Publishing Ella Core as a strictly confined snap - eBPF privilege

Hello,

I am aiming to publish Ella Core as a strictly confined snap. The upload failed because the system-files interface is a super-privileged interface and requires a store request. There it is.



The snap also uses the following interfaces, though I don't think they require manual review:

  • network
  • network-bind
  • network-control
  • process-control
  • system-observe

Thank you,

Given the reasoning and the purpose of the snap, +1 from me for auto-connect of system-files read/write (sys-fs-bpf-upf-pipeline)


As far as I understand from your request, only manual connection is needed here (request-type: installation and connection). +1 also from me.

+2 for, 0 against granting ella-core manual connection to the requested system-files interface. Publisher is vetted. This is now live.

It should pass automatic review as soon as you remove the read attribute from the plug definition in your snapcraft.yaml (write attribute grants both read and write).

plugs:
  sys-fs-bpf-upf-pipeline:
    interface: system-files
    write:
    - /sys/fs/bpf/upf_pipeline