@zyga-snapd, between this topic and Snapd vs upstream kernel vs apparmor I’m beginning to think we want to create a .d directory for snap-confine to #include so we can drop profile snippets in it. Eg:
- snap-confine profile has
#include </var/lib/snapd/apparmor/snap-confine.d> - snapd detects NFS /home (or we use the
snap config core set home-nfsidea), creates /var/lib/snapd/apparmor/snap-confine.d/home-nfs withnetwork inet, network inet6,and reloads the snap-confine profile - snapd adds
network inet, network inet6,to all generated snapd apparmor policy if detects NFS /home (or we use thesnap config core set home-nfsidea) - snapd is forcing devmode (eg, due to lack of apparmor requirements) and create /var/li/snapd/apparmor/snap-confine.d/apparmor-forced-devmode with
/usr/lib/snapd/snap-exec uxr,(for the other topic) and reloads the snap-confine profile
I think this problem is understood enough for someone to work on this.