Ubuntu Posted September 15, 2020 Share Posted September 15, 2020 One of the defining features of snaps is their strong security. Snaps are designed to run isolated from the underlying system, with granular control and access to specific resources made possible through a mechanism of interfaces. Think of it as a virtual USB cable – an interface connects a plug with a slot. Security and privacy conscious users will certainly be interested in knowing more about their snaps – what they can do and which resources they need at runtime. To that end, you can use the handy snap interface and snap connections commands. Aw, snap…interface! The snap interface command allows you to see the list of all the different snaps that have been granted access (automatically or manually) to any of the supported snap interfaces. This way, at a glance, you can have an immediate mapping of the system access for your snaps. For instance: snap interface homename: homesummary: allows access to non-hidden files in the home directoryplugs: - cncra - cncra2yr - cppcheck - doctl - gimp - heimer - icdiff - irfanview The output provides an explanation of what the interface does, and then the list of all the connected plugs for the home interface. Similarly, you can also see the list of all the interfaces that have at least one plug on your system. snap interface...desktop-legacy allows privileged access to desktop legacy methodsgsettings allows access to any gsettings item of current userhardware-observe allows reading information about system hardwarehome allows access to non-hidden files in the home directorykernel-module-control allows insertion, removal and querying of kernel moduleslog-observe allows read access to system logslxd-support allows operating as the LXD servicenetwork allows access to the networknetwork-bind allows operating as a network servicenetwork-control allows configuring networking and network namespacesnetwork-manager allows operating as the NetworkManager serviceopengl allows access to OpenGL stack... From a security and/or privacy perspective, you can quickly inspect your system and determine whether there are any potential gaps in your baseline, or whether there are applications that have the ability to utilise resources that you may not necessarily want to allow. This can be quite useful if you have devices that are not necessarily used in an interactive way, like IoT gateways, allowing you to inspect and monitor their configuration. It’s all about connections It is worth mentioning that the information provided by the snap interface command is a transpose of the data you can obtain by running snap connections. This one-liner allows you to see all the connected snaps for each interface, or all the interfaces defined for each snap (whether they are connected or not). snap connectionsInterface Plug Slot Notesaudio-playback cncra2yr:audio-playback :audio-playback -audio-playback libreoffice:audio-playback :audio-playback -audio-playback obs-studio:audio-playback :audio-playback -audio-playback vlc:audio-playback :audio-playback -audio-record obs-studio:audio-record :audio-record -browser-support obs-studio:browser-support :browser-support -browser-support spotify:browser-support :browser-support -camera obs-studio:camera :camera -content[gtk-3-themes] cncra2yr:gtk-3-themes gtk-common-themes:gtk-3-themes -content[icon-themes] cncra2yr:icon-themes gtk-common-themes:icon-themes -content[wine-3-stable] cncra2yr:wine-3-stable wine-platform-3-stable:wine-3-stable -content[wine-runtime] cncra2yr:wine-runtime wine-platform-runtime:wine-runtime -content[gtk-3-themes] cncra:gtk-3-themes gtk-common-themes:gtk-3-themes -content[icon-themes] cncra:icon-themes gtk-common-themes:icon-themes -content[wine-3-stable] cncra:wine-3-stable wine-platform-3-stable:wine-3-stable -content[wine-runtime] cncra:wine-runtime wine-platform-runtime:wine-runtime -content[gnome-3-28-1804] gimp:gnome-3-28-1804 gnome-3-28-1804:gnome-3-28-1804 -content[gtk-3-themes] gimp:gtk-3-themes gtk-common-themes:gtk-3-themes For instance, you may want to know what the kompoZer snaps requires: snap connections kompozerInterface Plug Slot Notescontent[gtk-2-engines] kompozer:gtk-2-engines gtk2-common-themes:gtk-2-engines -content[gtk-2-themes] kompozer:gtk-2-themes gtk-common-themes:gtk-2-themes -content[icon-themes] kompozer:icon-themes gtk-common-themes:icon-themes -desktop kompozer:desktop :desktop -desktop-legacy kompozer:desktop-legacy :desktop-legacy -home kompozer:home :home -removable-media kompozer:removable-media - -unity7 kompozer:unity7 :unity7 -x11 kompozer:x11 :x11 - When it comes to system configuration and inspection, the output provided by this command allows you to focus on specific snaps rather than specific resources. It can also help you troubleshoot any potential problems with snaps at runtime. A good example here would indeed be kompoZer. The snap has the removable-media interface defined, but for security reasons, it is not auto-connected. This means that if you try to reach and open files that reside on a USB drive, for example, kompoZer will not be able to access them. You can inspect the list of connections that this application uses, quickly determine that the removable-media plug is not connected, and then manually connect it on the command line with snap connect. If you are not comfortable with the command-line, the Ubuntu Software frontend allows you to toggle connections on and off using a simple applet. Summary The snap interface management functionality gives security-minded Linux users a high degree of granular control over their applications. In this case, unlike social media, you want as few connections for your snaps as possible, without compromising on the functionality. The snap interface and connections commands give you an instant overview of your snap ecosystem state, allowing you to quickly adjust and trim permissions as you go about your Linux adventure. If you have any comments or suggestions, please join our forum for a discussion. Photo by israel palacio on Unsplash. View the full article Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.