Hmm, curiously, this is in /etc/apparmor.d/snap.core.4938.usr.lib.snapd.snap-confine:

```
# support for the mount namespace sharing
# allow snap-confine to read /proc/1/ns/mnt
ptrace trace peer=unconfined,
```
It seems 4.18 changed the check from ‘trace’ to ‘read’. @zyga, we could adjust to have:
```
ptrace trace peer=unconfined, # 4.17 and earlier
ptrace read peer=unconfined, # 4.18 and later
```
though @zyga, a much better fix would be to have only the ‘ptrace read’ rule in the profile and conditionally add the ‘ptrace trace’ if on kernel <=4.17. The trace rule is really powerful and it would be good to avoid it if possible. We should be able to do this based on the #include mechanisms we use for nfs and overlay.
@MartinTheWanderer, as a workaround, you can add to the /etc/apparmor.d/*snap-confine* files (on a line before the final ‘}’ at the end of the file):

```
ptrace read peer=unconfined,
```

and then run `sudo apparmor_parser -r /etc/apparmor.d/*snap-confine*`. You will need to redo this when the core snap refreshes until the proper fix is included.
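As an added example (not code from the original post, and not snapd's own tooling), here is a small POSIX shell script that does the two things discussed above: it picks the ptrace rule set for a kernel version string (only `ptrace read` on 4.18 and later, `ptrace trace` as well on 4.17 and earlier), and it applies the manual workaround of inserting a rule before the profile's closing `}` without duplicating it on a second run. The include-fragment path used by `install_ptrace_fragment` is a hypothetical one chosen for this example, and it assumes the profiles carry a matching `#include` line; the `apparmor_parser -r` invocation is the one from the post.

```shell
#!/bin/sh
# Added example (not from the original post or from snapd).
# Helpers:
#   ptrace_rules_for_kernel      - emit the rule set for a kernel version string
#   add_rule_before_final_brace  - the manual workaround: add a rule before '}'
#   install_ptrace_fragment      - write the rules to a fragment and reload

# Print the ptrace rules a snap-confine profile needs on the given kernel.
# Kernels up to 4.17 check 'trace' when /proc/1/ns/mnt is read; 4.18 and
# later check 'read', so the much broader 'trace' rule is only emitted
# for <= 4.17 (least privilege on newer kernels).
ptrace_rules_for_kernel() {
    kver="$1"                                   # e.g. "4.15.0-33-generic"
    major=${kver%%.*}                           # text before the first '.'
    rest=${kver#*.}
    minor=${rest%%.*}                           # text between first and second '.'
    minor=$(printf '%s' "$minor" | sed 's/[^0-9].*//')   # drop "-rc1" style suffixes
    echo "ptrace read peer=unconfined,"
    if [ "$major" -lt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -le 17 ]; }; then
        echo "ptrace trace peer=unconfined,"
    fi
}

# Manual workaround from the post: insert a rule on the line before the
# final '}' of a profile file. Idempotent: does nothing if the rule is
# already present, so re-running after a core refresh is safe.
add_rule_before_final_brace() {
    file="$1"; rule="$2"
    if grep -qF -- "$rule" "$file"; then
        return 0
    fi
    # line number of the last line starting with '}'
    last=$(awk '/^}/ { n = NR } END { print n+0 }' "$file")
    [ "$last" -gt 0 ] || return 1                # no closing brace: not a profile
    awk -v n="$last" -v r="  $rule" 'NR == n { print r } { print }' "$file" > "$file.tmp" \
        && mv "$file.tmp" "$file"
}

# Write the kernel-appropriate rules into an include fragment and reload
# every snap-confine profile. The fragment path is hypothetical (the real
# include layout is snapd's to decide); the profiles would need a matching
# '#include' line. Must run as root; not invoked unless asked for.
install_ptrace_fragment() {
    frag="${1:-/etc/apparmor.d/snap-confine.ptrace.d/ptrace-rules}"   # hypothetical path
    mkdir -p "$(dirname "$frag")"
    ptrace_rules_for_kernel "$(uname -r)" > "$frag"
    apparmor_parser -r /etc/apparmor.d/*snap-confine*
}

# Usage: "sh this.sh show" prints the rules for the running kernel;
# "sh this.sh install [fragment-path]" writes them and reloads (root).
case "${1:-}" in
    show)    ptrace_rules_for_kernel "$(uname -r)" ;;
    install) install_ptrace_fragment "${2:-}" ;;
esac
```

`ptrace trace` lets the confined process attach to and control the peer, whereas `ptrace read` only permits reading the peer's state (here `/proc/1/ns/mnt`), which is why the script keeps the `trace` rule off every kernel that does not need it.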