Upon a bit of further investigation, it's interesting to note that btrfs snapshots preserve ownership (i.e. btrfsctl -S test / --> test is owned by root:root just like /)
So, one workaround is the policy invariant "Any directories where a confined process can write to should only be granted owner read permissions", though this is a pretty subpar workaround...
Even in a fairly restricted apparmor profile, as long as inherit-execute permissions are available to the btrfsctl binary,and write permissions exist to the snapshot destination, btrfs snapshotting will succeed. No further AA capabilities are required, which is a bit concerning.
Upon a bit of further investigation, it's interesting to note that btrfs snapshots preserve ownership (i.e. btrfsctl -S test / --> test is owned by root:root just like /)
So, one workaround is the policy invariant "Any directories where a confined process can write to should only be granted owner read permissions", though this is a pretty subpar workaround...
Even in a fairly restricted apparmor profile, as long as inherit-execute permissions are available to the btrfsctl binary,and write permissions exist to the snapshot destination, btrfs snapshotting will succeed. No further AA capabilities are required, which is a bit concerning.