interfaces/greengrass-support: adjust accesses now that have working snap

[jdstrand]

• don't use owner match with @{PROC}/[0-9]*/mountinfo
• use @{SNAP_REVISION} with pivot_root rule
• allow 'ro, remount, rbind' on / for pivot_root in overlay

[zyga]

Are you aware of the consequences of using pivot_root and how it makes most of our apparmor rules ineffective?

(Sorry for pulling this out now, I didn't notice this before)

[jdstrand]

greengrass is proprietary software and fails without this access. It relies upon various features to setup its own sandbox.

However, I'm aware of mediation issues regarding overlayfs and pivot root (in particular https://bugs.launchpad.net/apparmor/+bug/1703692), which is just one of many reasons why this interface is a 'super-privileged' interface, like docker-support and lxd-support (ie, you need a snap declaration to even install a snap that plugs this).

[zyga]

Ack, thank you, I just wanted to make sure this is well-known.

[codecov-io]

Codecov Report

Merging #3591 into master will decrease coverage by <.01%.
The diff coverage is n/a.

@@            Coverage Diff            @@
##           master   #3591      +/-   ##
=========================================
- Coverage    74.9%   74.9%   -0.01%     
=========================================
  Files         380     380              
  Lines       32952   32952              
=========================================
- Hits        24684   24683       -1     
- Misses       6475    6476       +1     
  Partials     1793    1793

Impacted Files	Coverage Δ
interfaces/builtin/greengrass_support.go	100% <ø> (ø)	⬆️
interfaces/sorting.go	94.28% <0%> (-2.86%)	⬇️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 1436db4...e4c8ca7. Read the comment docs.

[jdstrand]

Thanks!