A snap’s confinement level is the degree of isolation it has from your system. There are three levels of snap confinement:
--classiccommand line argument.
--devmodecommand line argument.
Strict confinement uses security features of the Linux kernel, including AppArmor, seccomp and namespaces, to prevent applications and services accessing the wider system.
You can discover the confinement mode for any snap using the
snap info --verbose command:
$ snap info --verbose vlc [...] confinement: strict devmode: false [...]
To see which installed snaps are using classic confinement, look for classic under the Notes column in the output of
$ snap list Name Version Rev Tracking Publisher Notes vlc 3.0.6 770 stable videolan✓ - vscode 1.30.2-1546901646 75 stable snapcrafters classic wormhole 0.11.2 112 stable snapcrafters -
Each snap’s interface is carefully selected by a snap’s creator to provide specific access to a resource, according to a snap’s requirements. Common interfaces provide network access, desktop access and sound for example.
An interface needs to be connected to be active, and connections are made either automatically (at install time) or manually, depending on their function. The desktop interface is connected automatically, for instance, whereas the camera interface is not. See the Auto-connect column in Supported interfaces table for details on whether an interface automatically connects or not.
As with classic confinement, a snap’s publisher can request an assertion to automatically connect an otherwise non-auto-connecting interface. For example, the guvcview snap requested the camera interface be automatically-connected when the snap is installed.
If a snap is upgraded and includes a new assertion, the user will still need to connect the interface manually. Similarly, if an installed classic snap is upgraded to use strict confinement, its interfaces won’t be automatically configured.
ⓘ Overriding a strictly confined snap with
--classicis not recommended. This undoes the confinement and causes unpredictable behaviour.
You can see which interfaces are connected and disconnected with the
snap interfaces command (
vlc:camera is disconnected in the following example):
$ snap interfaces vlc Slot Plug :desktop ffmpeg,spotify,vlc :home spotify,vlc :network spotify,vlc :pulseaudio ffmpeg,spotify,vlc - vlc:camera
See Interface management for further details, including how to disconnect interfaces and make manual connections.