Is there a design document for this? I’m thinking about:
- can snap login/polkit be bypassed?
- what limits (perhaps internal, perhaps snapd-enforced) are in place on what the snap is allowed to install?
- if there are limits, how are they enforced?
- how can the unconfined non-root user influence the snap if the user is in a privileged group (eg, the first user on the system)?
- how can the unconfined non-root user influence the snap if the user is not in a privileged group (eg, non-admin users on the system (ie, a child’s account))?
- how can other snaps influence this snap? Does it export a content interface? A DBus service?
- how can other snaps influence this snap on systems with partial or forcedevmode confinement (eg, Arch or Fedora, respectively)?
There may be other questions after design review.