Ensure that /snap/bin cannot be used for bind mounts

debian/usr.bin.snap-confine

@@ -120,8 +120,8 @@
     mount options=(rw bind) /snap/*/** -> /snap/*/**,
     mount options=(ro bind) /snap/*/** -> /snap/*/**,
     # But we don't want anyone to touch /snap/bin
-    deny audit mount /snap/bin/** -> /**,
-    deny audit mount /** -> /snap/bin/**,
+    audit deny mount /snap/bin/** -> /**,
+    audit deny mount /** -> /snap/bin/**,
 
     # nvidia handling, glob needs /usr/** and the launcher must be
     # able to bind mount the nvidia dir

spread-tests/mount-profiles-bin-snap-source/task.yaml

@@ -0,0 +1,23 @@
+summary: Check that apparmor profiles prevents bind mounting /snap/bin anywhere
+# This is blacklisted on debian because it relies on apparmor mount mediation
+systems: [-debian-8]
+prepare: |
+    echo "Having installed the snapd-hacker-toolbelt snap"
+    snap install snapd-hacker-toolbelt
+    echo "We can change its mount profile externally to create bind mount /snap/bin somewhere"
+    echo "/snap/bin -> /snap/snapd-hacker-toolbelt/mnt"
+    mkdir -p /var/lib/snapd/mount
+    echo "/snap/bin /snap/snapd-hacker-toolbelt/current/mnt none bind,ro 0 0" > /var/lib/snapd/mount/snap.snapd-hacker-toolbelt.busybox.fstab
+    sysctl -w kernel.printk_ratelimit=0
+execute: |
+    cd /
+    echo "Let's clear the kernel ring buffer"
+    dmesg -c
+    echo "We can now run busybox true and expect it to fail"
+    ! /snap/bin/snapd-hacker-toolbelt.busybox true
+    echo "Not only the command failed because snap-confine failed, we see why!"
+    dmesg | grep 'apparmor="DENIED" operation="mount" info="failed srcname match" error=-13 profile="/usr/lib/snapd/snap-confine" name="/snap/snapd-hacker-toolbelt/[0-9]\+/mnt/" pid=[0-9]\+ comm="ubuntu-core-lau" srcname="/snap/bin/" flags="rw, bind"'
+restore: |
+    snap remove snapd-hacker-toolbelt
+    rm -rf /var/snap/snapd-hacker-toolbelt
+    rm -f /var/lib/snapd/mount/snap.snapd-hacker-toolbelt.busybox.fstab