Supported interfaces


#1

Interfaces enable resources from one snap to be shared with another. For general usage details, see Interface management.

The table below lists currently supported interfaces, with links to further details for each interface.

The following column names are used:

  • Interface name is the syntactical interface name, as used by snaps.

  • Auto-connect indicates that the interface will be connected by default when the snap is first
    installed, requiring no further user action.

  • Transitional interfaces are used by trusted snaps to access traditional Linux desktop environments that were not designed to integrate with snap isolation. As such, they will become deprecated as replacement or modified technologies that enforce strong application isolation become available.

| Interface name | Description | Auto-connect |
|---|---|---|
| account-control | add/remove user accounts or change passwords | no |
| accounts-service | allows communication with the accounts service | no |
| alsa | play or record sound | no |
| autopilot-introspection | be controlled by Autopilot software | no |
| avahi-control | advertise services over the local network | no |
| avahi-observe | detect services and devices over the local network | no |
| bluetooth-control | access Bluetooth hardware directly | no |
| bluez | use Bluetooth devices | no |
| bool-file | allows access to specific file with bool semantics | no |
| broadcom-asic-control | control Broadcom network switches | no |
| browser-support | use functions essential for Web browsers | no when allow-sandbox: true, yes otherwise |
| calendar-services | allows communication with Evolution Data Server calendar | no |
| camera | use your camera or webcam | no |
| can-bus | allows access to the CAN bus | no |
| classic-support | enable resource access to classic snap | no |
| content | access resources across snaps | yes for snaps from same publisher, no otherwise |
| core-support | deprecated since snap 2.34 | no |
| cpu-control | set certain CPU values | no |
| cups-control | print documents | no |
| daemon-notify | allows sending daemon status changes to service manager | no |
| dbus | allow snaps to communicate over D-Bus | no |
| dcdbas-control | shut down or restart Dell devices | no |
| desktop | provides access to common desktop elements | yes |
| desktop-legacy | enables the use of legacy desktop methods (including input method and accessibility services) | yes |
| device-buttons | use any device-buttons | no |
| docker | start, stop, or manage Docker containers | no |
| docker-support | | no |
| dummy | allows testing without additional permissions | no |
| dvb | allows access to all DVB devices and APIs | no |
| firewall-control | configure a network firewall | no |
| framebuffer | access to universal framebuffer devices | no |
| fuse-support | enables access to the FUSE filesystems | no |
| fwupd | allows operating as the fwupd service | no |
| gpg-keys | read GPG user configuration and keys | no |
| gpg-public-keys | read GPG non-sensitive configuration and public keys | no |
| gpio | access specific GPIO pins | no |
| gpio-memory-control | allows write access to all GPIO memory | no |
| greengrass-support | allows operating as the Greengrass service | no |
| gsettings | provides access to any GSettings item for current user | yes |
| hardware-observe | access hardware information | no |
| hardware-random-control | provide entropy to hardware random number generator | no |
| hardware-random-observe | use hardware-generated random numbers | no |
| hidraw | access hidraw devices | no |
| home | access non-hidden files in the home directory | yes on classic (traditional distributions), no otherwise |
| hostname-control | allows configuring the system hostname | no |
| i2c | access i²c devices | no |
| iio | access IIO devices | no |
| io-ports-control | allows access to all I/O ports | no |
| joystick | use any connected joystick | no |
| juju-client-observe | read the Juju client configuration | no |
| kernel-module-control | insert, remove and query kernel modules | no |
| kubernetes-support | use functions essential for Kubernetes | no |
| kvm | allows access to the kvm device | no |
| libvirt | provides access to the libvirt service | no |
| locale-control | change system language and region settings | no |
| location-control | allows operating as the location service | no |
| location-observe | access your location | no |
| log-observe | read system logs | no |
| lxd | provides access to the LXD socket | no |
| lxd-support | allows operating as the LXD service | no |
| maliit | use an on-screen keyboard | no |
| media-hub | access snaps providing the media-hub interface | yes |
| mir | enables access to the Mir display service | yes |
| modem-manager | use and configure modems | no |
| mount-observe | read mount table and quota information | no |
| mpris | control music and video players | no |
| netlink-audit | allows access to kernel audit system through Netlink | no |
| netlink-connector | communicate through the kernel Netlink connector | no |
| network | enables network access | yes |
| network-bind | operate as a network service | yes |
| network-control | change low-level network settings | no |
| network-manager | configure and observe networking via NetworkManager | no |
| network-observe | query network status information | no |
| network-setup-control | change network settings via Netplan | no |
| network-setup-observe | read network settings | no |
| network-status | access the NetworkingStatus service | yes |
| ofono | allows operating as the oFono service | no |
| online-accounts-service | access to the Online Accounts service | yes |
| opengl | access OpenGL hardware | yes |
| openvswitch | control Open vSwitch hardware | no |
| openvswitch-support | enables kernel support for Open vSwitch | no |
| optical-drive | read/write access to CD/DVD drives | yes, unless drive can write |
| password-manager-service | read, add, change, or remove saved passwords | no |
| physical-memory-control | read and write memory used by any process | no |
| physical-memory-observe | read memory used by any process | no |
| ppp | access to configure and observe PPP networking | no |
| process-control | pause or end any process on the system | no |
| pulseaudio | play and record sound | yes |
| raw-usb | access USB hardware directly | no |
| removable-media | read/write files on removable storage devices | no |
| screen-inhibit-control | prevent screen sleep, lock and screensaver | yes |
| serial-port | access serial port hardware | no |
| shutdown | restart or power off the device | no |
| snapd-control | install or remove software | no |
| spi | access specific SPI devices | no |
| ssh-keys | access SSH private and public keys | no |
| ssh-public-keys | access SSH public keys | no |
| storage-framework-service | operate as, or interact with, the Storage Framework | no |
| system-observe | read process and system information | no |
| system-trace | monitor or control any running program | no |
| thumbnailer-service | create thumbnail images from local media files | no |
| time-control | change the date and time | no |
| timeserver-control | change time server settings | no |
| timezone-control | change the time zone | no |
| tpm | allows access to the Trusted Platform Module device | no |
| ubuntu-download-manager | use the Ubuntu Download Manager | yes |
| udisks2 | access the UDisks2 service | no |
| uhid | create kernel UID devices from user-space | no |
| unity7 | access legacy desktop resources from Unity7 | yes |
| unity8 | share data with other Unity 8 apps | yes |
| unity8-calendar | read/change shared calendar events in Ubuntu Unity 8 | no |
| unity8-contacts | read/change shared contacts in Ubuntu Unity 8 | no |
| upower-observe | access battery level and power usage | yes |
| wayland | access compositors providing the Wayland protocol | yes |
| x11 | monitor mouse/keyboard input and graphics output of other apps | yes |

#2

I really don’t like the nomenclature of calling an interface “transitional” when there is no clear transition occurring. Can we explain for each transitional interface what the transition is and why it is happening, please?

For example, why is x11 in a transition? What is it transitioning to? Where is it transitioning from? Is it going to stop working in some future time?

If the transitional interfaces aren’t actually changing then I posit that “transitional” is the wrong name. Please choose a better one that is actually indicative of what the state is.


#3

The old page (is it gone now? /me can’t find it) used to list when an interface was introduced. This isn’t usually useful except the case where it is committed to trunk but not yet in stable and you want to say when it will be available. Should we no longer worry about when an interface was introduced? If we should, should it be in the interface-specific page?


#4

I think you’re right about the use of transitional, and it’s also a waste of space here when so few interfaces require it to be flagged - I’ll remove it from the table. We can hopefully better describe the ramifications of a specific interface being transitional on a specific interface’s own page.


#5

I was going to port this information to the interface-specific pages, but it might be a good idea to add this to the table if you think it’s going to be useful?


#6

An additional description/summary column would be helpful, which gives packagers a clue what an interface does without diving into its page.


#7

Shouldn’t every user use the latest release of snapd? A “(not yet released)” notice in the interface name field should suffice…?


#8

I think this is a good idea. It may take some work getting something small enough to not make the table confusing, but I’ll work on it as I go through the separate pages for each interface.


#9

The interface specific page is fine IMO.


#10

FYI, @mpt went through this exercise with the descriptions that gnome-software exposes.


#11

With help from @jdstrand and others, I got as far as user-facing descriptions for 127 of 208 interfaces.

(That work is on hiatus until anyone has time to implement the runtime permission prompts or the post-install permissions UI in which those descriptions would appear.)


#12

Thank you! That’s going to be really useful.


#13

An interface page template would be helpful. Also, the underlying topics should all be converted into wiki.


#14

The template is currently very simple:

Interface name: foo

Auto-connect: no

Attributes: if any

Transitional: only if yes

Description:

Requires snap version foo.bar+.

ⓘ This is a snap interface. See Interface management and Supported interfaces for further details on how interfaces are used.

And yes, I’m making them wiki when I remember to!


#15

A Linux Kconfig style of connection hint is also helpful:

If <condition>, then connect; if in doubt, don't connect etc.

UPDATE: Refer to The unity7 interface topic for a reference design.


#16

We could of course add more insight as to why it is transitional, but I think the word is accurate-- it is transitional because the interface is known to have problems and while we don’t know how to solve them now in the general case, we know it isn’t what we want and in the future we want something better.

For the specific case of x11, it is transitional because the X protocol has many security issues. The future is wayland, but it isn’t ready yet so X isn’t going away anytime soon. Will x11 ever be completely removed? Doubtful (at least not for many years), but we would probably not auto-connect at some point (but that point is not defined).


#17

Here is an article with some insights: mjg59 | Circumventing Ubuntu Snap confinement

Warning: Potentially offensive/biased opinion included.


#18

What I’m missing on this page is an explanation of how to make your snap use these interfaces. (adding the interface as a plug to your app)


#19

“monitor mouse/keyboard input and graphics output of other apps”: does connecting to the X11 interface allow monitoring other apps’ inputs, or does disconnecting? I’m confused because another place in the documents says you “should” allow this if it is a GUI app, but when I disconnect all GUI apps work also. WTF?

I disconnected all of them and my machine became lightweight, so I guess the answer is there.


#20

@Ebuzer - on any system, connecting to the X server allows the application to eavesdrop and inject input events. This is a flaw in the design of the X window system. On a system that supports full confinement, when the x11 snapd interface is connected, applications are allowed to connect to the X server and when the interface is disconnected, the applications cannot. The doc for desktop applications still recommends that snaps plug the x11 interface because far too many people still rely on X (though a lot of progress has been made with wayland; someday we’ll be able to deprecate x11, but that won’t be for a while still).

On the system where you disconnected the interface and it still worked, it may have been a system that doesn’t support full strict mode, it was a devmode snap, it was using wayland or mir, or possibly was running and already had the socket open to the X server after the snapd interface was disconnected (though I would expect that application to fail at some point).
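
An added example, not part of the thread or of snapd itself: a small audit that lists which snaps have the x11 interface connected, the state the reply above ties to being able to reach the X server, and whether each also has wayland connected. It assumes the column layout printed by `snap connections --all`; the sample rows and snap names are constructed.

```python
"""Audit `snap connections` output for snaps that can reach the X server."""
import subprocess

# Constructed sample in the column layout of `snap connections --all`
# (Interface, Plug, Slot, Notes); the snap names are made up.
SAMPLE = """\
Interface  Plug             Slot      Notes
home       editor:home      :home     -
x11        editor:x11       :x11      -
wayland    editor:wayland   :wayland  -
x11        viewer:x11       :x11      -
x11        player:x11       -         -
network    player:network   :network  -
"""

def connected_plugs(text):
    """Return {snap: set(interfaces)} for plugs that have a slot connected."""
    result = {}
    for line in text.splitlines()[1:]:          # skip the header row
        cols = line.split()
        if len(cols) < 3:
            continue
        interface, plug, slot = cols[:3]
        snap = plug.split(":", 1)[0]
        # A "-" slot means the plug is not connected; a "-" or ":name"
        # plug is a slot-only or system row, not a snap's plug.
        if slot == "-" or ":" not in plug or not snap:
            continue
        result.setdefault(snap, set()).add(interface)
    return result

def x11_exposure(text):
    """Map each snap with x11 connected to whether wayland is connected too."""
    return {snap: "wayland" in ifaces
            for snap, ifaces in connected_plugs(text).items()
            if "x11" in ifaces}

def live_output():
    """Run the real command; requires snapd on the host."""
    return subprocess.run(["snap", "connections", "--all"],
                          capture_output=True, text=True, check=True).stdout

if __name__ == "__main__":
    for snap, has_wayland in sorted(x11_exposure(SAMPLE).items()):
        hint = "also has wayland connected" if has_wayland else "x11 only"
        print(f"{snap}: x11 connected ({hint})")
```

Pass `live_output()` instead of `SAMPLE` to audit a real host. As the reply notes, a devmode snap or a system without full strict confinement is not constrained by the connection state, so this listing alone does not cover those cases.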