The requirements are understood: this snap needs read access to all directories on the system and access to hostfs. Interestingly, I suspect the snap would work in strict mode with the following added to the AppArmor policy:
and then running
tre /var/lib/snapd/hostfs (I personally tested this by using ‘tree’ under confinement). @dduan, as a test (i.e., don’t upload to the store), can you modify your snap to use strict confinement, then update /var/lib/snapd/apparmor/profiles/snap.tre.tre (or similar) to add before the final ‘}’:
sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap.tre.tre to load the policy into the kernel, then test your snap to see if it is fully functional (please note that ‘/’ is the root of the runtime of your snap and ‘/var/lib/snapd/hostfs’ is the root of the classic system).
If it works, that might be something we can add for strict mode snaps.