Confinement methods and white/blacklist directories


I’m new to snaps and have a more general question to understand the snap confinement model. I’m simplifying here but basically there are two main categories of attacks: 1. Attacks that try to hijack ones hardware (e.g. crypto miner, aso) 2. Attacks that try to hijack one’s data (e.g. ransomware).

I’d like to focus on (2) for now. As far as I understood for Snap apps, a user can only choose if an app has access to the entire home folder or not.

Is it possible to blacklist or whitelist certain directories, as otherwise one is not really protected against attacks of category 2? What is the influence of the different confinement methods (strict, classic) for threats of category 2?


  • Chromium snap: to protect against zero-days in chromium it should only have access to the Downloads folder. There is no need for it to have access to the rest of my home folder.
  • An office software should only have access to Documents so that if it gets hijacked (e.g. through a malicious file) it cannot access all files.

Thanks for your help! I quite like the concepts of snaps as a user and as a developer and would like to understand better how it works. :smiley: