I took a look at this and, interestingly, the 18.04 kernel is using 4.13 with overlayfs, not aufs, and as we know, AppArmor and overlayfs have not historically played well together. However, newer kernel releases (i.e., in 4.13) have changes to how overlayfs handles lowerdir, and while things are not completely transparent when used with AppArmor, we don’t have to do much to get it to work. I’ll be preparing a PR for this next week.
While this is good news, @willcooke and @seb128 please set aside some time for your team to thoroughly test this after it lands (I only poked around with hello-world.sh (basic file accesses), chromium (big snap with complicated accesses) and gedit (consumes the content interface); it all worked fine with some small policy tweaks).