Snap is not clear about partial strict confinement

Bug #1887204 reported by Merlijn Sebrechts
This bug affects 3 people
Affects: snapd
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned

Bug Description

Snap does not clearly communicate to users about partial strict confinement on distributions which do not support all required confinement features. It should do so at multiple places:

* Installing a classic confined app results in an error message in the CLI and a warning in the Snap Store. Installing a strictly confined app on a distro which has partial support for this has similar security and privacy issues, but the user is not notified about this.
* The documentation about the benefits of confinement does not talk about partial strict confinement and there is no list of which distros support strict and partial confinement.

This leads to dangerous situations where users think an app is restricted, but it isn't. WPS office is a common example of this. The snap store has multiple versions of WPS office with network access disabled because users might be worried about sensitive documents leaking to the internet.

source: https://forum.snapcraft.io/t/how-are-snaps-claiming-to-have-no-internet-plug-regulated/18755/22
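
A local check for the situation this report describes, as an added example that is not part of the original report or of snapd: it flags installed snaps that are presented as strictly confined on a host where `snap debug confinement` does not report `strict`. The function names and the sample snap names used to exercise it are hypothetical, and the parsing assumes the usual `snap list` layout with the Notes column last.

```shell
#!/bin/sh
# Added example, not snapd code. Function names are hypothetical.

# Map the word printed by `snap debug confinement` to an exit status:
# 0 = strict is fully enforced, 1 = partial or none, 2 = unrecognised.
confinement_enforced() {
    case "$1" in
        strict) return 0 ;;
        partial|none) return 1 ;;
        *) return 2 ;;
    esac
}

# Read `snap list` output on stdin and print the names of snaps whose
# Notes column (last field) carries neither classic nor devmode.
# Simplification: base, core, snapd, kernel and gadget snaps are skipped.
strict_snaps() {
    awk 'NR > 1 && $NF !~ /classic|devmode|base|core|snapd|kernel|gadget/ { print $1 }'
}

# $1 is the output of `snap debug confinement`; stdin is `snap list`.
# Prints one warning per affected snap and returns 1 when strict
# confinement is not fully enforced (unrecognised modes fail closed).
audit_confinement() {
    mode=$1
    if confinement_enforced "$mode"; then
        return 0
    fi
    strict_snaps | while read -r name; do
        echo "WARNING: $name is published as strict, but this system's confinement is '$mode'"
    done
    return 1
}

# Run against the live system only when snap is installed.
if command -v snap >/dev/null 2>&1; then
    snap list 2>/dev/null | audit_confinement "$(snap debug confinement)" ||
        echo "strict confinement is not fully enforced on this host"
fi
```
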

information type: Private Security → Public Security
description: updated
Maciej Borzecki (maciek-borzecki) wrote :

We need to think about how and when any user-facing information should be displayed. Installation time is probably the right time to do it, so we do not risk breaking the application flow.

Changed in snappy:
status: New → Confirmed
Michael Vogt (mvo)
affects: snappy → snapd