Comment 18 for bug 1674193

Jamie Strandboge (jdstrand) wrote :

For completeness I booted into http://kernel.ubuntu.com/~kernel-ppa/mainline/v4.4.44/ (i.e., the corresponding upstream kernel for the Ubuntu release I tested on):

$ cat /proc/version
Linux version 4.4.44-040444-generic (kernel@tangerine) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.4) ) #201701200532 SMP Fri Jan 20 10:33:55 UTC 2017

$ sudo snap run --shell --hook=configure core # HANG

With the following denial:
Mar 24 11:06:35 sec-xenial-amd64 kernel: [ 2078.560962] audit: type=1326 audit(1490371595.703:29): auid=1000 uid=0 gid=0 ses=2 pid=1664 comm="snapctl" exe="/usr/bin/snapctl" sig=31 arch=c000003e syscall=49 compat=0 ip=0x564e89b2a294 code=0x0

Adding 'bind' to /var/lib/snapd/seccomp/profiles/snap.core.hook.configure allows it to work:
$ sudo snap run --shell --hook=configure core # NO HANG
...
$

Note: I didn't have to fiddle with apparmor for this because the upstream kernel does not have the network compat patches, therefore apparmor doesn't mediate the problematic 'network inet6' rule described in comment #16, so the access is allowed and snapctl proceeds to use bind().
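A parser for the seccomp audit denial quoted in this comment, added here as an example; it is not part of the bug report or of snapd's own code. It decodes a `type=1326` line (syscall=49 under arch=c000003e is bind() on x86_64, sig=31 is SIGSYS, code=0x0 is SECCOMP_RET_KILL) and reports which syscall names a seccomp profile, one syscall per line as in /var/lib/snapd/seccomp/profiles, still lacks. The syscall-number subset, arch constants and action values come from the kernel's x86_64 syscall table and seccomp.h; the profile excerpt is constructed and the signal name assumes Linux numbering.

```python
import re

# Subset of the x86_64 syscall table (arch=c000003e is AUDIT_ARCH_X86_64),
# enough to cover the socket-family calls that show up in snapd denials.
X86_64_SYSCALLS = {
    41: "socket", 42: "connect", 43: "accept", 44: "sendto", 45: "recvfrom",
    46: "sendmsg", 47: "recvmsg", 48: "shutdown", 49: "bind", 50: "listen",
    51: "getsockname", 52: "getpeername", 53: "socketpair",
    54: "setsockopt", 55: "getsockopt",
}
AUDIT_ARCH = {"c000003e": "x86_64", "40000003": "i386", "c00000b7": "aarch64"}
# seccomp return actions as reported in the code= field (action bits only).
SECCOMP_ACTIONS = {
    0x00000000: "SECCOMP_RET_KILL", 0x00030000: "SECCOMP_RET_TRAP",
    0x00050000: "SECCOMP_RET_ERRNO", 0x7ffc0000: "SECCOMP_RET_LOG",
}
SIGNALS = {31: "SIGSYS"}  # Linux numbering; SIGSYS is what a seccomp kill delivers

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_seccomp_denial(line):
    """Describe an audit type=1326 (seccomp) line; return None for other records."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    if fields.get("type") != "1326":
        return None
    nr = int(fields["syscall"])
    arch = AUDIT_ARCH.get(fields.get("arch", ""), "unknown")
    # Syscall numbers differ per arch; only x86_64 is tabulated here.
    name = X86_64_SYSCALLS.get(nr, f"syscall#{nr}") if arch == "x86_64" else f"syscall#{nr}"
    code = int(fields.get("code", "0x0"), 16) & 0xFFFF0000  # SECCOMP_RET_ACTION_FULL
    sig = int(fields.get("sig", "0"))
    return {
        "comm": fields.get("comm"), "exe": fields.get("exe"), "pid": int(fields["pid"]),
        "arch": arch, "syscall_nr": nr, "syscall_name": name,
        "signal": SIGNALS.get(sig, str(sig)),
        "action": SECCOMP_ACTIONS.get(code, hex(code)),
    }


def missing_syscalls(profile_text, denials):
    """Syscall names from parsed denials that the profile does not already list."""
    allowed = {ln.split()[0] for ln in profile_text.splitlines()
               if ln.strip() and not ln.lstrip().startswith("#")}
    return sorted({d["syscall_name"] for d in denials
                   if d and d["syscall_name"] not in allowed})


# The denial line quoted in the bug comment above.
DENIAL = ('Mar 24 11:06:35 sec-xenial-amd64 kernel: [ 2078.560962] audit: type=1326 '
          'audit(1490371595.703:29): auid=1000 uid=0 gid=0 ses=2 pid=1664 comm="snapctl" '
          'exe="/usr/bin/snapctl" sig=31 arch=c000003e syscall=49 compat=0 '
          'ip=0x564e89b2a294 code=0x0')

# Constructed excerpt; not the real snap.core.hook.configure profile.
PROFILE = "# constructed\nsocket\nconnect\nsendmsg\nrecvmsg\n"

if __name__ == "__main__":
    denial = parse_seccomp_denial(DENIAL)
    print(denial)
    print("add to profile:", missing_syscalls(PROFILE, [denial]))
```

Run against the quoted line this reports `bind` as the one name the constructed profile lacks, which matches the fix described in the comment; the arch check matters because the same syscall number means a different call on i386 or aarch64.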