Unable to use raw socket

I’m currently making a snap for this project: https://github.com/imsnif/bandwhich

It visualizes the amount of traffic used by applications by cross-referencing process names in /proc and observing the traffic passing through network interfaces.

I thought using the following plugs would be enough, but after changing the confinement to strict, AppArmor prevents it from opening a raw socket:

apps:
  bandwhich:
    command: bandwhich
    plugs:
      - network
      - network-bind
      - system-observe

= AppArmor =
Time: Jan 14 13:58:02
Log: apparmor="DENIED" operation="create" profile="snap.bandwhich-carroarmato0.bandwhich" pid=30386 comm="bandwhich" family="packet" sock_type="raw" protocol=768 requested_mask="create" denied_mask="create"

Any suggestions on how to deal with that?

The network-control interface allows using raw packet sockets, did you try declaring that interface in your snap and connecting it after installing the snap?

@ijohnson that unfortunately didn’t help, but I noticed that @popey has bumped into the issue a day later. (Possibly missing apparmor network permission)

At the moment the only way for me to run the snap is to build it using classic confinement and then launching it through sudo.

If you read through the rest of the messages on that forum post, it’s not the raw socket problem that blocks bandwhich from working; it’s ptrace. If you (temporarily) add docker-support to your interfaces that the snap plugs, then it should work strictly with network-control as well.
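
Added example, not part of the original thread: a small Python parser for the AppArmor denial quoted in the first post. It shows that `protocol=768` is `htons(ETH_P_ALL)` and separates packet-socket denials from the ptrace denials the last reply points to. The second sample record, the function names and the little-endian host assumption are constructed for illustration.

```python
import re
import struct

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted" or key=bare
PROFILE_RE = re.compile(r"snap\.([^.]+)\.(.+)")        # snap.<snap>.<app>
ETH_P_ALL = 0x0003                                     # linux/if_ether.h

# First record is the denial quoted in the thread; the second is constructed
# for illustration (its pid and peer are made-up values).
SAMPLE_LOG = [
    'apparmor="DENIED" operation="create" profile="snap.bandwhich-carroarmato0.bandwhich" '
    'pid=30386 comm="bandwhich" family="packet" sock_type="raw" protocol=768 '
    'requested_mask="create" denied_mask="create"',
    'apparmor="DENIED" operation="ptrace" profile="snap.bandwhich-carroarmato0.bandwhich" '
    'pid=30386 comm="bandwhich" requested_mask="read" denied_mask="read" peer="unconfined"',
]

def parse_fields(line):
    """Split one AppArmor audit record into a dict of its key/value fields."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}

def ethertype(protocol):
    """Undo htons() on the logged value; assumes a little-endian host."""
    return struct.unpack(">H", struct.pack("<H", int(protocol)))[0]

def classify(line):
    """Return (snap, app, kind, detail) for a DENIED record, else None."""
    f = parse_fields(line)
    if f.get("apparmor") != "DENIED":
        return None
    m = PROFILE_RE.fullmatch(f.get("profile", ""))
    snap, app = m.groups() if m else (None, None)
    if f.get("operation") == "create" and f.get("family") == "packet":
        et = ethertype(f["protocol"])
        name = "ETH_P_ALL" if et == ETH_P_ALL else hex(et)
        return snap, app, "packet-socket", f"{f['sock_type']} AF_PACKET, ethertype {name}"
    if f.get("operation") == "ptrace":
        return snap, app, "ptrace", f"{f['denied_mask']} of peer {f.get('peer')}"
    return snap, app, "other", f.get("operation", "")

if __name__ == "__main__":
    for record in SAMPLE_LOG:
        print(classify(record))
```

Running it over the full denial log of a strictly confined snap lists every denial kind at once, so a ptrace denial is not overlooked behind the more visible socket one.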