Verify snap application runs in a container

Question

I'm new to snap (snapd), but from what I have read the snap support sanboxed app environments out of the box (Snap vs Flatpak vs AppImage).

Question: Is it there a way for me to verify that the application itself actually is "sandboxed"? Can I verify that it is running in a container, and how?

Thanks.

Snap applications can run in various confinement models, strict which is default, and classic which allows far more liberal access to your system (ie. can read & write to your file-system much like deb packages can). Don't forget one snap confinement model differs to another. https://snapcraft.io/docs/snap-confinement — guiverc, Sep 03 '20 at 06:33
For chromium (browser) try and upload a file to a website and navigate what looks like your filesystem, at the same time comparing to what's really in those directories. You'll see note the files don't match, as the snap is restricted to a fs that exists within the snap itself. Yes you can add extra directories via snap connect etc, but only within certain limits. (Chromium runs in a strict confinement model) — guiverc, Sep 03 '20 at 06:36
Hmmm, ok. So the snap way of solving this "sandboxing" is to give each application an own filesystem? I didn't quite get the chromium example: If I upload a file, I would think the application (chromium) would copy that file to its dedicated fs, if that makes sense? — user1098490, Sep 03 '20 at 08:23
Sorry, with chromium you're uploading a file to a website (any website), and exploring your 'local' file system looking for a file to upload.. If you navigate to directories where you know a file is located (outside of $HOME; chromium can read any $HOME directory) you'll quickly discover the file-system the snap sees is pretty sparse & empty and doesn't match your real file-system.. snap connect can add /mnt/ and /media/ access, but that's as far as the confinement allows. See also https://askubuntu.com/questions/1184357/why-cant-chromium-suddenly-access-any-partition-except-for-home — guiverc, Sep 03 '20 at 08:56
Ok, yeah - that makes sense. Can only access files in HOME-directory. Thanks- — user1098490, Sep 03 '20 at 11:12

score 0 · Accepted Answer · answered Sep 03 '20 at 09:46

0

You can verify the snap confinement mode with the command snap info --verbose , e.g.

snap info --verbose chromium
name:    chromium
...
notes:               
...
  confinement:       strict
  devmode:           false
...

List your installed snaps with snap list.

answered Sep 03 '20 at 09:46

vanadium

88,010

Yes, that's the confinement value, but I have read that Ubuntu (X11) does not support the isolation that snap comes with. – user1098490 Sep 03 '20 at 10:16
The confinement value confirms that your app is sandboxed, and has only access to specific parts of the system as specified by the allowed "interfaces". If you want to challenge something you have read, then ask that directly in a new question. Your current question is "verify it runs in a container". – vanadium Sep 03 '20 at 10:27

Verify snap application runs in a container

1 Answers1