I’ve run into an issue with trying to confine nginx (and also squid) in a snap.
Nginx uses the glibc function initgroups(), which calls the syscall setgroups(), regardless of whether your process's gid is that group already.
So, even if I explicitly configure nginx to run with a uid and gid of 0, it ends up calling setgroups(1, ), and while that would be a no-op, as the process already has a gid of 0, the process is still killed as it gets blocked by the seccomp blacklist.
Squid has a similar problem, but more complex, as it explicitly checks for and disallows running as root as well. The proxy user/group exist in the core snap, but we can’t switch to them as we hit seccomp blocking setgroups again.
I suspect other servers are likely to use glibc’s initgroups also.
Would it be possible to add seccomp filtering for setgroups? Maybe to allow it to use any gid that is defined in the core snap, like proxy, nogroup, etc?
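The behaviour described in the post, reproduced as an added example (not code from the original post or from snapd): a child process installs a seccomp filter that rejects setgroups(), then calls initgroups() with the gid it already has. It assumes Linux on x86_64 or aarch64 with glibc; the filter returns EACCES instead of killing the process so that the blocked call can be observed, and the function names are hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>

/* Filter: setgroups fails with EACCES, every other syscall is allowed.
   ERRNO is used instead of a kill action so the result is observable.
   A production filter would also check seccomp_data.arch. */
static int deny_setgroups(void) {
    struct sock_filter insns[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_setgroups, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EACCES),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof insns / sizeof insns[0],
                               .filter = insns };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Runs initgroups() in a filtered child with the gid the process already has.
   Returns the child's errno (0 if initgroups succeeded, -1 on setup failure). */
int initgroups_errno_under_filter(void) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (deny_setgroups() != 0) _exit(255);
        /* The gid is unchanged, yet glibc still issues setgroups(). */
        _exit(initgroups("root", getgid()) == 0 ? 0 : errno);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 255 ? -1 : WEXITSTATUS(status);
}

int main(void) {
    int e = initgroups_errno_under_filter();
    printf("initgroups() under filter: errno=%d (EACCES=%d)\n", e, EACCES);
    return e == EACCES ? 0 : 1;
}
```

The filter only sees the syscall number and its register arguments (here the group count and a pointer), so the gid values themselves are not visible to it.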