I can open the default chromium snap on my Ubuntu 20.04 computer. I then right click on the default homepage, click Save As, navigate to my ~/home directory, and can proceed to save the .html file anywhere in my home directory.
Why are Snap packages marketed as "sandboxed" when they are not sandboxed in actual usage? If the chromium snap can read/write to my home directory, the chromium program, in essence, has the keys to my castle.
The average person (e.g. me) is most familiar with smartphone environments and likely understands sandboxing as meaning something like:
An app or program shall not have access to any system resource without obtaining explicit permission for said resource, by the system owner.
This is the Android and iOS paradigm I'm used to. And looking at Ubuntu documentation it seems they claim this, when in reality it's not true:
... each package is sandboxed so that it runs in a constrained environment, isolated from the rest of the system...
Or, am I missing something here?
The chromium snap package is properly confined (no classic confinement). The snap package developers for chromium picked and chose the appropriate connections so that the package is nicely confined.
To see the list of connections, run the following. You can see that the snap package has access to your home directory, an access right that is enabled on request on the Snap Store, on a per-case basis.
Snaps installed with --classic aren't sandboxed. ...from man snap

It makes more sense to restrict some programs more, and others less.
Actually, it's perhaps closer to the Android model than you think.
Snap access to the rest of the system is defined by a set of interfaces. One interface for network, another interface for bluetooth, another interface for /home dir (top level only), another interface for all of /home dir, etc.
The allowed interfaces for a snap are listed in the Snapcraft YAML file. Snapd uses that YAML file to implement access control. This is intended to set the baseline minimum access for the application to function properly.
After a snap is installed, you (the admin) can explicitly turn any of those interfaces off (or on) using snapd. You have control.
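Both answers above point at the same check: list the connections the chromium snap was granted, notice that "home" is among them, and disconnect it if you do not want the browser writing into your home directory. The script below is an added example, not part of either answer or of snapd itself. It assumes the four-column output format of "snap connections <snap>" (Interface, Plug, Slot, Notes, with "-" in the Slot column when a plug is not connected) and parses a constructed sample of that output so it runs offline; the live "snap" commands only run when snapd is actually installed.

```shell
#!/bin/sh
# Added example, not from the original answers. Assumes `snap connections <snap>`
# prints four whitespace-separated columns (Interface Plug Slot Notes) and shows
# "-" in the Slot column for a plug that is currently disconnected.

# Constructed sample of `snap connections chromium` output (not captured from a
# real host); removable-media is shown as a plug that is not connected.
SAMPLE='Interface        Plug                      Slot               Notes
audio-playback   chromium:audio-playback   :audio-playback    -
home             chromium:home             :home              -
network          chromium:network          :network           -
removable-media  chromium:removable-media  -                  -'

# Print the names of connected interfaces, one per line.
# $1: text in the `snap connections` format. Header row is skipped; a row is
# "connected" when its Slot column is anything other than "-".
connected_interfaces() {
    printf '%s\n' "$1" | awk 'NR > 1 && $3 != "-" { print $1 }'
}

# Exit 0 if interface $2 is connected in the connections text $1, else 1.
is_connected() {
    connected_interfaces "$1" | grep -qx "$2"
}

# Audit the sample: which interfaces give chromium reach outside its sandbox?
echo "connected interfaces in sample:"
connected_interfaces "$SAMPLE"

# Live check, only on a host that actually has snapd. The same two commands are
# what an admin uses to revoke or restore the home interface:
#   sudo snap disconnect chromium:home
#   sudo snap connect    chromium:home
if command -v snap >/dev/null 2>&1; then
    live=$(snap connections chromium 2>/dev/null) || true
    if is_connected "$live" home; then
        echo "chromium:home is connected; revoke with: sudo snap disconnect chromium:home"
    else
        echo "chromium:home is not connected; chromium cannot write directly to \$HOME"
    fi
fi
```

Disconnecting "home" is what turns the smartphone-style expectation from the question into reality for this snap: the browser keeps network access but loses the blanket grant to the top level of your home directory, and file saves then have to go through the desktop portal or a directory the snap still owns.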