Add strict confinement to snap

[gruyaume]

Description

Add strict confinement to the snap. This may require patching the upstream project and/or involving the snap team.

Background

At the moment, the snap can't be strictly confined because bess requires the CAP_NET_ADMIN capability. Multiple plugs have been tested out to make this work without success.

logs

From journalctl:

Feb 01 12:52:11 potiron sdcore-upf.bessd[2136363]: I0201 12:52:11.049211 2136363 dpdk.cc:169] Initializing DPDK EAL with options: ["bessd", "--main-lcore", "127", "--lcore", "127@0-11", "--no-shconf", "--legacy-mem", "--no-huge", "-m", "512"]
Feb 01 12:52:11 potiron sdcore-upf.bessd[2136363]: EAL: Detected 12 lcore(s)
Feb 01 12:52:11 potiron sdcore-upf.bessd[2136363]: EAL: Detected 1 NUMA nodes
Feb 01 12:52:11 potiron sdcore-upf.bessd[2136363]: EAL: Detected static linkage of DPDK
Feb 01 12:52:11 potiron sdcore-upf.bessd[2136363]: EAL: Failed to create thread for interrupt handling
Feb 01 12:52:11 potiron sdcore-upf.bessd[2136363]: EAL: FATAL: Cannot init interrupt-handling thread
Feb 01 12:52:11 potiron sdcore-upf.bessd[2136363]: EAL: Cannot init interrupt-handling thread
Feb 01 12:52:11 potiron sdcore-upf.bessd[2136363]: F0201 12:52:11.051115 2136363 dpdk.cc:172] rte_eal_init() failed: ret = -1 rte_errno = 1 (Operation not permitted)
Feb 01 12:52:11 potiron sdcore-upf.bessd[2136363]: *** Check failure stack trace: ***
Feb 01 12:52:11 potiron sdcore-upf.bessd[2136363]: F0201 12:52:11.059525 2136363 debug.cc:407] Backtrace (recent calls first) ---
Feb 01 12:52:11 potiron sdcore-upf.bessd[2136363]: (0): /snap/sdcore-upf/x1/bin/bessd(+0x8cc582) [0x55b07fc21582]
Feb 01 12:52:11 potiron sdcore-upf.bessd[2136363]: (1): /snap/sdcore-upf/x1/bin/bessd(_ZN4bess8InitDpdkEi+0x73) [0x55b07fc21773]
Feb 01 12:52:11 potiron sdcore-upf.bessd[2136363]: (2): /snap/sdcore-upf/x1/bin/bessd(_ZN4bess10PacketPool18CreateDefaultPoolsEm+0x3a) [0x55b07fc1a61a]
Feb 01 12:52:11 potiron sdcore-upf.bessd[2136363]: (3): /snap/sdcore-upf/x1/bin/bessd(main+0x238) [0x55b07f9c1a98]
Feb 01 12:52:11 potiron sdcore-upf.bessd[2136363]: (4): /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf2) [0x7fbd61c89082]
Feb 01 12:52:11 potiron sdcore-upf.bessd[2136363]: (5): /snap/sdcore-upf/x1/bin/bessd(_start+0x2d) [0x55b07fc17efd]
Feb 01 12:52:11 potiron sdcore-upf.bessd[2136363]: *** Check failure stack trace: ***

From snappy-debug:

= AppArmor =
Time: 2024-02-01T12:5
Log: apparmor="DENIED" operation="capable" class="cap" profile="/snap/snapd/20671/usr/lib/snapd/snap-confine" pid=2134867 comm="snap-confine" capability=12  capname="net_admin"
Capability: net_admin
Suggestions:
* adjust program to not require 'CAP_NET_ADMIN' (see 'man 7 capabilities')
* add one of 'bluetooth-control, firewall-control, netlink-audit, netlink-connector, network-control, qualcomm-ipc-router' to 'plugs'
* do nothing if using systemd utility (eg, timedatectl): https://forum.snapcraft.io/t/managing-time-date-and-timezone-in-ubuntu-core/408/44
* do nothing (https://launchpad.net/bugs/1465724)

[gruyaume]

In addition to figuring out the issue outlined above, we will also need the following plugs:

plugs:
  var-run:
    interface: system-files
    write:
    - /var/run/bessd.pid
    - /run/bessd.pid

apps:
  bessd:
    daemon: simple
    install-mode: disable
    command: bin/bessd-start
    plugs:
      - var-run
      - io-ports-control
      - network-control