Debian 13:

$ uname -r
6.12.88+deb13-amd64

$ snap debug sandbox-features|grep confinement
confinement-options:  classic devmode

$ snap debug confinement
partial

$ aa-enabled
Yes

Ubuntu (24.04):

$ uname -r
6.8.0-117-generic

$ snap debug sandbox-features|grep confinement
confinement-options:  classic devmode strict

$ snap debug confinement
strict

$ aa-enabled
Yes

What does this mean, you ask? Well, basically every Snap package you thought was running isolated in its own little sandbox was running unconfined the whole time. The proprietary app you removed the :home connection from, so it wouldn’t be able to access your home directory? Well, it could have exfiltrated all our private files in the meantime.

How is this not a bigger deal and how are Snaps ever to become mainstream when even today, more than 10 years after the introduction of snaps, you can’t run them sandboxed on a huge portion of Linux distros?
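
The check from the post as a reusable function, added here as an example (it is not part of the original post or of snapd): it takes the output of `snap debug confinement` and `snap debug sandbox-features` and reports whether strict confinement is available. The function name and verdict strings are this example's own.

```shell
#!/bin/sh
# Added example (not from the post): decide whether snapd on a host can run
# strict confinement, using the output of the two commands shown in the post.
# The verdict strings are this example's own labels.

# usage: snap_strict_verdict "<snap debug confinement>" "<snap debug sandbox-features>"
snap_strict_verdict() {
    # `snap debug confinement` prints a single word: strict, partial or none.
    mode=$(printf '%s' "$1" | tr -d '[:space:]')
    # Keep only the values of the confinement-options line.
    options=$(printf '%s\n' "$2" | sed -n 's/^confinement-options:[[:space:]]*//p')
    case " $options " in
        *" strict "*) offered=yes ;;
        *)            offered=no ;;
    esac
    if [ "$mode" = strict ] && [ "$offered" = yes ]; then
        echo "strict-available"
    elif [ "$mode" = strict ] || [ "$offered" = yes ]; then
        # The two commands disagree: treat the host as unverified, not as safe.
        echo "inconsistent (mode=$mode, strict-offered=$offered)"
    else
        echo "strict-unavailable (mode=$mode)"
    fi
}

# Outputs copied from the post (sandbox-features reduced to the grepped line).
DEBIAN_MODE='partial'
DEBIAN_FEATURES='confinement-options:  classic devmode'
UBUNTU_MODE='strict'
UBUNTU_FEATURES='confinement-options:  classic devmode strict'

echo "Debian 13:    $(snap_strict_verdict "$DEBIAN_MODE" "$DEBIAN_FEATURES")"
echo "Ubuntu 24.04: $(snap_strict_verdict "$UBUNTU_MODE" "$UBUNTU_FEATURES")"

# On a live host:
#   snap_strict_verdict "$(snap debug confinement)" "$(snap debug sandbox-features)"
```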

  • adarza@lemmy.ca
    11 hours ago

    i know that. i suggested the bug report because snaps themselves do report strict confinement even though snap debug doesn’t list that confinement option’s availability.

    • hendrik@palaver.p3x.de
      11 hours ago

      Uh yeah. That is more information… Sorry, I’m not that familiar with Snaps. It looks to my untrained eye a bit like the report on the Snap itself, maybe it advertises to support running in strict confinement. Which it could… but doesn’t do. (Like the other channels, which you could install, but didn’t… It’s kind of buried with that kind of information.)

      It’s confusing at least. And the user definitely wouldn’t expect it from that wording. So I’d view it as a separate bug as well. And dropping confinement without notice would be the third thing I’d consider a bug.