Snap confinement


A snap’s confinement level is the degree of isolation it has from your system. There are three levels of snap confinement:

  • Strict
    Used by the majority of snaps. Strictly confined snaps run in complete isolation and consequently cannot access your files, network, processes or any other system resource without requesting specific access via an interface (see below).
  • Classic
    Allows access to your system’s resources in much the same way traditional packages do. To safeguard against abuse, publishing a classic snap requires manual approval, and installation requires the --classic command line argument.
  • Devmode
    A special mode for snap creators and developers. A devmode snap runs as a strictly confined snap with full access to system resources, and produces debug output to identify unspecified interfaces. Installation requires the --devmode command line argument. Devmode snaps cannot be released to the stable channel, do not appear in search results, and do not automatically refresh.

Strict confinement uses security features of the Linux kernel, including AppArmor, seccomp and namespaces, to prevent applications and services from accessing the wider system.

You can discover the confinement mode for any snap using the snap info --verbose command:

$ snap info --verbose vlc
  confinement:       strict
  devmode:           false

To see which installed snaps are using classic confinement, look for classic under the Notes column in the output of snap list:

$ snap list
Name      Version   Rev   Tracking  Publisher       Notes
vlc       3.0.6     770   stable    videolan✓       -
code      0dd516dd  5     stable    vscode✓         classic
wormhole  0.11.2    112   stable    snapcrafters    -

Interfaces and confinement

Each interface a snap uses is selected by the snap’s creator to provide specific access to a resource, according to the snap’s requirements. Common interfaces provide network access, desktop access and sound, for example.

An interface needs to be connected to be active, and connections are made either automatically (at install time) or manually, depending on their function. The desktop interface is connected automatically, for instance, whereas the camera interface is not. See the Auto-connect column in the Supported interfaces table for details on whether an interface automatically connects or not.

As with classic confinement, a snap’s publisher can request an assertion to automatically connect an otherwise non-auto-connecting interface. For example, the guvcview snap requested that the camera interface be automatically connected when the snap is installed.

If a snap is upgraded and includes a new assertion, the user will still need to connect the interface manually. Similarly, if an installed classic snap is upgraded to use strict confinement, its interfaces won’t be automatically configured.

ⓘ Overriding a strictly confined snap with --classic is not recommended. This undoes the confinement and causes unpredictable behaviour.

You can see which interfaces are connected and disconnected with the snap connections command (vlc:camera is disconnected in the following example):

$ snap connections vlc
Interface         Plug                  Slot               Notes
camera            vlc:camera            -                  -
desktop           vlc:desktop           :desktop           -
desktop-legacy    vlc:desktop-legacy    :desktop-legacy    -
home              vlc:home              :home              -
mount-observe     vlc:mount-observe     -                  -

See Interface management for further details, including how to disconnect interfaces and make manual connections.
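An added audit helper (example code, not from the snap documentation) that parses the two output formats shown above: it lists installed snaps whose Notes column marks them classic or devmode, and the plugs a snap declares that are currently disconnected. The `snap list` and `snap connections` samples inside it are constructed to match the page’s examples, plus a constructed devmode snap named mytool.

```shell
#!/bin/sh
# Added example (not from the snap documentation): audit helpers that parse
# the output formats shown above. The sample inputs are constructed to match
# the page's `snap list` and `snap connections` examples; on a real host pipe
# in the output of `snap list` / `snap connections <snap>` instead.

# Constructed sample of `snap list` output (publisher checkmarks omitted).
SNAP_LIST='Name      Version   Rev   Tracking  Publisher       Notes
vlc       3.0.6     770   stable    videolan        -
code      0dd516dd  5     stable    vscode          classic
wormhole  0.11.2    112   stable    snapcrafters    -
mytool    1.0       3     edge      someone         devmode'

# Constructed sample of `snap connections vlc` output.
SNAP_CONNS='Interface         Plug                  Slot               Notes
camera            vlc:camera            -                  -
desktop           vlc:desktop           :desktop           -
home              vlc:home              :home              -
mount-observe     vlc:mount-observe     -                  -'

# Print "name confinement" for every snap whose Notes column contains
# classic or devmode, i.e. every snap that is not strictly confined.
# Notes is a comma-separated field (e.g. "classic,disabled"), so each
# token is checked rather than the whole column.
unconfined_snaps() {
    awk 'NR > 1 {
        n = split($NF, notes, ",")
        for (i = 1; i <= n; i++)
            if (notes[i] == "classic" || notes[i] == "devmode")
                print $1, notes[i]
    }'
}

# Print the plug of every interface whose Slot column is "-", i.e. an
# interface the snap declares that is currently disconnected.
disconnected_plugs() {
    awk 'NR > 1 && $3 == "-" { print $2 }'
}

# Stand-alone run over the constructed samples.
echo "Snaps not strictly confined:"
printf '%s\n' "$SNAP_LIST" | unconfined_snaps
echo "Disconnected plugs:"
printf '%s\n' "$SNAP_CONNS" | disconnected_plugs
```

Feed it real output (`snap list | unconfined_snaps`) to get a quick inventory of which installed snaps run outside strict confinement and which requested interfaces are still unconnected.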


Is there an example of this situation? I would expect snaps with strict confinement to behave exactly the same without the confinement. If this holds, I could simply tell the user to disable it when certain use cases that require the snap to run unconfined are encountered.


Also, I noticed that when confinement is set to classic, the command wrappers generated by snapcraft don’t seem to set the dynamic linker and executable search paths as they would when confinement is set to non-classic. Is this normal behaviour?


Yes, this is intended. The wrapper normally doesn’t have to concern itself with interaction with libraries in the outside world or interacting with programs that are launched from the snap that exist in the outside world. When a snap is built for classic confinement it needs to be very careful with how it loads libraries because starting an application that isn’t part of the snap would inherit things like LD_LIBRARY_PATH and cause segfaults everywhere (for example)!


You mean starting/fork-exec a non-snap application from the snapped application, right?


We should probably document that classic confinement snaps won’t benefit from automatic updates.


Classic snaps do auto-refresh; it’s devmode snaps that don’t. There is a situation where a snap goes from strict to classic where it won’t auto-refresh iirc (@popey can likely give more details).


:man_facepalming: Thanks for the correction.


Documented that devmode snaps don’t benefit from automatic updates, as well as being prohibited from release in the stable channel and not present in search results.


“Upgraded” the snap list example to the official code snap published by Microsoft.


Brilliant, thank you!