SNAP-CONFINE(5)                               snappy                              SNAP-CONFINE(5)

       snap-confine - internal tool for confining snappy applications

          snap-confine SECURITY_TAG COMMAND [...ARGUMENTS]

       snap-confine is a program used internally by snapd to construct a confined execution
       environment for snap applications.

       The snap-confine program does not support any options.

   Apparmor profiles
       snap-confine switches to the apparmor profile $SECURITY_TAG. The profile is mandatory  and
       snap-confine will refuse to run without it.

       The profile has to be loaded into the kernel prior to using snap-confine. Typically this
       is arranged for by snapd. The profile contains a rich description of what the application
       process is allowed to do; this includes system calls, file paths, access patterns, Linux
       capabilities, etc. The apparmor profile can also do extensive dbus mediation. Refer to
       apparmor documentation for more details.

   Seccomp profiles
       snap-confine  looks  for the /var/lib/snapd/seccomp/profiles/$SECURITY_TAG file. This file
       is mandatory and snap-confine will refuse to run without it.

       The file is read and parsed using a custom syntax that describes the set of allowed system
       calls  and  optionally  their  arguments.  The profile is then used to confine the started

       As a security precaution disallowed system calls cause the started application  executable
       to  be  killed by the kernel. In the future this restriction may be lifted to return EPERM

   Mount profiles
       snap-confine looks for the /var/lib/snapd/mount/$SECURITY_TAG.fstab file. If present it
       is read, parsed and treated like a typical fstab(5) file. The mount directives listed
       there are executed in order. All directives must succeed as any failure will abort
       execution.

       By  default  all  mount  entries  start with the following flags: bind, ro, nodev, nosuid.
       Some of those flags can be reversed by an appropriate option (e.g. rw can cause the  mount
       point to be writable).

       As a security precaution only bind mounts are supported at this time.
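
       The mount profile rules above (default flags, the rw reversal, bind-only) written as a
       small profile linter. This is an added example, not snap-confine's own code; the F_* bits,
       the return codes, the sample paths and the choice to reject any option other than bind,
       ro, rw, nodev and nosuid are assumptions of the example.

```c
/* Added example, not snap-confine source; F_* stand in for mount(2) MS_* flags. */
#include <stdio.h>
#include <string.h>

enum { F_BIND = 1, F_RO = 2, F_NODEV = 4, F_NOSUID = 8 };
enum { ENTRY_OK = 0, MALFORMED = -1, NOT_BIND = -2, UNREVIEWED_OPT = -3 };
static const char SAMPLE[] =
    "# constructed sample profile, paths are made up\n"
    "/snap/example/1/etc /etc/example none bind,ro 0 0\n"
    "/var/snap/example/common /mnt/common none bind,rw 0 0\n"
    "/dev/sdb1 /mnt/disk ext4 rw 0 0\n";

/* Check one fstab(5)-style line; on ENTRY_OK, *flags holds the effective flags. */
int audit_entry(const char *line, unsigned *flags) {
    char src[256], dst[256], type[64], opts[256];
    int saw_bind = 0;
    if (sscanf(line, "%255s %255s %63s %255s", src, dst, type, opts) != 4)
        return MALFORMED;
    *flags = F_BIND | F_RO | F_NODEV | F_NOSUID;  /* defaults from the page */
    for (char *o = strtok(opts, ","); o; o = strtok(NULL, ",")) {
        if (!strcmp(o, "bind")) saw_bind = 1;
        else if (!strcmp(o, "rw")) *flags &= ~(unsigned)F_RO;  /* named on the page */
        else if (strcmp(o, "ro") && strcmp(o, "nodev") && strcmp(o, "nosuid"))
            return UNREVIEWED_OPT;  /* assumption: other options need review */
    }
    return saw_bind ? ENTRY_OK : NOT_BIND;  /* only bind mounts are supported */
}

/* Walk the profile in order; the first bad entry rejects all of it. Returns 0
 * or the failing 1-based line number; *writable counts rw entries before it. */
int audit_profile(const char *text, int *writable) {
    char line[1024];
    unsigned flags;
    int n = 1;
    for (*writable = 0; *text; n++) {
        size_t len = strcspn(text, "\n");
        snprintf(line, sizeof line, "%.*s", (int)len, text);
        text += len + (text[len] == '\n');
        char first = line[strspn(line, " \t")];
        if (first == '#' || first == '\0') continue;  /* comment or blank */
        if (audit_entry(line, &flags) != ENTRY_OK) return n;
        *writable += !(flags & F_RO);
    }
    return 0;
}

int main(void) {
    int rw, bad = audit_profile(SAMPLE, &rw);
    return printf("first rejected line: %d, writable before it: %d\n", bad, rw) < 0;
}
```

       Entries that drop the read-only default are the ones worth reviewing first, since they
       give the confined application a writable path outside its own data directories.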

       snap-confine contains a quirk system that emulates some of the behavior of the older
       versions of snap-confine that certain snaps (still in devmode but useful and important)
       have grown to rely on. This section documents the list of quirks:

       · The /var/lib/lxd directory, if it exists on the host, is made available in the execution
         environment. This allows various snaps, while running in  devmode,  to  access  the  LXD
         socket. LP: #1613845

   Sharing of the mount namespace
       As  of  version  1.0.41  all the applications from the same snap will share the same mount
       namespace. Applications from different snaps continue to use separate mount namespaces.

       snap-confine responds to the following environment variables:

              When defined the program will print additional  diagnostic  information  about  the
              actions being performed. All the output goes to stderr.

       The  following variables are only used when snap-confine is not setuid root.  This is only
       applicable when testing the program itself.

              Internal variable that should not be relied upon.

              Internal variable that should not be relied upon.

              Internal variable that should not be relied upon.

              Full path to the directory like /home/$LOGNAME/snap/$SNAP_NAME/$SNAP_REVISION.

              This directory is created by snap-confine on startup. This is a  temporary  feature
              that  will be merged into snapd's snap-run command. The set of directories that can
              be created is confined with apparmor.

       snap-confine uses the following files:

          Description of the mount profile.

          Description of the seccomp profile.

          Directory used to keep shared mount namespaces.

          snap-confine internally converts this directory to a private bind mount.   Semantically
          the behavior is identical to the following mount commands:

          mount --bind /run/snapd/ns /run/snapd/ns
          mount --make-private /run/snapd/ns

          A  flock(2)-based  lock file acquired to create and convert /run/snapd/ns/ to a private
          bind mount.

          A flock(2)-based lock file acquired to create or join the mount namespace represented
          as /run/snapd/ns/$SNAP_NAME.mnt.

          This file can be either:

          · An  empty  file  that may be seen before the mount namespace is preserved or when the
            mount namespace is unmounted.

          · A file belonging to the nsfs file system, representing a fully populated mount
            namespace of a given snap. The file is bind mounted from /proc/self/ns/mnt from the
            first process in any snap.
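
          The two states listed above can be told apart with stat(2) and statfs(2). The check
          below is an added example, not snap-confine's own code; the function and enum names
          are assumptions of the example, and NSFS_MAGIC is the nsfs magic number from the
          kernel's linux/magic.h.

```c
/* Added example, not snap-confine source: classify a preserved-namespace file
 * such as /run/snapd/ns/$SNAP_NAME.mnt into the states the page lists. */
#include <errno.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/vfs.h>

#ifndef NSFS_MAGIC
#define NSFS_MAGIC 0x6e736673   /* "nsfs", value from linux/magic.h */
#endif

enum ns_state { NS_MISSING, NS_PLACEHOLDER, NS_PRESERVED, NS_UNEXPECTED };

/* Pure decision: file system magic, file kind and size -> state. The magic is
 * tested first because a bind-mounted nsfs file also looks like an empty file. */
enum ns_state ns_classify(long fs_magic, int is_regular, long long size)
{
    if (fs_magic == NSFS_MAGIC)
        return NS_PRESERVED;      /* bind mount of /proc/self/ns/mnt */
    if (is_regular && size == 0)
        return NS_PLACEHOLDER;    /* not yet preserved, or already unmounted */
    return NS_UNEXPECTED;         /* neither documented state: investigate */
}

/* Inspect a path on the running system and classify it. */
enum ns_state ns_inspect(const char *path)
{
    struct stat st;
    struct statfs fs;

    if (stat(path, &st) != 0)
        return errno == ENOENT ? NS_MISSING : NS_UNEXPECTED;
    if (statfs(path, &fs) != 0)
        return NS_UNEXPECTED;
    return ns_classify((long)fs.f_type, S_ISREG(st.st_mode), (long long)st.st_size);
}

int main(int argc, char **argv)
{
    static const char *names[] = { "missing", "placeholder", "preserved", "unexpected" };

    for (int i = 1; i < argc; i++)
        printf("%s: %s\n", argv[i], names[ns_inspect(argv[i])]);
    return 0;
}
```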

          This file is read to decide if /run/snapd/ns/ needs to be created and  converted  to  a
          private bind mount, as described above.

       Note that the apparmor profile is external to snap-confine and is loaded directly into the
       kernel. The actual apparmor profile is managed by snapd.

       Please report all bugs with https://bugs.launchpad.net/snap-confine/+filebug


       Canonical Ltd.

1.0.43                                      2016-10-05                            SNAP-CONFINE(5)

