I don't think we have such a capability right now in snapd. If you
locally modify the snap-confine profile, it will be rewritten on at
least core refreshes (and reboots as well if I'm not mistaken), so it
sounds like we need some mechanism to specify additional rules to be
included in the snap-confine profile.

** Changed in: snapd (Ubuntu)
       Status: New => Triaged

** Changed in: snapd (Ubuntu)
   Importance: Undecided => Medium

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1571531

Title:
  cupsd cause apparmor denials for /etc/ld.so.preload

Status in apparmor package in Ubuntu:
  New
Status in snapd package in Ubuntu:
  Triaged

Bug description:
  There is a constant flood of messages in dmesg:

  [ 4431.638163] audit: type=1400 audit(1460962510.272:60): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10559 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  [ 4431.661208] audit: type=1400 audit(1460962510.296:61): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10564 comm="cups-exec" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  [ 4431.661390] audit: type=1400 audit(1460962510.296:62): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10565 comm="cups-exec" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  [ 4431.661759] audit: type=1400 audit(1460962510.296:63): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10564 comm="dbus" requested_mask="r" denied_mask="r" fsuid=7 ouid=0
  [ 4431.661936] audit: type=1400 audit(1460962510.296:64): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10566 comm="cups-exec" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  [ 4431.661937] audit: type=1400 audit(1460962510.296:65): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10565 comm="dbus" requested_mask="r" denied_mask="r" fsuid=7 ouid=0
  [ 4431.662534] audit: type=1400 audit(1460962510.296:66): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10566 comm="dbus" requested_mask="r" denied_mask="r" fsuid=7 ouid=0
  [ 5081.410342] audit: type=1400 audit(1460963160.033:67): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10810 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  [ 5081.446507] audit: type=1400 audit(1460963160.069:68): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10815 comm="cups-exec" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

  ProblemType: Bug
  DistroRelease: Ubuntu 16.04
  Package: cups-daemon 2.1.3-4
  ProcVersionSignature: Ubuntu 4.4.0-18.34-generic 4.4.6
  Uname: Linux 4.4.0-18-generic x86_64
  ApportVersion: 2.20.1-0ubuntu2
  Architecture: amd64
  CupsErrorLog:
   
  CurrentDesktop: X-Cinnamon
  Date: Mon Apr 18 10:56:37 2016
  EcryptfsInUse: Yes
  InstallationDate: Installed on 2013-07-19 (1003 days ago)
  InstallationMedia: Xubuntu 13.04 "Raring Ringtail" - Release i386 (20130423.1)
  Lpstat: device for Generic-PCL-5e: socket://192.168.1.100:9100
  MachineType: LENOVO 4298R86
  Papersize: a4
  PpdFiles: Error: command ['fgrep', '-H', '*NickName', '/etc/cups/ppd/Generic-PCL-5e.ppd'] failed with exit code 2: grep: /etc/cups/ppd/Generic-PCL-5e.ppd: Permission denied
  ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-4.4.0-18-generic root=UUID=3d4ce850-6e8a-4cf5-9b82-fb135c22fe1e ro
  SourcePackage: cups
  UpgradeStatus: Upgraded to xenial on 2015-10-29 (171 days ago)
  dmi.bios.date: 12/01/2011
  dmi.bios.vendor: LENOVO
  dmi.bios.version: 8DET56WW (1.26 )
  dmi.board.asset.tag: Not Available
  dmi.board.name: 4298R86
  dmi.board.vendor: LENOVO
  dmi.board.version: Not Available
  dmi.chassis.asset.tag: No Asset Information
  dmi.chassis.type: 10
  dmi.chassis.vendor: LENOVO
  dmi.chassis.version: Not Available
  dmi.modalias: dmi:bvnLENOVO:bvr8DET56WW(1.26):bd12/01/2011:svnLENOVO:pn4298R86:pvrThinkPadX220Tablet:rvnLENOVO:rn4298R86:rvrNotAvailable:cvnLENOVO:ct10:cvrNotAvailable:
  dmi.product.name: 4298R86
  dmi.product.version: ThinkPad X220 Tablet
  dmi.sys.vendor: LENOVO
  modified.conffile..etc.default.cups:
   # Cups configure options
   
   # LOAD_LP_MODULE: enable/disable to load "lp" parallel printer driver module
   # LOAD_LP_MODULE has migrated to /etc/modules-load.d/cups-filters.conf
   # LOAD_LP_MODULE=yes
  mtime.conffile..etc.default.cups: 2014-03-12T15:11:15.740184
