What should a 'strict' confinement snapcraft be able to access without any plugs?


snapcraft 7.5.3 running on WSL2.

I created a very simple test snap package:

snapcraft.yaml:

name: testsnap
base: core22
version: '0.1'
summary: testsnap
description: |
  test

grade: stable
confinement: strict

parts:
  my-part:
    plugin: dump
    source: bin

apps:
  test:
    command: myecho
    plugs: []

As a test, myecho reads the public key on the host machine.

#!/bin/sh
# Read the host user's SSH public key via the snap-provided real home path.
cat "$SNAP_REAL_HOME/.ssh/id_rsa.pub"

Since I don't have any plugs (e.g. ssh-keys), I wouldn't have thought this should work.

However it happily outputs ssh-rsa AAAAB3......

As this is a test, I'm installing with --dangerous (which, according to the docs I read, shouldn't change confinement).

sudo snap install testsnap_0.1_amd64.snap --dangerous

Am I missing something simple? Or is this a WSL2 problem/limitation - if so, I need to stop testing snaps on WSL2.


There is 1 answer

Tom

Snap uses AppArmor for confinement, which is, at the time of writing, missing from WSL2 (at least by default).

Therefore testing snap packages using WSL2 isn't robust as confinement mistakes might be missed.

snap debug confinement can be run to check the snap environment. If it doesn't say strict, then strict confinement isn't enforced. My WSL2 install says partial.
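Added example (not from the question or the answer): a small gate script that refuses to draw conclusions from a confinement test unless snapd reports strict confinement and AppArmor is enabled, and then checks that the unplugged app from the question is actually denied the SSH key. It assumes the snap is installed so the app is reachable as testsnap.test, and that the AppArmor module parameter lives at /sys/module/apparmor/parameters/enabled; run it as `sh check.sh run`.

```shell
#!/bin/sh
# Gate a snap confinement test on a host that really enforces it.

# Pure helper so the classification can be tested without snapd present:
# returns 0 only when the reported confinement mode is exactly "strict".
confinement_is_strict() {
    mode=$(printf '%s' "$1" | tr -d '[:space:]')
    [ "$mode" = "strict" ]
}

# AppArmor check via the kernel's module parameter. Assumption: the file
# is absent or not "Y" when AppArmor is unavailable (as on default WSL2).
apparmor_enabled() {
    f="${1:-/sys/module/apparmor/parameters/enabled}"
    [ -r "$f" ] && [ "$(cat "$f")" = "Y" ]
}

# Expected verdict for the test app: with plugs: [] the read of
# $SNAP_REAL_HOME/.ssh/id_rsa.pub must fail under strict confinement.
# Returns 0 when the exit status is non-zero and no key was printed.
read_was_denied() {
    status="$1"; output="$2"
    [ "$status" -ne 0 ] && ! printf '%s' "$output" | grep -q '^ssh-rsa '
}

main() {
    mode=$(snap debug confinement 2>/dev/null)
    if ! confinement_is_strict "$mode"; then
        echo "snapd reports confinement '$mode', not strict: results are not meaningful" >&2
        return 2
    fi
    if ! apparmor_enabled; then
        echo "AppArmor is not enabled: strict confinement cannot be enforced" >&2
        return 2
    fi
    out=$(testsnap.test 2>&1); rc=$?   # app 'test' of snap 'testsnap' from the question
    if read_was_denied "$rc" "$out"; then
        echo "PASS: unplugged app was denied the SSH public key"
    else
        echo "FAIL: unplugged app read the SSH public key; confinement is not effective" >&2
        return 1
    fi
}

# Only run the gate when invoked with the 'run' argument.
case "${1:-}" in run) main ;; esac
```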