Comment 2 for bug 1600136

"- I don't think apparmor can do this on the fly translations, right?"

No, the kernel LSM hooks (which AppArmor uses) look at the files themselves.

Based on your explanation, it sounds like it is only the client side (i.e., the snap) that needs to change and that it simply must tell the system shell what the icon URI is. As such, one idea would be to put the icons in ~/snap/$SNAP_NAME/... or in /run/shm/snap.$SNAP_NAME.<something> and then set the client URI appropriately.

Assuming that works, it then becomes a matter of making this easy for developers. I'm not sure that 'no upstream changes' is the right attitude-- snappy is a new way of doing things and asking upstream to make reasonable changes shouldn't necessarily be avoided at all costs. That said, I think the preload idea of Gustavo's (see bug #1577514) could help with not needing client changes for the file write (but the URI the client reports to the shell needs to be corrected-- maybe the client libraries honor TMPDIR or some other env variable and you can set it to ~/snap/$SNAP_NAME/... or /run/shm/snap.$SNAP_NAME.<something> (and then you wouldn't even need the preload library)).