Unable to create AF_KEY socket

I’m currently porting over ike (Shrewsoft VPN Client) to the snap world but I’m hitting a wall due to the daemon not being able to create an AF_KEY socket.

audit: type=1400 audit(1588669050.115:10914): apparmor="DENIED" operation="create" profile="snap.ike-qt-core18.iked" pid=12149 comm="iked" family="key" sock_type="raw" protocol=2 requested_mask="create" denied_mask="create"

Active plugs:
- network
- network-bind
- network-control
- netlink-connector

Is there an existing plug missing or does snapd need support for that in the first place?

Happening on:

snap    2.44.3
snapd   2.44.3
series  16
ubuntu  18.04
kernel  5.3.0-51-generic

Hmm, this is interesting because the default seccomp profile allows socket AF_KEY, but it appears that we are lacking equivalent AppArmor permissions for this. @jdstrand do you think support for this should be added to one of the existing network interfaces or maybe the default template for AppArmor?

No, omitting it from network was intentional. This needs to be in another interface. I’ve added it as a TODO to investigate in the next batches of policy updates.
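
To read the denial from the first post: the following is an added example, not part of the thread and not snapd code. It parses an AppArmor DENIED audit record and derives the `network` rule a profile would need to contain for the socket call to pass. The function names are illustrative, and the sample input is the record quoted above.

```python
import shlex

# Sample input: the denial quoted in the first post of this thread.
SAMPLE = ('audit: type=1400 audit(1588669050.115:10914): apparmor="DENIED" '
          'operation="create" profile="snap.ike-qt-core18.iked" pid=12149 '
          'comm="iked" family="key" sock_type="raw" protocol=2 '
          'requested_mask="create" denied_mask="create"')


def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED record, else None."""
    _, sep, body = line.partition("apparmor=")
    if not sep:
        return None
    try:
        tokens = shlex.split("apparmor=" + body)  # strips the double quotes
    except ValueError:  # truncated record with an unbalanced quote
        return None
    fields = {}
    for token in tokens:
        key, eq, value = token.partition("=")
        if eq:
            fields[key] = value
    return fields if fields.get("apparmor") == "DENIED" else None


def network_rule(fields):
    """Build the AppArmor rule matching a denied socket operation.

    Only socket denials carry a "family" field; file or capability
    denials return None here.
    """
    if "family" not in fields:
        return None
    parts = ["network", fields["family"]]
    if "sock_type" in fields:
        parts.append(fields["sock_type"])
    return " ".join(parts) + ","


def summarize(line):
    fields = parse_denial(line)
    if fields is None:
        return None
    return {"profile": fields.get("profile"), "comm": fields.get("comm"),
            # protocol 2 on an AF_KEY socket is PF_KEY_V2
            "protocol": int(fields["protocol"]) if "protocol" in fields else None,
            "rule": network_rule(fields)}


if __name__ == "__main__":
    print(summarize(SAMPLE))  # rule: "network key raw,"
```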