diff -Nru snap-confine-1.0.42/debian/patches/lp1630789.patch snap-confine-1.0.43/debian/patches/lp1630789.patch
--- snap-confine-1.0.42/debian/patches/lp1630789.patch 1970-01-01 00:00:00.000000000 +0000
+++ snap-confine-1.0.43/debian/patches/lp1630789.patch 2016-10-06 12:29:59.000000000 +0000
@@ -0,0 +1,38 @@
+commit 06a8c9d4f48aad9da80d506fb1d5002537d58b26
+Author: Jamie Strandboge <jamie@ubuntu.com>
+Date: Thu Oct 6 14:03:46 2016 +0000
+
+ drop 'owner' check on mountinfo and allow write to @{PROC}/[0-9]*/attr/current
+
+ Due to a kernel bug, the ouid is not being set correctly for /proc accesses by
+ setuid processes running in user namespaces. While the kernel needs to be
+ fixed, drop the 'owner' match on @{PROC}/*/mountinfo for now.
+
+ Since we are using aa_change_hat(), snap-confine needs to be able to write to
+ @{PROC}/[0-9]*/attr/current.
+
+ Bug: https://launchpad.net/bugs/1630789
+
+Index: snap-confine-1.0.43/src/snap-confine.apparmor.in
+===================================================================
+--- snap-confine-1.0.43.orig/src/snap-confine.apparmor.in
++++ snap-confine-1.0.43/src/snap-confine.apparmor.in
+@@ -211,7 +211,7 @@
+ /run/snapd/ns/*.lock rwk,
+ /run/snapd/ns/*.mnt rw,
+ ptrace (tracedby) peer=@LIBEXECDIR@/snap-confine//mount-namespace-capture-helper,
+- owner @{PROC}/*/mountinfo r,
++ @{PROC}/*/mountinfo r,
+ capability sys_chroot,
+ capability sys_admin,
+ signal (send, receive) set=(abrt) peer=@LIBEXECDIR@/snap-confine,
+@@ -219,6 +219,9 @@
+ signal (send, receive) set=(alrm, exists) peer=@LIBEXECDIR@/snap-confine,
+ signal (receive) set=(exists) peer=@LIBEXECDIR@/snap-confine//mount-namespace-capture-helper,
+
++ # For aa_change_hat() to go into ^mount-namespace-capture-helper
++ @{PROC}/[0-9]*/attr/current w,
++
+ ^mount-namespace-capture-helper (attach_disconnected) {
+ # We run privileged, so be fanatical about what we include and don't use
+ # any abstractions
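Review bot: The relaxed rule `@{PROC}/*/mountinfo r,` has no marker in the profile saying it is a temporary workaround, so the `owner` restriction could easily stay dropped after the kernel is fixed; the rationale exists only in the patch header. I would add a comment directly above the rule, for example `# FIXME: restore 'owner' once the kernel sets ouid correctly for setuid processes in user namespaces (LP: #1630789)`. Without `owner`, the rule lets snap-confine read the mount table of any process, which is broader than the original rule intended. The added `@{PROC}/[0-9]*/attr/current w,` likewise matches every PID directory rather than only the caller's own, and `[0-9]*` only requires the first character to be a digit; if the same ouid bug is why `owner` cannot be used there, its comment should say so, so that both rules can be tightened together. The profile, including the `^mount-namespace-capture-helper` block opened at the end of the hunk, continues outside what is visible here.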