Snap confinement


#1

A snap’s confinement level is the degree of isolation it has from your system. There are three levels of snap confinement:

  • Strict
    Used by the majority of snaps. Strictly confined snaps run in complete isolation, and consequently, can not access your files, network, processes or any other system resource without requesting specific access via an interface (see below).
  • Classic
    Allows access to your system’s resources in much the same way traditional packages do. To safeguard against abuse, publishing a classic snap requires manual approval, and installation requires the --classic command line argument.
  • Devmode
    A special mode for snap creators and developers. A devmode snap runs as a strictly confined snap with full access to system resources, and produces debug output to identify unspecified interfaces. Installation requires the --devmode command line argument.

Strict confinement uses security features of the Linux kernel, including AppArmor, seccomp and namespaces, to prevent applications and services accessing the wider system.

You can discover the confinement mode for any snap using the snap info --verbose command:

$ snap info --verbose vlc
[...]
  confinement:       strict
  devmode:           false
[...]

To see which installed snaps are using classic confinement, look for classic under the Notes column in the output of snap list:

$ snap list
Name          Version                  Rev   Tracking  Publisher         Notes
vlc           3.0.6                    770   stable    videolan✓         -
vscode        1.30.2-1546901646        75    stable    snapcrafters      classic
wormhole      0.11.2                   112   stable    snapcrafters      -

Interfaces and confinement

Each snap’s interface is carefully selected by a snap’s creator to provide specific access to a resource, according to a snap’s requirements. Common interfaces provide network access, desktop access and sound for example.

An interface needs to be connected to be active, and connections are made either automatically (at install time) or manually, depending on their function. The desktop interface is connected automatically, for instance, whereas the camera interface is not. See the Auto-connect column in Supported interfaces table for details on whether an interface automatically connects or not.

As with classic confinement, a snap’s publisher can request an assertion to automatically connect an otherwise non-auto-connecting interface. For example, the guvcview snap requested the camera interface be automatically-connected when the snap is installed.

If a snap is upgraded and includes a new assertion, the user will still need to connect the interface manually. Similarly, if an installed classic snap is upgraded to use strict confinement, its interfaces won’t be automatically configured.

ⓘ Overriding a strictly confined snap with --classic is not recommended. This undoes the confinement and causes unpredictable behaviour.

You can see which interfaces are connected and disconnected with the snap interfaces command (vlc:camera is disconnected in the following example):

$ snap interfaces vlc
Slot                   Plug
:desktop               ffmpeg,spotify,vlc
:home                  spotify,vlc
:network               spotify,vlc
:pulseaudio            ffmpeg,spotify,vlc
-                      vlc:camera

See Interface management for further details, including how to disconnect interfaces and make manual connections.


Subtle differences between devmode and classic confinement snaps
Adding OpenGL/GPU support to a snap
The docs roadmap
Snap Documentation
Releasing your app
Snapcraft overview
Snapcraft.yaml reference
Security concerns about user data in ~/snap/
Snapcraft top-level metadata
Snaps not running after installation
Call for testing: leagueoflegends
#2

Is there an example of this situation? I would expect snaps with strict confinement would behave exactly the same without the confinement if this holds I could simply tell the user to disable it when certain use cases that require the snap run unconfined are encountered.


#3

Also, I noticed that when confinement is set to classic the command wrappers generated by snapcraft don’t seem to set dynamic linker and executable search paths as it would when confinement is set to non-classic, is this a normal behavior?


#4

Yes, this is intended. The wrapper normally doesn’t have to concern itself with interaction with libraries in the outside world or interacting with programs that are launched from the snap that exist in the outside world. When a snap is built for classic confinement it needs to be very careful with how it loads libraries because starting an application that isn’t part of the snap would inherit things like LD_LIBRARY_PATH and cause segfaults everywhere (for example)!


Opening external applications (classic confinement)
The classic-launch Remote Part
Calling Go from a snap
#5

You mean starting/fork-exec a non-snap application from the snapped application, right?


#6

We should probably document that classic confinement snaps won’t be benefit from automatic updates.


#7

Classic snaps do auto-refresh; it’s devmode snaps that don’t. There is a situation where a snap goes from strict to classic where it won’t auto-refresh iirc (@popey can likely give more details).


#8

:man_facepalming: Thanks for the correction.