Network-control interface (ip netns specifically) mount error

I am facing an error that should not be there, assuming I understand the “interface” functionality correctly (it should allow me to invoke and manipulate network namespaces).

snapcraft.yaml

name: hello
base: core18
version: '2.10'
summary: GNU Hello, the "hello world" snap
description: |
  GNU hello prints a friendly greeting.
grade: devel
confinement: devmode

apps:
  hello:
    command: bin/hello
  bash:
    command: bash
    plugs:
      - network-bind
      - network
      - network-control

parts:
  gnu-hello:
    source: http://ftp.gnu.org/gnu/hello/hello-2.10.tar.gz
    plugin: autotools
  gnu-bash:
    source: http://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz
    plugin: autotools

Terminal

ubuntu@ip-X-X-X-X:~/workspace/snap/hello$ snapcraft --debug --use-lxd
...
...
Snapping |
Snapped hello_2.10_arm64.snap

ubuntu@ip-X-X-X-X:~/workspace/snap/hello$ sudo snap install ./hello_2.10_arm64.snap --devmode --dangerous
hello 2.10 installed

ubuntu@ip-X-X-X-X:~/workspace/snap/hello$ snap connections hello
Interface        Plug                   Slot           Notes
network          hello:network          :network       -
network-bind     hello:network-bind     :network-bind  -
network-control  hello:network-control  -              -

ubuntu@ip-X-X-X-X:~/workspace/snap/hello$ sudo snap connect hello:network-control

ubuntu@ip-X-X-X-X:~/workspace/snap/hello$ snap connections hello
Interface        Plug                   Slot              Notes
network          hello:network          :network          -
network-bind     hello:network-bind     :network-bind     -
network-control  hello:network-control  :network-control  manual
ubuntu@ip-X-X-X-X:~/workspace/snap/hello$ hello.bash 
bash-4.3$ ip netns ls
bash-4.3$ ip netns add red
mount --make-shared /var/run/netns failed: Operation not permitted

Can you check whether there were any apparmor denials? Some last 10 or 20 lines of dmesg should contain the right logs.

OTOH, I’m wondering if it’s even apparmor, the error returned is EPERM, so maybe seccomp, but looking at the template for network-control, mount should be allowed.

If there’s nothing interesting in dmesg, try reinstalling the snap with --devmode flag, try the ip netns command sequence again and collect dmesg.

There were no apparmor denials (or otherwise) when launching hello.bash nor when attempting ip netns add blue.

If I understand things correctly then the interface only unblocks the system calls but it does not provide an elevated privilege, i.e. you would still have to sudo the command, right?

I have tried both --devmode and --classic, they both yield the same error.

Yes, or just be root when calling it.
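The two checks suggested above (look for AppArmor denials in dmesg, then ask whether the process is actually privileged) can be scripted. The following is an added diagnostic written for this thread; it is not part of the original posts and not snapd's code. It assumes the snapd profile naming convention `snap.<snap>.<app>`, so the bash app of this snap runs under `snap.hello.bash`, and it reads CAP_SYS_ADMIN (bit 21) out of the `CapEff` mask in `/proc/self/status`, since that is the capability `mount --make-shared /var/run/netns` needs and the reason an unprivileged `ip netns add` gets EPERM with every interface connected. The dmesg lines in `SAMPLE_DMESG` are constructed for the offline demonstration (the thread reported no denials at all).

```shell
#!/usr/bin/env bash
# Added diagnostic for an EPERM from mount inside a snap (e.g. `ip netns add`).
# Not from the original thread or from snapd. Separates "AppArmor blocked it"
# from "the process simply lacks CAP_SYS_ADMIN".
set -u

CAP_SYS_ADMIN_BIT=21   # bit index from linux/capability.h

# apparmor_denials LOGTEXT PROFILE [DECISION]
#   Prints the AppArmor audit lines of LOGTEXT for PROFILE (e.g. snap.hello.bash).
#   DECISION defaults to DENIED; pass ALLOWED to see complain-mode (devmode) records,
#   where the kernel logs the violation but lets the operation through.
apparmor_denials() {
  local decision=${3:-DENIED}
  printf '%s\n' "$1" | grep -F "apparmor=\"$decision\"" | grep -F "profile=\"$2\"" || true
}

# capeff_of_status STATUS_TEXT
#   Extracts the CapEff hex mask from the text of /proc/<pid>/status.
capeff_of_status() {
  printf '%s\n' "$1" | awk '/^CapEff:/ { print $2 }'
}

# has_cap CAPEFF_HEX BIT -> exit 0 when BIT is set in the effective capability mask
has_cap() {
  local mask=$((16#$1)) bit=$2
  (( (mask >> bit) & 1 ))
}

# verdict CAPEFF_HEX UID DENIAL_COUNT -> one-line explanation of an EPERM from mount
verdict() {
  local capeff=$1 uid=$2 denials=$3
  if ! has_cap "$capeff" "$CAP_SYS_ADMIN_BIT"; then
    echo "no CAP_SYS_ADMIN (uid=$uid): mount fails with EPERM whatever interfaces are connected; run as root"
  elif (( denials > 0 )); then
    echo "privileged but $denials AppArmor denial(s) logged: the profile, not the uid, is blocking the mount"
  else
    echo "privileged and no denials logged: look elsewhere (seccomp, filesystem, kernel)"
  fi
}

# Constructed sample dmesg lines for the offline demonstration; NOT taken from the thread.
SAMPLE_DMESG='[  100.000001] audit: type=1400 audit(1600000000.100:41): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="snap.hello.bash" name="/run/netns/" pid=4242 comm="ip" flags="rw, rshared"
[  100.000002] audit: type=1400 audit(1600000000.101:42): apparmor="ALLOWED" operation="open" profile="snap.hello.bash" name="/etc/hosts" pid=4242 comm="ip"
[  100.000003] audit: type=1400 audit(1600000000.102:43): apparmor="DENIED" operation="open" profile="snap.other.app" name="/etc/shadow" pid=5151 comm="cat"'

# Live run inside the snap (hello.bash): this process's capabilities plus the current kernel log.
main() {
  local status capeff uid denials
  status=$(cat /proc/self/status 2>/dev/null || true)
  capeff=$(capeff_of_status "$status"); capeff=${capeff:-0}
  uid=$(id -u)
  denials=$(apparmor_denials "$(dmesg 2>/dev/null || true)" "snap.hello.bash" | grep -c . || true)
  verdict "$capeff" "$uid" "$denials"
}

[[ "${BASH_SOURCE[0]}" == "$0" ]] && main
```

Run it from `hello.bash` as the normal user and then under `sudo`; the first run reports the missing CAP_SYS_ADMIN, which matches the thread's conclusion that the interface only lifts confinement rules and does not grant privilege. Under `--devmode` pass `ALLOWED` as the third argument to `apparmor_denials`, because complain mode logs would-be denials with that decision instead of `DENIED`.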

Since I am not inclined to include code that elevates the privileges momentarily and since this is a private snap, I resorted to running the app with sudo.

I wonder if a better approach would be to have a host-installed daemon to service all my required ‘root’ level changes for my SNAP.