Snap confinement determines the amount of access an application has to system resources, such as files, the network, peripherals and services. There are several levels of confinement.
Confinement ensures that individual pieces of software do not impact the robustness of the user’s system or cause issues with other applications. As a result, when the user runs a snap, the software it provides is isolated from the system to some degree, with a default that limits access to a strict minimum of features.
A snap’s confinement level controls the degree of isolation it has from the user’s system. Application developers or packagers can adjust the confinement level to specify in broad terms how much access to system resources an application needs, either for normal use or during development.
There are two levels of snap confinement for published snaps:
--classic
command line argument.An additional mode is useful during the development process:
--devmode
command line argument. Devmode snaps cannot be released to the stable channel, do not appear in search results, and do not automatically refresh.Strict confinement uses security features of the Linux kernel, including AppArmor, seccomp and namespaces, to prevent applications and services accessing the wider system.
Use the snap
command to discover the confinement level for a snap:
$ snap info --verbose vlc
[...]
confinement: strict
devmode: false
[...]
To see which installed snaps are using classic confinement, look for classic under the Notes column in the output of snap list
:
$ snap list
Name Version Rev Tracking Publisher Notes
vlc 3.0.6 770 stable videolan✓ -
code 0dd516dd 5 stable vscode✓ classic
wormhole 0.11.2 112 stable snapcrafters -
Snaps with strict confinement must use interfaces to access resources on the user’s system, including those provided by other snaps.
Last updated 1 year, 3 months ago.