Request for classic confinement for snap picosnitch

Hello,

I am requesting classic confinement for https://snapcraft.io/picosnitch (https://github.com/elesiuta/picosnitch).

Picosnitch is a per-executable bandwidth monitor, which uses BPF, and hashes every executable in order to uniquely identify them (useful for systems with multiple versions, containers, etc). After each executable is hashed, it is marked with fanotify so that it can check whether or not it needs to be hashed again the next time the executable is seen.

As far as I know, it does not currently seem possible to get fanotify_init() to work with strict confinement, but it does work with classic. This may not be the only reason it requires classic, but I stopped trying to get the rest of it to work with strict when I realized it may not be possible anyway due to fanotify.

Thanks!
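The hash-then-mark scheme described in the post, as an added illustration (not picosnitch's own code). The class names, the in-memory "mark", the constructed sample executable and the `run_demo()` helper are all assumptions made for this example; the `FAN_*` values are the kernel's, and the `probe_fanotify_init()` helper only shows how to obtain the errno that a bare `fanotify_init()` returns under a given confinement (it needs CAP_SYS_ADMIN, so it is not exercised by the demo):

```python
import ctypes
import errno
import hashlib
import os
import sys
import tempfile

# Values from <linux/fanotify.h>; only the bits this example uses.
FAN_CLOEXEC = 0x00000001
FAN_CLASS_NOTIF = 0x00000000
FAN_MODIFY = 0x00000002
FAN_CLOSE_WRITE = 0x00000008


class ExecutableHashCache:
    """Hash each executable once, then rehash only after a modify event.

    Hypothetical stand-in for the fanotify mark: instead of asking the kernel
    for events, on_event() is fed the mask a fanotify reader would deliver.
    """

    def __init__(self):
        self._digests = {}       # path -> hex SHA-256
        self._dirty = set()      # paths modified since they were last hashed
        self.hashes_computed = 0 # counts real reads of the file

    def _compute(self, path):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 20), b""):
                h.update(chunk)
        self.hashes_computed += 1
        return h.hexdigest()

    def digest(self, path):
        # Rehash only on first sight or after an invalidating event;
        # without an event a changed file keeps its stale digest, which is
        # exactly why losing fanotify matters for this design.
        if path not in self._digests or path in self._dirty:
            self._digests[path] = self._compute(path)
            self._dirty.discard(path)
        return self._digests[path]

    def on_event(self, path, mask):
        # FAN_MODIFY / FAN_CLOSE_WRITE on a marked file invalidate its digest.
        if mask & (FAN_MODIFY | FAN_CLOSE_WRITE):
            self._dirty.add(path)


def probe_fanotify_init():
    """Return (True, "ok") or (False, errno-name) for a bare fanotify_init().

    Useful as the concrete error to quote when asking for an interface that
    would allow the call; requires CAP_SYS_ADMIN, so it normally fails
    unprivileged (EPERM).
    """
    if not sys.platform.startswith("linux"):
        return False, "not linux"
    libc = ctypes.CDLL(None, use_errno=True)
    fn = libc.fanotify_init
    fn.argtypes = [ctypes.c_uint, ctypes.c_uint]
    fn.restype = ctypes.c_int
    fd = fn(FAN_CLASS_NOTIF | FAN_CLOEXEC, os.O_RDONLY)
    if fd < 0:
        return False, errno.errorcode.get(ctypes.get_errno(), "unknown")
    os.close(fd)
    return True, "ok"


def run_demo():
    """Walk a constructed executable through hash, cache hit, change, event."""
    v1 = b"#!/bin/sh\necho version one\n"   # constructed sample content
    v2 = b"#!/bin/sh\necho version two\n"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample-bin")
        with open(path, "wb") as f:
            f.write(v1)
        cache = ExecutableHashCache()
        first = cache.digest(path)
        second = cache.digest(path)          # cache hit, no read
        with open(path, "wb") as f:
            f.write(v2)                      # file changes...
        stale = cache.digest(path)           # ...but no event yet: stale
        cache.on_event(path, FAN_MODIFY)     # what the fanotify mark delivers
        fresh = cache.digest(path)           # rehashed
        return {
            "first": first,
            "expected_first": hashlib.sha256(v1).hexdigest(),
            "expected_fresh": hashlib.sha256(v2).hexdigest(),
            "second": second,
            "stale": stale,
            "fresh": fresh,
            "computed": cache.hashes_computed,
        }


if __name__ == "__main__":
    print(run_demo())
    print("fanotify_init():", probe_fanotify_init())
```

The stale step is the point: a path-keyed digest cache is only as trustworthy as its invalidation source, so a confinement that blocks `fanotify_init()` removes the mechanism rather than merely degrading it.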

Hello @elesiuta,

This is a very interesting looking snap, but to my eye it just doesn’t meet any of the supported categories for classic confinement unfortunately.

I think in this instance there is no quick solution, but for your application to work as a confined snap you will need to work with members of the snap community and the snapd project to see what specific amendments might need to be made to an existing interface, or even the creation of a new interface, to allow for the fanotify_init() and other functionality you need.

Thanks for looking at it, and confirming that there is no interface I was missing which would allow for fanotify.

I saw that list and was hoping it might be possible to get an exception under:

  • access to resources not yet supported by snapd and where the requirement is clearly understood to be supportable by snapd. This may result in temporarily granting classic until snapd supports the use case in strict mode

I would prefer it as well if it were possible to work under strict confinement, since as far as I know classic snaps don't work on Ubuntu Core, which would probably include the upcoming Ubuntu Core as an immutable Linux Desktop base?

If I were to create a feature request for fanotify support, I assume the best place to do that would be here?

We would also prefer picosnitch to work under strict confinement. Rather than launchpad, I think the best starting point for getting a new interface created would be in the snapd category of the forum here. The snapd github repo is also a good place to start learning how interfaces are written.

I created a version of picosnitch where fanotify is optional, and commented out some other small (but likely fixable) issues but found one other show stopper like I suspected.

With snappy-debug I get:

= AppArmor =
Time: Sep 30 14:09:40
Log: apparmor="DENIED" operation="capable" class="cap" profile="snap.picosnitch.picosnitch" pid=940220 comm="python3" capability=39  capname="bpf"
Capability: bpf
Suggestions:
* adjust program to not require 'CAP_BPF' (see 'man 7 capabilities')
* do nothing if program otherwise works properly

It looks like this will be too much trouble to get working, so I’m planning to just leave it at that for now. I may try again with a future version of snapd, or help a bit with the picosnitch side of things if someone else comes along and wants to get this working.