Comment 11 for bug 1712808

Stéphane Graber (stgraber) wrote :

Hmm, cgroup:rw has absolutely nothing to do with this.
LXD uses a cgroup namespace by default which completely ignores that particular setting.

With the cgroup namespace, root in the container is allowed to do anything it wants to the /sys/fs/cgroup tree.

root@disco:~# mkdir /sys/fs/cgroup/freezer/snap.blah
root@disco:~# chown 1000:1000 /sys/fs/cgroup/freezer/snap.blah

The error also quite clearly comes from udev rather than anything cgroup related:

root@disco:~# snap install hello-world
error: cannot perform the following tasks:
- Setup snap "core" (6531) security profiles (cannot setup udev for snap "core": cannot reload udev rules: exit status 2
udev output:
)
- Setup snap "core" (6531) security profiles (cannot reload udev rules: exit status 2
udev output:
)
root@disco:~# snap install hello-world
2019-03-27T20:18:56Z INFO Waiting for restart...
hello-world 6.3 from Canonical✓ installed
root@disco:~#