Comment 51 for bug 1684481

Thank John,
as extra info on the ptmx pathing.

Host:
$ ls -laF /dev/ptmx /dev/pts/ptmx
crw-rw-rw- 1 root root 5, 2 Apr 21 2017 /dev/ptmx
c--------- 1 root root 5, 2 Apr 12 17:36 /dev/pts/ptmx

Container:
$ lxc exec testkvm-xenial-from -- ls -laF /dev/ptmx /dev/pts/ptmx
lrwxrwxrwx 1 root root 13 Apr 20 17:19 /dev/ptmx -> /dev/pts/ptmx
crw-rw-rw- 1 root root 5, 2 Apr 20 17:19 /dev/pts/ptmx

That plus your explanation on "mediation after symlink" explains why we see this.
In the non container case it is NOT a symlink, it will open /dev/ptmx and that is the path apparmor mediates and things work.
But in the container case it is a symlink, so it is resolved before mediation and the new path in /dev/pts/ptmx is blocked by the profile.

@Stephane - could/would lxd be able to do that in a way without the symlink but "as in the host"?