Snap Execution Environment
Snap applications and hooks execute in a specially crafted environment. The word environment does not merely refer to environment variables but to the set of observable properties of the system.
When a snap application is started, this is typically done by executing one of the programs in the /snap/bin/ directory. A curious observer will notice that all such applications are symbolic links to /usr/bin/snap. The snap executable detects this and behaves as if snap run had been invoked. This locates the correct snap and application name and proceeds to exec the first helper program, snap-confine.
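The symlink layout described above can be checked on a host. The following is an added example, not part of the snapd wiki or of snapd itself: it flags any entry in a launcher directory that is not a symbolic link to /usr/bin/snap. The function names and the sample directory are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a snap launcher directory (not snapd code).
# Every entry is expected to be a symlink whose literal target is the
# snap executable, as the page describes for /snap/bin/.

audit_snap_bin() {
    dir=$1
    expected=${2:-/usr/bin/snap}   # target named on the page
    bad=0
    for entry in "$dir"/*; do
        # Skip the unexpanded glob of an empty directory.
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        name=${entry##*/}
        if [ ! -L "$entry" ]; then
            echo "NOT_SYMLINK $name"
            bad=1
            continue
        fi
        target=$(readlink "$entry")
        if [ "$target" = "$expected" ]; then
            echo "OK $name"
        else
            echo "WRONG_TARGET $name -> $target"
            bad=1
        fi
    done
    return "$bad"
}

# Constructed sample directory standing in for /snap/bin/.
make_sample_bin() {
    d=$(mktemp -d)
    ln -s /usr/bin/snap "$d/foo"          # normal launcher
    ln -s /tmp/other "$d/bar"             # points somewhere else
    printf '#!/bin/sh\n' > "$d/baz"       # regular file, not a link
    echo "$d"
}

sample=$(make_sample_bin)
audit_snap_bin "$sample" || echo "deviations found in $sample"
rm -rf "$sample"
```

On a real host, call audit_snap_bin /snap/bin; a non-zero exit status means at least one launcher would not go through snap run and snap-confine.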
The purpose of snap-confine is twofold: as the name implies, it is responsible for confining the started process by establishing the security sandbox. In addition, it sets up the mount namespace of the process in a way that will be described below.
Confined and in a modified mount namespace, snap-confine proceeds to run (no longer with elevated permissions) the last of the helper programs, called snap-exec. The purpose of that program is to parse the snap.yaml file belonging to the application that is being started and execute the command listed there.
All of the transitions here, from /snap/bin/foo -> /usr/bin/snap to snap-confine and snap-exec, are done with the exec system call. At all times there is only one process going through this transition.
Applications built with snapcraft usually have one more step. The actual command that was spelled out in the snapcraft.yaml file is moved to a shell wrapper script, command-SNAP-APP-wrapper. The wrapper sets PATH and LD_LIBRARY_PATH and executes the real command.
TBD