I suggest looking through this: Security policy and sandboxing
Importantly, it will recommend that you install ‘snappy-debug’ which can be used to suggest various things (eg, interfaces to plug, things to change in your snap, etc).
That said, based on your denials, your snap is attempting to:
- use the mknod syscall (
- use /usr/lib/x86_64-linux-gnu/perl-base/auto/IO/IO.so
For the first, this should be resolved in snapd 2.25 where we are using seccomp arg filtering for the mknod syscall to allow creating files, sockets and pipes (but not block or character devices)
For the second, you reference you are expecting your snap to use /snap/irc/current/usr/lib/x86_64-linux-gnu/perl-base/auto/IO/IO.so, but the denial is for /usr/lib/x86_64-linux-gnu/perl-base/auto/IO/IO.so. This indicates a problem with your snap not finding the proper IO.so. You may need to set PERL5LIB appropriately or otherwise adjust your snap so @INC will find your module. A snapcraft developer may be able to help further.
Interestingly, I expected /usr/lib/x86_64-linux-gnu/perl-base/auto/IO/IO.so to be allowed by the apparmor policy via the /etc/apparmor.d/abstractions/perl include file. It has:
but /usr/lib/x86_64-linux-gnu/perl-base/auto/IO/IO.so doesn’t match that. I’ll get that fixed.