Home / ubuntu / Questions / 1218972
Accepted
Parsa Mousavi
Asked: 2020-03-22 02:05:49 +0800 CST

Runtime environment of the Snap programs

  • 772

What is the technique used by snap to sandbox programs in Strict confinement ?
How much isolation does it provide ?
Does it make use of chroot , apparmor , etc. ?

software-installation snap

1 Answers

  1. Best Answer

    As stated here:

    Strict confinement uses security features of the Linux kernel, including AppArmor, seccomp and namespaces, to prevent applications and services accessing the wider system.

    If a snap with Strict confinement wants to access other system resources such as network and camera , it should use Interfaces. As stated here :

    When a snap needs to access a resource outside of its own confinement, it uses an interface. Interfaces enable resources from one snap to be shared with another.

    Interfaces are commonly used to enable a snap to access OpenGL acceleration, sound playback or recording, your network and your $HOME directory. But which interfaces a snap requires, and provides, is very much dependent on the type of snap and its own requirements.

    To see which interfaces a snap is using, type snap connections "snapname"

    If you (in fact I) want to install and use a package in non-strict (classical) confinement , you should add the option --classic to the snap install command and if the classical version of the package is present , it should be installed.

    • 0