Why does snapd run as root

Snap services are controlled by systemd, and confinement rules are enforced by the kernel. What does snapd require root access for specifically? Can someone please shed some light on that?

I ask this because we are working on a system where security is of utmost importance, and we are trying to figure out why snapd is run as root. We are specifically concerned about issues like https://bugs.launchpad.net/snapd/+bug/1813365

One of the first things I can think of is talking to systemd to manage various aspects about the system, for example:

  • start/stop/enable systemd services
  • create/delete new systemd services for snap refreshes, snap installations and snap removals
  • read system logs for snap services and other services

Some other things which require root level access:

  • compiling / configuring confinement options for snaps, i.e. AppArmor policies, udev rules, seccomp profiles, etc.
  • running snap hooks at various points such as the install, configure, {pre,post}-refresh hooks, etc.

Additionally some Ubuntu Core specific things that snapd does that require root level access:

  • manipulate bootloader environment to upgrade the kernel, bootloader, and other boot/gadget assets
  • reboot the system for upgrades
  • partition a device’s disk for Ubuntu Core 20 install mode
  • set up full disk encryption for devices enabled as such
  • configure other system tasks such as watchdog configuration, timezone, system journal configuration, etc.

Note that some other actions which require root access and are required in general for snaps to work are not executed by snapd itself, but rather by snap-confine or snap-update-ns. These include actually loading the confinement policy for a snap into the kernel, modifying the snap’s mount namespace (or actually just creating it in the first place), and other things that are executed when you execute snap run or when a snap service first starts. These need to be done by root, but are not explicitly done by snapd the daemon.

There are probably more things I’m forgetting, perhaps others can help fill in.

Hope this helps.