Interfaces allow (or deny) access to a resource outside of a snap’s confinement and, generally, any snap can declare any supported interface.
However, there is a limited set of interfaces that require extra scrutiny when their plugs are included in a snap. This is due to their permissive nature and the control and impact they potentially have over a system.
These interfaces are called super-privileged, and snaps that include plugs for super-privileged interfaces require specific approval from the Store before they can be distributed and installed.

| Interface | Description | Categories | Auto-connect |
|---|---|---|---|
| auditd-support | permits snaps to operate as the auditd service | Super privileged | no |
| block-devices | access to disk block devices | Super privileged, Storage, Low level | no |
| classic-support | enable resource access to classic snap | Super privileged, Ubuntu Core | no |
| custom-device | permits access to a specific class of device | Super privileged, Ubuntu Core | no |
| desktop-launch | identify and launch desktop apps from other snaps | Super privileged, Desktop | no |
| dm-crypt | access encrypted storage devices | Super privileged, Ubuntu Core, Storage | no |
| docker | start, stop, or manage Docker containers | Super privileged, Containers | no |
| docker-support | allows operating as the Docker daemon | Super privileged, Containers | no |
| gpio-control | allows exporting, unexporting and controlling all GPIOs | Super privileged, GPIO | no |
| greengrass-support | allows operating as the Greengrass service | Super privileged, Edge, AWS, Discrete | no |
| ion-memory-control | access Android’s ION memory allocator | Super privileged, System | no |
| kernel-firmware-control | permits a custom kernel firmware search path | Super privileged | no |
| kernel-module-control | insert, remove and query kernel modules | Super privileged, System, Kernel | no |
| kernel-module-load | load, or deny loading, specific kernel modules | Super privileged, System, Kernel | no |
| kubernetes-support | use functions essential for Kubernetes | Super privileged, Hypervisor, Discrete | no |
| lxd | provides access to the LXD socket | Super privileged, Container, Discrete | no |
| lxd-support | allows operating as the LXD service | Super privileged, Container, Discrete | no |
| microceph | permits access to the MicroCeph socket, which is used internally by the microceph snap | Super privileged, Container | no |
| microceph_support | permits the microceph snap to operate as the MicroCeph service | Super privileged, Container | no |
| microovn | used only by the MicroOVN snap for socket access | Network, Super privileged | no |
| microstack-support | multiple service access to the Microstack infrastructure | Super privileged, Container, Discrete | no |
| mount-control | mount and unmount transient and persistent filesystem mount points | Super privileged, Storage | no |
| multipass-support | allows operating as the Multipass service | Super privileged, VM, Discrete | no |
| nvidia-drivers-support | internally used NVIDIA access | Super privileged, Ubuntu Core | no |
| packagekit-control | control the PackageKit service | Super privileged, Packaging | no |
| personal-files | read or write files in the user’s home directory | Super privileged, Personal data, Attributes | no |
| pkcs11 | enables the cryptographic token interface standard to be used | Security, Super privileged | no |
| polkit | access to the polkit authorisation manager | Security, System, Super privileged | no |
| polkit-agent | permits applications to register as polkit agents | Security, System, Super privileged | no |
| posix-mq | enables inter-process communication (IPC) messages | Super privileged, IPC | no by default, yes with snaps from the same publisher |
| remoteproc | interact with the kernel’s Remote Processor Framework | Super privileged | no |
| scsi-generic | read and write access to SCSI Generic driver devices | Storage, Super privileged | no |
| sd-control | control SD cards on specific devices | Super privileged, Storage | no |
| shared-memory | enables two snaps to access the same shared memory | Super privileged, IPC | no |
| snap-refresh-control | permits bespoke snap refresh control | Super privileged, Packaging | no |
| snap-refresh-observe | enables the tracking of snap refreshes | Super privileged, Packaging | no |
| snapd-control | install or remove software | Super privileged, Packaging | no |
| steam-support | allows the Steam snap to access pressure-vessel containers | Super privileged, Discrete | no |
| shutdown | restart or power off the device | Super privileged, System, Power | no |
| system-files | read or write files in the system | Super privileged, Storage, Attributes | no |
| tee | permits access to the Trusted Execution Environment | Super privileged, Security, Ubuntu Core | no |
| uinput | allows write access to /dev/uinput | Super privileged, Hardware | no |
| unity8 | share data with other Unity 8 apps | Display, Super privileged | yes |
| userns | permits a snap to create a new namespace | Super privileged | no |
| xilinx-dma | allows access to Xilinx DMA IP from a connected PCIe card | Ubuntu Core, Super privileged | no |