Demystifying Snap Confinement

by Alan Pope on 12 July 2018

Snaps introduce some new concepts to the Linux ecosystem which developers can take advantage of, and snap users need to appreciate. When installing a snap, it’s important to understand what parts of the system the application wants access to. It’s up to the user to decide to install (or not) a snap, and the confinement model empowers the user in the decision making process.

When a developer initially creates a snap, they define which ‘confinement model’ they want to use. There are currently three choices available to them, strict, classic and devmode. Once a snap is installed, the confinement model chosen by the developer is used. While users can override which model is used at snap install time, that’s generally not recommended.

Confinement models broadly define the access a snap has on an end-user computer. However they convey a more subtle meaning than just that. In addition to the high level confinement model, the developer can specify ‘interfaces‘ which may grant the snap access to additional hardware or software which is required for the application to run.

Strict confinement

Strict uses Linux kernel security features to ‘lock down’ the applications in the snap. A strictly confined application, which has no interfaces specified will have very limited access. It won’t be able to access the network, the users home directory, any audio subsystems & webcams, nor will it be able to display any graphical output via X or Wayland.

The developer can request to ‘poke holes’ in strict confinement by specifying interfaces as the snap is built. The list of available interfaces is not fixed, but grows as the snap developers and security teams understand requirements from new snap publishers. The developer may have to iterate on their snap, adding interfaces as needed until all the application access requirements are met.

During this iteration, the application may fail to start, it may look incorrect or otherwise misbehave. Once the snap is complete, strictly confined, with all necessary interfaces specified, it can be pushed to the ‘stable’ channel in the snap store.

Ultimately all snaps should strive to be ‘strict’ confinement using only the interfaces necessary for the application to function correctly, no more. Only snaps which use strict confinement can be released to the stable channel in the snap store with no human review.

Some interfaces are automatically connected upon install on end-user computers. Others are by-default not connected. The camera interface for example is not automatically connected on installation of a snap which specifies its use. However a developer may request a store assertion which changes the default for specific interfaces in their snap. Whatever the store defined defaults, the end-user still has control over the connected interfaces on their computer, and may disconnect

Devmode confinement

Devmode is a ‘debug’ mode used by developers as they iterate on the creation of their snap. Confinement and interfaces are new concepts to many developers, who are more used to having full system access on end-user systems. Often developers of new snaps find their application doesn’t function correctly under strict confinement because the application has expectations of system access which are not fulfilled when confined.

The snap publisher can specify devmode when the snap is built. Once published they can direct developers or their QA team to install it using the ‘–devmode’ switch. This will result in a snap which sees the world in the same way as a strictly confined snap. A devmode snap will however not be prevented from accessing resources, but will produce debug output in the system log. This is to help the developer to identify unspecified interfaces in their snap.

Devmode is a stepping-stone towards strict confinement. Developers should not encourage end-users to install snaps with the ‘–devmode’ switch. Devmode snaps cannot be published in the stable channel of the snap store. End users should not normally install snaps in devmode as this undoes any protections set out with confinement and interfaces.

Snaps which use devmode confinement cannot be published in the snap store stable channel, but may be published in the edge and beta channels. Where an interface doesn’t exist, the developer may request one by filing an appropriately detailed bug report.

Classic confinement

Classic is effectively un-confining the applications inside a snap. Applications which use classic confinement have the same full system access as traditionally packaged applications. Classic confinement is often used as a stop-gap measure to enable developers to publish applications which need more access than the current set of interfaces enable. Over time, as more interfaces are developed, snap publishers can migrate away from classic confinement to strict.

Classically confined snaps are reviewed by the snap store reviewers team before they can be published in the stable channel. Snaps which use classic confinement may be rejected if they don’t meet the requirements.

Users should not attempt to override a strictly confined snap to make it ‘classic’. This undoes the confinement and interfaces defined by the developer. In addition applications published as strict snaps may misbehave when installed with the ‘–classic’ switch.

Further information regarding interfaces and confinement can be found in the snapcraft documentation. We welcome feedback and discussion on the snapcraft forum.

Newsletter Signup

Related posts

Snapping PhotoNoteBook: Lessons from the kitchen table, or: How an Android app got converted to a Linux snap

This article was written by Alan Watson, with only small cosmetic changes from me. Having stumbled upon PhotoNoteBook, I asked Alan to write a guest blog post and share his project with the wider snap developer community. ===== The idea for PhotoNoteBook was seeded in 2018 after watching a Double-Glazing salesman measure my windows. He […]

Linux Application Summit 2022 – And there we were all in one place …

In the last two days of April, the small, picturesque town of Rovereto in northern Italy was the location of this year’s Linux Application Summit (LAS). After a virtual-only experience during the pandemic, the LAS returned with a physical presence, and so did we. Canonical has long recognized the value and importance of LAS as […]

Private shared memory support for snaps

At first glance, the title of this article may sound like an oxymoron. However, what it highlights is the introduction of a rather useful feature that will enable a far more robust and elegant handling of the /dev/shm implementation inside the snap sandbox. This will make snap development easier, more secure, and reduce potential bugs […]