Comment 5 for bug 1630789

Tyler Hicks (tyhicks) wrote :

Problem #3, the final problem, is due to a missing AppArmor rule needed when the following PR was merged:

  https://github.com/snapcore/snap-confine/pull/145

After fixing the squashfuse mounts, as mentioned in comment #3, and dropping the "owner" conditional, as mentioned in comment #4 (be sure to reload the AppArmor profile after that), we see the following:

root@yakkety:~# su - ubuntu -c '/snap/bin/hello-world.env'
cannot change apparmor hat of the support process for mount namespace capture. errmsg: Permission denied
support process for mount namespace capture exited abnormally

This AppArmor denial is logged:

[14428.623321] audit: type=1400 audit(1475715521.677:546): apparmor="DENIED" operation="open" namespace="root//lxd-yakkety_<var-lib-lxd>" profile="/usr/lib/snapd/snap-confine" name="/proc/977/attr/current" pid=908 comm="ubuntu-core-lau" requested_mask="w" denied_mask="w" fsuid=296608 ouid=0

That PR resulted in the following call chain:

  main() -> sc_main() -> sc_create_or_join_ns_group() -> aa_change_hat()

aa_change_hat() must write to /proc/PID/attr/current but that PR didn't add a rule to allow that file access.

Adding the '@{PROC}/[0-9]*/attr/current w,' rule and reloading the profile allows us to run the hello-world.env snap command as a regular user inside of an unprivileged user namespace:

root@yakkety:~# su - ubuntu -c '/snap/bin/hello-world.env'
XDG_SESSION_ID=c13
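
Added example, not part of the original comment or of snap-confine: a small Python parser that takes the audit record quoted above and derives the candidate file rule from its fields. The function names are hypothetical, and turning /proc/<pid>/ into @{PROC}/[0-9]*/ is an assumption of this sketch, chosen to match the rule quoted in the comment.

```python
import re

# Denial record copied from the comment above.
SAMPLE = (
    '[14428.623321] audit: type=1400 audit(1475715521.677:546): '
    'apparmor="DENIED" operation="open" '
    'namespace="root//lxd-yakkety_<var-lib-lxd>" '
    'profile="/usr/lib/snapd/snap-confine" name="/proc/977/attr/current" '
    'pid=908 comm="ubuntu-core-lau" requested_mask="w" denied_mask="w" '
    'fsuid=296608 ouid=0'
)

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denial(line):
    """Return the key/value fields of an AppArmor DENIED record, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields = {}
    for m in FIELD.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def suggest_rule(fields):
    """Candidate file rule: generalise the PID and keep only the denied access."""
    path = re.sub(r'^/proc/\d+/', '@{PROC}/[0-9]*/', fields["name"])
    return f'{path} {fields["denied_mask"]},'


def owner_rule_would_match(fields):
    """An 'owner' file rule only matches when fsuid equals the object's owner uid."""
    return fields.get("fsuid") == fields.get("ouid")


if __name__ == "__main__":
    f = parse_denial(SAMPLE)
    print("profile:       ", f["profile"])
    print("candidate rule:", suggest_rule(f))
    print("owner matches: ", owner_rule_would_match(f))
```

A rule produced this way is a starting point for review: check that the path and access mode are as narrow as the denied operation before adding it to the profile and reloading.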