Prompting Client is the latest security effort for snap software, and acts as a companion to the new desktop Security Center app.
As you may have read in my article last week, Prompting Client is a security buffer — think doorman — that guards your home folder. Whenever a snap app wants to access non-hidden files within, Prompting Client intervenes to ask you to approve.
I’ve been tracking this tool’s development for a while but there wasn’t really a lot of explanation or rationale behind it on the project’s Github, and some of the links in commits and issues filed by Canonical engineers were protected.
Secrecy over; today, Canonical has revealed all about its (experimental for now) security effort.
The dialog that appears has two modes:
- Simple prompt screen (default)
- Advanced options (for fine-grained control)
Canonical describes these new interstitial permission requests as being a “critical tool for privacy and security conscious users to control, manage and understand the behaviour of applications running on their machines”.
You can see ‘nag’ screen in action in the following GIF, where trying to save an image from the browser to a Home folder directory triggers in a permission prompt to appear: –
Snaps already use cross-distro/format XDG Desktop Portals to control permissions, but its home-grown prompting effort “distinguishes itself […] by enabling fine-grained access control over unmodified binaries without requiring changes to the application code.”
How? By using Ubuntu’s (now very) stringent AppArmor security mechanism. This is what allows it to force all snap apps to adhere to the controls and permissions given by the user, which is a good thing.
In effect, prompting gives Ubuntu users yet another layer of control over snap app permissions, the folders and file paths they can access, and for how long.
Prompting won’t be enabled by in Ubuntu 24.10 by default, but it will be available as an experimental opt-in feature, accessed by a toggle in the new desktop Security Center app — which is being ‘seeded’ in Ubuntu 24.10 (i.e., preinstalled).
An update to AppArmor and snapd packages are set to roll out to Ubuntu 24.10 daily build users in the coming days (ahead of next week’s beta release) to plumbs in the relevant code required to support prompting functionality.