I’m working on a Snap which requires edits to its AppArmor profile. We already figured out how to make edits to the profile.
However, the process of finding out how to make edits to the profile is tedious. There are already tools
like aa-logprof which can offer edits to profiles after scanning logs.
According to Canonical, these tools aren’t snappy-aware, so they shouldn’t be used. However, they reference an old wiki. I’d be surprised if nobody has been able to adapt tools like aa-logprof to debug Snaps.
Is there a way to make this happen? It would greatly speed up our development process.
While not answering your question, I think the snapd developers and @jdstrand specifically might be interested to understand your requirements and why the available interfaces are insufficient to the degree that you are trying to alter the apparmor profiles.
The design of snapd is such that snapd manages the security policy for snaps and it will overwrite changes to, for example, the apparmor profile at various time. As such, aa-logprof integration with the snapd profile location has not been pursued.
As @ijohnson mentioned, snappy-debug is a tool you can use when developing snaps and it will make various suggestions to you. If your needs are beyond that (eg, you are considering making a patch to snapd), you can always edit the policy by hand (and load it into the kernel) manually, with the understanding that a snap refresh or other operations will undo your change.