Requesting autoconnect for interfaces in Pigmeat (process-control & home)

The default policy already allows:

```
# enforce pid_t is 0 so the app may only change its own scheduler and affinity.
# Use process-control interface for controlling other pids.
sched_setaffinity 0 - -
sched_setparam 0 -
```

which is correct for the default policy.

@alexmurray’s analysis shows that the snap is trying to sched_setaffinity on a different process (pid 2226), which is what process-control is for. Note that the syscall filter does not kill processes and so the application is free to proceed with sched_setaffinity failing if that makes sense for the application. To avoid process-control, the application may be able to be adjusted to use sched_setaffinity(0, ...).

This appears to be a bug in dotnet: https://github.com/dotnet/runtime/issues/1634 so I’ve added a comment to that bug for this topic.

The mount-observe denials are often just noise, so may be non-fatal.

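The adjustment suggested in the post above, as an added example that is not part of the original post or of dotnet: a C helper that rewrites "my own thread id" to 0 so the call stays inside the default policy, and carries on when the filter denies a call on another pid. The function names are hypothetical, and it assumes the denial surfaces as EPERM or EACCES.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

enum aff_result { AFF_ERROR = -1, AFF_OK = 0, AFF_DENIED = 1 };

/* The quoted policy line "sched_setaffinity 0 - -" only matches a literal
 * pid argument of 0. The kernel treats the caller's own thread id the same
 * as 0, so rewrite that case and leave real foreign pids untouched. */
pid_t policy_safe_pid(pid_t target)
{
    pid_t self = (pid_t)syscall(SYS_gettid);
    return (target == 0 || target == self) ? 0 : target;
}

/* Set affinity without treating a filter denial as fatal.
 * Assumption: the denial surfaces as EPERM or EACCES. */
enum aff_result set_affinity_tolerant(pid_t target, const cpu_set_t *mask)
{
    pid_t pid = policy_safe_pid(target);
    if (sched_setaffinity(pid, sizeof(*mask), mask) == 0)
        return AFF_OK;
    if (errno == EPERM || errno == EACCES) {
        fprintf(stderr, "affinity for pid %d denied (%s), continuing\n",
                (int)pid, strerror(errno));
        return AFF_DENIED;
    }
    return AFF_ERROR;
}

/* Re-apply our current mask via getpid(), which on the main thread equals
 * the thread id; the rewrite to 0 keeps the call inside the default policy. */
enum aff_result reapply_own_affinity(void)
{
    cpu_set_t mask;
    CPU_ZERO(&mask);
    if (sched_getaffinity(0, sizeof(mask), &mask) != 0)
        return AFF_ERROR;
    return set_affinity_tolerant(getpid(), &mask);
}

int main(void) { return reapply_own_affinity() == AFF_ERROR; }
```

A call that returns AFF_DENIED for a foreign pid is the case where the snap would need process-control; everything else works under the default policy.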