Problem #3, the final problem, is due to a missing AppArmor rule needed when the following PR was merged:

https://github.com/snapcore/snap-confine/pull/145

After fixing the squashfuse mounts, as mentioned in comment #3, and dropping the "owner" conditional, as mentioned in comment #4 (be sure to reload the AppArmor profile after that), we see the following:

root@yakkety:~# su - ubuntu -c '/snap/bin/hello-world.env'
cannot change apparmor hat of the support process for mount namespace capture. errmsg: Permission denied
support process for mount namespace capture exited abnormally

This AppArmor denial is logged:

[14428.623321] audit: type=1400 audit(1475715521.677:546): apparmor="DENIED" operation="open" namespace="root//lxd-yakkety_<var-lib-lxd>" profile="/usr/lib/snapd/snap-confine" name="/proc/977/attr/current" pid=908 comm="ubuntu-core-lau" requested_mask="w" denied_mask="w" fsuid=296608 ouid=0

That PR resulted in the following call chain:

main() -> sc_main() -> sc_create_or_join_ns_group() -> aa_change_hat()

aa_change_hat() must write to /proc/PID/attr/current but that PR didn't add a rule to allow that file access. Adding the '@{PROC}/[0-9]*/attr/current w,' rule and reloading the profile allows us to run the hello-world.env snap command as a regular user inside of an unprivileged user namespace:

root@yakkety:~# su - ubuntu -c '/snap/bin/hello-world.env'
XDG_SESSION_ID=c13

** Also affects: snapd (Ubuntu)
   Importance: Undecided
       Status: New

** Also affects: snap-confine (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: snap-confine (Ubuntu)
   Importance: Undecided => High

** Changed in: snapd (Ubuntu)
   Importance: Undecided => High

** Changed in: snap-confine (Ubuntu)
       Status: New => Triaged

** Changed in: snapd (Ubuntu)
       Status: New => Triaged

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1630789

Title:
  normal users can't run snaps inside of LXD containers

To manage notifications about this bug go to:
https://bugs.launchpad.net/snappy/+bug/1630789/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
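The comment above reads an AppArmor DENIED record by hand and derives a profile rule from it, and it also notes that an "owner" conditional had to be dropped. As an added example (not code from the bug report, snapd or snap-confine), the Python below does that reading mechanically: it parses the audit record into fields, generalizes the PID component of the /proc path to the @{PROC}/[0-9]*/ form used in the fix, turns the denied mask into rule permissions, and checks whether an owner-qualified rule could ever have matched (it cannot when fsuid and ouid differ, as in the logged record). The mask mapping (create/delete reported as "c"/"d" map to "w" in a profile) and the path generalization are assumptions modelled on how AppArmor's log tooling behaves, not on anything stated in the report.

```python
import re

# Sample audit record, constructed from the field values quoted in the bug comment.
SAMPLE_DENIAL = (
    '[14428.623321] audit: type=1400 audit(1475715521.677:546): apparmor="DENIED" '
    'operation="open" namespace="root//lxd-yakkety_<var-lib-lxd>" '
    'profile="/usr/lib/snapd/snap-confine" name="/proc/977/attr/current" pid=908 '
    'comm="ubuntu-core-lau" requested_mask="w" denied_mask="w" fsuid=296608 ouid=0'
)

# key=value pairs; values are either double-quoted or a bare token.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Assumed mapping of audit mask letters to profile permission letters:
# create and delete are logged as "c"/"d" but expressed as "w" in a rule.
MASK_TO_PERM = {"r": "r", "w": "w", "a": "a", "c": "w", "d": "w",
                "x": "x", "m": "m", "k": "k", "l": "l"}
PERM_ORDER = "rwamkixl"


def parse_denial(line):
    """Return the key=value fields of an AppArmor audit line, or None unless it is a DENIED record."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    if fields.get("apparmor") != "DENIED":
        return None
    return fields


def generalize_path(path):
    """Replace a concrete PID in a /proc path with the profile variable and glob used in the fix."""
    return re.sub(r"^/proc/[0-9]+/", "@{PROC}/[0-9]*/", path)


def mask_to_perms(mask):
    """Convert a denied_mask string into profile permission letters in a canonical order."""
    perms = {MASK_TO_PERM[c] for c in mask if c in MASK_TO_PERM}
    return "".join(p for p in PERM_ORDER if p in perms)


def owner_prefix_would_match(fields):
    """True only if the accessing fsuid owns the file, i.e. an 'owner' rule could cover this access."""
    return fields.get("fsuid") == fields.get("ouid")


def suggest_rule(fields):
    """Build the file rule that would allow the denied access, e.g. '@{PROC}/[0-9]*/attr/current w,'."""
    if fields is None or "name" not in fields:
        return None
    perms = mask_to_perms(fields.get("denied_mask", fields.get("requested_mask", "")))
    return f"{generalize_path(fields['name'])} {perms},"


if __name__ == "__main__":
    f = parse_denial(SAMPLE_DENIAL)
    print("profile:", f["profile"])
    print("suggested rule:", suggest_rule(f))
    print("owner-qualified rule would match:", owner_prefix_would_match(f))
```

Running the module prints the rule the comment arrived at by hand and reports that an owner-qualified rule would not match, because the support process (fsuid 296608) is writing a /proc entry owned by root (ouid 0). Feeding it other DENIED lines from dmesg or /var/log/audit/audit.log gives the corresponding candidate rule for review; it is a reading aid, and each suggested rule still needs the judgement the comment applies about whether the access is one the profile should grant.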