Security corner: snap interface & snap connections

by Igor Ljubuncic on 15 September 2020

One of the defining features of snaps is their strong security. Snaps are designed to run isolated from the underlying system, with granular control and access to specific resources made possible through a mechanism of interfaces. Think of it as a virtual USB cable – an interface connects a plug with a slot.

Security and privacy conscious users will certainly be interested in knowing more about their snaps – what they can do and which resources they need at runtime. To that end, you can use the handy snap interface and snap connections commands.

Aw, snap…interface!

The snap interface command allows you to see the list of all the different snaps that have been granted access (automatically or manually) to any of the supported snap interfaces. This way, at a glance, you can have an immediate mapping of the system access for your snaps. For instance:

snap interface home
name:    home
summary: allows access to non-hidden files in the home directory
plugs:
  - cncra
  - cncra2yr
  - cppcheck
  - doctl
  - gimp
  - heimer
  - icdiff
  - irfanview

The output provides an explanation of what the interface does, and then the list of all the connected plugs for the home interface. Similarly, you can also see the list of all the interfaces that have at least one plug on your system.

snap interface
...
desktop-legacy          allows privileged access to desktop legacy methods
gsettings               allows access to any gsettings item of current user
hardware-observe        allows reading information about system hardware
home                    allows access to non-hidden files in the home directory
kernel-module-control   allows insertion, removal and querying of kernel modules
log-observe             allows read access to system logs
lxd-support             allows operating as the LXD service
network                 allows access to the network
network-bind            allows operating as a network service
network-control         allows configuring networking and network namespaces
network-manager         allows operating as the NetworkManager service
opengl                  allows access to OpenGL stack
...

From a security and/or privacy perspective, you can quickly inspect your system and determine whether there are any potential gaps in your baseline, or whether there are applications that have the ability to utilise resources that you may not necessarily want to allow. This can be quite useful if you have devices that are not necessarily used in an interactive way, like IoT gateways, allowing you to inspect and monitor their configuration.

It’s all about connections

It is worth mentioning that the information provided by the snap interface command is a transpose of the data you can obtain by running snap connections. This one-liner allows you to see all the connected snaps for each interface, or all the interfaces defined for each snap (whether they are connected or not).

snap connections
Interface                                     Plug                                       Slot                                                                  Notes
audio-playback                                cncra2yr:audio-playback                    :audio-playback                                                       -
audio-playback                                libreoffice:audio-playback                 :audio-playback                                                       -
audio-playback                                obs-studio:audio-playback                  :audio-playback                                                       -
audio-playback                                vlc:audio-playback                         :audio-playback                                                       -
audio-record                                  obs-studio:audio-record                    :audio-record                                                         -
browser-support                               obs-studio:browser-support                 :browser-support                                                      -
browser-support                               spotify:browser-support                    :browser-support                                                      -
camera                                        obs-studio:camera                          :camera                                                               -
content[gtk-3-themes]                         cncra2yr:gtk-3-themes                      gtk-common-themes:gtk-3-themes                                        -
content[icon-themes]                          cncra2yr:icon-themes                       gtk-common-themes:icon-themes                                         -
content[wine-3-stable]                        cncra2yr:wine-3-stable                     wine-platform-3-stable:wine-3-stable                                  -
content[wine-runtime]                         cncra2yr:wine-runtime                      wine-platform-runtime:wine-runtime                                    -
content[gtk-3-themes]                         cncra:gtk-3-themes                         gtk-common-themes:gtk-3-themes                                        -
content[icon-themes]                          cncra:icon-themes                          gtk-common-themes:icon-themes                                         -
content[wine-3-stable]                        cncra:wine-3-stable                        wine-platform-3-stable:wine-3-stable                                  -
content[wine-runtime]                         cncra:wine-runtime                         wine-platform-runtime:wine-runtime                                    -
content[gnome-3-28-1804]                      gimp:gnome-3-28-1804                       gnome-3-28-1804:gnome-3-28-1804                                       -
content[gtk-3-themes]                         gimp:gtk-3-themes                          gtk-common-themes:gtk-3-themes 

For instance, you may want to know what the kompoZer snaps requires:

snap connections kompozer
Interface               Plug                      Slot                              Notes
content[gtk-2-engines]  kompozer:gtk-2-engines    gtk2-common-themes:gtk-2-engines  -
content[gtk-2-themes]   kompozer:gtk-2-themes     gtk-common-themes:gtk-2-themes    -
content[icon-themes]    kompozer:icon-themes      gtk-common-themes:icon-themes     -
desktop                 kompozer:desktop          :desktop                          -
desktop-legacy          kompozer:desktop-legacy   :desktop-legacy                   -
home                    kompozer:home             :home                             -
removable-media         kompozer:removable-media  -                                 -
unity7                  kompozer:unity7           :unity7                           -
x11                     kompozer:x11              :x11                              -

When it comes to system configuration and inspection, the output provided by this command allows you to focus on specific snaps rather than specific resources. It can also help you troubleshoot any potential problems with snaps at runtime.

A good example here would indeed be kompoZer. The snap has the removable-media interface defined, but for security reasons, it is not auto-connected. This means that if you try to reach and open files that reside on a USB drive, for example, kompoZer will not be able to access them. You can inspect the list of connections that this application uses, quickly determine that the removable-media plug is not connected, and then manually connect it on the command line with snap connect. If you are not comfortable with the command-line, the Ubuntu Software frontend allows you to toggle connections on and off using a simple applet.

Summary

The snap interface management functionality gives security-minded Linux users a high degree of granular control over their applications. In this case, unlike social media, you want as few connections for your snaps as possible, without compromising on the functionality. The snap interface and connections commands give you an instant overview of your snap ecosystem state, allowing you to quickly adjust and trim permissions as you go about your Linux adventure.

If you have any comments or suggestions, please join our forum for a discussion.

Photo by israel palacio on Unsplash.

Newsletter Signup

Related posts

Managing software in complex network environments: the Snap Store Proxy

As enterprises grapple with the evolving landscape of security threats, the need to safeguard internal networks from the broader internet is increasingly important. In environments with restricted internet access, it can be difficult to manage software updates in an easy, reliable way. When managing devices in the field, change management […]

Improving snap maintenance with automation

Co-written with Sergio Costas Rodríguez. As the number of snaps increases, the need for automation grows. Any automation to help us maintain a group of snaps is welcome and necessary for us to be able to scale. The solution detailed in this article has two main benefits: Any users of snaps that have adopted this […]

Snapcraft 8.0 and the respectable end of core18

‘E’s not pinin’! ‘E’s passed on! This base is no more! He has ceased to be! ‘E’s expired and gone to meet ‘is maker! ‘E’s a stiff! Bereft of life, ‘e rests in peace! If you hadn’t nailed ‘im to the perch ‘e’d be pushing up the daisies! ‘Is software processes are now ‘istory! ‘E’s […]