Security corner: snap interface & snap connections

by Igor Ljubuncic on 15 September 2020

One of the defining features of snaps is their strong security. Snaps are designed to run isolated from the underlying system, with granular control and access to specific resources made possible through a mechanism of interfaces. Think of it as a virtual USB cable – an interface connects a plug with a slot.

Security and privacy conscious users will certainly be interested in knowing more about their snaps – what they can do and which resources they need at runtime. To that end, you can use the handy snap interface and snap connections commands.

Aw, snap…interface!

The snap interface command allows you to see the list of all the different snaps that have been granted access (automatically or manually) to any of the supported snap interfaces. This way, at a glance, you can have an immediate mapping of the system access for your snaps. For instance:

snap interface home
name:    home
summary: allows access to non-hidden files in the home directory
  - cncra
  - cncra2yr
  - cppcheck
  - doctl
  - gimp
  - heimer
  - icdiff
  - irfanview

The output provides an explanation of what the interface does, and then the list of all the connected plugs for the home interface. Similarly, you can also see the list of all the interfaces that have at least one plug on your system.

snap interface
desktop-legacy          allows privileged access to desktop legacy methods
gsettings               allows access to any gsettings item of current user
hardware-observe        allows reading information about system hardware
home                    allows access to non-hidden files in the home directory
kernel-module-control   allows insertion, removal and querying of kernel modules
log-observe             allows read access to system logs
lxd-support             allows operating as the LXD service
network                 allows access to the network
network-bind            allows operating as a network service
network-control         allows configuring networking and network namespaces
network-manager         allows operating as the NetworkManager service
opengl                  allows access to OpenGL stack

From a security and/or privacy perspective, you can quickly inspect your system and determine whether there are any potential gaps in your baseline, or whether there are applications that have the ability to utilise resources that you may not necessarily want to allow. This can be quite useful if you have devices that are not necessarily used in an interactive way, like IoT gateways, allowing you to inspect and monitor their configuration.

It’s all about connections

It is worth mentioning that the information provided by the snap interface command is a transpose of the data you can obtain by running snap connections. This one-liner allows you to see all the connected snaps for each interface, or all the interfaces defined for each snap (whether they are connected or not).

snap connections
Interface                                     Plug                                       Slot                                                                  Notes
audio-playback                                cncra2yr:audio-playback                    :audio-playback                                                       -
audio-playback                                libreoffice:audio-playback                 :audio-playback                                                       -
audio-playback                                obs-studio:audio-playback                  :audio-playback                                                       -
audio-playback                                vlc:audio-playback                         :audio-playback                                                       -
audio-record                                  obs-studio:audio-record                    :audio-record                                                         -
browser-support                               obs-studio:browser-support                 :browser-support                                                      -
browser-support                               spotify:browser-support                    :browser-support                                                      -
camera                                        obs-studio:camera                          :camera                                                               -
content[gtk-3-themes]                         cncra2yr:gtk-3-themes                      gtk-common-themes:gtk-3-themes                                        -
content[icon-themes]                          cncra2yr:icon-themes                       gtk-common-themes:icon-themes                                         -
content[wine-3-stable]                        cncra2yr:wine-3-stable                     wine-platform-3-stable:wine-3-stable                                  -
content[wine-runtime]                         cncra2yr:wine-runtime                      wine-platform-runtime:wine-runtime                                    -
content[gtk-3-themes]                         cncra:gtk-3-themes                         gtk-common-themes:gtk-3-themes                                        -
content[icon-themes]                          cncra:icon-themes                          gtk-common-themes:icon-themes                                         -
content[wine-3-stable]                        cncra:wine-3-stable                        wine-platform-3-stable:wine-3-stable                                  -
content[wine-runtime]                         cncra:wine-runtime                         wine-platform-runtime:wine-runtime                                    -
content[gnome-3-28-1804]                      gimp:gnome-3-28-1804                       gnome-3-28-1804:gnome-3-28-1804                                       -
content[gtk-3-themes]                         gimp:gtk-3-themes                          gtk-common-themes:gtk-3-themes 

For instance, you may want to know what the kompoZer snaps requires:

snap connections kompozer
Interface               Plug                      Slot                              Notes
content[gtk-2-engines]  kompozer:gtk-2-engines    gtk2-common-themes:gtk-2-engines  -
content[gtk-2-themes]   kompozer:gtk-2-themes     gtk-common-themes:gtk-2-themes    -
content[icon-themes]    kompozer:icon-themes      gtk-common-themes:icon-themes     -
desktop                 kompozer:desktop          :desktop                          -
desktop-legacy          kompozer:desktop-legacy   :desktop-legacy                   -
home                    kompozer:home             :home                             -
removable-media         kompozer:removable-media  -                                 -
unity7                  kompozer:unity7           :unity7                           -
x11                     kompozer:x11              :x11                              -

When it comes to system configuration and inspection, the output provided by this command allows you to focus on specific snaps rather than specific resources. It can also help you troubleshoot any potential problems with snaps at runtime.

A good example here would indeed be kompoZer. The snap has the removable-media interface defined, but for security reasons, it is not auto-connected. This means that if you try to reach and open files that reside on a USB drive, for example, kompoZer will not be able to access them. You can inspect the list of connections that this application uses, quickly determine that the removable-media plug is not connected, and then manually connect it on the command line with snap connect. If you are not comfortable with the command-line, the Ubuntu Software frontend allows you to toggle connections on and off using a simple applet.


The snap interface management functionality gives security-minded Linux users a high degree of granular control over their applications. In this case, unlike social media, you want as few connections for your snaps as possible, without compromising on the functionality. The snap interface and connections commands give you an instant overview of your snap ecosystem state, allowing you to quickly adjust and trim permissions as you go about your Linux adventure.

If you have any comments or suggestions, please join our forum for a discussion.

Photo by israel palacio on Unsplash.

Newsletter Signup

Related posts

The magic behind snap interfaces

Snaps are confined, self-contained applications, designed with portability and security in mind. By default, strictly confined snaps run in isolation, with minimal access to system resources. For instance, they cannot access home, network, audio, or display. To make their snaps usable, developers and publishers can declare a set of interf […]

How to make snaps faster

A great user experience is (or at least, should be) an integral part of any software that involves user interaction. On the desktop, this starts with the application launch, and continues through the session. The overall time to completion of tasks as well as interactive responsiveness are a core element in this journey. If you’re […]

What is an IoT marketplace?

The Internet of Things (IoT) ecosystem is expanding at a rapid rate, with the number of devices growing every year. The increase in physical hardware being manufactured multiplies the amount of software needed to perform various functions on new platforms. There are a range of IoT use cases, including voice-controlling the lights in your […]