Question

2

Why are Snap packages marketed as "sandboxed" when they are not sandboxed in actual usage

rated 0 times [ 2] [ 0] / answers: 1 / hits: 2366 / 2 Years ago, sat, february 5, 2022, 2:26:35

I can open the default chromium snap on my Ubuntu 20.04 computer. I then right click on the defualt homepage, click Save As, navigate to my ~/home directory, and can proceed to save the .html file anywhere in my home directory.

Why are Snap packages marketed as "sandboxed" when they are not sandboxed in actual usage? If the chromium snap can read/write to my home directory, the chromium program, in essence, has the keys to my castle.

The average person (e.g. me) is most familiar with smartphone environments and likely understands sandboxing as meaning something like:

An app or program shall not have access to any system resource without obtaining explicit permission for said resource, by the system owner.

This is the Android and iOS paradigm I'm used to. And looking at Ubuntu documentation it seems they claim this, when in reality it's not true:

... each package is sandboxed so that it runs in a constrained environment, isolated from the rest of the system...

Or, am I missing something here?

Answers

Only authorized users can answer the question. Please sign in first, or register a free account.

ardtry

Add To Favorites

Follow

Total Points: 254

Total Questions: 99

Total Answers: 114

Location: Finland

Member since Fri, Oct 21, 2022

2 Years ago

ardtry questions

1 udev does not create symlink

Fri, Feb 4, 22, 21:34, 2 Years ago

1 When will GNOME 40 have the desktop interface for Ubuntu?

Sat, Nov 20, 21, 18:58, 3 Years ago

1 Unable to boot Ubuntu 20.04 LTS, always end up in busybox

Sat, May 22, 21, 18:00, 3 Years ago

1 Default audio device (typically built-in analog) does not show in Kubuntu 20.10

Mon, Jun 13, 22, 15:14, 2 Years ago

1 Global 24-hour time format in KDE Plasma

Thu, May 12, 22, 15:07, 2 Years ago

View All

answered 2 Years ago lowovey · Accepted Answer

The chromium snap package is properly confined (no classic confinement).
The snap package developers for chromium picked and chose the appropriate connections so that the package is nicely confined.

To see the list of connections, run the following. You can use that the snap package has access to your home directory, an access right that is enabled on request on the Snap Store, on a per-case basis.

$ snap connections chromium

Interface                 Plug                               Slot                            Notes

audio-playback            chromium:audio-playback            :audio-playback                 -

audio-record              chromium:audio-record              :audio-record                   -

bluez                     chromium:bluez                     :bluez                          -

browser-support           chromium:browser-sandbox           :browser-support                -

camera                    chromium:camera                    :camera                         -

content[gtk-3-themes]     chromium:gtk-3-themes              gtk-common-themes:gtk-3-themes  -

content[icon-themes]      chromium:icon-themes               gtk-common-themes:icon-themes   -

content[sound-themes]     chromium:sound-themes              gtk-common-themes:sound-themes  -

cups-control              chromium:cups-control              :cups-control                   -

desktop                   chromium:desktop                   :desktop                        -

gsettings                 chromium:gsettings                 :gsettings                      -

home                      chromium:home                      :home                           -

joystick                  chromium:joystick                  :joystick                       -

mount-observe             chromium:mount-observe             -                               -

mpris                     -                                  chromium:mpris                  -

network                   chromium:network                   :network                        -

network-bind              chromium:network-bind              :network-bind                   -

network-manager           chromium:network-manager           -                               -

opengl                    chromium:opengl                    :opengl                         -

password-manager-service  chromium:password-manager-service  -                               -

personal-files            chromium:chromium-config           :personal-files                 -

pulseaudio                chromium:pulseaudio                -                               -

raw-usb                   chromium:raw-usb                   -                               -

removable-media           chromium:removable-media           :removable-media                -

screen-inhibit-control    chromium:screen-inhibit-control    :screen-inhibit-control         -

u2f-devices               chromium:u2f-devices               :u2f-devices                    -

unity7                    chromium:unity7                    :unity7                         -

upower-observe            chromium:upower-observe            :upower-observe                 -

x11                       chromium:x11                       :x11                            -