Interfaces allow (or deny) access to a resource outside of a snap’s confinement and, generally, any snap can declare any supported interface.
However, there is a limited set of interfaces that require extra scrutiny when their plugs are included in a snap. This is due to their permissive nature and the control and impact they potentially have over a system.
These interfaces are called super-privileged, and snaps that include plugs for super-privileged interfaces require specific approval from the Store before they can be distributed and installed.
Super-privileged interfaces
| Interface | Description | Categories | Auto-connect |
|---|---|---|---|
| block-devices | access to disk block devices | Super privileged, Storage, Low level | no |
| classic-support | enable resource access to classic snap | Super privileged, Ubuntu Core | no |
| custom-device | permits access to a specific class of device | Super privileged, Ubuntu Core | no |
| desktop-launch | identify and launch desktop apps from other snaps | Super privileged, Desktop | no |
| dm-crypt | access encrypted storage devices | Super privileged, Ubuntu Core, Storage | no |
| docker | start, stop, or manage Docker containers | Super privileged, Containers | no |
| docker-support | allows operating as the Docker daemon | Super privileged, Containers | no |
| gpio-control | allows to export/unexport and control all GPIOs | Super privileged, GPIO | no |
| greengrass-support | allows operating as the Greengrass service | Super privileged, Edge, AWS, Discrete | no |
| kernel-module-control | insert, remove and query kernel modules | Super privileged, System, Kernel | no |
| kernel-module-load | load, or deny loading, specific kernel modules | Super privileged, System, Kernel | no |
| kubernetes-support | use functions essential for Kubernetes | Super privileged, Hypervisor, Discrete | no |
| lxd | provides access to the LXD socket | Super privileged, Container, Discrete | no |
| lxd-support | allows operating as the LXD service | Super privileged, Container, Discrete | no |
| microstack-support | multiple service access to the Microstack infrastructure | Super privileged, Container, Discrete | no |
| mount-control | mount and unmount transient and persistent filesystem mount points | Super privileged, Storage | no |
| multipass-support | multipass-support allows operating as the Multipass service | Super privileged, VM, Discrete | no |
| packagekit-control | control the PackageKit service | Super privileged, Packaging | no |
| personal-files | read or write files in the user’s home directory | Super privileged, Personal data, Attributes | no |
| posix-mq | enables inter-process communication (IPC) messages | Super privileged, IPC | no by default, yes with snaps from the same publisher |
| remoteproc | interact with the kernel’s Remote Processor Framework | Super privileged | no |
| sd-control | control SD cards on specific devices | Super privileged, Storage | no |
| shared-memory | enables two snaps to access the same shared memory | Super privileged, IPC | no |
| snap-refresh-control | permits bespoke snap refresh control | Super privileged, Packaging | no |
| snap-refresh-observe | enables the tracking of snap refreshes | Super privileged, Packaging | no |
| snapd-control | install or remove software | Super privileged, Packaging | no |
| steam-support | allows the Steam snap to access pressure-vessel containers | Super privileged, Discrete | no |
| system-files | read or write files in the system | Super privileged, Storage, Attributes | no |
| tee | permits access to the Trusted Execution Environment | Super privileged, Security, Ubuntu Core | no |
| uinput | allows write access to /dev/uinput | Super privileged, Hardware | no |