Friday, 22 July 2016

Using snap with confinement on Arch Linux

This week I was a guest at the Snappy Sprint in Heidelberg, hosted by Canonical, because I'm the maintainer of the snap packages on Arch Linux.

With the official packages on Arch Linux you can currently only use snaps without confinement (i.e. you can only install packages in devmode), and this is bad for security: an unconfined snap can do (almost) anything it wants.

The reason is that snap confinement relies on the Ubuntu-patched version of AppArmor, which is not available in the mainline kernel yet.

So this week I worked on porting the AppArmor patches to the linux-lts kernel, and I created some AUR packages to get confinement working.
I also had to get upstream to fix some weird bugs; eventually it was a complete success and confinement works perfectly.

If you are curious and want to try it, you just need to install snapd-confinement (and its dependencies) from the AUR.

If you don't want to spend a lot of time compiling the kernel, you can use my repository instead. To do that, execute the following commands as root:

# Configure Arch Linux to use my repository.
# The repository name and server URL are placeholders here: fill in the real values.
# Note: SigLevel = Optional makes pacman accept packages from this repository
# even when they carry no signature, so you are trusting the server and the path to it.
cat <<'EOF' >> /etc/pacman.conf
[<repository-name>]
SigLevel = Optional
Server = <repository-url>/$arch
EOF

# Install the needed packages
pacman -Syu snapd-confinement linux-lts-apparmor3

# Regenerate the grub configuration so the new kernel is listed
grub-mkconfig -o /boot/grub/grub.cfg

# Enable the needed systemd services
systemctl enable apparmor snapd.apparmor snapd.socket

# (Optional) Enable snapd.refresh.timer to automatically update snaps
systemctl enable snapd.refresh.timer

# Reboot in order to use the new kernel
reboot

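After rebooting, it is worth verifying that confinement is really in effect rather than assuming it. The following POSIX shell helpers are an added example of mine, not code from the original post or from the snapd or Arch packaging: one reports snaps that are still installed in devmode (read from the output of snap list, assuming the 2016-era column layout Name Version Rev Developer Notes), one lists pacman.conf repository sections whose SigLevel disables or weakens signature checking, and one reads the kernel's AppArmor state from /sys/module/apparmor/parameters/enabled. The sample snap list output and pacman.conf used for testing are constructed, not real.

```shell
#!/bin/sh
# Added example (not from the original post): post-install audit helpers for a
# snapd-with-confinement setup on Arch Linux.

# unconfined_snaps: read `snap list` output on stdin and print the names of
# snaps whose Notes column mentions "devmode", i.e. snaps running unconfined.
# Assumes the column order: Name Version Rev Developer Notes (header on line 1).
unconfined_snaps() {
    awk 'NR > 1 && $NF ~ /devmode/ { print $1 }'
}

# unsigned_repos: read a pacman.conf on stdin and print the names of sections
# whose SigLevel contains a token that drops signature verification for
# packages (Optional, Never, TrustAll, or their Package-prefixed forms).
# DatabaseOptional, Arch's default for [options], is deliberately not flagged.
unsigned_repos() {
    awk '
        /^[[:space:]]*\[/ {
            repo = $0
            sub(/^[[:space:]]*\[/, "", repo)
            sub(/\].*$/, "", repo)
            next
        }
        /^[[:space:]]*SigLevel[[:space:]]*=/ {
            sub(/^[^=]*=/, "")          # keep only the value tokens
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(Package)?(Optional|Never|TrustAll)$/) {
                    print repo
                    next
                }
        }
    '
}

# apparmor_enabled: succeed (exit 0) only if the kernel reports AppArmor as
# enabled. The parameter file path can be overridden for testing.
apparmor_enabled() {
    f="${1:-/sys/module/apparmor/parameters/enabled}"
    [ -r "$f" ] && [ "$(cat "$f")" = "Y" ]
}

# Stand-alone usage: run the three checks against the live system.
if [ "${AUDIT_MAIN:-0}" = "1" ]; then
    if apparmor_enabled; then
        echo "AppArmor: enabled"
    else
        echo "AppArmor: NOT enabled (confinement is not enforced)"
    fi
    echo "Repositories with weakened signature checks:"
    unsigned_repos < /etc/pacman.conf
    echo "Snaps installed in devmode (unconfined):"
    snap list | unconfined_snaps
fi
```

Run it with AUDIT_MAIN=1 sh audit.sh on the installed system; a snap that shows up under the devmode heading has the full set of permissions of your user, regardless of the kernel being AppArmor-enabled.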
Known bugs:
If you use KDE, like I do, X-based snaps don't currently work, since the Xauthority file lives in the /tmp directory.

Until upstream fixes the bug I reported, you can use my workaround.
Just create a script in ~/.config/plasma-workspace/env/ with the following text:
#!/bin/sh
# Plasma runs the executable scripts in this directory at login.
# Copy the X session cookie from its /tmp location to the default
# ~/.Xauthority path so that confined snaps can reach it.
# The copy holds your session cookie: keep it readable only by you.
if [ -n "$XAUTHORITY" ] && [ "$XAUTHORITY" != "$HOME/.Xauthority" ]; then
    cp -f "$XAUTHORITY" "$HOME"/.Xauthority
fi
Make it executable and reboot.

1 comment:

  1. A suggestion:

    A snap meta package for your KDE (and other DEs after that)

    And making an Arch / any-DE "snapped" (and/or "flatpaked", when it comes) distro.

    Perhaps with calamares as installer.

    Snaparch or Archsnap or whatever new name you can give it.

    Right now you cannot have all the DEs and WMs installed at the same time for education, kiosk or show purposes, and with snaps there will be a way to have all of them in one install without collisions.