![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
Circumventing Ubuntu Snap confinement
Ubuntu 16.04 was released today, with one of the highlights being the new Snap package format. Snaps are intended to make it easier to distribute applications for Ubuntu - they include their dependencies rather than relying on the archive, they can be updated on a schedule that's separate from the distribution itself and they're confined by a strong security policy that makes it impossible for an app to steal your data.
At least, that's what Canonical assert. It's true in a sense - if you're using Snap packages on Mir (ie, Ubuntu mobile) then there's a genuine improvement in security. But if you're using X11 (ie, Ubuntu desktop) it's horribly, awfully misleading. Any Snap package you install is completely capable of copying all your private data to wherever it wants with very little difficulty.
The problem here is the X11 windowing system. X has no real concept of different levels of application trust. Any application can register to receive keystrokes from any other application. Any application can inject fake key events into the input stream. An application that is otherwise confined by strong security policies can simply type into another window. An application that has no access to any of your private data can wait until your session is idle, open an unconfined terminal and then use curl to send your data to a remote site. As long as Ubuntu desktop still uses X11, the Snap format provides you with very little meaningful security. Mir and Wayland both fix this, which is why Wayland is a prerequisite for the sandboxed xdg-app design.
I've produced a quick proof of concept of this. Grab XEvilTeddy from git, install Snapcraft (it's in 16.04), snapcraft snap, sudo snap install xevilteddy*.snap, /snap/bin/xevilteddy.xteddy . An adorable teddy bear! How cute. Now open Firefox and start typing, then check back in your terminal window. Oh no! All my secrets. Open another terminal window and give it focus. Oh no! An injected command that could instead have been a curl session that uploaded your private SSH keys to somewhere that's not going to respect your privacy.
The Snap format provides a lot of underlying technology that is a great step towards being able to protect systems against untrustworthy third-party applications, and once Ubuntu shifts to using Mir by default it'll be much better than the status quo. But right now the protections it provides are easily circumvented, and it's disingenuous to claim that it currently gives desktop users any real security.
At least, that's what Canonical assert. It's true in a sense - if you're using Snap packages on Mir (ie, Ubuntu mobile) then there's a genuine improvement in security. But if you're using X11 (ie, Ubuntu desktop) it's horribly, awfully misleading. Any Snap package you install is completely capable of copying all your private data to wherever it wants with very little difficulty.
The problem here is the X11 windowing system. X has no real concept of different levels of application trust. Any application can register to receive keystrokes from any other application. Any application can inject fake key events into the input stream. An application that is otherwise confined by strong security policies can simply type into another window. An application that has no access to any of your private data can wait until your session is idle, open an unconfined terminal and then use curl to send your data to a remote site. As long as Ubuntu desktop still uses X11, the Snap format provides you with very little meaningful security. Mir and Wayland both fix this, which is why Wayland is a prerequisite for the sandboxed xdg-app design.
I've produced a quick proof of concept of this. Grab XEvilTeddy from git, install Snapcraft (it's in 16.04), snapcraft snap, sudo snap install xevilteddy*.snap, /snap/bin/xevilteddy.xteddy . An adorable teddy bear! How cute. Now open Firefox and start typing, then check back in your terminal window. Oh no! All my secrets. Open another terminal window and give it focus. Oh no! An injected command that could instead have been a curl session that uploaded your private SSH keys to somewhere that's not going to respect your privacy.
The Snap format provides a lot of underlying technology that is a great step towards being able to protect systems against untrustworthy third-party applications, and once Ubuntu shifts to using Mir by default it'll be much better than the status quo. But right now the protections it provides are easily circumvented, and it's disingenuous to claim that it currently gives desktop users any real security.
no subject
(Anonymous) 2016-04-22 03:58 am (UTC)(link)no subject
(Anonymous) 2016-04-22 04:06 am (UTC)(link)no subject
(Anonymous) 2016-04-22 05:44 am (UTC)(link)"Your snap has now been uploaded to the store, and is now undergoing an automated review. You'll be emailed when the review has completed, at which time you can visit the MyApps site and publish your snap!"
I suppose bypassed with
" Note that if you uploaded a new version for an already-published snap, your update will be automatically published."
no subject
(Anonymous) 2016-04-22 08:51 am (UTC)(link)while all uploads are always automatically reviewed, the first publishing is a manual step to make sure you don't put something live by accident.
no subject
(Anonymous) 2016-04-24 07:55 am (UTC)(link)no subject
(Anonymous) 2016-04-24 05:01 pm (UTC)(link)no subject
no subject
(Anonymous) 2016-04-22 11:51 am (UTC)(link)no subject
(Anonymous) 2016-04-22 07:35 pm (UTC)(link)wasted reading
(Anonymous) 2016-05-02 02:43 am (UTC)(link)running click on x is no different. its merely a new format waiting for mir which will fix this old x problem. its also a wonderful concept i intend to implement with tcl scripts.
and im not even evil or teddy..
Re: wasted reading
(Anonymous) 2016-05-02 03:08 pm (UTC)(link)What is new news is that canonical claims (linked under the word "claim" in this post) "snap applications are isolated from the rest of the system. Users can install a snap without having to worry whether it will have an impact on their other apps or their system". This is misleading. So thank you, Matthew, for bringing attention to this!