This is a review request to get this snap published.
The source code requires write access to the /sys/fs/bpf/upf_pipeline directory because it uses eBPF to route packets. Adding the system-files plug caused the release to fail because it is a super-privileged interface.
snapd already provides the system-trace interface to allow some bpf permissions - it feels like this should also be updated to include access to /sys/fs/bpf as well. @zyga thoughts?
I’m okay with read-only access to /sys/fs/bpf, but the reporter asked about write access to a specific file in the bpf file system. I think that should stay in system-files, but the rest can go to system-trace.
The /sys/fs/bpf is used to store persistent bpf objects. The same app would read/write data there. There’s not much value in being able to read the location without writing to it. I’m ok with using system-files for the moment.
In the future it would be quite useful to have an eBPF plug that allows writing there among other things. I suspect I’m not the only one wanting to snap software that uses eBPF.
I agree that an eBPF interface will be pretty useful here. However, in the meantime +1 from me to grant eUPF write access to /sys/fs/bpf/upf_pipeline via system-files.
Please update the name of the interface to sys-fs-bpf-upf-pipeline according to our naming convention.
+1 from me as well for connect of this system-files interface given the lack of interface for this specific use case.
+2 votes for, 0 votes against, granting connect of interface system-files to snap eupf. I have vetted the publisher. Please let us know once the interface name is updated as per the comment from @jslarraz, and we will go ahead and make the changes live.
@gruyaume - since we’ve not heard back from you, we are removing this request from our review queue. When you have more time to respond, simply do so here and we can add the request back to the queue. Thanks.