I am trying to create a snap for a piece of software of mine (unprofession-al/proxyproxy on GitHub) that needs to access a bunch of syscalls (basically the software needs the syscalls in order to get notified when network interface settings change). Find the details about the syscalls here: https://github.com/unprofession-al/proxyproxy/blob/master/netlink.go#L13.
Everything certainly works fine when the confinement is set to classic. Using strict seems to be a bit of a hassle. The networking stuff works nicely (the software needs to bind to a port on localhost, which is achieved by the network and network-bind plugs), but the syscalls are not recognized (which I tried to achieve with the network-observe and hardware-observe plugs). Find the current settings for the snap here: https://github.com/unprofession-al/proxyproxy/blob/master/.goreleaser.yml#L39
Is there any suggestion on how to allow the snap to receive those syscalls with strict confinement?
Hi there. I guess the answer to the first question is ‘no’ but I am not sure… snap connections $SNAP_NAME did not work (the subcommand connections does not exist). Was it interfaces you wanted to ask for? The output is:
It’s interesting that you’re running an older version of snapd and it hasn’t updated itself… Can you try running snap refresh core?
Anyway, yes, snap interfaces also has the relevant information. In this case, the hardware-observe and network-observe interfaces have not been connected. You can connect them like so:
The connect worked but did not fix the issue of syscalls not reaching the app. A couple of questions here:
Why are network and network-bind connected automatically after start but not the *-observe ones? How can I make them autoconnect? I have no intention of reconnecting the interfaces since I am certain that I want them connected, and the software is worthless if they are not.
Again: How do I get the syscalls to reach my application?
Where can I find information on what the plugs actually do? The doc at https://snapcraft.io/docs/hardware-observe-interface et al. is insufficient since there is no hint on what reading and reporting of system hardware details actually means.
What denials do you see in the system journal? I.e. what is the output of journalctl -e --no-pager | grep DENIED when your snap is installed in strict mode and you try to run it?
Hello @ijohnson. Sorry for my late response… journalctl ... did the trick, I managed to find out. A request for auto-connect will arrive soon in the appropriate category.
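To make the journalctl triage suggested above easier to read, here is an added example (not from this thread or the proxyproxy project): a shell function that collapses repeated AppArmor DENIED records into one line per profile, operation and resource, so it is quick to see which plug a denial points at. The journal lines are constructed samples shaped after typical strict-confinement denials; the snap name proxyproxy comes from the original post, and the exact fields in your own denials may differ.

```shell
# Constructed sample journal output (not captured from the thread). The first two records
# mimic an AppArmor denial of a netlink socket, the third a denied file read, the last is noise.
SAMPLE_JOURNAL='Jan 01 12:00:00 host kernel: audit: type=1400 audit(1.1:100): apparmor="DENIED" operation="create" profile="snap.proxyproxy.proxyproxy" pid=1234 comm="proxyproxy" family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"
Jan 01 12:00:01 host kernel: audit: type=1400 audit(1.1:101): apparmor="DENIED" operation="create" profile="snap.proxyproxy.proxyproxy" pid=1234 comm="proxyproxy" family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"
Jan 01 12:00:02 host kernel: audit: type=1400 audit(1.1:102): apparmor="DENIED" operation="open" profile="snap.proxyproxy.proxyproxy" name="/proc/net/route" pid=1234 comm="proxyproxy" requested_mask="r" denied_mask="r"
Jan 01 12:00:03 host systemd[1]: Started Session 1 of user me.'

# summarize_denials: read journal text on stdin, keep only AppArmor DENIED records and
# print "count profile operation resource", most frequent first, so a burst of identical
# denials (the netlink create above) collapses into a single line.
# Real-world usage: journalctl -e --no-pager | summarize_denials
summarize_denials() {
  grep 'apparmor="DENIED"' | awk '{
    prof = ""; op = ""; what = "";
    for (i = 1; i <= NF; i++) {
      split($i, kv, "=");            # audit records are key="value" pairs
      v = kv[2]; gsub(/"/, "", v);
      if (kv[1] == "profile") prof = v;
      else if (kv[1] == "operation") op = v;
      else if (kv[1] == "family") what = "family=" v;   # socket denials
      else if (kv[1] == "name") what = "name=" v;       # file denials
    }
    count[prof " " op " " what]++;
  }
  END { for (k in count) printf "%d %s\n", count[k], k }' | sort -rn
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_JOURNAL" | summarize_denials
```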