This week I was a guest at the Snappy Sprint in Heidelberg, hosted by Canonical, because I'm the maintainer of the snap packages on Arch Linux.
With the official Arch Linux packages you can only use snaps without confinement (i.e. you can only install them in devmode). This is bad for security, because an unconfined snap can do (almost) anything it wants on your system.
The reason is that snap confinement relies on Ubuntu's patched version of AppArmor, which is not in the mainline kernel yet.
So this week I worked on porting the AppArmor patches to the linux-lts kernel, and I created some AUR packages to get confinement working.
I also had to get upstream to fix some weird bugs; eventually it was a complete success and confinement works perfectly.
If you are curious and want to try it, you just need to install snapd-confinement (and its dependencies) from the AUR.
If you don't want to spend lots of time compiling the kernel, you can just use my repository. To do that, execute the following commands (they write to /etc/pacman.conf and install packages, so they need root privileges):

```sh
# Configure Arch Linux to use my repository
cat <<'EOF' >> /etc/pacman.conf
[tredaelli-snap]
SigLevel = Optional
Server = http://pkgbuild.com/~tredaelli/repo/snap/$arch
EOF

# Install needed packages
pacman -Syu snapd-confinement linux-lts-apparmor3

# Regenerate grub configuration
grub-mkconfig -o /boot/grub/grub.cfg

# Enable needed systemd services
systemctl enable apparmor snapd.apparmor snapd.socket

# (Optional) Enable snapd.refresh.timer to automatically update snaps
systemctl enable snapd.refresh.timer

# Reboot in order to use the new kernel
reboot
```

Note that SigLevel = Optional tells pacman not to require signatures for packages from this repository, and the mirror is served over plain HTTP, so you are trusting both the repository contents and the network path to it; if that bothers you, build the packages from the AUR instead.

Known bugs:
If you use KDE, like I do, X-based snaps don't currently work, because KDE puts the Xauthority file under /tmp, and a confined snap gets its own private /tmp instead of the host's, so it cannot read the X cookie.
Until upstream fixes the bug I reported, you can use my workaround.
Just create a script at ~/.config/plasma-workspace/env/fix_xauth.sh with the following content:

```sh
#!/bin/sh
# Sourced at Plasma session startup: if the X cookie lives somewhere other than
# ~/.Xauthority (KDE puts it under /tmp), copy it there and point XAUTHORITY at
# the copy, so confined snaps can find it in a location they are allowed to read.
if [ -n "$XAUTHORITY" ] && [ "$XAUTHORITY" != "$HOME/.Xauthority" ]; then
    cp -f "$XAUTHORITY" "$HOME/.Xauthority"
    export XAUTHORITY="$HOME/.Xauthority"
fi
```

Make it executable and reboot.
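Once the new kernel and the services above are in place, it is worth verifying that confinement is really in effect rather than assuming it. The script below is an added example, not code from the original post or from snapd: it checks that the running kernel reports AppArmor enabled, that every snap.* AppArmor profile is loaded in enforce mode (a devmode snap's profile is loaded in complain mode, which only logs violations instead of blocking them), and that `snap list` shows no snap with devmode in its Notes column. It assumes the standard AppArmor sysfs files (/sys/module/apparmor/parameters/enabled and /sys/kernel/security/apparmor/profiles), snapd's "snap.<snap>.<app> (mode)" profile naming, and the Name/Version/Rev/Developer/Notes columns of `snap list`. Each check takes the file to inspect as an argument, so the demonstration at the bottom runs offline on constructed sample data; `live_check` runs the same checks against the real system.

```sh
#!/bin/sh
# Added example (not from the original post): check that snap confinement is
# actually in effect. Assumptions: the standard AppArmor sysfs files, snapd's
# "snap.<snap>.<app> (mode)" profile names, and the Name/Version/Rev/Developer/
# Notes columns of `snap list`. Each check reads the file given as its argument,
# so it can run on captured copies (constructed sample data below) or live files.

# 0 if the kernel reports AppArmor enabled ("Y"), 1 otherwise.
apparmor_enabled() {
    [ -r "$1" ] && [ "$(cat "$1")" = "Y" ]
}

# Print snap.* profiles loaded in any mode other than enforce. A devmode snap's
# profile is in complain mode, so anything printed here is effectively unconfined.
nonenforcing_snap_profiles() {
    awk '$1 ~ /^snap\./ && $2 != "(enforce)" { print $1, $2 }' "$1"
}

# Print the names of snaps whose Notes column in `snap list` output has "devmode".
devmode_snaps() {
    awk 'NR > 1 && $NF ~ /(^|,)devmode(,|$)/ { print $1 }' "$1"
}

# 0 only if AppArmor is on, every snap profile enforces, and no snap is in devmode.
# Arguments: <enabled file> <profiles file> <snap list output file>
confinement_ok() {
    apparmor_enabled "$1" || return 1
    [ -z "$(nonenforcing_snap_profiles "$2")" ] || return 1
    [ -z "$(devmode_snaps "$3")" ]
}

# Constructed sample data mimicking the three inputs on a system where one snap
# ("scratch") was installed with --devmode. Written into the directory given as $1.
write_sample_data() {
    printf 'Y\n' > "$1/enabled"
    cat > "$1/profiles" <<'EOF'
/usr/lib/connman/scripts/dhclient-script (enforce)
snap.core.hook.configure (enforce)
snap.hello-world.hello (enforce)
snap.scratch.scratch (complain)
EOF
    cat > "$1/snaplist" <<'EOF'
Name         Version  Rev  Developer  Notes
core         16-2     1689 canonical  -
hello-world  6.3      27   canonical  -
scratch      0.1      x1   -          devmode
EOF
}

# Run the same checks against the live system (needs snapd and the sysfs files).
live_check() {
    tmp=$(mktemp) || return 1
    snap list > "$tmp"
    confinement_ok /sys/module/apparmor/parameters/enabled \
                   /sys/kernel/security/apparmor/profiles "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Demonstration on the constructed sample: reports the devmode snap.
sample=$(mktemp -d)
write_sample_data "$sample"
if confinement_ok "$sample/enabled" "$sample/profiles" "$sample/snaplist"; then
    echo "confinement in effect for all snaps"
else
    echo "WARNING: unconfined snaps present:"
    nonenforcing_snap_profiles "$sample/profiles"
    devmode_snaps "$sample/snaplist"
fi
rm -rf "$sample"
```

On a real machine, run it with sh and then call live_check; a non-zero exit means either the kernel booted without AppArmor (check that you are actually running the patched linux-lts kernel), snapd.apparmor did not load the profiles, or some snap was installed with --devmode and should be reinstalled in strict mode.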