snap: ensure security polices are re-created

[mvo5]

Based on #3438
For easy review: mvo5/snappy@1dfa2ee

Wait in `snap run` for snapd to finish activating

Our snapd uses the systemd notify protocol and will only finish
initialization when all security profiles have been re-generated.

This allows us to check in `snap run` if snapd is still activating
and if so to wait a little bit. This will wait for a maximum of
5s after that the old profiles will be used. Note that systemd
itself will give up after ~100 seconds so the worst case is that
snapd fails to start on boot. In this case all snaps will start
with a delay of 5 seconds in the first 100 seconds. After that
things will be "normal" (except that the old security profiles
will be used).

[codecov-io]

Codecov Report

Merging #3442 into master will decrease coverage by 0.01%.
The diff coverage is 46.15%.

@@            Coverage Diff             @@
##           master    #3442      +/-   ##
==========================================
- Coverage   77.23%   77.22%   -0.02%     
==========================================
  Files         373      373              
  Lines       25645    25658      +13     
==========================================
+ Hits        19808    19815       +7     
- Misses       4087     4090       +3     
- Partials     1750     1753       +3

Impacted Files	Coverage Δ
cmd/snap/cmd_run.go	63.31% <46.15%> (-1.2%)	⬇️
interfaces/sorting.go	96.66% <0%> (+3.33%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update d538109...0a04269. Read the comment docs.

[jdstrand]

Note that 5 seconds is not very long on armhf. Touch profiles could take as long as 1 second to load each, so a system with many profiles on armhf could fallback to old profiles pretty regularly, depending on when the systemd unit started.

[jdstrand]

In addition to not being supported on 14.04, it occurred to me that performing a DBus call in snap run is overhead we could avoid with a stamp file. I'm not sure if this fits all the properties you are looking for, but if instead of this DBus call snap run checks for the existence of a file (eg /run/snapd/something-appropriate) and waits on that, this would be a cheap check that would also work on 14.04. This stamp file would be created after profile generation finished and it could be removed on 'stop' so that 'snap run' during a core snap refresh would cause snap run to wait.

[mvo5]

Closing for now, this needs some more work after the latest forum discussions