
Snap Execution Environment

Zygmunt Krynicki edited this page Feb 7, 2017 · 7 revisions

Snap applications and hooks execute in a specially crafted environment. The word environment does not merely refer to environment variables but to the set of observable properties of the system.

Starting applications

When a snap application is started, this is typically done by executing one of the programs in the /snap/bin/ directory. A curious observer will notice that all such applications are symbolic links to /usr/bin/snap. The snap executable detects this and behaves as if snap run had been invoked. This locates the correct snap and application name and proceeds to exec the first helper program, snap-confine.

The purpose of snap-confine is twofold. As the name implies, it is responsible for confining the started process by establishing the security sandbox. In addition, it sets up the mount namespace of the process in a way that will be described below.

Confined and in a modified mount namespace, snap-confine proceeds to run (no longer with elevated permissions) the last of the helper programs, snap-exec. The purpose of that program is to parse the snap.yaml file belonging to the application that is being started and to execute the command listed there.

All of the transitions here, from /snap/bin/foo -> /usr/bin/snap, to snap-confine and then to snap-exec, are done with the exec system call. At all times there is only one process going through this transition.

Applications built with snapcraft usually have one more step. The actual command that was spelled out in the snapcraft.yaml file is moved to a shell wrapper script, command-SNAP-APP-wrapper. The wrapper sets PATH and LD_LIBRARY_PATH and then executes the real command.
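The chain above only starts if a /snap/bin entry really is a symlink to /usr/bin/snap; anything else placed there never reaches snap run, and therefore never reaches snap-confine. The following audit script is an added example, not part of this wiki or of snapd itself. It assumes the launcher naming convention `<snap>` or `<snap>.<app>` (not stated on this page) and runs against a constructed temporary directory standing in for /snap/bin.

```python
import os
import tempfile

SNAP_BIN = "/snap/bin"             # launcher directory described above
SNAP_MULTICALL = "/usr/bin/snap"   # every launcher should be a symlink to this

def parse_launcher_name(name):
    """Split a /snap/bin entry name into (snap, app). Assumed naming, not
    spelled out on the page: '<snap>' when the app shares the snap's name,
    otherwise '<snap>.<app>'."""
    snap, sep, app = name.partition(".")
    return snap, (app if sep else snap)

def audit_launcher(path, multicall=SNAP_MULTICALL):
    """Report whether `path` enters the snap -> snap-confine -> snap-exec chain.
    The chain only starts if the launcher is a symlink to the snap multicall
    binary, which recognises its argv[0] and behaves as `snap run`; anything
    else in /snap/bin runs without snap-confine's sandbox."""
    name = os.path.basename(path)
    snap, app = parse_launcher_name(name)
    info = {"name": name, "snap": snap, "app": app, "confined": False}
    if not os.path.islink(path):
        info["reason"] = "not a symlink, so snap run is never reached"
        return info
    target = os.readlink(path)
    if target != multicall:
        info["reason"] = f"symlink targets {target}, not {multicall}"
        return info
    info["confined"] = True
    info["reason"] = f"dispatches as: snap run {snap}.{app}"
    return info

def audit_bin_dir(bin_dir=SNAP_BIN, multicall=SNAP_MULTICALL):
    """Audit every entry of a launcher directory; returns a name-keyed dict."""
    return {n: audit_launcher(os.path.join(bin_dir, n), multicall)
            for n in sorted(os.listdir(bin_dir))}

def demo():
    """Constructed stand-in for /snap/bin (sample data for this example)."""
    d = tempfile.mkdtemp()
    os.symlink(SNAP_MULTICALL, os.path.join(d, "hello"))         # expected shape
    os.symlink(SNAP_MULTICALL, os.path.join(d, "hello.server"))  # second app
    os.symlink("/bin/sh", os.path.join(d, "oddlink"))            # wrong target
    with open(os.path.join(d, "rogue"), "w") as f:               # plain file
        f.write("#!/bin/sh\necho bypass\n")
    return audit_bin_dir(d)
```

Calling `audit_bin_dir()` with no arguments reports every entry of the real /snap/bin on a host; `demo()` shows the four cases (two well-formed launchers, a symlink to the wrong binary, and a plain file) on the constructed directory.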

In depth: applying confinement

TBD

In depth: setting up the mount namespace

TBD

In depth: preserving the mount namespace

TBD
