Problem #3, the final problem, is due to a missing AppArmor rule needed when the following PR was merged:
https://github.com/snapcore/snap-confine/pull/145
After fixing the squashfuse mounts, as mentioned in comment #3, and dropping the "owner" conditional, as mentioned in comment #4 (be sure to reload the AppArmor profile after that), we see the following:
root@yakkety:~# su - ubuntu -c '/snap/bin/hello-world.env'
cannot change apparmor hat of the support process for mount namespace capture. errmsg: Permission denied
support process for mount namespace capture exited abnormally
This AppArmor denial is logged:
[14428.623321] audit: type=1400 audit(1475715521.677:546): apparmor="DENIED" operation="open" namespace="root//lxd-yakkety_<var-lib-lxd>" profile="/usr/lib/snapd/snap-confine" name="/proc/977/attr/current" pid=908 comm="ubuntu-core-lau" requested_mask="w" denied_mask="w" fsuid=296608 ouid=0
That PR resulted in the following call chain:
main() -> sc_main() -> sc_create_or_join_ns_group() -> aa_change_hat()
aa_change_hat() must write to /proc/PID/attr/current but that PR didn't add a rule to allow that file access.
Adding the '@{PROC}/[0-9]*/attr/current w,' rule and reloading the profile allows us to run the hello-world.env snap command as a regular user inside of an unprivileged user namespace:
root@yakkety:~# su - ubuntu -c '/snap/bin/hello-world.env'
XDG_SESSION_ID=c13
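As an added example (not code from this bug thread or from snap-confine), a small Python helper that parses a kernel AppArmor denial record like the one quoted in the comment and derives the profile rule the comment ends up adding; the sample record is constructed from that log line, and the function names are my own.

```python
import re

# Constructed sample: the denial quoted in the comment, as one audit(1400) record.
SAMPLE_DENIAL = (
    '[14428.623321] audit: type=1400 audit(1475715521.677:546): apparmor="DENIED" '
    'operation="open" namespace="root//lxd-yakkety_<var-lib-lxd>" '
    'profile="/usr/lib/snapd/snap-confine" name="/proc/977/attr/current" '
    'pid=908 comm="ubuntu-core-lau" requested_mask="w" denied_mask="w" '
    'fsuid=296608 ouid=0'
)

# key=value and key="quoted value" pairs as printed in AppArmor audit records
_KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# a per-process /proc path: the numeric pid is the part that must be generalised
_PROC_PID_RE = re.compile(r'^/proc/\d+(/.*)$')


def parse_denial(line):
    """Return the fields of one audit record as a dict, or None if it is not a DENIED record."""
    fields = {}
    for m in _KV_RE.finditer(line):
        # group(3) is the unquoted body of a quoted value; group(2) the bare value otherwise
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    if fields.get("apparmor") != "DENIED":
        return None
    return fields


def owner_rule_would_match(fields):
    """An 'owner' conditional only matches when the calling fsuid equals the file's
    owner uid. In the sample the unprivileged fsuid writes a root-owned (ouid=0)
    attr file, so an owner-qualified rule would still be denied."""
    return fields["fsuid"] == fields["ouid"]


def suggest_rule(fields):
    """Derive the profile rule for a file denial: the pid in /proc/<pid>/... becomes
    the @{PROC}/[0-9]*/... pattern, and the denied mask becomes the permission."""
    path = fields["name"]
    m = _PROC_PID_RE.match(path)
    if m:
        path = "@{PROC}/[0-9]*" + m.group(1)
    return f"{path} {fields['denied_mask']},"


if __name__ == "__main__":
    rec = parse_denial(SAMPLE_DENIAL)
    print(suggest_rule(rec))  # @{PROC}/[0-9]*/attr/current w,
    print("owner rule would match:", owner_rule_would_match(rec))
```

The pid in the denied path (977) differs from the denying pid (908), which is why the rule has to use the `[0-9]*` pattern rather than a `self` path.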