Why are Snap packages marketed as "sandboxed" when they are not sandboxed in actual usage

I can open the default chromium snap on my Ubuntu 20.04 computer. I then right click on the defualt homepage, click Save As, navigate to my ~/home directory, and can proceed to save the .html file anywhere in my home directory.

Why are Snap packages marketed as "sandboxed" when they are not sandboxed in actual usage? If the chromium snap can read/write to my home directory, the chromium program, in essence, has the keys to my castle.

The average person (e.g. me) is most familiar with smartphone environments and likely understands sandboxing as meaning something like:

An app or program shall not have access to any system resource without obtaining explicit permission for said resource, by the system owner.

This is the Android and iOS paradigm I'm used to. And looking at Ubuntu documentation it seems they claim this, when in reality it's not true:

... each package is sandboxed so that it runs in a constrained environment, isolated from the rest of the system...

Or, am I missing something here?

2

3 Answers

The chromium snap package is properly confined (no classic confinement). The snap package developers for chromium picked and chose the appropriate connections so that the package is nicely confined.

To see the list of connections, run the following. You can use that the snap package has access to your home directory, an access right that is enabled on request on the Snap Store, on a per-case basis.

$ snap connections chromium
Interface Plug Slot Notes
audio-playback chromium:audio-playback :audio-playback -
audio-record chromium:audio-record :audio-record -
bluez chromium:bluez :bluez -
browser-support chromium:browser-sandbox :browser-support -
camera chromium:camera :camera -
content[gtk-3-themes] chromium:gtk-3-themes gtk-common-themes:gtk-3-themes -
content[icon-themes] chromium:icon-themes gtk-common-themes:icon-themes -
content[sound-themes] chromium:sound-themes gtk-common-themes:sound-themes -
cups-control chromium:cups-control :cups-control -
desktop chromium:desktop :desktop -
gsettings chromium:gsettings :gsettings -
home chromium:home :home -
joystick chromium:joystick :joystick -
mount-observe chromium:mount-observe - -
mpris - chromium:mpris -
network chromium:network :network -
network-bind chromium:network-bind :network-bind -
network-manager chromium:network-manager - -
opengl chromium:opengl :opengl -
password-manager-service chromium:password-manager-service - -
personal-files chromium:chromium-config :personal-files -
pulseaudio chromium:pulseaudio - -
raw-usb chromium:raw-usb - -
removable-media chromium:removable-media :removable-media -
screen-inhibit-control chromium:screen-inhibit-control :screen-inhibit-control -
u2f-devices chromium:u2f-devices :u2f-devices -
unity7 chromium:unity7 :unity7 -
upower-observe chromium:upower-observe :upower-observe -
x11 chromium:x11 :x11 -
2

Snaps installed with --classic aren't sandboxed.

...from man snap

--classic Put snap in classic mode and disable security confinement

It makes more sense to restrict some programs, and less other ones.

2

Actually, it's perhaps closer to the Android model than you think.

Snap access to the rest of the system is defined by a set of interfaces. One interface for network, another interface for bluetooth, another interface for /home dir (top level only), another interface for all of /home dir, etc.

The allowed interfaces for a snap are listed in the Snapcraft YAML file. Snapd uses that YAML file to implement access control. This is intended to set the baseline minimum access for the application to function properly .

After a snap is installed, you (the admin) can explicitly turn any of those interfaces off (or on) using snapd. You have control.

Your Answer

Sign up or log in

Sign up using Google Sign up using Facebook Sign up using Email and Password

Post as a guest

By clicking “Post Your Answer”, you agree to our terms of service, privacy policy and cookie policy

You Might Also Like