Security of snaps under X11

Solution 1:

This specifically relates to snaps that use X11. In other words, snaps are not running unconfined, but if the confinement of the snap includes access to X, then yeah: it has access to X. It does not involve snaps that don't use the unity7 or x11 interfaces. The issue described in that blog post is a well-known limitation of X, and is one of the reasons alternative technologies are being developed (e.g. Mir).

Gustavo Niemeyer has written a good blog post that discusses this. I'll quote here for posterity and completeness:

The security minded will observe that X11 is not in fact a secure protocol. A number of system abuses are possible when we hand an application this permission. Other interfaces such as home would give the snap access to every non-hidden file in the user’s $HOME directory (those that do not start with a dot), which means a malicious application might steal personal information and send it over the network (assuming it also defines a network plug).

Some might be surprised that this is the case, but this is a misunderstanding about the role of snaps and Snappy as a software platform. When you install software from the Ubuntu archive, that’s a statement of trust in the Ubuntu and Debian developers. When you install Google’s Chrome or MongoDB binaries from their respective archives, that’s a statement of trust in those developers (these have root on your system!). Snappy is not eliminating the need for that trust, as once you give a piece of software access to your personal files, web camera, microphone, etc, you need to believe that it won’t be using those allowances maliciously.

The point of Snappy’s confinement in that picture is to enable a software ecosystem that can control exactly what is allowed and to whom in a clear and observable way, in addition to the same procedural care that we’ve all learned to appreciate in the Linux world, not instead of it. Preventing people from using all relevant resources in the system would simply force them to use that same software over less secure mechanisms instead of fixing the problem.

And what we have today is just the beginning. These interfaces will soon become much richer and more fine grained, including resource selection (e.g. which serial port?), and some of them will disappear completely in favor of more secure choices (Unity 8, for instance).
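The first answer turns on whether a snap's confinement actually includes the x11 or unity7 interfaces. Below is an added example (not part of either answer and not snapd's own tooling) that parses the output of `snap connections --all` and lists the snaps with a connected x11 or unity7 plug, i.e. the ones exposed to the X limitation discussed here. The four-column layout (Interface, Plug, Slot, Notes) and the sample output are assumptions; the sample is constructed, not captured from a real host.

```python
"""List snaps whose confinement grants X access through the x11 or unity7 interface.

Added example: parses text shaped like `snap connections --all` output. The column
layout assumed here (Interface, Plug, Slot, Notes; Slot "-" = not connected) is an
assumption about snapd's output format, and SAMPLE_OUTPUT is constructed data.
"""
import sys

# Interfaces that hand a snap a connection to the X server.
X_INTERFACES = {"x11", "unity7"}

# Constructed sample in the shape of `snap connections --all`; not a real capture.
SAMPLE_OUTPUT = """\
Interface            Plug                   Slot                             Notes
content[gnome-3-28]  gimp:gnome-3-28-1804   gnome-3-28-1804:gnome-3-28-1804  -
home                 gimp:home              :home                            -
network              gimp:network           :network                         -
unity7               gimp:unity7            :unity7                          -
x11                  gimp:x11               :x11                             -
home                 hello-world:home       -                                -
network              nextcloud:network      :network                         -
x11                  some-tool:x11          -                                -
"""


def parse_connections(text):
    """Return a list of (interface, snap, plug, connected) tuples.

    The first line is treated as the header. A plug whose Slot column is "-" is
    declared by the snap but not connected, so it grants nothing yet.
    """
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 3:
            continue  # blank or malformed line
        interface, plug, slot = parts[0], parts[1], parts[2]
        snap = plug.split(":", 1)[0]  # plug is written as <snap>:<plug-name>
        rows.append((interface, snap, plug, slot != "-"))
    return rows


def snaps_with_x_access(text):
    """Sorted snap names that have a *connected* x11 or unity7 plug."""
    return sorted({snap for iface, snap, _plug, connected in parse_connections(text)
                   if iface in X_INTERFACES and connected})


if __name__ == "__main__":
    # Read real output when piped in; fall back to the constructed sample otherwise.
    data = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    print("Snaps with X access:", snaps_with_x_access(data))
```

On a live system the script can be fed with `snap connections --all | python3 check_x_snaps.py` (the file name is arbitrary). In the constructed sample only `gimp` is reported: `some-tool` declares an x11 plug but it is not connected, and the remaining snaps use only home or network.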

Solution 2:

The problem is not with snaps, but with X11, which is 30-year-old technology designed without much consideration for security.

To "address the problem" you simply need to get rid of X11. Systems without it, such as servers, can benefit from snap isolation right now. The new Mir that will replace xserver, hopefully sooner rather than later, is supposed to address the security problems of X11.

You are more than welcome to read Matthew Garrett's blog post to satisfy your curiosity. It says:

The problem here is the X11 windowing system. X has no real concept of different levels of application trust. Any application can register to receive keystrokes from any other application. Any application can inject fake key events into the input stream. An application that is otherwise confined by strong security policies can simply type into another window. An application that has no access to any of your private data can wait until your session is idle, open an unconfined terminal and then use curl to send your data to a remote site. As long as Ubuntu desktop still uses X11, the Snap format provides you with very little meaningful security.