Friday, 22 July 2016

Using snap with confinement on Arch Linux


This week I was a guest at the Snappy Sprint in Heidelberg, hosted by Canonical, because I'm the maintainer of the snap packages on Arch Linux.

Currently, with the official Arch Linux packages you can only use snaps without confinement (that is, you can only install packages in devmode). This is bad for security, since no snap is confined and each one can do (almost) anything it wants.

The reason is that snap confinement relies on the Ubuntu-patched version of AppArmor, which is not available in the mainline kernel yet.

So this week I worked on porting the AppArmor patches to the linux-lts kernel, and I created some AUR packages to get confinement working.
I also had to get upstream to fix some weird bugs; eventually it was a complete success and confinement works perfectly.

If you are curious and want to try it, you just need to install snapd-confinement (and its dependencies) from the AUR.

If you don't want to spend a lot of time compiling the kernel, you can just use my repository. To do that, execute the following commands as root:
# Configure Arch Linux to use my repository
cat <<'EOF' >> /etc/pacman.conf
[tredaelli-snap]
SigLevel = Optional
Server = http://pkgbuild.com/~tredaelli/repo/snap/$arch
EOF

# Install needed packages
pacman -Syu snapd-confinement linux-lts-apparmor3

# Regenerate grub configuration
grub-mkconfig -o /boot/grub/grub.cfg

# Enable needed systemd services
systemctl enable apparmor snapd.apparmor snapd.socket

# (Optional) Enable snapd.refresh.timer to automatically update snaps
systemctl enable snapd.refresh.timer

# Reboot in order to use the new kernel
reboot
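After rebooting, it is worth confirming that confinement is really in effect: that the running kernel has AppArmor enabled, that the services above are enabled, and that no snap was installed in devmode (a devmode snap is unconfined even on a patched kernel). Note also that `SigLevel = Optional` tells pacman to install packages from that repository even when they carry no signature. The following script is an added example, not part of the original post or of the snapd-confinement packages; the sysfs path it reads and the `snap list` layout (a Notes column that contains "devmode") are assumptions, and the sample `snap list` output embedded at the bottom is constructed so the parsing can be demonstrated offline.

```shell
#!/bin/sh
# Added example (not from the original post): post-reboot checks to confirm
# that snaps are actually confined. Both helpers take their input explicitly
# so they can be exercised without AppArmor or snapd installed.

# apparmor_enabled [FILE]
# Returns 0 if FILE (assumed default: /sys/module/apparmor/parameters/enabled)
# contains "Y", i.e. the running kernel has AppArmor enabled.
apparmor_enabled() {
    file="${1:-/sys/module/apparmor/parameters/enabled}"
    [ -r "$file" ] && [ "$(cat "$file")" = "Y" ]
}

# devmode_snaps < snap-list-output
# Reads `snap list` output on stdin and prints the names of snaps whose Notes
# column (assumed to be the last one) mentions "devmode": those run unconfined.
devmode_snaps() {
    awk 'NR > 1 && $NF ~ /devmode/ { print $1 }'
}

# Constructed sample of `snap list` output, used only for the offline demo.
SAMPLE_SNAP_LIST='Name         Version  Rev  Developer  Notes
hello-world  6.3      27   canonical  devmode
ubuntu-core  16.04.1  352  canonical  -'

main() {
    if apparmor_enabled; then
        echo "AppArmor: enabled in the running kernel ($(uname -r))"
    else
        echo "AppArmor: NOT enabled; you are probably not booted into linux-lts-apparmor3"
    fi

    # The units the post enables; "unknown" means systemctl is unavailable here.
    for unit in apparmor snapd.apparmor snapd.socket; do
        echo "$unit: $(systemctl is-enabled "$unit" 2>/dev/null || echo unknown)"
    done

    # Devmode snaps bypass confinement regardless of the kernel.
    unconfined=$(snap list 2>/dev/null | devmode_snaps)
    if [ -n "$unconfined" ]; then
        echo "Snaps installed in devmode (unconfined): $unconfined"
    else
        echo "No devmode snaps reported by 'snap list'"
    fi

    echo "Offline demo on the constructed sample: $(printf '%s\n' "$SAMPLE_SNAP_LIST" | devmode_snaps)"
}

main
```

Run it as a normal user after the reboot; any snap it lists as devmode should be reinstalled without `--devmode` once confinement works, otherwise the kernel patches buy you nothing for that snap.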

Known bugs:
If you use KDE, like I do, X-based snaps don't currently work, since the Xauthority file is in the /tmp directory.

Until upstream fixes the bug I reported, you can use my workaround.
Just create a script at ~/.config/plasma-workspace/env/fix_xauth.sh with the following content:
#!/bin/sh
# Sourced by plasma-workspace at login. If the session put the Xauthority
# file somewhere else (for example under /tmp), copy it to ~/.Xauthority
# and point XAUTHORITY at that copy so X-based snaps can find it.
if [ -n "$XAUTHORITY" ] && [ "$XAUTHORITY" != "$HOME/.Xauthority" ]; then
    cp -f "$XAUTHORITY" "$HOME/.Xauthority"
    export XAUTHORITY="$HOME/.Xauthority"
fi
Make it executable and reboot.