Question: `cgroup` management, list of installed apps, and run external binaries

Our software (a VPN client) has split-tunnel functionality, which allows splitting IP traffic for particular applications (some applications can be excluded from the VPN tunnel).

I am wondering if there is any possibility of having it work from a snap with strict confinement.

'Interfaces' that are needed for the software:

  1. ability to control the cgroup subfolder /sys/fs/cgroup/net_cls/ (mount the subfolder and edit its content)
  2. ability to read/write a network interface's rp_filter (/proc/sys/net/ipv4/conf/${_interface_name}/rp_filter)
  3. (important!) ability to run an external binary from the user environment (to start it and add it to the cgroup)
  4. ability to list all installed applications in the system and read the appropriate app icons (to show this info to the user in the application UI), according to the specification: https://specifications.freedesktop.org/desktop-entry-spec/desktop-entry-spec-latest.html
     This also requires the ability to read the user environment variables XDG_DATA_DIRS, XDG_CURRENT_DESKTOP and HOME, and read access to those directories.
  5. ability to get info about running apps in the user environment (read the PID from /proc/%d/stat)

I guess 1 and 2 can be covered by the network-control interface. Right?
What about 3, 4 and 5?

Thanks in advance for any comments.

P.S. The approval-request topic related to our software: Manual review request for 'ivpn' package and auto-connect interfaces

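As an added illustration of items 4 and 5 (this is not code from the original post or from the ivpn project), the sketch below enumerates installed desktop applications per the Desktop Entry spec, honouring XDG_DATA_DIRS precedence, and extracts a process name from a /proc/<pid>/stat line. The environment is passed in as a plain dict, and every input used in checking it is constructed.

```python
"""Enumerate Desktop Entry applications and read process names from /proc/<pid>/stat."""
import os
import shutil
from configparser import RawConfigParser

def data_dirs(env):
    """Search order per the XDG Base Directory spec: $XDG_DATA_HOME (default
    $HOME/.local/share), then $XDG_DATA_DIRS (default /usr/local/share:/usr/share).
    Earlier directories take precedence over later ones."""
    home = env.get("HOME", "/")
    data_home = env.get("XDG_DATA_HOME") or os.path.join(home, ".local", "share")
    dirs = env.get("XDG_DATA_DIRS") or "/usr/local/share:/usr/share"
    return [data_home] + [d for d in dirs.split(":") if d]

def parse_desktop_entry(text):
    """Return (Name, Icon, Exec) for a displayable Application entry, else None.
    Only the [Desktop Entry] group matters; Hidden/NoDisplay and failed TryExec
    entries are skipped, as the spec requires for application menus."""
    cp = RawConfigParser(delimiters=("=",), comment_prefixes=("#",),
                         strict=False, empty_lines_in_values=False, interpolation=None)
    cp.optionxform = str  # desktop-entry keys are case-sensitive
    cp.read_string(text)
    if not cp.has_section("Desktop Entry"):
        return None
    g = cp["Desktop Entry"]
    if g.get("Type") != "Application":
        return None
    if g.get("Hidden", "false").lower() == "true" or g.get("NoDisplay", "false").lower() == "true":
        return None
    tryexec = g.get("TryExec")
    if tryexec and shutil.which(tryexec) is None:
        return None
    return (g.get("Name", ""), g.get("Icon", ""), g.get("Exec", ""))

def list_applications(env):
    """Walk <dir>/applications in precedence order. The desktop-file id is the path
    relative to that directory with '/' replaced by '-'; the first file with a given
    id wins and later duplicates are ignored."""
    seen = {}
    for base in data_dirs(env):
        root = os.path.join(base, "applications")
        for dirpath, _, files in os.walk(root):
            for f in files:
                if not f.endswith(".desktop"):
                    continue
                path = os.path.join(dirpath, f)
                app_id = os.path.relpath(path, root).replace(os.sep, "-")
                if app_id in seen:
                    continue
                with open(path, encoding="utf-8", errors="replace") as fh:
                    entry = parse_desktop_entry(fh.read())
                if entry:
                    seen[app_id] = entry
    return seen

def comm_from_stat(stat_line):
    """Extract the comm field from a /proc/<pid>/stat line. It is wrapped in
    parentheses and may itself contain spaces or ')', so split on the *last* ')'
    instead of on whitespace."""
    return stat_line[stat_line.index("(") + 1:stat_line.rindex(")")]
```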