But I could not find any relevant documentation on those requirements. Is there a way to allow the existing name of the socket or we absolutely have to rename it? Where is the bind deny definition living? Searching in apparmor files i could not find.
that’s my point: i have no idea what precisely is this listen-stream, a few hints suggests this may be related to sockets of daemon services, but it’s not clear.
Well, the question was not just about that but also seeking confirmation that this was the intended behavior, since it looks rather intrusive. Maybe this is something that could be fixed in the future?
There’s patterns elsewhere in snapd that follow this, for example, you can’t place arbitrary files in /dev/shm/, they have to follow a prefix of snap.$SNAP_NAME, because otherwise your app can just poke around at /dev/shm/ being used by any process.
Snap tends heavily towards defaulting to denying operations and using interfaces to relax the restrictions rather than allowing by default; abstract sockets are included in this when you consider e.g., what e.g., leaving the abstract X11 socket open would mean, should the default policy not prevent e.g., a command line application from being able to read the keyboard even if it doesn’t need that scope.
For Firefox, you might have an exception in that you’d likely be able to modify the browser-support interface in snapd itself in order to get access to that abstract socket without renaming it. Whether this is preferable would come down really to how likely it is for this to be upstreamed (possibly so, given half the browser-support interface is built for Firefox and Chromium themselves) and then how long it would take for people to download a newer snapd version with the changes in so they begin to apply it.
Renaming it avoids having to worry about that entirely.
It’s okay if we need to change on our side, the fix was quick and is riding the train that’s not really a problem, the bigger issue here I see is more the doc was hard to find if existing at all, and I’m always worried a bit about third parties we may have to interact to, if they dont have proper support of Snap (but I dont know any, so maybe that’s not a real problem).