With snaps coming to 16.04 LTS, there is a blog post by Matthew Garrett, a well-known Linux kernel contributor and core OS developer, saying:
…snaps are running unconfined and have access to pretty much the entire system
If the point of having snaps was to enforce app isolation from the whole system, why are they able to access the system and run unconfined? Should a bug report be filed? Are any steps going to be taken to address this problem?
Best Answer
This specifically relates to snaps that use X11. In other words, snaps are not running unconfined, but if the confinement of the snap includes access to X, then yeah: it has access to X. It does not involve snaps that don't use the unity7 or x11 interfaces. The issue described in that blog post is a well-known limitation of X, and is one of the reasons alternative technologies are being developed (e.g. Mir). Gustavo Niemeyer has written a good blog post that discusses this. I'll quote here for posterity and completeness: