snap: help needed to enable strict confinement
I'm working on making Epiphany available as a Snap. Right now, my Snap only runs in devmode since it doesn't work in the normal sandboxed strict confinement mode. When I try to run it in strict mode, I get these AppArmor denials in my systemd journal:
kernel: audit: type=1400 audit: apparmor="DENIED" operation="mknod" profile="snap.epiphany.epiphany"
name="/dev/shm/WK2SharedMemory.1582825031" pid=12647 comm="WebKitWebProces" requested_mask="c" denied_mask="c"
Is there any way we can disable that?
I think the idea is that Snap handles sandboxing itself and it's simpler and more reliable to disable the app's own sandboxing mechanisms.
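A triage helper for denials like the one quoted above, added here as an example and not part of the original post or of snapd: it parses AppArmor `DENIED` audit records from journal text, rejoins a record that was wrapped across two lines, and groups the results by profile, operation and path. The function names and the wrapped-line heuristic are assumptions of this sketch, and the sample input is the denial from the post.

```python
import re
from collections import Counter

# Sample input: the denial quoted in the post, wrapped across two lines as it appears there.
SAMPLE = '''kernel: audit: type=1400 audit: apparmor="DENIED" operation="mknod" profile="snap.epiphany.epiphany"
name="/dev/shm/WK2SharedMemory.1582825031" pid=12647 comm="WebKitWebProces" requested_mask="c" denied_mask="c"
'''

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# AppArmor file permission letters as they appear in audit masks.
MASKS = {"r": "read", "w": "write", "a": "append", "c": "create", "d": "delete",
         "x": "execute", "m": "mmap-exec", "l": "link", "k": "lock"}


def parse_denials(text):
    """Return one dict of fields per apparmor="DENIED" record."""
    records, current = [], None
    for line in text.splitlines():
        if 'apparmor="DENIED"' in line:
            current = {}
            records.append(current)
        elif current is None or "denied_mask" in current or "audit:" in line:
            # Assumption: a continuation line carries no "audit:" prefix and
            # only follows a file denial that has not yet shown denied_mask.
            current = None
            continue
        for key, quoted, bare in FIELD.findall(line):
            current.setdefault(key, quoted or bare)
    return records


def summarize(records):
    """Count denials per (profile, operation, path, access); trailing digits become '*'."""
    counts = Counter()
    for rec in records:
        path = re.sub(r"\d+$", "*", rec.get("name", "?"))
        access = ",".join(MASKS.get(c, c) for c in rec.get("denied_mask", ""))
        counts[(rec.get("profile"), rec.get("operation"), path, access)] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize(parse_denials(SAMPLE)).items():
        print(n, *key)
```

Feeding it the output of `journalctl -k` for a strict-mode run shows at a glance which paths and operations the profile blocks and how often.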