@jdstrand Thanks for that. With those applied I now see a new denial:
May 3 16:01:09 skull kernel: [85683.018082] audit: type=1400 audit(1525359669.838:2417): apparmor="DENIED" operation="listen" profile="snap.ffmpeg.ffmpeg" pid=12034 comm="ffmpeg" family="unix" sock_type="seqpacket" protocol=0 requested_mask="listen" denied_mask="listen" addr="@637564612D75766D66642D343032363533313833362D313230333400"
So I changed the last line of the AppArmor policy modification you provided to this:
unix (bind,listen) type=seqpacket addr="@cuda-uvmfd-[0-9a-f]*",
With the policy reloaded I now have a strictly confined ffmpeg
that can offload video decoding and encoding to nvidia compute
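
Added example, not part of the original post: a Python sketch that decodes the hex `addr` value from the denial above and checks it against the address pattern in the modified rule. The glob translation is a simplified approximation of AppArmor matching (only `**`, `*`, `?` and `[...]`), treating the text after `@` as a hex-encoded socket name is an assumption, and all function names are hypothetical.

```python
import re

# Denial record copied from the post above (syslog prefix omitted).
DENIAL = ('audit: type=1400 audit(1525359669.838:2417): apparmor="DENIED" '
          'operation="listen" profile="snap.ffmpeg.ffmpeg" pid=12034 comm="ffmpeg" '
          'family="unix" sock_type="seqpacket" protocol=0 requested_mask="listen" '
          'denied_mask="listen" '
          'addr="@637564612D75766D66642D343032363533313833362D313230333400"')
RULE_ADDR = "@cuda-uvmfd-[0-9a-f]*"  # addr pattern from the rule in the post

def parse_fields(line):
    """Return the key=value / key="value" pairs of an audit record as a dict."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def decode_addr(addr):
    """Decode an abstract socket addr; '@' stands for the leading NUL byte."""
    if not addr.startswith("@"):
        return addr  # path-based socket, nothing to decode
    body = addr[1:]
    # Assumption: an even-length all-hex body is a hex-encoded name.
    if len(body) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", body):
        body = bytes.fromhex(body).decode("latin-1")
    return "@" + body

def glob_to_regex(glob):
    """Simplified AppArmor glob to regex: '**', '*', '?', '[...]' only."""
    out, i = "", 0
    while i < len(glob):
        if glob.startswith("**", i):
            out, i = out + ".*", i + 2
        elif glob[i] == "*":
            out, i = out + "[^/]*", i + 1
        elif glob[i] == "?":
            out, i = out + "[^/]", i + 1
        elif glob[i] == "[":
            j = glob.index("]", i)
            out, i = out + glob[i:j + 1], j + 1
        else:
            out, i = out + re.escape(glob[i]), i + 1
    return re.compile(out, re.DOTALL)

def rule_covers(denial_line, rule_addr):
    """Return (decoded socket name, whether rule_addr matches it)."""
    name = decode_addr(parse_fields(denial_line)["addr"])
    return name, bool(glob_to_regex(rule_addr).fullmatch(name))

if __name__ == "__main__":
    name, ok = rule_covers(DENIAL, RULE_ADDR)
    print(repr(name), "covered by rule:", ok)
```

The decoded name ends in the denied process's pid followed by a NUL byte, which the trailing `*` in the rule absorbs.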