This page documents some of the internal debugging commands. The nature of such commands is that they may change or disappear from version to version. Still, as they exist and can be used, they are described below.
snap debug confinement
available since snapd 2.31.1
This command prints a single word, depending on how the system's overall confinement support is assessed. The output is strict if snapd has all the tools necessary to offer the best possible confinement for strictly confined snaps. Otherwise the output is partial, as not all of the features that could be used are available.
snap debug sandbox-features [--required FEATURE...]
available since snapd 2.33
This command prints detailed information about the sandboxing technologies available to snapd. The output is presented as a set of lists, one for each security backend available in snapd. The elements of the lists are simple tags that identify the presence of a given feature.
The features have two sources: those directly advertised by the kernel are prefixed with kernel:, while all other features come from snapd itself as higher-level constructs built on top of kernel features.
The command can also take a list of required features, in which case it acts as a simple test for scripting, reporting the result through its exit code.
The tags are described here for convenience:
apparmor
- kernel:caps - apparmor can mediate access to kernel capabilities
- kernel:dbus - apparmor can mediate access to dbus method calls and signals
- kernel:domain - apparmor can set and switch security labels
- kernel:file - apparmor can mediate access to files and directories
- kernel:mount - apparmor can mediate mounting and unmounting
- kernel:namespaces - apparmor supports apparmor-specific namespacing
- kernel:network - apparmor can mediate the family of network sockets used
- kernel:policy - apparmor policy can be inspected from userspace
- kernel:ptrace - apparmor can mediate ptrace
- kernel:query - apparmor supports label data queries
- kernel:rlimit - apparmor can mediate resource limits
- kernel:signal - apparmor can mediate UNIX signals
dbus
- mediated-bus-access - snapd can generate DBus XML bus rules that control bus ownership and message access control lists
kmod
- mediated-modprobe - snapd can load kernel modules on behalf of snaps
seccomp
- bpf-argument-filtering - snapd can use BPF programs to filter system calls by argument values
- kernel:allow - seccomp BPF program can allow a system call to execute
- kernel:errno - seccomp BPF program can set an errno code
- kernel:kill - seccomp BPF program can kill a process or thread
- kernel:log - seccomp BPF program can log the use of a system call
- kernel:trace - seccomp BPF program can notify a tracer program of a system call
- kernel:trap - seccomp BPF program can send SIGSYS and not execute a system call
mount
- freezer-cgroup-v1 - snapd puts all snap processes into a v1 hierarchy of the freezer cgroup and freezes processes for mount namespace modifications
- layouts-beta - layouts are available as an experimental feature
- mount-namespace - snapd puts all non-classically confined processes into a distinct mount namespace
- per-snap-persistency - snapd persists the per-snap mount namespace across process executions
- per-snap-profiles - snapd allows configuring the per-snap mount namespace with an fstab-like mount profile
- per-snap-updates - snapd can update the per-snap mount namespace for running applications
- per-snap-user-profiles - snapd allows configuring the per-snap, per-user mount namespace with an fstab-like mount profile
- stale-base-invalidation - snapd automatically invalidates the preserved mount namespace when the base snap revision changes
udev
- device-cgroup-v1 - snapd puts all snap processes into a v1 hierarchy of the device cgroup and uses it to control access to character and block devices
- tagging - snapd uses udev rules to add new devices to existing device cgroups
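As an added example (not code from the snapd documentation or the snapd project), a POSIX shell helper that checks a host for the sandbox features a deployment depends on and names the ones that are absent. It assumes that --required takes features in backend:tag form (for example apparmor:kernel:caps) and that the plain command prints one "backend:  tag tag ..." line per backend; the sample output embedded below is constructed, not captured from a real host.

```shell
#!/bin/sh
# Constructed sample of `snap debug sandbox-features` output. The line format
# "<backend>:  <tag> <tag> ..." is an assumption, not captured from a real host.
SAMPLE_OUTPUT='apparmor:  kernel:caps kernel:dbus kernel:domain kernel:file kernel:mount kernel:namespaces kernel:network kernel:policy kernel:ptrace kernel:query kernel:rlimit kernel:signal
dbus:      mediated-bus-access
kmod:      mediated-modprobe
mount:     freezer-cgroup-v1 layouts-beta mount-namespace per-snap-persistency per-snap-profiles per-snap-updates per-snap-user-profiles stale-base-invalidation
seccomp:   bpf-argument-filtering kernel:allow kernel:errno kernel:kill kernel:log kernel:trace kernel:trap
udev:      device-cgroup-v1 tagging'

# has_feature OUTPUT BACKEND:TAG -> 0 if the backend's line lists TAG, else 1.
# Only the first colon splits backend from tag ("apparmor:kernel:caps").
has_feature() {
    backend=${2%%:*}
    tag=${2#*:}
    while read -r key rest; do
        [ "$key" = "$backend:" ] || continue
        for word in $rest; do
            [ "$word" = "$tag" ] && return 0
        done
    done <<EOF
$1
EOF
    return 1
}

# missing_features OUTPUT FEATURE... -> prints each absent feature, one per
# line; returns 0 only when every requested feature is present.
missing_features() {
    output=$1; shift
    rc=0
    for req in "$@"; do
        if ! has_feature "$output" "$req"; then
            printf '%s\n' "$req"
            rc=1
        fi
    done
    return $rc
}

# Live host: snapd's own --required gives the verdict; the parser names what is missing.
check_live() {
    if snap debug sandbox-features --required "$@"; then
        return 0
    fi
    echo "missing sandbox features:" >&2
    missing_features "$(snap debug sandbox-features)" "$@" >&2
    return 1
}
```

On a real host, `check_live apparmor:kernel:signal seccomp:bpf-argument-filtering` exits non-zero and lists what is absent, which is more useful in a provisioning script than the bare exit code alone.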
snap debug get-base-declaration
available since snapd 2.23.6
This command prints the so-called base declaration that is stored in snapd. The base declaration is an assertion that governs the base policy for who can declare, connect or auto-connect any plug and slot on the system. This assertion is built into snapd, but the decisions taken based on it can also be influenced and overridden by other assertions, such as the per-snap snap-declaration assertions, which can alter the interface policy for a specific snap, e.g. by granting it access to an interface that is otherwise off-limits.