Snap rejected because of use of browser-support

FYI, you can use snappy-debug to help on your journey to strict confinement. E.g., in a separate terminal/ssh session:

$ sudo snap install snappy-debug
$ sudo snappy-debug.security scanlog
...

Then in another, exercise your snap:

$ sudo snap install --dangerous /path/to/snap
$ sudo snap connect ... # connect any interfaces you plug

See Security policy and sandboxing for details.

For example:

Log: auid=1000 uid=0 gid=0 ses=581 pid=25966 comm="renice" exe="/usr/bin/renice" sig=31 arch=40000028 97(setpriority) compat=0 ip=0xb6e8ac06 code=0x0
Syscall: setpriority
Suggestion:
* add one of 'browser-support, process-control' to 'plugs'

So as @ogra said, plug ‘process-control’ instead of ‘browser-support’.

Note to others who used scmp_sys_resolver: syscalls have different numbers on different architectures and you need to carefully look at ‘arch’ in the denial. For example, in the above, arch=40000028 corresponds to arm (arch=c000003e is for amd64, arch=c00000b7 for arm64, etc). You have to be careful using scmp_sys_resolver on other architectures. E.g., on my amd64 host:

$ scmp_sys_resolver 97 # use whatever arch the host is
getrlimit
$ scmp_sys_resolver -a x86_64 97 # specify amd64
getrlimit
$ scmp_sys_resolver -a aarch64 97 # specify arm64
unshare
$ scmp_sys_resolver -a arm 97 # specify armhf
setpriority

(This is also discussed in Security policy and sandboxing.)

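The arch check described in the post above, as an added example that is not part of the original post: it reads the `arch=` field of a seccomp denial and builds the `scmp_sys_resolver -a` call for that architecture instead of the host's. The function names are hypothetical, the arch table holds only the three values the post gives, and the sample line is the denial quoted in the post.

```python
import re
import shutil
import subprocess

# arch= values from the post (hex, as logged) -> name for `scmp_sys_resolver -a`.
AUDIT_ARCH = {
    "40000028": "arm",      # armhf
    "c000003e": "x86_64",   # amd64
    "c00000b7": "aarch64",  # arm64
}

# Constructed sample input: the denial line quoted in the post.
SAMPLE = ('auid=1000 uid=0 gid=0 ses=581 pid=25966 comm="renice" '
          'exe="/usr/bin/renice" sig=31 arch=40000028 97(setpriority) '
          'compat=0 ip=0xb6e8ac06 code=0x0')

ARCH_RE = re.compile(r"\barch=([0-9a-fA-F]+)\b")
# Raw audit records carry syscall=NN; snappy-debug shows it as NN(name).
NR_RE = re.compile(r"\bsyscall=(\d+)\b|(?<![\w=])(\d+)\(\w+\)")


def parse_denial(line):
    """Return (arch_name, syscall_number) for one seccomp denial line."""
    arch = ARCH_RE.search(line)
    nr = NR_RE.search(line)
    if not arch or not nr:
        raise ValueError("no arch/syscall field in line")
    hexval = arch.group(1).lower()
    if hexval not in AUDIT_ARCH:
        # Refuse to fall back to the host arch: that is the mistake to avoid.
        raise ValueError(f"unmapped arch={hexval}")
    return AUDIT_ARCH[hexval], int(nr.group(1) or nr.group(2))


def resolver_command(line):
    """Build the scmp_sys_resolver call that matches the denial's arch."""
    arch, nr = parse_denial(line)
    return ["scmp_sys_resolver", "-a", arch, str(nr)]


def resolve(line):
    """Run the resolver if it is installed; return the name, else None."""
    cmd = resolver_command(line)
    if shutil.which(cmd[0]) is None:
        return None
    out = subprocess.run(cmd, capture_output=True, text=True, check=True)
    return out.stdout.strip()


if __name__ == "__main__":
    print(" ".join(resolver_command(SAMPLE)), "->", resolve(SAMPLE))
```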