Snap that exposes a Unix socket but shouldn't use `network-bind`

We have a snap that exposes a gRPC server over a Unix socket so other snaps can call it. We provide this API through a content interface, as the content interface doc describes. However, just using this interface is not enough: it fails to bind. We don’t want to use the `network-bind` interface for this because it implies that the snap could expose something on an Ethernet interface, which we don’t want to do from a mandatory access control policy point of view.

Is there a better interface that just allows bind? If not, should one be added? Or perhaps a specific Unix socket interface that is like a content interface but adds binding?

Actually, this particular service is not a gRPC server but a REST server over a Unix socket. Weirdly, it doesn’t look like we needed the `network-bind` interface for gRPC :thinking:.
