Question: `cgroup` management, list of installed apps, and run external binaries

Our software (VPN client) has Split-Tunnel functionality which allows splitting IP traffic for particular applications (some applications can be excluded from VPN tunnel).

I am wondering if there are any possibilities to have it working out from snap with strict confinement.

‘interfaces’ that are needed for the software:

  1. ability to control cgroup subfolder /sys/fs/cgroup/net_cls/ (mount subfolder and edit it’s content)
  2. ability to read\write network interface rp_filter (/proc/sys/net/ipv4/conf/${_interface_name}/rp_filter)
  3. (important!) ability to run external binary out from user environment (to start and add it to cgroup)
  4. ability to list all installed applications in a system and read appropriate app icons (to show this info to the user out from the application UI). According to specifications: https://specifications.freedesktop.org/desktop-entry-spec/desktop-entry-spec-latest.html
    This requires also the ability to read user environment variables: XDG_DATA_DIRS, XDG_CURRENT_DESKTOP, HOME and read access to these directories.
  5. ability to get info about running apps in user environment (read PID from /proc/%d/stat)

I guess 1 and 2 can be covered by the network-control interface. Right?
What about the 3, 4 and 5?

Thanks in advance for any comments.

P.S. The approval-request topic related to our software: Manual review request for 'ivpn' package and auto-connect interfaces