View details for connections

Hi, I found myself wondering about what files the firefox snap has access to, and struggled to get a good answer - did I miss something?

I can do snap connections firefox and see that it has some connections, including this one: personal-files firefox:dot-mozilla-firefox :personal-files -. From the docs for personal-files I can see that this interface allows access to dot files in my homedir, but I'm not sure what dotfiles. Can it look in my .ssh? (No, it can't: hitting file:///home/myuser/.ssh gives an access denied error with a matching apparmor deny, but I'd love a way to list all the files it can hit without having to do a negation test.)

It looks like the details are stored in the snapcraft.yaml file - we can do a dance with curl and jq to eventually find some details ( curl 'https://api.snapcraft.io/v2/snaps/info/firefox?fields=snap-yaml' -H "Snap-Device-Series: 16" |tee /tmp/ffsnap.json | jq -r '."channel-map"[0]."snap-yaml"' )

...SNIP...
plugs:
  browser-sandbox:
    interface: browser-support
    allow-sandbox: true
  dot-mozilla-firefox:
    interface: personal-files
    read:
    - $HOME/.mozilla/firefox
  etc-firefox:
    interface: system-files
    read:
    - /etc/firefox
  host-hunspell:
    interface: mount-control
...SNIP...

Now we finally know that it has access to - $HOME/.mozilla/firefox. It looks like we can check in /snap/firefox/current/snap/snapcraft.yaml as well if no internet connection is available to fetch the yaml.

That's way too complicated, let's just do a snap info firefox --verbose - nope, it shows details but not the ones we want.

Have I missed something? Is there a simple way to view a snap interface’s file access or details?

Can you not ask snapd? see https://snapcraft.io/docs/snapd-rest-api#heading--connections or in terminal:

snap debug api /v2/connections

Thanks, that's a lot easier - I got to what I wanted with snap debug api '/v2/connections?snap=firefox&select&interface=personal-files'

  • snap: firefox (or other snap)
  • select: blank to only show connected
  • interface: limit to just the personal-files interface

I think it would be good to have a "no brainer" way to get this though, e.g. "snap show-access-details", or do you think it's not needed?

This is mostly covered by snap connections. Maybe some sort of --verbose switch could be useful when supplied with a specific snap name, e.g. snap connections firefox --verbose. Although it's not clear how plug/slot attributes could be presented. Slots for interfaces like content tend to have lots and lots of attributes.
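
As an added example (not code from the thread or from snapd), the output of the snap debug api /v2/connections query above can be reduced to a plain list of granted paths. It assumes the response carries a "plugs" list whose entries have "plug", "interface", "attrs" and "connections" keys; the sample response, the dot-unused plug and the slot snap name are constructed for illustration.

```python
import json
import sys

# Interfaces whose plug attributes carry path lists, and the attributes holding them.
FILE_INTERFACES = ("personal-files", "system-files")
PATH_ATTRS = ("read", "write")

# Constructed sample, shaped like the assumed /v2/connections response.
SAMPLE = """
{"type": "sync", "status-code": 200, "result": {
  "plugs": [
    {"snap": "firefox", "plug": "dot-mozilla-firefox", "interface": "personal-files",
     "attrs": {"read": ["$HOME/.mozilla/firefox"]}, "connections": [{"snap": "snapd", "slot": "personal-files"}]},
    {"snap": "firefox", "plug": "etc-firefox", "interface": "system-files",
     "attrs": {"read": ["/etc/firefox"]}, "connections": [{"snap": "snapd", "slot": "system-files"}]},
    {"snap": "firefox", "plug": "browser-sandbox", "interface": "browser-support",
     "attrs": {"allow-sandbox": true}, "connections": [{"snap": "snapd", "slot": "browser-support"}]},
    {"snap": "firefox", "plug": "dot-unused", "interface": "personal-files",
     "attrs": {"write": ["$HOME/.example"]}}
  ]}}
"""

def file_access(response_text, home=None):
    """Return sorted (plug, interface, mode, path) tuples for connected file plugs."""
    data = json.loads(response_text)
    result = data.get("result", data)  # accept the full envelope or the bare result
    rows = []
    for plug in result.get("plugs", []):
        if plug.get("interface") not in FILE_INTERFACES:
            continue  # other interfaces do not list paths in read/write attributes
        if not plug.get("connections"):
            continue  # declared but not connected: no access granted
        for mode in PATH_ATTRS:
            for path in plug.get("attrs", {}).get(mode, []):
                if home:
                    path = path.replace("$HOME", home, 1)
                rows.append((plug["plug"], plug["interface"], mode, path))
    return sorted(rows)

if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for row in file_access(text, home="/home/myuser"):
        print("{:22} {:15} {:5} {}".format(*row))
```

Piping the output of snap debug api '/v2/connections?snap=firefox' into the script prints one line per path; run without piped input, it prints the constructed sample.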