Add custom AppArmor rules to snap?

Solution 1:

In 16.04, the way to do this is with an 'interface' defined in the snapd code, which is driven by a custom schema in your snap definition. There are a bunch already defined, and it looks like all you need are:

  • a raw disk interface (iirc someone else wants that too)
  • a raw ethernet interface

You're unlikely to get a blanket /sys/devices/* landed, but I suspect you actually need specific types of access to specific types of devices, and those can all be designed and landed.

The best place to hash out what you need is in #snappy on freenode IRC; chat with zyga for pointers to code describing existing interfaces. It should be a simple patch to work up.