setuid/setgid bits (06755)
[ 72s] If the package is intended for inclusion in any SUSE product please open a bug
[ 72s] report to request review of the program by the security team. Please refer to
[ 72s] https://en.opensuse.org/openSUSE:Package_security_guidelines#audit_bugs for
[ 72s] more information.

You can find snapd in the system:snappy repository. The relevant source code is https://github.com/snapcore/snapd/tree/master/cmd/snap-confine and https://github.com/snapcore/snapd/tree/master/cmd/libsnap-confine-private

The program, snap-confine, is set*id root to allow manipulation of apparmor, the device cgroup, the freezer cgroup, the pid cgroup and the mount namespace. It performs essential setup and requests additional services from snap-update-ns (to perform mount namespace initialization) as well as snap-device-helper (to manipulate the device cgroup, in tandem with udev).

The program itself is confined with a dedicated apparmor profile to limit its powers. The invocations of snap-update-ns similarly use a dedicated per-snap profile to precisely represent the set of mount operations that can happen. You can find both profiles in the snapd source code:

- https://github.com/snapcore/snapd/blob/master/cmd/snap-confine/snap-confine....
- https://github.com/snapcore/snapd/blob/master/interfaces/apparmor/template.g...

I wrote about the operation of snap-confine on the snapcraft forum. The post is slightly out of date (2.36 vs current 2.37.4) but the changes introduced since are tiny and it still represents the best written-down description of what happens under the hood. You can find the post at https://forum.snapcraft.io/t/snapd-2-36-snap-confine-logic-walkthrough/7843

-- 
You are receiving this mail because:
You are on the CC list for the bug.
Zygmunt Krynicki
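A check in the spirit of the request above, added here as an example and not code from the bug report, from snapd or from the openSUSE permissions tooling: it takes an allowlist written in the style of openSUSE's /etc/permissions* files (one "path owner:group mode" entry per line; that format is an assumption of this example), verifies that a set*id binary's actual owner and mode match its entry exactly, and reports any set*id file under a tree that has no entry at all. The snap-confine entry is a constructed sample: its mode 6755 comes from the rpmlint line in the report, while owner root:root is assumed. All function names are this example's own, and it assumes Linux with GNU coreutils (stat -c) and GNU findutils (-maxdepth).

```shell
#!/bin/sh
# Added example: verify set*id binaries against an allowlist written in the
# style of openSUSE's /etc/permissions* files ("path owner:group mode", one
# entry per line). Not code from the bug report or from snapd; assumes Linux
# with GNU coreutils (stat -c) and GNU findutils (-maxdepth).

# Constructed sample allowlist. The mode comes from the rpmlint line in the
# report (06755); owner root:root is an assumption for the example.
SNAPD_PERMISSIONS='/usr/lib/snapd/snap-confine root:root 6755'

# mode_owner PATH -> "MODE OWNER:GROUP", e.g. "6755 root:root"
mode_owner() {
    stat -c '%a %U:%G' "$1"
}

# is_setid PATH -> success if PATH carries the setuid or the setgid bit
is_setid() {
    [ -n "$(find "$1" -maxdepth 0 \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null)" ]
}

# entry_for PATH ENTRIES -> prints "OWNER:GROUP MODE" for PATH, nothing if untracked
# (paths containing whitespace are not supported, as in the real files)
entry_for() {
    printf '%s\n' "$2" | awk -v p="$1" '$1 == p { print $2, $3; exit }'
}

# check_entry PATH ENTRIES -> 0 only if PATH exists and its owner:group and
# mode match its allowlist entry exactly; 1 if untracked, missing or different
check_entry() {
    expected=$(entry_for "$1" "$2")
    [ -n "$expected" ] || return 1
    set -- "$1" $expected        # $2 = owner:group, $3 = mode
    actual=$(mode_owner "$1" 2>/dev/null) || return 1
    [ "$actual" = "$3 $2" ]
}

# audit_tree DIR ENTRIES -> one line per set*id file found under DIR:
#   "ok PATH" | "mismatch PATH" | "untracked PATH"
audit_tree() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | sort |
    while IFS= read -r f; do
        if [ -z "$(entry_for "$f" "$2")" ]; then
            echo "untracked $f"
        elif check_entry "$f" "$2"; then
            echo "ok $f"
        else
            echo "mismatch $f"
        fi
    done
}

# audit_ok DIR ENTRIES -> 0 if every set*id file under DIR is tracked and matches
audit_ok() {
    ! audit_tree "$1" "$2" | grep -qv '^ok '
}

# Stand-alone use against a real installation, with the sample list:
#   audit_tree /usr/lib/snapd "$SNAPD_PERMISSIONS"
```

The exact-match rule in check_entry is deliberate: a binary that is tracked as 6755 root:root but shows up as 4755, or owned by another user, is reported as a mismatch rather than accepted because "it is still set*id", since a changed mode or owner is precisely what an audit entry is meant to catch.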