Comment 0 for bug 1615113

Michael Hall (mhall119) wrote: snap-confine prevented from mounting directories shared through the "content" interface

Using the new "content" interface, and following the integration tests as an example, I have built two snaps in https://github.com/ubuntu/snappy-playpen/tree/geany, one under "geany", the other under "geany-plugins", that work together to share the plugin code with the geany app.

Both build, install, and connect just fine, but on trying to run /snap/bin/geany it immediately fails with the following message:

cannot mount /snap/geany-plugins/x1 at /snap/geany/x1/plugins with options bind,ro. errmsg: Permission denied

Checking dmesg after this shows the following:

[335489.022097] audit: type=1400 audit(1471624994.323:302441): apparmor="DENIED" operation="mount" info="failed srcname match" error=-13 profile="/usr/lib/snapd/snap-confine" name="/snap/geany/x1/plugins/" pid=18454 comm="ubuntu-core-lau" srcname="/snap/geany-plugins/x1/" flags="rw, bind"

I believe this is due to the fact that my geany-plugins slot is sharing the root of its content (/) instead of a file or folder by name. This makes the mount source /snap/geany-plugins/x1/, which is too short to match the apparmor allow line of /snap/*/*/**.

To test this, I made the following change to /etc/apparmor.d/usr.lib.snapd.snap-confine:
120,121c120,121
< mount options=(rw bind) /snap/*/*/** -> /snap/*/*/**,
< mount options=(ro bind) /snap/*/*/** -> /snap/*/*/**,
---
> mount options=(rw bind) /snap/*/** -> /snap/*/*/**,
> mount options=(ro bind) /snap/*/** -> /snap/*/*/**,
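Review bot: both replacement lines widen the source glob from /snap/*/*/** to /snap/*/**, which grants more than this bug needs: it lets snap-confine bind-mount any path directly beneath /snap/<name>/ (not only content inside a revision directory), whereas the dmesg denial above was only for the revision root /snap/geany-plugins/x1/ itself, which /snap/*/*/** rejects because ** must match at least one character after the trailing slash. A narrower change would keep the two existing lines and add a rule whose source matches the revision directory itself, e.g. `mount options=(ro bind) /snap/*/*/ -> /snap/*/*/**,` (and the rw variant if the initial bind needs it, as the logged flags="rw, bind" suggest); that form should be checked against AppArmor's globbing rules before it is relied on.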

This allowed the mount to happen and the application to run.
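To make the "too short to match" reasoning concrete, here is an added example (not part of the bug report or of snapd/AppArmor) that models AppArmor's path globbing in Python and checks the logged srcname and name from the dmesg line against the original and the relaxed rule. The matcher is a simplified assumption about AppArmor semantics: `*` never crosses `/`, `**` may cross `/`, and a `**` that forms a whole path component (`/**` or `/**/`) must begin with a non-slash character, so `/dir/**` does not match `/dir/` itself. The candidate paths other than the two from the dmesg line, and the narrower `/snap/*/*/` rule, are constructed for illustration.

```python
import re

# Values taken from the dmesg line in the bug report.
SRCNAME = "/snap/geany-plugins/x1/"
DESTNAME = "/snap/geany/x1/plugins/"

# (source glob, destination glob) pairs: the original profile line, the
# relaxed line from the bug report, and a constructed narrower alternative
# that only admits a revision directory itself as the source.
ORIGINAL_RULE = ("/snap/*/*/**", "/snap/*/*/**")
RELAXED_RULE = ("/snap/*/**", "/snap/*/*/**")
NARROW_RULE = ("/snap/*/*/", "/snap/*/*/**")  # hypothetical alternative


def glob_to_regex(glob: str) -> str:
    """Translate an AppArmor-style path glob into an anchored regex.

    Simplified model (assumption, not the real AppArmor parser):
      *    any run of characters except '/'
      **   any run of characters including '/', but when '**' is a whole
           path component it must start with a non-'/' character, so
           /dir/** matches /dir/x and /dir/x/y but not /dir/ itself.
    """
    out = []
    i, n = 0, len(glob)
    while i < n:
        ch = glob[i]
        if ch == "*" and i + 1 < n and glob[i + 1] == "*":
            starts_component = i == 0 or glob[i - 1] == "/"
            ends_component = i + 2 == n or glob[i + 2] == "/"
            out.append("[^/].*" if starts_component and ends_component else ".*")
            i += 2
        elif ch == "*":
            out.append("[^/]*")
            i += 1
        else:
            out.append(re.escape(ch))
            i += 1
    return "^" + "".join(out) + "$"


def rule_permits(rule, src: str, dest: str) -> bool:
    """True if both the source and destination globs of `rule` match."""
    src_glob, dest_glob = rule
    return (re.match(glob_to_regex(src_glob), src) is not None
            and re.match(glob_to_regex(dest_glob), dest) is not None)


def newly_permitted_sources(old_rule, new_rule, candidates, dest=DESTNAME):
    """Source paths that `new_rule` admits but `old_rule` rejected.

    Useful for judging how much a profile relaxation widens the mount
    surface beyond the one path that triggered the denial.
    """
    return [p for p in candidates
            if rule_permits(new_rule, p, dest) and not rule_permits(old_rule, p, dest)]


# Constructed candidate sources: the denied one, a normal in-revision path,
# and a path directly under /snap/<name>/ that is not a revision's content.
CANDIDATES = [
    "/snap/geany-plugins/x1/",
    "/snap/geany/x1/plugins/",
    "/snap/core/current",
]

if __name__ == "__main__":
    print("original rule permits the denied mount:", rule_permits(ORIGINAL_RULE, SRCNAME, DESTNAME))
    print("relaxed rule permits the denied mount: ", rule_permits(RELAXED_RULE, SRCNAME, DESTNAME))
    print("narrow rule permits the denied mount:  ", rule_permits(NARROW_RULE, SRCNAME, DESTNAME))
    print("sources newly permitted by the relaxed rule:",
          newly_permitted_sources(ORIGINAL_RULE, RELAXED_RULE, CANDIDATES))
    print("sources newly permitted by the narrow rule: ",
          newly_permitted_sources(ORIGINAL_RULE, NARROW_RULE, CANDIDATES))
```

Under this model the original rule rejects `/snap/geany-plugins/x1/` exactly as the dmesg line reports, the relaxed rule accepts it but also admits `/snap/core/current`, and the narrower rule admits only the revision directory that the content interface actually shares.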