More privileged interfaces for strict aws-gadget snap

toabctl · October 1, 2025, 8:34am

name: aws-gadget
description: This gadget enables AWS EC2 instances to run Ubuntu Core
snapcraft: aws-gadget/snapcraft.yaml at 24 · canonical/aws-gadget · GitHub
upstream: GitHub - canonical/aws-gadget: The gadget snap for AWS
upstream-relation: The Canonical public cloud team is upstream for this snap
interfaces:
- network-control:
  - request-type: installation & auto-connection
  - reasoning:
    - need to write to
      - /proc/sys/net/ipv4/neigh/default/gc_thresh2
      - /proc/sys/net/ipv4/neigh/default/gc_thresh3
      - /proc/sys/net/netfilter/nf_conntrack_max

The PR using this new interface is fix: manually write value to /proc/sys/net/netfilter/nf_conntrack_max by toabctl · Pull Request #11 · canonical/aws-gadget · GitHub

store-requests-bot · October 1, 2025, 9:00am

This request has been added to the queue for review by the @reviewers team.

elisehdy · October 1, 2025, 10:37pm

+1 (#voteFor) for allowing system-files auto-connect for /proc/sys/net/netfilter/nf_conntrack_max given the provided context.

toabctl · October 2, 2025, 7:36am

@elisehdy thanks for the review. I had to adjust the interface requirements a bit (add write permissions to /proc/sys/net/ipv4/neigh/default/gc_thresh2 and /proc/sys/net/ipv4/neigh/default/gc_thresh3). could you have another look please?

jslarraz · October 2, 2025, 9:25am

Hey @toabctl

I think that network-control interface should be used instead. Any particular concern?

toabctl · October 2, 2025, 10:52am

How would that look like (in snapcraft.yaml) and how would those settings persists after reboots? Looking at https://snapcraft.io/docs/network-control-interface isn’t very helpful here.

ogra · October 2, 2025, 11:00am

The network-control interface gives your app full write access to dirs underneath /proc/sys/net/ipv4 so it should be sufficient:

github.com

canonical/snapd/blob/master/interfaces/builtin/network_control.go#L194


      
          
          @{PROC}/@{pid}/net/ r,
          @{PROC}/@{pid}/net/** r,
          
          # used by sysctl, et al
          @{PROC}/sys/ r,
          @{PROC}/sys/net/ r,
          @{PROC}/sys/net/core/ r,
          @{PROC}/sys/net/core/** rw,
          @{PROC}/sys/net/ipv{4,6}/ r,
          @{PROC}/sys/net/ipv{4,6}/** rw,
          @{PROC}/sys/net/netfilter/ r,
          @{PROC}/sys/net/netfilter/** rw,
          @{PROC}/sys/net/nf_conntrack_max rw,
          
          # For advanced wireless configuration
          /sys/kernel/debug/ieee80211/ r,
          /sys/kernel/debug/ieee80211/** rw,
          
          # read netfilter module parameters
          /sys/module/nf_*/                r,

If you connected it (either from the gadget, manually or via an approved auto-connect request here in the forum (even via this thread)), the access will be persistent …

toabctl · October 2, 2025, 11:07am

Adjusted the linked PR and the request here.

Thanks a lot for the hints & help!

elisehdy · October 2, 2025, 5:42pm

Thank you for the updates @toabctl! Looking at the PR, does this change mean that write access to /run/mnt/ubuntu-data/system-data/_writable_defaults/etc/sysctl.d/50-aws-gadget.conf can be revoked?

toabctl · October 6, 2025, 6:57am

yes, this can be revoked.

toabctl · October 6, 2025, 5:51pm

could I get more votes please?

0xnishit · October 7, 2025, 2:47am

looks good to me, +1 (#voteFor) from my side for auto-connection of network-control interface to aws-gadget snap

elisehdy · October 7, 2025, 9:41pm

Thanks! +1 (#voteFor) for the modified request, auto-connection for network-control interface for the aws-gadget snap.

bowen · October 13, 2025, 11:20am

Per the interface policy, network-control has been configured for auto-connection: 2 votes in favour after a week. Thanks all!