Security corner: snap interface & snap connections
by Igor Ljubuncic on 15 September 2020
One of the defining features of snaps is their strong security. Snaps are designed to run isolated from the underlying system, with granular control and access to specific resources made possible through a mechanism of interfaces. Think of it as a virtual USB cable – an interface connects a plug with a slot.
Security and privacy conscious users will certainly be interested in knowing more about their snaps – what they can do and which resources they need at runtime. To that end, you can use the handy snap interface and snap connections commands.
The snap interface command allows you to see the list of all the different snaps that have been granted access (automatically or manually) to any of the supported snap interfaces. This way, at a glance, you can have an immediate mapping of the system access for your snaps. For instance:
snap interface home
summary: allows access to non-hidden files in the home directory
The output provides an explanation of what the interface does, and then the list of all the connected plugs for the home interface. Similarly, you can also see the list of all the interfaces that have at least one plug on your system.
desktop-legacy allows privileged access to desktop legacy methods
gsettings allows access to any gsettings item of current user
hardware-observe allows reading information about system hardware
home allows access to non-hidden files in the home directory
kernel-module-control allows insertion, removal and querying of kernel modules
log-observe allows read access to system logs
lxd-support allows operating as the LXD service
network allows access to the network
network-bind allows operating as a network service
network-control allows configuring networking and network namespaces
network-manager allows operating as the NetworkManager service
opengl allows access to OpenGL stack
From a security and/or privacy perspective, you can quickly inspect your system and determine whether there are any potential gaps in your baseline, or whether there are applications that have the ability to utilise resources that you may not necessarily want to allow. This can be quite useful if you have devices that are not necessarily used in an interactive way, like IoT gateways, allowing you to inspect and monitor their configuration.
It’s all about connections
It is worth mentioning that the information provided by the snap interface command is a transpose of the data you can obtain by running snap connections. This one-liner allows you to see all the connected snaps for each interface, or all the interfaces defined for each snap (whether they are connected or not).
Interface Plug Slot Notes
audio-playback cncra2yr:audio-playback :audio-playback -
audio-playback libreoffice:audio-playback :audio-playback -
audio-playback obs-studio:audio-playback :audio-playback -
audio-playback vlc:audio-playback :audio-playback -
audio-record obs-studio:audio-record :audio-record -
browser-support obs-studio:browser-support :browser-support -
browser-support spotify:browser-support :browser-support -
camera obs-studio:camera :camera -
content[gtk-3-themes] cncra2yr:gtk-3-themes gtk-common-themes:gtk-3-themes -
content[icon-themes] cncra2yr:icon-themes gtk-common-themes:icon-themes -
content[wine-3-stable] cncra2yr:wine-3-stable wine-platform-3-stable:wine-3-stable -
content[wine-runtime] cncra2yr:wine-runtime wine-platform-runtime:wine-runtime -
content[gtk-3-themes] cncra:gtk-3-themes gtk-common-themes:gtk-3-themes -
content[icon-themes] cncra:icon-themes gtk-common-themes:icon-themes -
content[wine-3-stable] cncra:wine-3-stable wine-platform-3-stable:wine-3-stable -
content[wine-runtime] cncra:wine-runtime wine-platform-runtime:wine-runtime -
content[gnome-3-28-1804] gimp:gnome-3-28-1804 gnome-3-28-1804:gnome-3-28-1804 -
content[gtk-3-themes] gimp:gtk-3-themes gtk-common-themes:gtk-3-themes
For instance, you may want to know what the kompoZer snaps requires:
snap connections kompozer
Interface Plug Slot Notes
content[gtk-2-engines] kompozer:gtk-2-engines gtk2-common-themes:gtk-2-engines -
content[gtk-2-themes] kompozer:gtk-2-themes gtk-common-themes:gtk-2-themes -
content[icon-themes] kompozer:icon-themes gtk-common-themes:icon-themes -
desktop kompozer:desktop :desktop -
desktop-legacy kompozer:desktop-legacy :desktop-legacy -
home kompozer:home :home -
removable-media kompozer:removable-media - -
unity7 kompozer:unity7 :unity7 -
x11 kompozer:x11 :x11 -
When it comes to system configuration and inspection, the output provided by this command allows you to focus on specific snaps rather than specific resources. It can also help you troubleshoot any potential problems with snaps at runtime.
A good example here would indeed be kompoZer. The snap has the removable-media interface defined, but for security reasons, it is not auto-connected. This means that if you try to reach and open files that reside on a USB drive, for example, kompoZer will not be able to access them. You can inspect the list of connections that this application uses, quickly determine that the removable-media plug is not connected, and then manually connect it on the command line with snap connect. If you are not comfortable with the command-line, the Ubuntu Software frontend allows you to toggle connections on and off using a simple applet.
The snap interface management functionality gives security-minded Linux users a high degree of granular control over their applications. In this case, unlike social media, you want as few connections for your snaps as possible, without compromising on the functionality. The snap interface and connections commands give you an instant overview of your snap ecosystem state, allowing you to quickly adjust and trim permissions as you go about your Linux adventure.
If you have any comments or suggestions, please join our forum for a discussion.