Snap Application Permissions
We have already written about snaps and their advantages over other application packaging systems. Compared with RPM and DEB packages, snaps update automatically in the background, so applications stay up to date and receive bug fixes more frequently.
A snap app is packaged with all of its dependencies, which makes it very large compared with other package formats. Other disadvantages are the old-style cursor in some applications and configuration or data loss with the Snapcrafters version of Eclipse (note that this is not an official release from eclipse.org; if you want an official release, grab it here). But this doesn't mean that snaps are all disadvantages; below you can see some advantages:
- Applications are always up to date regardless of your distro version. You just need to have snapd installed on your distro and you are good to go. You can see here if your distro supports snaps.
- The applications are mostly sandboxed (you will see below why it is mostly and not all), which means that if an app contains malware, it can't affect the whole system.
- If your application crashes and you need a previous version, you can choose an older revision and use it right away. Reverting takes less than 5 seconds, but note that the app must have been updated at least once for this to work. After a new version of the same app is released, snap-core jumps straight to it, skipping the version with the problem.
Snaps also have several types of application confinement, but we will mention only the 2 most important:
- Strict – The application only has permission to its snap home folder location /snap/<appname>; it can't write to the root folder;
- Classic – The application works almost like a DEB application with the advantage of automatic updates, but this type of confinement has permission to the whole system (root folder, home folder, etc.). One small difference: the files of this type of application are set as read-only, making it difficult for malware to change them.
How can my app access the home folder if it only has access to its snap home folder?
Snaps have plugs that enable certain application functionality; these plugs can be called permissions and interfaces. The interfaces are declared in the YAML file when the snap application is built. Some plugs are connected by default; two examples are the plug for the home folder and the plug for the network.
Other plugs have to be connected manually by the user, for example the plugs for removable media and for printing services (cups-control).
Sometimes an application needs auto-connection for plugs that don't allow it; this is where snap reviewers come in.
Manual connection can reduce the performance or functionality of such applications. Snap reviewers analyze whether the application really needs those special plugs auto-connected, and through a voting method the application can be granted automatic connection.
Connected interfaces can be viewed in the Software Store or on the command line, where a user with sufficient permissions can connect or remove plugs.
[Image: the GIMP application]
[Image: its permissions]
On the command line, it looks like this:
    $ snap interfaces gimp
    Slot     plug
    :home    gimp, gnome-characters, gnome-logs
    -        gimp:cups-control
    -        gimp:removable-media
    -        (...)
The code and image above show that printing and removable media don't have any permissions. To change a permission, the user must act as a superuser to change the interface's status.
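To review at a glance which permissions a snap actually holds, the listing above can be parsed. The script below is an added example, not code from the original article or from the snapd project; the function names and the sample listing (including its `:network` row) are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): report which plugs of a snap
# are connected, reading the two-column "Slot / plug" listing shown above.

# Constructed sample modelled on the gimp listing; the :network row is an
# assumption based on the article's note that network is connected by default.
sample_listing() {
    cat <<'EOF'
Slot      plug
:home     gimp, gnome-characters, gnome-logs
:network  gimp
-         gimp:cups-control
-         gimp:removable-media
(...)
EOF
}

# plug_status SNAP < listing
# Prints "connected <slot>" or "disconnected <plug>" for each row naming SNAP.
plug_status() {
    awk -v snap="$1" '
        NR == 1 && $1 == "Slot" { next }             # header row
        NF < 2 { next }                              # blank or elided rows
        {
            slot = $1
            rest = $0
            sub(/^[ \t]*[^ \t]+[ \t]+/, "", rest)    # drop the slot column
            n = split(rest, plugs, /[ \t]*,[ \t]*/)  # plug column is comma-separated
            for (i = 1; i <= n; i++) {
                p = plugs[i]
                sub(/[ \t]+$/, "", p)
                # A row entry is either "snap" or "snap:plugname".
                if (p != snap && index(p, snap ":") != 1) continue
                if (slot == "-") {                   # "-" means no slot attached
                    sub(/^[^:]*:/, "", p)
                    print "disconnected " p
                } else {
                    name = slot
                    sub(/^.*:/, "", name)            # ":home" -> "home"
                    print "connected " name
                }
            }
        }'
}

# Plugs that still need a manual connection by a superuser.
unconnected_plugs() {
    plug_status "$1" | awk '$1 == "disconnected" { print $2 }'
}

sample_listing | plug_status gimp
```

On a live system, pipe `snap interfaces gimp` into `plug_status gimp` instead of the sample.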
Conclusion
Snap applications have come to make our lives much easier: we can now install applications with just one click and forget about updates. There are no PPAs to add, and you don't have to check whether you missed a new version of an app. Have you used a snap application? Give it a try and leave your thoughts below.
SOURCE: https://blog.ubuntu.com/2018/11/01/a-guide-to-snap-permissions-and-interfaces