apparmor issue when running snap with ip netns exec

snap --version
snap 2.36~pre2+git971.73ec9b5~ubuntu16.04.1
snapd 2.36~pre2+git971.73ec9b5~ubuntu16.04.1
series 16
neon 18.04
kernel 4.15.0-36-generic

sudo ip netns exec novpn sudo -u michaelc skype
execv failed: Permission denied

[341356.450087] audit: type=1400 audit(1540377562.655:4328): apparmor="DENIED" operation="exec" profile="/snap/core/5789/usr/lib/snapd/snap-confine" name="/snap/core/5789/usr/lib/snapd/snap-exec" pid=30503 comm="snap-confine" requested_mask="x" denied_mask="x" fsuid=1098200003 ouid=0

# Author: Jamie Strandboge <email address hidden>
#include <tunables/global>

/snap/core/5789/usr/lib/snapd/snap-confine (attach_disconnected) {
    # Include any additional files that snapd chose to generate.
    # - for $HOME on NFS
    # - for $HOME on encrypted media
    #
    # Those are discussed on https://forum.snapcraft.io/t/snapd-vs-upstream-kernel-vs-apparmor
    # and https://forum.snapcraft.io/t/snaps-and-nfs-home/
    #include "/var/lib/snapd/apparmor/snap-confine"

    # We run privileged, so be fanatical about what we include and don't use
    # any abstractions
    /etc/ld.so.cache r,
    /etc/ld.so.preload r,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}ld-*.so mrix,
    # libc, you are funny
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libc{,-[0-9]*}.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libpthread{,-[0-9]*}.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libreadline{,-[0-9]*}.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}librt{,-[0-9]*}.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libgcc_s.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libncursesw{,-[0-9]*}.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libresolv{,-[0-9]*}.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libselinux.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libpcre.so* mr,
    # normal libs in order
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libapparmor.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcgmanager.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libdl{,-[0-9]*}.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnih.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnih-dbus.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libdbus-1.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libudev.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libseccomp.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcap.so* mr,

    /snap/core/5789/usr/lib/snapd/snap-confine mr,

    /dev/null rw,
    /dev/full rw,
    /dev/zero rw,
    /dev/random r,
    /dev/urandom r,
    /dev/pts/[0-9]* rw,
    /dev/tty rw,

    # cgroup: devices
    capability sys_admin,
    capability dac_read_search,
    capability dac_override,
    /sys/fs/cgroup/devices/snap{,py}.*/ w,
    /sys/fs/cgroup/devices/snap{,py}.*/tasks w,
    /sys/fs/cgroup/devices/snap{,py}.*/devices.{allow,deny} w,

    # cgroup: freezer
    # Allow creating per-snap cgroup freezers and adding snap command (task)
    # invocations to the freezer. This allows for reliably enumerating all
    # running tasks for the snap. In addition, allow enumerating processes in
    # the cgroup to determine if it is occupied.
    /sys/fs/cgroup/freezer/ r,
    /sys/fs/cgroup/freezer/snap.*/ w,
    /sys/fs/cgroup/freezer/snap.*/tasks w,
    /sys/fs/cgroup/freezer/snap.*/cgroup.procs r,

    # querying udev
    /etc/udev/udev.conf r,
    /sys/**/uevent r,
    /usr/lib/snapd/snap-device-helper ixr, # drop
    /{,usr/}lib/udev/snappy-app-dev ixr, # drop
    /run/udev/** rw,
    /{,usr/}bin/tr ixr,
    /usr/lib/locale/** r,
    /usr/lib/@{multiarch}/gconv/gconv-modules r,
    /usr/lib/@{multiarch}/gconv/gconv-modules.cache r,

    # priv dropping
    capability setuid,
    capability setgid,

    # changing profile
    @{PROC}/[0-9]*/attr/exec w,
    # Reading current profile
    @{PROC}/[0-9]*/attr/current r,
    # Reading available filesystems
    @{PROC}/filesystems r,

    # To find where apparmor is mounted
    @{PROC}/[0-9]*/mounts r,
    # To find if apparmor is enabled
    /sys/module/apparmor/parameters/enabled r,

    # Don't allow changing profile to unconfined or profiles that start with
    # '/'. Use 'unsafe' to support snap-exec on armhf and its reliance on
    # the environment for determining the capabilities of the architecture.
    # 'unsafe' is ok here because the kernel will have already cleared the
    # environment as part of launching snap-confine with
    # CAP_SYS_ADMIN.
    change_profile unsafe /** -> [^u/]**,
    change_profile unsafe /** -> u[^n]**,
    change_profile unsafe /** -> un[^c]**,
    change_profile unsafe /** -> unc[^o]**,
    change_profile unsafe /** -> unco[^n]**,
    change_profile unsafe /** -> uncon[^f]**,
    change_profile unsafe /** -> unconf[^i]**,
    change_profile unsafe /** -> unconfi[^n]**,
    change_profile unsafe /** -> unconfin[^e]**,
    change_profile unsafe /** -> unconfine[^d]**,
    change_profile unsafe /** -> unconfined?**,

    # allow changing to a few not caught above
    change_profile unsafe /** -> {u,un,unc,unco,uncon,unconf,unconfi,unconfin,unconfine},

    # LP: #1446794 - when this bug is fixed, change the above to:
    # deny change_profile unsafe /** -> {unconfined,/**},
    # change_profile unsafe /** -> **,

    # reading seccomp filters
    /{tmp/snap.rootfs_*/,}var/lib/snapd/seccomp/bpf/*.bin r,

    # ensuring correct permissions in sc_quirk_create_writable_mimic
    /{tmp/snap.rootfs_*/,}var/lib/ rw,

    # LP: #1668659
    mount options=(rw rbind) /snap/ -> /snap/,
    mount options=(rw rshared) -> /snap/,

    # boostrapping the mount namespace
    mount options=(rw rshared) -> /,
    mount options=(rw bind) /tmp/snap.rootfs_*/ -> /tmp/snap.rootfs_*/,
    mount options=(rw unbindable) -> /tmp/snap.rootfs_*/,
    # the next line is for classic system
    mount options=(rw rbind) /snap/*/*/ -> /tmp/snap.rootfs_*/,
    # the next line is for core system
    mount options=(rw rbind) / -> /tmp/snap.rootfs_*/,
    # all of the constructed rootfs is a rslave
    mount options=(rw rslave) -> /tmp/snap.rootfs_*/,
    # bidirectional mounts (for both classic and core)
    # NOTE: this doesn't capture the MERGED_USR configuration option so that
    # when a distro with merged /usr and / that uses apparmor shows up it
    # should be handled here.
    /{,run/}media/ w,
    mount options=(rw rbind) /{,run/}media/ -> /tmp/snap.rootfs_*/{,run/}media/,
    /run/netns/ w,
    mount options=(rw rbind) /run/netns/ -> /tmp/snap.rootfs_*/run/netns/,
    # unidirectional mounts (only for classic system)
    mount options=(rw rbind) /dev/ -> /tmp/snap.rootfs_*/dev/,
    mount options=(rw rslave) -> /tmp/snap.rootfs_*/dev/,

    mount options=(rw rbind) /etc/ -> /tmp/snap.rootfs_*/etc/,
    mount options=(rw rslave) -> /tmp/snap.rootfs_*/etc/,

    mount options=(rw rbind) /home/ -> /tmp/snap.rootfs_*/home/,
    mount options=(rw rslave) -> /tmp/snap.rootfs_*/home/,

    mount options=(rw rbind) /root/ -> /tmp/snap.rootfs_*/root/,
    mount options=(rw rslave) -> /tmp/snap.rootfs_*/root/,

    mount options=(rw rbind) /proc/ -> /tmp/snap.rootfs_*/proc/,
    mount options=(rw rslave) -> /tmp/snap.rootfs_*/proc/,

    mount options=(rw rbind) /sys/ -> /tmp/snap.rootfs_*/sys/,
    mount options=(rw rslave) -> /tmp/snap.rootfs_*/sys/,

    mount options=(rw rbind) /tmp/ -> /tmp/snap.rootfs_*/tmp/,
    mount options=(rw rslave) -> /tmp/snap.rootfs_*/tmp/,

    mount options=(rw rbind) /var/lib/snapd/ -> /tmp/snap.rootfs_*/var/lib/snapd/,
    mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/lib/snapd/,

    mount options=(rw rbind) /var/snap/ -> /tmp/snap.rootfs_*/var/snap/,
    mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/snap/,

    mount options=(rw rbind) /var/tmp/ -> /tmp/snap.rootfs_*/var/tmp/,
    mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/tmp/,

    mount options=(rw rbind) /run/ -> /tmp/snap.rootfs_*/run/,
    mount options=(rw rslave) -> /tmp/snap.rootfs_*/run/,

    mount options=(rw rbind) /var/lib/extrausers/ -> /tmp/snap.rootfs_*/var/lib/extrausers/,
    mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/lib/extrausers/,

    mount options=(rw rbind) {,/usr}/lib{,32,64,x32}/modules/ -> /tmp/snap.rootfs_*{,/usr}/lib/modules/,
    mount options=(rw rslave) -> /tmp/snap.rootfs_*{,/usr}/lib/modules/,

    mount options=(rw rbind) /var/log/ -> /tmp/snap.rootfs_*/var/log/,
    mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/log/,

    mount options=(rw rbind) /usr/src/ -> /tmp/snap.rootfs_*/usr/src/,
    mount options=(rw rslave) -> /tmp/snap.rootfs_*/usr/src/,

    mount options=(rw rbind) /mnt/ -> /tmp/snap.rootfs_*/mnt/,
    mount options=(rw rslave) -> /tmp/snap.rootfs_*/mnt/,

    # allow making host snap-exec available inside base snaps
    mount options=(rw bind) /usr/lib/snapd/ -> /tmp/snap.rootfs_*/usr/lib/snapd/,
    mount options=(rw slave) -> /tmp/snap.rootfs_*/usr/lib/snapd/,

    # allow making re-execed host snap-exec available inside base snaps
    mount options=(ro bind) /snap/core/*/usr/lib/snapd/ -> /tmp/snap.rootfs_*/usr/lib/snapd/,
    # allow making snapd snap tools available inside base snaps
    mount options=(ro bind) /snap/snapd/*/usr/lib/snapd/ -> /tmp/snap.rootfs_*/usr/lib/snapd/,

    mount options=(rw bind) /usr/bin/snapctl -> /tmp/snap.rootfs_*/usr/bin/snapctl,
    mount options=(rw slave) -> /tmp/snap.rootfs_*/usr/bin/snapctl,

    # /etc/alternatives (classic)
    mount options=(rw bind) /snap/*/*/etc/alternatives/ -> /tmp/snap.rootfs_*/etc/alternatives/,
    mount options=(rw bind) /snap/*/*/etc/ssl/ -> /tmp/snap.rootfs_*/etc/ssl/,
    mount options=(rw bind) /snap/*/*/etc/nsswitch.conf -> /tmp/snap.rootfs_*/etc/nsswitch.conf,
    # /etc/alternatives (core)
    mount options=(rw bind) /etc/alternatives/ -> /tmp/snap.rootfs_*/etc/alternatives/,
    mount options=(rw slave) -> /tmp/snap.rootfs_*/etc/alternatives/,
    mount options=(rw slave) -> /tmp/snap.rootfs_*/etc/ssl/,
    mount options=(rw slave) -> /tmp/snap.rootfs_*/etc/nsswitch.conf,
    # the /snap directory
    mount options=(rw rbind) /snap/ -> /tmp/snap.rootfs_*/snap/,
    mount options=(rw rslave) -> /tmp/snap.rootfs_*/snap/,
    # pivot_root preparation and execution
    mount options=(rw bind) /tmp/snap.rootfs_*/var/lib/snapd/hostfs/ -> /tmp/snap.rootfs_*/var/lib/snapd/hostfs/,
    mount options=(rw private) -> /tmp/snap.rootfs_*/var/lib/snapd/hostfs/,
    # pivot_root mediation in AppArmor is not complete. See LP: #1791711
    pivot_root,
    # cleanup
    umount /var/lib/snapd/hostfs/tmp/snap.rootfs_*/,
    umount /var/lib/snapd/hostfs/sys/,
    umount /var/lib/snapd/hostfs/dev/,
    umount /var/lib/snapd/hostfs/proc/,
    mount options=(rw rslave) -> /var/lib/snapd/hostfs/,

    # set up user mount namespace
    mount options=(rslave) -> /,

    # Allow reading the os-release file (possibly a symlink to /usr/lib).
    /{etc/,usr/lib/}os-release r,

    # set up snap-specific private /tmp dir
    capability chown,
    /tmp/ w,
    /tmp/snap.*/ w,
    /tmp/snap.*/tmp/ w,
    mount options=(rw private) -> /tmp/,
    mount options=(rw bind) /tmp/snap.*/tmp/ -> /tmp/,
    mount fstype=devpts options=(rw) devpts -> /dev/pts/,
    mount options=(rw bind) /dev/pts/ptmx -> /dev/ptmx, # for bind mounting
    mount options=(rw bind) /dev/pts/ptmx -> /dev/pts/ptmx, # for bind mounting under LXD
    # Workaround for LP: #1584456 on older kernels that mistakenly think
    # /dev/pts/ptmx needs a trailing '/'
    mount options=(rw bind) /dev/pts/ptmx/ -> /dev/ptmx/,
    mount options=(rw bind) /dev/pts/ptmx/ -> /dev/pts/ptmx/,

    # for running snaps on classic
    /snap/ r,
    /snap/** r,
    /snap/ r,
    /snap/** r,

    # NOTE: at this stage the /snap directory is stable as we have called
    # pivot_root already.

    # nvidia handling, glob needs /usr/** and the launcher must be
    # able to bind mount the nvidia dir
    /sys/module/nvidia/version r,
    /sys/**/drivers/nvidia{,_*}/* r,
    /sys/**/nvidia*/uevent r,
    /sys/module/nvidia{,_*}/* r,
    /dev/nvidia[0-9]* r,
    /dev/nvidiactl r,
    /dev/nvidia-uvm r,
    /usr/** r,
    mount options=(rw bind) /usr/lib{,32}/nvidia-*/ -> /{tmp/snap.rootfs_*/,}var/lib/snapd/lib/gl{,32}/,
    mount options=(rw bind) /usr/lib{,32}/nvidia-*/ -> /{tmp/snap.rootfs_*/,}var/lib/snapd/lib/gl{,32}/,
    /tmp/snap.rootfs_*/var/lib/snapd/lib/gl{,32}/{,*} w,
    mount fstype=tmpfs options=(rw nodev noexec) none -> /tmp/snap.rootfs_*/var/lib/snapd/lib/gl{,32}/,
    mount options=(remount ro bind) -> /tmp/snap.rootfs_*/var/lib/snapd/lib/gl{,32}/,

    # Vulkan support
    /tmp/snap.rootfs_*/var/lib/snapd/lib/vulkan/{,*} w,
    mount fstype=tmpfs options=(rw nodev noexec) none -> /tmp/snap.rootfs_*/var/lib/snapd/lib/vulkan/,
    mount options=(remount ro bind) -> /tmp/snap.rootfs_*/var/lib/snapd/lib/vulkan/,

    # GLVND EGL vendor
    /tmp/snap.rootfs_*/var/lib/snapd/lib/glvnd/{,*} w,
    mount fstype=tmpfs options=(rw nodev noexec) none -> /tmp/snap.rootfs_*/var/lib/snapd/lib/glvnd/,
    mount options=(remount ro bind) -> /tmp/snap.rootfs_*/var/lib/snapd/lib/glvnd/,

    # create gl dirs as needed
    /tmp/snap.rootfs_*/ r,
    /tmp/snap.rootfs_*/var/ r,
    /tmp/snap.rootfs_*/var/lib/ r,
    /tmp/snap.rootfs_*/var/lib/snapd/ r,
    /tmp/snap.rootfs_*/var/lib/snapd/lib/ r,
    /tmp/snap.rootfs_*/var/lib/snapd/lib/gl{,32}/ r,
    /tmp/snap.rootfs_*/var/lib/snapd/lib/gl{,32}/** rw,
    /tmp/snap.rootfs_*/var/lib/snapd/lib/vulkan/ r,
    /tmp/snap.rootfs_*/var/lib/snapd/lib/vulkan/** rw,
    /tmp/snap.rootfs_*/var/lib/snapd/lib/glvnd/ r,
    /tmp/snap.rootfs_*/var/lib/snapd/lib/glvnd/** rw,

    # for chroot on steroids, we use pivot_root as a better chroot that makes
    # apparmor rules behave the same on classic and outside of classic.

    # for creating the user data directories: ~/snap, ~/snap/<name> and
    # ~/snap/<name>/<version>
    / r,
    @{HOMEDIRS}/ r,
    # These should both have 'owner' match but due to LP: #1466234, we can't
    # yet
    @{HOME}/ r,
    @{HOME}/snap/{,*/,*/*/} rw,

    # for creating the user shared memory directories
    /{dev,run}/{,shm/} r,
    # This should both have 'owner' match but due to LP: #1466234, we can't yet
    /{dev,run}/shm/{,*/,*/*/} rw,

    # for creating the user XDG_RUNTIME_DIR: /run/user, /run/user/UID and
    # /run/user/UID/<name>
    /run/user/{,[0-9]*/,[0-9]*/*/} rw,

    # Workaround https://launchpad.net/bugs/359338 until upstream handles
    # stacked filesystems generally.
    # encrypted ~/.Private and old-style encrypted $HOME
    @{HOME}/.Private/ r,
    @{HOME}/.Private/** mrixwlk,
    # new-style encrypted $HOME
    @{HOMEDIRS}/.ecryptfs/*/.Private/ r,
    @{HOMEDIRS}/.ecryptfs/*/.Private/** mrixwlk,

    # Allow snap-confine to move to the void
    /var/lib/snapd/void/ r,

    # Allow snap-confine to read snap contexts
    /var/lib/snapd/context/snap.* r,

    # Allow snap-confine to unmount stale mount namespaces.
    umount /run/snapd/ns/*.mnt,
    # Required to correctly unmount bound mount namespace.
    # See LP: #1735459 for details.
    umount /,

    # Support for the quirk system
    /var/ r,
    /var/lib/ r,
    /var/lib/** rw,
    /tmp/ r,
    /tmp/snapd.quirks_*/ rw,
    mount options=(move) /var/lib/snapd/ -> /tmp/snapd.quirks_*/,
    mount fstype=tmpfs options=(rw nodev nosuid) none -> /var/lib/,
    mount options=(ro rbind) /snap/{,ubuntu-}core/*/var/lib/** -> /var/lib/**,
    umount /var/lib/snapd/,
    mount options=(move) /tmp/snapd.quirks_*/ -> /var/lib/snapd/,
    # On classic systems with a setuid root snap-confine when run by non-root
    # user, the mimic_dir is created with the gid of the calling user (ie,
    # not '0') so when setting the permissions (chmod) of the mimicked
    # directory to that of the reference directory, a CAP_FSETID is triggered.
    # snap-confine sets the directory up correctly, so simply silence the
    # denial since we don't want to grant the capability as a whole to
    # snap-confine.
    deny capability fsetid,

    # support for the LXD quirk
    mount options=(rw rbind nodev nosuid noexec) /var/lib/snapd/hostfs/var/lib/lxd/ -> /var/lib/lxd/,
    /var/lib/lxd/ w,
    /var/lib/snapd/hostfs/var/lib/lxd r,

    # support for locking
    /run/snapd/lock/ rw,
    /run/snapd/lock/*.lock rwk,

    # support for the mount namespace sharing
    capability sys_ptrace,
    # allow snap-confine to read /proc/1/ns/mnt
    ptrace read peer=unconfined,
    # https://forum.snapcraft.io/t/custom-kernel-error-on-readlinkat-in-mount-namespace/6097/21
    ptrace trace peer=unconfined,

    mount options=(rw rbind) /run/snapd/ns/ -> /run/snapd/ns/,
    mount options=(private) -> /run/snapd/ns/,
    / rw,
    /run/ rw,
    /run/snapd/ rw,
    /run/snapd/ns/ rw,
    /run/snapd/ns/*.lock rwk,
    /run/snapd/ns/*.mnt rw,
    ptrace (read, readby, tracedby) peer=/snap/core/5789/usr/lib/snapd/snap-confine//mount-namespace-capture-helper,
    @{PROC}/*/mountinfo r,
    capability sys_chroot,
    capability sys_admin,
    signal (send, receive) set=(abrt) peer=/snap/core/5789/usr/lib/snapd/snap-confine,
    signal (send) set=(int) peer=/snap/core/5789/usr/lib/snapd/snap-confine//mount-namespace-capture-helper,
    signal (send, receive) set=(int, alrm, exists) peer=/snap/core/5789/usr/lib/snapd/snap-confine,
    signal (receive) set=(exists) peer=/snap/core/5789/usr/lib/snapd/snap-confine//mount-namespace-capture-helper,

    # workaround for linux 4.13/upstream, see
    # https://forum.snapcraft.io/t/snapd-2-27-6-2-in-debian-sid-blocked-on-apparmor-in-kernel-4-13-0-1/2813/3
    ptrace (trace, tracedby) peer=/snap/core/5789/usr/lib/snapd/snap-confine,

    # For aa_change_hat() to go into ^mount-namespace-capture-helper
    @{PROC}/[0-9]*/attr/current w,

    ^mount-namespace-capture-helper (attach_disconnected) {
        # We run privileged, so be fanatical about what we include and don't use
        # any abstractions
        /etc/ld.so.cache r,
        /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}ld-*.so mrix,
        # libc, you are funny
        /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libc{,-[0-9]*}.so* mr,
        /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libpthread{,-[0-9]*}.so* mr,
        /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libreadline{,-[0-9]*}.so* mr,
        /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}librt{,-[0-9]*}.so* mr,
        /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libgcc_s.so* mr,
        /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libncursesw{,-[0-9]*}.so* mr,
        /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libresolv{,-[0-9]*}.so* mr,
        /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libselinux.so* mr,
        /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libpcre.so* mr,
        # normal libs in order
        /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libapparmor.so* mr,
        /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcgmanager.so* mr,
        /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libdl{,-[0-9]*}.so* mr,
        /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnih.so* mr,
        /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnih-dbus.so* mr,
        /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libdbus-1.so* mr,
        /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libudev.so* mr,
        /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libseccomp.so* mr,
        /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcap.so* mr,

        /snap/core/5789/usr/lib/snapd/snap-confine mr,

        /dev/null rw,
        /dev/full rw,
        /dev/zero rw,
        /dev/random r,
        /dev/urandom r,

        capability sys_ptrace,
        capability sys_admin,
        # This allows us to read and bind mount the namespace file
        / r,
        @{PROC}/ r,
        @{PROC}/*/ r,
        @{PROC}/*/ns/ r,
        @{PROC}/*/ns/mnt r,
        /run/ r,
        /run/snapd/ r,
        /run/snapd/ns/ r,
        /run/snapd/ns/*.mnt rw,
        # NOTE: the source name is / even though we map /proc/123/ns/mnt
        mount options=(rw bind) / -> /run/snapd/ns/*.mnt,
        # This is the SIGALRM that we send and receive if a timeout expires
        signal (send, receive) set=(alrm) peer=/snap/core/5789/usr/lib/snapd/snap-confine//mount-namespace-capture-helper,
        # Those two rules are exactly the same but we don't know if the parent process is still alive
        # and hence has the appropriate label or is already dead and hence has no label.
        signal (send) set=(exists) peer=/snap/core/5789/usr/lib/snapd/snap-confine,
        signal (send) set=(exists) peer=unconfined,
        # This is so that we can abort
        signal (send, receive) set=(abrt) peer=/snap/core/5789/usr/lib/snapd/snap-confine//mount-namespace-capture-helper,
        # This is the signal we get if snap-confine dies (we subscribe to it with prctl)
        signal (receive) set=(int) peer=/snap/core/5789/usr/lib/snapd/snap-confine,
        # This allows snap-confine to be killed from the outside.
        signal (receive) peer=unconfined,
        # This allows snap-confine to wait for us
        ptrace (read, trace, tracedby) peer=/snap/core/5789/usr/lib/snapd/snap-confine,
    }

    # Allow snap-confine to be killed
    signal (receive) peer=unconfined,

    # Allow switching to snap-update-ns with a per-snap profile.
    change_profile -> snap-update-ns.*,

    # Allow executing snap-update-ns when...

    # ...snap-confine is, conceptually, re-executing and uses snap-update-ns
    # from the distribution package. This is also the location used when using
    # the core/base snap on all-snap systems. The variants here represent
    # various locations of libexecdir across distributions.
    /usr/lib{,exec,64}/snapd/snap-update-ns r,

    # ...snap-confine is not, conceptually, re-executing and uses
    # snap-update-ns from the distribution package but we are already inside
    # the constructed mount namespace so we must traverse "hostfs". The
    # variants here represent various locations of libexecdir across
    # distributions.
    /var/lib/snapd/hostfs/usr/lib{,exec,64}/snapd/snap-update-ns r,

    # ..snap-confine is, conceptually, re-executing and uses snap-update-ns
    # from the core snap. Note that the location of the core snap varies from
    # distribution to distribution. The variants here represent different
    # locations of snap mount directory across distributions.
    /{,var/lib/snapd/}snap/core/*/usr/lib/snapd/snap-update-ns r,

    # ...snap-confine is, conceptually, re-executing and uses snap-update-ns
    # from the core snap but we are already inside the constructed mount
    # namespace. Here the apparmor kernel module re-constructs the path to
    # snap-update-ns using the "hostfs" mount entry rather than the more
    # "natural" /snap mount entry but we have no control over that. This is
    # reported as (LP: #1716339). The variants here represent different
    # locations of snap mount directory across distributions.
    /var/lib/snapd/hostfs/{,var/lib/snapd/}snap/core/*/usr/lib/snapd/snap-update-ns r,
}