Hi, I’d like to make a classic confinement request for fnotifystat. This is a useful tool for monitoring file activity (e.g. debugging why file systems are busy).
fnotifystat requests access to various per-process /proc files to get command line information from /proc/*/cmdline and process name information from /proc/*/comm, pid sizes from /proc/sys/kernel/pid_max, mount information from /proc/self/mounts and file descriptor information from /proc/*/fd/*. Currently the system-observe plug won’t cater for some of the more esoteric per-process information that the tool would like to read.
Does fnotifystat require write access to any of the /proc files? If it’s all just read, perhaps you could try using the system-backup interface which allows read access to any file?
Hi, could you be more specific about how system-backup doesn’t work for this use case? I realize it’s not really what that interface is for, but do you see any AppArmor denials when running fnotifystat with the system-backup interface connected for the snap? You can also install the snap in devmode and see audits in the system journal that were allowed that would be denied in strict mode.
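An added example (not from this thread or the fnotifystat project) of sifting the devmode audits mentioned above: it reads journal-style AppArmor lines and lists the unique accesses logged as ALLOWED for the snap's profiles, which are exactly the ones strict mode would deny. The log lines are constructed for illustration and the snap/profile name `snap.fnotifystat.fnotifystat` is assumed.

```shell
#!/bin/sh
# Constructed sample of kernel audit lines as they appear in the journal when
# a snap runs in devmode; not real output from the thread.
SAMPLE_LOG='kernel: audit: type=1400 audit(1700000000.100:201): apparmor="ALLOWED" operation="open" profile="snap.fnotifystat.fnotifystat" name="/proc/1234/cmdline" pid=4321 comm="fnotifystat" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
kernel: audit: type=1400 audit(1700000000.101:202): apparmor="ALLOWED" operation="open" profile="snap.fnotifystat.fnotifystat" name="/proc/1234/comm" pid=4321 comm="fnotifystat" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
kernel: audit: type=1400 audit(1700000000.102:203): apparmor="ALLOWED" operation="open" profile="snap.fnotifystat.fnotifystat" name="/proc/1234/cmdline" pid=4321 comm="fnotifystat" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
kernel: audit: type=1400 audit(1700000000.103:204): apparmor="DENIED" operation="open" profile="snap.other.other" name="/etc/shadow" pid=999 comm="other" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
kernel: audit: type=1400 audit(1700000000.104:205): apparmor="ALLOWED" operation="open" profile="snap.fnotifystat.fnotifystat" name="/proc/sys/kernel/pid_max" pid=4321 comm="fnotifystat" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# devmode_audits SNAP_NAME
# Reads journal lines on stdin and prints unique "operation mask path" triples
# that AppArmor logged as ALLOWED for profiles of the given snap. In devmode
# ALLOWED marks an access that a strict-mode profile would have denied, so
# this is the list to compare against the interfaces you plan to plug.
devmode_audits() {
    snap="$1"
    grep 'apparmor="ALLOWED"' | grep "profile=\"snap\.$snap\." |
    sed -n 's/.*operation="\([^"]*\)".*name="\([^"]*\)".*denied_mask="\([^"]*\)".*/\1 \3 \2/p' |
    sort -u
}

# Real use after installing the snap with --devmode:  journalctl -k | devmode_audits fnotifystat
printf '%s\n' "$SAMPLE_LOG" | devmode_audits fnotifystat
```

The duplicate cmdline read collapses to one line and the unrelated DENIED entry for another snap is ignored, leaving three accesses to map onto interfaces.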