github.com/kubiko/snapd@v0.0.0-20201013125620-d4f3094d9ddf/cmd/snap-confine/spread-tests/main/mount-profiles-bin-snap-source/task.yaml

summary: Apparmor profile prevents bind-mounting from /snap/bin
# This is blacklisted on debian because it relies on apparmor mount mediation
systems: [-debian-8]
prepare: |
    echo "Having installed the snapd-hacker-toolbelt snap"
    snap install snapd-hacker-toolbelt
    echo "We can change its mount profile externally to create bind mount /snap/bin somewhere"
    echo "/snap/bin -> /snap/snapd-hacker-toolbelt/mnt"
    mkdir -p /var/lib/snapd/mount
    echo "/snap/bin /snap/snapd-hacker-toolbelt/current/mnt none bind,ro 0 0" > /var/lib/snapd/mount/snap.snapd-hacker-toolbelt.busybox.fstab
execute: |
    cd /
    echo "Let's clear the kernel ring buffer"
    dmesg -c
    echo "We can now run busybox true and expect it to fail"
    orig_ratelimit=$(sysctl -n kernel.printk_ratelimit)
    sysctl -w kernel.printk_ratelimit=0
    not /snap/bin/snapd-hacker-toolbelt.busybox true
    sysctl -w kernel.printk_ratelimit=$orig_ratelimit
    echo "Not only the command failed because snap-confine failed, we see why!"
    dmesg --ctime | grep 'apparmor="DENIED" operation="mount" info="failed srcname match" error=-13 profile="/usr/lib/snapd/snap-confine" name="/snap/snapd-hacker-toolbelt/[0-9]\+/mnt/" pid=[0-9]\+ comm="ubuntu-core-lau" srcname="/snap/bin/" flags="rw, bind"'
restore: |
    snap remove --purge snapd-hacker-toolbelt
    rm -rf /var/snap/snapd-hacker-toolbelt
    rm -f /var/lib/snapd/mount/snap.snapd-hacker-toolbelt.busybox.fstab
    dmesg -c