Documentation of /var/lib/snapd/hostfs

Lin-Buo-Ren · September 6, 2018, 5:59am

As title, I’d like to know what its purpose but can’t find the documentation, any pointers?

Lin-Buo-Ren · September 13, 2018, 9:48am

Bumping topic…

ijohnson · September 13, 2018, 2:20pm

As part of the setup sequence for running a snap on a classic system, a new mount namespace is setup for the snap when it is first run (this also can be setup if it’s run again after the namespace has been discarded by /usr/lib/snapd/snap-discard-ns). The first step is to mount the rootfs snap (currently the core snap, but could be any base snap) file as “/”, so that the snap’s rootfs shows up as the core snap (or the specified base snap). After setting this up, a pivot_root is executed to enter the new rootfs (this is similar to a chroot if you’re more familiar with that), and part of how pivot_root works is that when you go into a new root, pivot_root needs to put the oldroot somewhere, and so for snaps, the oldroot parameter gets set to /var/lib/snapd/hostfs. This way files from the original filesystem don’t “disappear”. Then to prevent snaps from accessing all the host’s files through this path, access to /var/lib/snapd/hostfs is mediated through AppArmor to prevent accessing those files (but in some cases access is allowed, i.e. for getting NVIDIA GPU drivers, but it’s very specific what’s allowed). However as a proof of concept, you can use a utility called nsenter to peek at what the namespaces the snap is setup with and look at this /var/lib/snapd/hostfs, but notably without any of the confinement of snapd. First start a process confined by snap-confine and get it’s pid:

$ snap run --shell hello-world.hello-world
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

$ echo $BASHPID
15255

Now we enter the same mount namespace with nsenter (note the --all option doesn’t appear to exist on xenial):

$ sudo nsenter -t 15255 --all
-bash: /usr/bin/locale-check: No such file or directory
# ls /meta/snap.yaml 
/meta/snap.yaml
# cat /meta/snap.yaml 
name: core
version: 16-2.35.2
summary: snapd runtime environment
description: The core runtime environment for snapd
type: os
architectures:
- amd64
confinement: strict
grade: stable
# ls /var/lib/snapd/hostfs/    
bin    dev         home            lib    libx32      mnt   root  snap      sys  var
boot   etc         initrd.img      lib32  lost+found  opt   run   srv       tmp  vmlinuz
cdrom  initrd.img.old  lib64  media       proc  sbin  swapfile  usr  vmlinuz.old
# ls /
bin   dev  home  lib64  meta  opt   root  sbin  srv  tmp  var
boot  etc  lib   media  mnt   proc  run   snap  sys  usr  writable

Also see the README on snap-confine’s mount namespaces here

Lin-Buo-Ren · September 13, 2018, 2:28pm

Thanks for the explanation! Fully appreciated!

ogra · September 13, 2018, 2:31pm

While Ians explanation is really excellent, I really don’t think such deep technical implementation details belong in the documentation though.

/var/lib/snapd/hostfs is nothing you should ever touch directly from a snap neither as user nor as developer, it is an implementation detail of snap namespace handling and confinement.

ijohnson · October 11, 2018, 5:24pm

Actually, @zyga-snapd’s explanation here is the best version of this : Snapd 2.36, snap-confine logic walkthrough