Publishing eUPF as a strictly confined snap - eBPF privilege

gruyaume · April 2, 2025, 1:08pm

Hello,

I am aiming to publish eUPF as a strictly confined snap. The upload failed because the system-files interface is a super-privileged interface and requires a store request. There it is.

name: eupf
description: Snap for eUPF, a 5G user plane function based on eBPF.
snapcraft: link to snapcraft.yaml if publicly available
upstream: link to the upstream repository if open-source or ‘PRIVATE’ otherwise
upstream-relation: No direct relation
interfaces:
- \system-files:
  - request-type: installation and connection
  - reasoning: This application is a 5G core network and uses eBPF to route packets. To do so, the app needs read and write permissions to the /sys/fs/bpf/upf_pipeline host path.

The snap also uses the following interfaces though I don’t think they require manual review:

network
network-bind
network-control
process-control
system-observe

Feel free to reach out if you have any questions.

Thank you,

store-requests-bot · April 2, 2025, 1:09pm

This request has been added to the queue for review by the @reviewers team.

jslarraz · April 3, 2025, 10:24am

It seems there was already some discussion about this topic in the past. See Request to publish snap with `system-files` plug

+1 from me for (#voteFor) granting eUPF write access to /sys/fs/bpf/upf_pipeline via manual connection of the requested system-files interface

cav · April 8, 2025, 4:28am

Given the previous topic linked above and the reasoning for this interface, +1 (#voteFor) from me as well

store-requests-bot · April 9, 2025, 12:16am

Voting period has ended. This request is approved with 2 votes for and 0 votes against.

cav · April 9, 2025, 12:52am

Publisher is vetted. Request has been granted. This is now live.

gruyaume · April 9, 2025, 11:16am

Thank you very much for the review!