Snap confinement

Snap confinement determines the amount of access an application has to system resources, such as files, the network, peripherals and services. There are several levels of confinement.

Confinement ensures that individual pieces of software do not impact the robustness of the user’s system or cause issues with other applications. As a result, when the user runs a snap, the software it provides is isolated from the system to some degree, with a default that limits access to a strict minimum of features.

Confinement levels

A snap’s confinement level controls the degree of isolation it has from the user’s system. Application developers or packagers can adjust the confinement level to specify in broad terms how much access to system resources an application needs, either for normal use or during development.

There are two levels of snap confinement for published snaps:

  • Strict: Used by the majority of snaps. Strictly confined snaps run in complete isolation, up to a minimal access level that’s deemed always safe. Consequently, strictly confined snaps cannot access files, network, processes or any other system resource without requesting specific access via an interface (see below).
  • Classic: Allows access to the system’s resources in much the same way traditional packages do. To safeguard against abuse, publishing a classic snap requires manual approval, and installation requires the --classic command line argument.

An additional mode is useful during the development process:

  • Devmode: A special mode for snap creators and developers. A devmode snap runs as a strictly confined snap with full access to system resources, and produces debug output to identify unspecified interfaces. Installation requires the --devmode command line argument. Devmode snaps cannot be released to the stable channel, do not appear in search results, and do not automatically refresh.

Strict confinement uses security features of the Linux kernel, including AppArmor, seccomp and namespaces, to prevent applications and services accessing the wider system.

Getting the confinement level

Use the snap command to discover the confinement level for a snap:

$ snap info --verbose vlc
[...]
  confinement:       strict
  devmode:           false
[...]

To see which installed snaps are using classic confinement, look for classic under the Notes column in the output of snap list:

$ snap list
Name      Version   Rev   Tracking  Publisher       Notes
vlc       3.0.6     770   stable    videolan✓       -
code      0dd516dd  5     stable    vscode✓         classic
wormhole  0.11.2    112   stable    snapcrafters    -
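As an added example (not part of the original documentation), the two checks above can be scripted into a small audit of which installed snaps run outside strict confinement. The `snap list` and `snap info --verbose` output embedded below is constructed so the helpers run offline; in practice they are fed by piping the real commands into them.

```shell
#!/bin/sh
# Audit helpers for snap confinement, built on the plain-text output of
# `snap list` (Notes column: classic / devmode / jailmode flags, comma-separated)
# and `snap info --verbose` (confinement: and devmode: fields).
#
# Usage on a real system:
#   snap list | audit_snap_list
#   snap info --verbose vlc | confinement_of

# Constructed sample in the same column layout `snap list` prints.
SAMPLE_SNAP_LIST='Name      Version   Rev   Tracking  Publisher       Notes
vlc       3.0.6     770   stable    videolan✓       -
code      0dd516dd  5     stable    vscode✓         classic
myapp     0.1       x1    -         -               devmode
wormhole  0.11.2    112   stable    snapcrafters    -'

# Constructed excerpt of `snap info --verbose vlc`.
SAMPLE_SNAP_INFO='name:      vlc
publisher: VideoLAN✓
  confinement:       strict
  devmode:           false'

# Print the names of snaps whose Notes column carries the given flag
# (e.g. classic or devmode). Reads `snap list` output on stdin.
snaps_with_note() {
    awk -v flag="$1" 'NR > 1 {
        n = split($NF, notes, ",")
        for (i = 1; i <= n; i++) if (notes[i] == flag) { print $1; break }
    }'
}

# One line per snap that is not strictly confined, with why it matters.
# Reads `snap list` output on stdin.
audit_snap_list() {
    awk 'NR > 1 {
        n = split($NF, notes, ",")
        for (i = 1; i <= n; i++) {
            if (notes[i] == "classic")
                print $1 ": classic (system access like a traditional package; manually approved)"
            else if (notes[i] == "devmode")
                print $1 ": devmode (strict policy not enforced; no auto-refresh)"
        }
    }'
}

# Extract the confinement level from `snap info --verbose` output on stdin.
confinement_of() {
    awk '$1 == "confinement:" { print $2; exit }'
}
```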

Interfaces and confinement

Snaps with strict confinement must use interfaces to access resources on the user’s system, including those provided by other snaps.

1 Like

Is there an example of this situation? I would expect snaps with strict confinement to behave exactly the same without the confinement; if this holds, I could simply tell the user to disable it when certain use cases that require the snap to run unconfined are encountered.

Also, I noticed that when confinement is set to classic the command wrappers generated by snapcraft don’t seem to set dynamic linker and executable search paths as it would when confinement is set to non-classic, is this a normal behavior?

Yes, this is intended. The wrapper normally doesn’t have to concern itself with interaction with libraries in the outside world or interacting with programs that are launched from the snap that exist in the outside world. When a snap is built for classic confinement it needs to be very careful with how it loads libraries because starting an application that isn’t part of the snap would inherit things like LD_LIBRARY_PATH and cause segfaults everywhere (for example)!

1 Like

You mean starting/fork-exec a non-snap application from the snapped application, right?

We should probably document that classic confinement snaps won’t benefit from automatic updates.

Classic snaps do auto-refresh; it’s devmode snaps that don’t. There is a situation where a snap goes from strict to classic where it won’t auto-refresh iirc (@popey can likely give more details).

:man_facepalming: Thanks for the correction.

Documented that devmode snaps don’t benefit from automatic updates, as well as being prohibited from release in the stable channel and not present in search results.

2 Likes

“Upgraded” the snap list example to the official code snap published by Microsoft.

2 Likes

Brilliant, thank you!

This is no longer accurate, can we change this? I.e. see

$ sudo snap install hello-world --classic
Warning: flag --classic ignored for strictly confined snap hello-world

hello-world 6.4 from Canonical✓ installed

--classic only allows installing a classic snap; it is ignored for strict snaps.

1 Like

Thanks for flagging this, and you’re right. I’ve removed the admonition so it doesn’t cause confusion.

1 Like

Hi, I recently installed the lxd snap on one of my servers. Initially it was working fine. Now I need to install gitlab-ce in my lxd container, which requires sysctl access. But the snap documentation says I can only change the confinement option at install time. Is there any way to change confinement without reinstalling it, because other containers are already running production websites?

There is no mention of the --jailmode option to snap install; how does that affect the subsequent confinement?