Handling interfaces and permissions in your snaps

All snaps downloaded in the stable channel are confined. There is a mode, called "devmode", which sets the snap basically unconfined, meaning it has access to our whole system. Those snaps should only be installed when you fully trust the developers, and they throw away a great part of the snap security model (trust in applications, which can't touch or destroy parts they don't have access to), but it can be convenient, at least for developers. Let's look at interfaces first, which are what confined snaps are using. We'll then shortly explore devmode and what its implications are, before jumping to classic snaps.

Permissions are given through one or multiple interfaces. The snap plug corresponding to that interface will connect to the core slot which declares that same interface. For an easy analogy, think of a plug as an electrical plug, the slot as what you put the plug into, and the interface as the voltage chosen (permissions here) which will be sent over through that interface. Better for both sides to match!

Listing interfaces

First, install the chuck-norris-webserver test snap:

$ snap install chuck-norris-webserver

Now list all available interfaces on our machine:

$ snap interfaces

This list of interfaces evolves over time. It also depends on your hardware capabilities (the gadget snap, to be precise), which defines which additional interfaces your device can expose, like GPIO devices, camera, I2C and such…

You have the confirmation here that chuck-norris-webserver connects its network-bind plug to the network-bind slot from the core snap (slot, plug and interface names are abbreviated when they all match). This interface is used for the daemon to listen on a TCP port, which is kind of useful for a webserver to accept incoming requests on that port! Note that you didn't have to do anything manually. The slot and plugs have been connected automatically. It's similar for the network interface, which is needed by the command line tool to get access to the network. On the contrary, the last line will show that the camera plug isn't connected to the core camera slot.

Indeed, some interfaces will auto-connect on install (the ones considered safe, like having access to the network), some won't (like accessing the user's camera). This default behavior is defined in snapd and the gadget snap of your device. You can refer to relevant tutorials on how to create a device and the gadget snap for overriding the default policy of your device. Let's check that in practice!

Default behavior

Running the command line tool after installing the snap gives us:

$ chuck-norris-webserver.cli
FILE SYSTEM: I see from /etc/os-release that I'm running on Ubuntu Core 16.
CAMERA : Urgh, even Chuck doesn't have access to the camera
HOME ACCESS : What's happening? I can't even read your home directory.
NETWORK : Chuck Norris doesn't pair program.

Indeed, we got a Chuck Norris quote from the network. However, access to the camera and some files in the home directory was denied. It's all making sense!

Giving access to the camera

Let's connect our camera plug to the Ubuntu Core slot before rerunning the application:

$ snap connect chuck-norris-webserver:camera :camera
CAMERA : I can see you, you should smile more!
NETWORK : No statement can catch the ChuckNorrisException.

Of course, we still have access to the network, and the file access still fails.