Access to pseudo terminals with strict confinement

I could use some advice regarding packing our service as a Snap.

We have a remote administration service Dataplicity, which gives you a terminal in the browser and proxies web traffic. In many ways like ssh, but without the need to run a server.

In order for it to work, it needs to run a daemon that can create ‘pseudo terminals’, and to connect to locally running http servers.

Is this possible with ‘strict’ confinement? I’m guessing that snaps don’t have permission to access /dev/ by default.

If it’s not possible with ‘strict’ confinement, is our service something that Canonical will permit ‘classic’ confinement for?

Thanks in advance.

Snaps have access to certain files in /dev by default and plugging interfaces expands the devices that are allowed.

In this case, know that snap commands have their own devpts newinstance specific to the snap command, so the tty subsystem can’t be abused to sniff/inject into other snaps.

When your snap is running under strict confinement, do you see any security denials? You can either peruse the output of journalctl or use ‘sudo snappy-debug.security scanlog’ (snap install snappy-debug) which will tail the log and make suggestions.
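
An added example, not part of the original thread: a small parser that groups the AppArmor denial lines found in journalctl output by snap profile, so repeated denials (for instance on /dev/ptmx) stand out. The log lines are constructed, and the snap name `dataplicity` with app name `agent` is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample lines in the kernel audit format AppArmor uses.
# The profile name snap.dataplicity.agent is an assumption for illustration.
SAMPLE_LOG = """\
Jul 01 10:00:01 host kernel: audit: type=1400 audit(1498903201.101:51): apparmor="DENIED" operation="open" profile="snap.dataplicity.agent" name="/dev/ptmx" pid=2101 comm="python3" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
Jul 01 10:00:01 host kernel: audit: type=1400 audit(1498903201.102:52): apparmor="DENIED" operation="open" profile="snap.dataplicity.agent" name="/dev/ptmx" pid=2101 comm="python3" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
Jul 01 10:00:02 host kernel: audit: type=1400 audit(1498903202.000:53): apparmor="ALLOWED" operation="open" profile="snap.other.app" name="/etc/hosts" pid=2200 comm="cat" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jul 01 10:00:03 host kernel: audit: type=1400 audit(1498903203.000:54): apparmor="DENIED" operation="create" profile="snap.dataplicity.agent" pid=2101 comm="python3" family="inet" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"
Jul 01 10:00:04 host kernel: audit: type=1400 audit(1498903204.000:55): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/foo" pid=99 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key="quoted value" or key=bare_value pairs from an audit record
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denials(log_text, snap_name):
    """Count DENIED records for one snap, keyed by
    (profile, operation, target, denied_mask)."""
    prefix = f"snap.{snap_name}."
    counts = defaultdict(int)
    for line in log_text.splitlines():
        fields = {k: (q or u) for k, q, u in KV.findall(line)}
        if fields.get("apparmor") != "DENIED":
            continue  # skip ALLOWED (complain mode) and non-AppArmor lines
        profile = fields.get("profile", "")
        if not profile.startswith(prefix):
            continue  # another snap or a non-snap profile
        if "name" in fields:          # file or device access
            target = fields["name"]
        elif "family" in fields:      # network access has no path
            target = f"network {fields['family']}/{fields.get('sock_type', '?')}"
        else:
            target = "-"
        key = (profile, fields.get("operation", "?"), target,
               fields.get("denied_mask", "?"))
        counts[key] += 1
    return dict(counts)


if __name__ == "__main__":
    for (profile, op, target, mask), n in parse_denials(SAMPLE_LOG, "dataplicity").items():
        print(f"{n}x {profile}: {op} {target} (denied: {mask})")
```

On a real system the input would be the text of `journalctl` output rather than `SAMPLE_LOG`.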