A snap under strict confinement is confined according to the snap recipe's declared permissions (we call them interfaces, or plugs) and the store's own policy (critical permissions are gatekept by the store staff to avoid abuse). You can inspect the snap/manifest.yaml file in the snap to determine which permissions the snap requests, and check which of them are actually granted (connected) by the system via the snap connections command:

    $ snap connections youtube-dl
    Interface        Plug                        Slot      Notes
    home             youtube-dl:home             :home     -
    network          youtube-dl:network          :network  -
    opengl           youtube-dl:opengl           :opengl   -
    removable-media  youtube-dl:removable-media  -         -

In the example above the removable-media interface is not connected, meaning that the snap application can't access your external drives mounted under /mnt or /media. You can check the entire list of supported security confinement interfaces (and their definitions) at https://snapcraft.io/docs/supported-interfaces.
For snaps you particularly do not trust, you may specifically disallow their access to certain resources by using the snap disconnect <snap_name>:<interface_name> command. For example, you may fully disallow the youtube-dl snap from accessing your files under the home directory by running snap disconnect youtube-dl:home in the terminal.
Note that not every interface declared by the snap is auto-connected (granted by default). For sensitive interface connections, the publisher must be vetted by the store staff before they are made auto-connectable. Refer to "Process for aliases, auto-connections and tracks" for the actual process.
Reference: Interface management | Snapcraft documentation
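
The check-then-revoke procedure above as a script. This is an added example, not part of the original post or of snapd: the WATCHLIST of interfaces and the function names are assumptions, and the embedded table is the youtube-dl output shown above.

```shell
#!/bin/sh
# Added example: audit `snap connections <snap>` output for granted interfaces.
# SAMPLE is the youtube-dl output shown above, embedded so this runs offline.
SAMPLE='Interface        Plug                        Slot      Notes
home             youtube-dl:home             :home     -
network          youtube-dl:network          :network  -
opengl           youtube-dl:opengl           :opengl   -
removable-media  youtube-dl:removable-media  -         -'

# WATCHLIST is an assumption: interfaces this reviewer treats as file access.
WATCHLIST='home removable-media'

# Print plugs (snap:interface) whose Slot column is not "-", i.e. connected.
connected_plugs() {
    awk 'NR > 1 && NF >= 3 && $3 != "-" { print $2 }'
}

# Print plugs that are declared by the snap but not connected (Slot is "-").
unconnected_plugs() {
    awk 'NR > 1 && NF >= 3 && $3 == "-" { print $2 }'
}

# For each connected plug on the watchlist, print the command that revokes it.
# Nothing is executed; the output is meant to be reviewed first.
suggest_disconnects() {
    connected_plugs | while IFS=: read -r snap iface; do
        for w in $WATCHLIST; do
            if [ "$iface" = "$w" ]; then
                echo "snap disconnect $snap:$iface"
            fi
        done
    done
}

# Use live data when a snap name is given, otherwise the embedded sample.
audit() {
    if [ -n "$1" ]; then
        snap connections "$1"
    else
        printf '%s\n' "$SAMPLE"
    fi | suggest_disconnects
}

audit "$@"
```

Run it with a snap name as the first argument to audit an installed snap instead of the embedded sample.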