ogra, if we set up the 5% for e.g. group snapdaemon, start snapd with the snapdaemon group in supplementary groups, and be very careful to drop the snapdaemon group before installing, unpacking, running anything, etc., we might be able to use the magic group correctly. It'd be fiddly to ensure the group never 'leaks' to any less-privileged systems.
ogra, if we set up the 5% for e.g. group snapdaemon, start snapd with the snapdaemon group in supplementary groups, and be very careful to drop the snapdaemon group before installing, unpacking, running anything, etc., we might be able to use the magic group correctly. It'd be fiddly to ensure the group never 'leaks' to any less-privileged systems.
Thanks