Request to publish snap with `system-files` plug

Hello,

This is a review request to get this snap published.

The source code requires write access to the /sys/fs/bpf/upf_pipeline directory because it uses eBPF to route packets. Adding the system-files plug caused the release to fail because it is a super-privileged interface.

plugs:
  bpf:
    interface: system-files
    read:
    - /sys/fs/bpf/upf_pipeline
    write:
    - /sys/fs/bpf/upf_pipeline

Usage

sudo snap install eupf
sudo snap connect eupf:network-control
sudo snap connect eupf:process-control
sudo snap connect eupf:bpf
sudo snap start eupf

Note

I’m fine with manual connection, this request is to get the snap published with the system-files plug.
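Since the system-files plug only works once it is manually connected, a pre-start check is useful. The script below is an added example, not part of the snap or this post: it parses the tabular output of `snap connections eupf` (columns Interface, Plug, Slot, Notes; Slot reads `-` when disconnected) and reports every required plug that is still unconnected. The plug names and the sample output are taken from the request above; the sample is constructed so the check runs offline.

```shell
#!/bin/sh
# Added example: verify that every plug the eupf snap needs is connected
# before `snap start eupf`. Plug names are the ones from the request.
REQUIRED_PLUGS="eupf:network-control eupf:process-control eupf:bpf"

# missing_plugs: reads `snap connections <snap>` output on stdin and prints
# each required plug whose Slot column is "-" (not connected), one per line.
# Returns 0 when everything is connected, 1 otherwise.
missing_plugs() {
    status=0
    # Skip the header row; keep the Plug column of rows that have a slot.
    connected=$(awk 'NR > 1 && $3 != "-" { print $2 }' | tr '\n' ' ')
    for plug in $REQUIRED_PLUGS; do
        case " $connected " in
            *" $plug "*) ;;                       # connected
            *) echo "$plug"; status=1 ;;          # still needs `snap connect`
        esac
    done
    return $status
}

# Constructed sample: network-control and process-control connected,
# the system-files plug "bpf" not yet connected.
SAMPLE_CONNECTIONS='Interface        Plug                  Slot              Notes
network-control  eupf:network-control  :network-control  manual
process-control  eupf:process-control  :process-control  manual
system-files     eupf:bpf              -                 -'

# Live use on the host would be:  snap connections eupf | missing_plugs
# Offline demonstration on the constructed sample (prints "eupf:bpf"):
printf '%s\n' "$SAMPLE_CONNECTIONS" | missing_plugs || true
```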


snapd already provides the system-trace interface to allow some bpf permissions - it feels like this should also be updated to include access to /sys/fs/bpf as well. @zyga thoughts?

I’m okay with read only access to /sys/fs/bpf but the reporter asked about write access to a specific file in the bpf file system. I think that should stay in system-files but the rest can go to system-trace.

/sys/fs/bpf is used to store persistent bpf objects. The same app would read/write data there. There’s not much value in being able to read the location without writing to it. I’m ok with using system-files for the moment.

In the future it would be quite useful to have an eBPF plug that allows writing there among other things. I suspect I’m not the only one wanting to snap software that uses eBPF.
