New to snap, Need help regarding sandbox


#1

Hello… I’ve just started using snap for opera on Manjaro(KDE). Till now no problem,whatsoever.
But I would just like to know how I could edit the snapd sandbox so that opera can’t access anything from my Home except downloads & snap. I’m accustomed with firejail but don’t know whether snapd supports whitelist-blacklist rules.

Thanks


#2

Hello

Snapd has the concept of “snap interfaces”. Those are documented https://docs.snapcraft.io/interface-management/6154

In this particular case opera is very likely to contain a home plug that can be connected to the system home slot with a command snap connect opera:home (the slot can be omitted in this case). This will grant opera access to all the non-dot files in your home directory.

The case of editing permissions associated with interface connections is far more complex so I will refrain from going there. It will most certainly require your own build of snapd so that rules added to your system will not conflict with the evolution of rules that constitute the rest of the snapd permissions.


#3

Thanks. & it did what I wanted… but is there any way to allow just download or any other specific directory in home after disconnecting home slot from opera?


#4

Apps can write to per-snap, per-user directory. This directory is conveyed to the application as $SNAP_USER_DATA, also as $HOME, for convenience. This directory is ~/snap/$SNAP_NAME/$SNAP_REVISION. You can easily get there as a user and apps will easily write there by deriving paths from $HOME