diff -Nru snap-confine-1.0.42/debian/patches/lp1630789.patch snap-confine-1.0.43/debian/patches/lp1630789.patch
--- snap-confine-1.0.42/debian/patches/lp1630789.patch	1970-01-01 00:00:00.000000000 +0000
+++ snap-confine-1.0.43/debian/patches/lp1630789.patch	2016-10-06 12:29:59.000000000 +0000
@@ -0,0 +1,38 @@
+commit 06a8c9d4f48aad9da80d506fb1d5002537d58b26
+Author: Jamie Strandboge <jamie@ubuntu.com>
+Date:   Thu Oct 6 14:03:46 2016 +0000
+
+    drop 'owner' check on mountinfo and allow write to @{PROC}/[0-9]*/attr/current
+
+    Due to a kernel bug, the ouid is not being set correctly for /proc accesses by
+    setuid processes running in user namespaces. While the kernel needs to be
+    fixed, drop the 'owner' match on @{PROC}/*/mountinfo for now.
+
+    Since we are using aa_change_hat(), snap-confine needs to be able to write to
+    @{PROC}/[0-9]*/attr/current.
+
+    Bug: https://launchpad.net/bugs/1630789
+
+Index: snap-confine-1.0.43/src/snap-confine.apparmor.in
+===================================================================
+--- snap-confine-1.0.43.orig/src/snap-confine.apparmor.in
++++ snap-confine-1.0.43/src/snap-confine.apparmor.in
+@@ -211,7 +211,7 @@
+     /run/snapd/ns/*.lock rwk,
+     /run/snapd/ns/*.mnt rw,
+     ptrace (tracedby) peer=@LIBEXECDIR@/snap-confine//mount-namespace-capture-helper,
+-    owner @{PROC}/*/mountinfo r,
++    @{PROC}/*/mountinfo r,
+     capability sys_chroot,
+     capability sys_admin,
+     signal (send, receive) set=(abrt) peer=@LIBEXECDIR@/snap-confine,
+@@ -219,6 +219,9 @@
+     signal (send, receive) set=(alrm, exists) peer=@LIBEXECDIR@/snap-confine,
+     signal (receive) set=(exists) peer=@LIBEXECDIR@/snap-confine//mount-namespace-capture-helper,
+ 
++    # For aa_change_hat() to go into ^mount-namespace-capture-helper
++    @{PROC}/[0-9]*/attr/current w,
++
+     ^mount-namespace-capture-helper (attach_disconnected) {
+         # We run privileged, so be fanatical about what we include and don't use
+         # any abstractions