Access to `/proc/{pid}` for confined processes?

Is there a way to get full access (or at least more than what’s currently provided) to /proc/{pid} for processes within a snap’s confinement?

Lutris uses the following and is probably blocked from strict confinement without them:

  • /proc/{pid}/task/{tid}/children
  • /proc/{pid}/cwd
  • /proc/{pid}/environ

and these, which are already available with system-observe:

  • /proc/{pid}/stat
  • /proc/{pid}/cmdline

While some of these (e.g. environ) could break confinement if read access were allowed for any process, providing access to processes and threads within the same MAC context shouldn’t pose the same danger. (Admittedly, I don’t know what it would take within snapd to arrange that.)

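To make the distinction in the post concrete, here is an illustrative AppArmor fragment, added as an example and not taken from the post or from snapd’s own interface policy. It assumes the standard AppArmor tunables that define `@{PROC}`, `@{pid}` and `@{tid}`, and that the rules live in the snap’s own confinement profile; the same-label restriction is expressed with the `owner` qualifier plus a `ptrace (read)` peer rule, which is one way to scope access, not necessarily how snapd would implement it.

```apparmor
# Illustrative AppArmor rules (assumption: not snapd's own policy) for the
# three paths the post lists. Assumes the standard tunables define @{PROC},
# @{pid} and @{tid}, and that this is the snap's confinement profile.

# "owner" restricts the match to /proc entries whose owning uid equals the
# reading task's fsuid, so other users' processes stay out of reach.
owner @{PROC}/@{pid}/cwd r,
owner @{PROC}/@{pid}/environ r,
owner @{PROC}/@{pid}/task/@{tid}/children r,

# Independently of the file rules, the kernel runs a
# ptrace_may_access(PTRACE_MODE_READ) check before exposing environ and cwd,
# and AppArmor mediates that check as a ptrace permission. Naming this same
# profile as the peer keeps reads inside the snap's own MAC label instead
# of every same-uid process on the system.
ptrace (read) peer=@{profile_name},

# Contrast: the permissive form the post warns about, which would let the
# snap read any process's environment subject only to the uid/ptrace checks:
#   @{PROC}/@{pid}/environ r,
```

The `owner` qualifier alone is a uid check, not a label check; it is the ptrace peer rule that ties environ and cwd reads to the same confinement context, which is the narrower grant the post is asking for.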