That is fine for a test case, but snap-confine will almost certainly need to be adjusted to run as setgid, so please don’t commit the packaging changes without a security review.
Good teamwork, guys. High fives all around!
I pushed a patch on top of the regression test that mvo made earlier. https://github.com/snapcore/snapd/pull/4230/commits/7722c0404b97fa0ac119acb495caa62c3f5ab321
With this patch, testing is green for me locally (in qemu running Ubuntu 16.04). I pushed it to see if there’s anything surprising on other OSes.
The fix is ready in the 2.29.4 release; however, the upload is blocked because the permissions of snap-confine changed: https://launchpad.net/~snappy-dev/+snap/core/+build/108281 - so this needs to be whitelisted and/or approved from the store before this can enter into beta.
It is staged for production but not available yet. In the meantime we are doing manual approvals.