The documentation on Security has some tips on fine-tuning AppArmor policies and as a final step advises to copy the policy to the interface code, but there is no resource or link on how to create our own custom interfaces. Can anyone share any info regarding the same, please?
When fine-tuning AppArmor policy, it is often easiest to install the snap in strict mode, modify the AppArmor policy in place on the target system, then copy it back. E.g., these steps might be:
build your snap
copy your snap to your target device and install it (or use snap try)
use the snap (perhaps using snap run --shell .), monitoring /var/log/syslog for denials
modify /var/lib/snapd/apparmor/profiles/snap.. as needed (e.g., adding rules before the final }) and run sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap.. to load the policy into the kernel
use sudo service snap.. stop/start/etc. as needed for daemons
repeat until satisfied
The same process as above holds for seccomp except the seccomp policy is in /var/lib/snapd/seccomp/profiles/snap.. and there is no command to load the policy (you simply have to relaunch the command or snap run --shell). The seccomp policy language is considerably simpler and is essentially a list of allowed syscalls.
When done, copy any changes you make to /var/lib/snapd/apparmor/profiles/snap.. or /var/lib/snapd/seccomp/profiles/snap.. to your interface code.
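The "monitor syslog for denials, add a rule, reload" loop above is easier when the candidate rule is derived from the denial line itself rather than typed by hand. The script below is an added example, not code from the answer above or from snapd: it filters AppArmor `apparmor="DENIED"` audit lines for one profile, merges the denied masks per path, and prints one candidate file rule per path in the form you would paste before the final `}` of the profile. The sample log lines and the profile name `snap.example.app` are constructed for the example; the field layout (`operation=`, `profile=`, `name=`, `denied_mask=`) is the standard AppArmor audit format. The mapping of the `c`/`d` (create/delete) mask letters to `w` in rule syntax is an assumption you should check against the AppArmor documentation for your release.

```shell
#!/bin/sh
# Added example (not from the original post): turn AppArmor "DENIED" audit
# lines into candidate file rules for one profile, so the rule added before
# the final "}" of /var/lib/snapd/apparmor/profiles/snap.<name>.<app> reflects
# what the kernel actually denied.

# CONSTRUCTED sample log lines; "snap.example.app" is a placeholder profile.
SAMPLE_LOG='kernel: audit: type=1400 audit(1700000000.000:10): apparmor="DENIED" operation="open" profile="snap.example.app" name="/etc/example.conf" pid=1234 comm="example" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
kernel: audit: type=1400 audit(1700000000.001:11): apparmor="DENIED" operation="mknod" profile="snap.example.app" name="/run/example.sock" pid=1234 comm="example" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
kernel: audit: type=1400 audit(1700000000.002:12): apparmor="ALLOWED" operation="open" profile="snap.example.app" name="/tmp/x" pid=1234 comm="example" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
kernel: audit: type=1400 audit(1700000000.003:13): apparmor="DENIED" operation="open" profile="snap.example.app" name="/etc/example.conf" pid=1235 comm="example" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0'

# suggest_rules PROFILE  (reads syslog text on stdin)
# Prints "<path> <perms>," once per denied path, merging masks from repeated
# denials of the same path (r then w -> "rw"). ALLOWED lines and other
# profiles are ignored. Assumption: audit mask letters c/d map to "w" in rules.
suggest_rules() {
    profile="$1"
    grep 'apparmor="DENIED"' |
    grep "profile=\"$profile\"" |
    sed -n 's/.*name="\([^"]*\)".*denied_mask="\([^"]*\)".*/\1 \2/p' |
    awk '{ m[$1] = m[$1] $2 }
         END {
           canon = "rwamklx"          # emit permission letters in a fixed order
           for (p in m) {
             mask = m[p]
             gsub(/[cd]/, "w", mask)  # create/delete are "w" in rule syntax
             out = ""
             for (i = 1; i <= length(canon); i++) {
               ch = substr(canon, i, 1)
               if (index(mask, ch) > 0) out = out ch
             }
             printf "%s %s,\n", p, out
           }
         }' |
    sort
}

# sample_rules: run suggest_rules over the constructed sample for the
# placeholder profile. On a real device you would instead pipe
# /var/log/syslog (or `journalctl -k`) into suggest_rules.
sample_rules() {
    printf '%s\n' "$SAMPLE_LOG" | suggest_rules snap.example.app
}

sample_rules
```

Run it as `./suggest-rules.sh` to see the two candidate rules for the sample; review each suggested path and permission before adding it to the profile, since a denial only tells you what the application tried, not whether the interface should permit it.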