Anyone running WINE apps is likely to need ptrace, similar to Steam, because of the way that WINE operates. In my opinion, therefore, it would be better to come up with a generic interface which allows ptrace of anything within a snap app’s label, e.g. ‘snap.cncredalert.cncredalert’ for my current work using WINE which dies a horrid death from lack-of-mortality (signal 31).
Restricting to app label will prevent other apps in the same snap from ptracing each other (good) but allow a hierarchy started from each app definition to ptrace within their own chain:
```yaml
apps:
  ptracable:
    command: foo
    plugs: [ptrace]
  other-ptracable:
    command: bar
    plugs: [ptrace]
```
- ptracable can ptrace itself only
- other-ptracable can ptrace itself only
- both can ptrace other processes started directly by them, but not by each other
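
The label-scoped behaviour proposed above can be modelled as follows. This is an added example, not part of the original post and not snapd code. It assumes the proposed `ptrace` plug would emit an AppArmor `ptrace` rule whose peer is the app's own label, and that child processes keep their parent's label; the snap name `demo`, the app `plain` and all function names are hypothetical.

```python
import re

# Constructed input mirroring the snap.yaml fragment in the post.
SNAP_NAME = "demo"  # hypothetical snap name
APPS = {
    "ptracable": {"command": "foo", "plugs": ["ptrace"]},
    "other-ptracable": {"command": "bar", "plugs": ["ptrace"]},
    "plain": {"command": "baz", "plugs": []},  # constructed: no ptrace plug
}

def label(snap, app):
    """Security label in the snap.<snap>.<app> form quoted in the post."""
    return f"snap.{snap}.{app}"

def ptrace_rules(snap, apps):
    """Map each plugged app's label to the rule added to its profile."""
    rules = {}
    for app, spec in apps.items():
        if "ptrace" in spec.get("plugs", []):
            own = label(snap, app)
            # Peer is the profile's own label, so only processes that
            # run under this app's label can be on the other side.
            rules[own] = f"ptrace (trace, tracedby) peer={own},"
    return rules

RULE_RE = re.compile(r"ptrace \(([^)]*)\) peer=(\S+),")

def grants(rule, perm, peer):
    """True if a single generated rule grants perm towards peer."""
    m = RULE_RE.fullmatch(rule or "")
    if not m:
        return False
    perms = {p.strip() for p in m.group(1).split(",")}
    return perm in perms and m.group(2) == peer

def may_ptrace(rules, tracer, tracee):
    """AppArmor mediates both ends: the tracer's profile needs 'trace'
    and the tracee's profile needs 'tracedby' for the other label."""
    return (grants(rules.get(tracer), "trace", tracee)
            and grants(rules.get(tracee), "tracedby", tracer))

RULES = ptrace_rules(SNAP_NAME, APPS)

if __name__ == "__main__":
    for lbl, rule in RULES.items():
        print(f"profile {lbl}: {rule}")
```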