github.com/chipaca/snappy@v0.0.0-20210104084008-1f06296fe8ad/cmd/snap-confine/spread-tests/main/mount-profiles-bin-snap-destination/task.yaml

summary: Apparmor profile prevents bind-mounting to /snap/bin
# This is blacklisted on debian because it relies on apparmor mount mediation
systems: [-debian-8]
prepare: |
    echo "Having installed the snapd-hacker-toolbelt snap"
    snap install snapd-hacker-toolbelt
    echo "We can change its mount profile externally to create bind mount /snap/bin somewhere"
    echo "/snap/snapd-hacker-toolbelt/mnt -> /snap/bin"
    mkdir -p /var/lib/snapd/mount
    echo "/snap/snapd-hacker-toolbelt/current/mnt /snap/bin none bind,ro 0 0" > /var/lib/snapd/mount/snap.snapd-hacker-toolbelt.busybox.fstab
execute: |
    cd /
    echo "Let's clear the kernel ring buffer"
    dmesg -c
    echo "We can now run busybox true and expect it to fail"
    orig_ratelimit=$(sysctl -n kernel.printk_ratelimit)
    sysctl -w kernel.printk_ratelimit=0
    not /snap/bin/snapd-hacker-toolbelt.busybox true
    sysctl -w kernel.printk_ratelimit=$orig_ratelimit
    echo "Not only the command failed because snap-confine failed, we see why!"
    dmesg --ctime | grep 'apparmor="DENIED" operation="mount" info="failed srcname match" error=-13 profile="/usr/lib/snapd/snap-confine" name="/snap/bin/" pid=[0-9]\+ comm="ubuntu-core-lau" srcname="/snap/snapd-hacker-toolbelt/[0-9]\+/mnt/" flags="rw, bind"'
restore: |
    snap remove --purge snapd-hacker-toolbelt
    rm -rf /var/snap/snapd-hacker-toolbelt
    rm -f /var/lib/snapd/mount/snap.snapd-hacker-toolbelt.busybox.fstab
    dmesg -c