Comment 1 for bug 1666897

Jamie Strandboge (jdstrand) wrote:

This appears related to the recent zesty kernel update. If I use a xenial VM and update to the zesty kernel, I can reproduce. E.g.:

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.2 LTS
Release: 16.04
Codename: xenial

$ cat /proc/version_signature
Ubuntu 4.4.0-62.83-generic 4.4.40

$ sudo snap install --jailmode --classic python0
python0 0.9.1 from 'zygoon' installed

$ python0
>>> ctrl-D # it worked

Now install the zesty kernel and reboot:

$ cat /proc/version_signature
Ubuntu 4.10.0-8.10-generic 4.10.0-rc8

$ python0
/snap/python0/2/usr/bin/python0: error while loading shared libraries: libm.so.6: failed to map segment from shared object

with this denial:
apparmor="DENIED" operation="file_mmap" profile="snap.python0.python0" name="/snap/core/x1/lib/x86_64-linux-gnu/libm-2.23.so" pid=1299 comm="python0" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0

While '--classic' with '--jailmode' is a bit of a corner case, the change in mediation needs to be looked at.

Looking at the policy, we see this:

  # Read-only access to the core snap.
  @{INSTALL_DIR}/core/** r,

If we add this rule to classicJailmodeSnippet in interfaces/apparmor/template.go it works:

  @{INSTALL_DIR}/core/*/{,usr/}lib/@{multiarch}/{,**/}lib*.so* m,

This rule is fine to add to there, but it's a curious difference of behavior between 4.4 and 4.10. @jjohansen, can you comment?
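As an added illustration (not part of the bug report or of snapd's own code), the following Python checker converts AppArmor path globs into regexes and tests the denial quoted above against the two policy lines from the comment: it reports that the existing `r` rule covers the path but not the `m` (mmap) permission, and that the proposed rule closes that gap. The values assumed for @{INSTALL_DIR} and @{multiarch} are those of an amd64 Ubuntu host; the glob semantics follow the AppArmor profile syntax.

```python
import re

# Assumed values for an amd64 Ubuntu host; the denied path /snap/core/... agrees with them.
VARS = {"INSTALL_DIR": "/snap", "multiarch": "x86_64-linux-gnu"}

# The denial quoted in the comment above, and the two policy lines it discusses.
DENIAL = ('apparmor="DENIED" operation="file_mmap" profile="snap.python0.python0" '
          'name="/snap/core/x1/lib/x86_64-linux-gnu/libm-2.23.so" pid=1299 comm="python0" '
          'requested_mask="m" denied_mask="m" fsuid=1000 ouid=0')
EXISTING_RULE = "@{INSTALL_DIR}/core/** r,"
PROPOSED_RULE = "@{INSTALL_DIR}/core/*/{,usr/}lib/@{multiarch}/{,**/}lib*.so* m,"

# AppArmor globbing: '*' stays within one path component, '**' crosses '/',
# '?' is one non-'/' character, '{a,b}' is alternation and '@{NAME}' is a variable.
SPECIAL = {"*": "[^/]*", "?": "[^/]", "{": "(?:", "}": ")"}

def parse_denial(line):
    # Collect the key="value" fields of an AppArmor audit line (unquoted fields are not needed).
    return dict(re.findall(r'(\w+)="([^"]*)"', line))

def glob_to_regex(pattern, variables=VARS):
    # Substitute variables first, then translate the glob into an anchored regex.
    pattern = re.sub(r"@\{(\w+)\}", lambda m: variables[m.group(1)], pattern)
    out, depth, i = [], 0, 0
    while i < len(pattern):
        c = pattern[i]
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        depth += (c == "{") - (c == "}")          # track brace nesting for ',' handling
        out.append("|" if c == "," and depth else SPECIAL.get(c, re.escape(c)))
        i += 1
    return re.compile("^" + "".join(out) + "$")

def parse_rule(rule):
    # 'path perms,' -> (path glob, set of permission letters)
    path, perms = rule.strip().rstrip(",").split()
    return path, set(perms)

def missing_perms(rules, denial, variables=VARS):
    # Permission letters the denial requested that no matching rule grants on that path.
    d = parse_denial(denial)
    granted = set()
    for rule in rules:
        path, perms = parse_rule(rule)
        if glob_to_regex(path, variables).match(d["name"]):
            granted |= perms
    return set(d["requested_mask"]) - granted
```

`missing_perms([EXISTING_RULE], DENIAL)` returns `{'m'}`, and adding `PROPOSED_RULE` to the list returns an empty set; the same function can be pointed at other `file_mmap` denials to see whether a candidate rule would actually match the denied path.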