Publishing eUPF as a strictly confined snap - eBPF privilege

Hello,

I am aiming to publish eUPF as a strictly confined snap. The upload failed because the system-files interface is a super-privileged interface and requires a store request. There it is.


The snap also uses the following interfaces, though I don’t think they require manual review:

  • network
  • network-bind
  • network-control
  • process-control
  • system-observe

Feel free to reach out if you have any questions.

Thank you,

This request has been added to the queue for review by the @reviewers team.

It seems there was already some discussion about this topic in the past. See Request to publish snap with `system-files` plug

+1 from me for (#voteFor) granting eUPF write access to /sys/fs/bpf/upf_pipeline via manual connection of the requested system-files interface

Given the previous topic linked above and the reasoning for this interface, +1 (#voteFor) from me as well

Voting period has ended. This request is approved with 2 votes for and 0 votes against.

Publisher is vetted. Request has been granted. This is now live.

Thank you very much for the review!
