When not OnClassic, there is no problem, right? You must reboot if the OS snap is
refreshed and that gives you everything. Prior to reboot, all the old stuff is still
used, right?
https://github.com/snapcore/snapd/compare/master...mvo5:feature/snap-confine-from-core#diff-0ffbc404d8a8e3aaeca8cd9d066c3d71R182
Unconditionally using snapConfinePathInCore seems problematic. Do we unconditionally
use everything else from core there? What about reverts?
https://github.com/snapcore/snapd/compare/master...mvo5:feature/snap-confine-from-core#diff-82a44be6f243493a55d2ee2fe6f0addfR564
Adding a comment above !release.OnClassic I think is wise. E.g.:
// On all-snaps we always use the mounted snapd, snap-confine, apparmor, etc
// but on classic we use the snapd and snap-confine from the latest core snap.
// As such, nothing to do when not OnClassic
https://github.com/snapcore/snapd/compare/master...mvo5:feature/snap-confine-from-core#diff-82a44be6f243493a55d2ee2fe6f0addfR580
You can use the Debian profile, you just need to add two rules:
# Required when using unpatched upstream kernel
capability sys_ptrace,
# Debian compiles snap-confine without AppArmor, so allow running
# snaps unconfined
/usr/lib/snapd/snap-exec uxr,
https://github.com/snapcore/snapd/compare/master...mvo5:feature/snap-confine-from-core#diff-82a44be6f243493a55d2ee2fe6f0addfR587
Please add a comment:
// /etc/apparmor.d is read/write OnClassic