diff -Nru snapd-2.62+git5228.da79b2383~ubuntu16.04.1/cmd/libsnap-confine-private/utils-test.c snapd-2.62+git5229.fd63599b2~ubuntu16.04.1/cmd/libsnap-confine-private/utils-test.c --- snapd-2.62+git5228.da79b2383~ubuntu16.04.1/cmd/libsnap-confine-private/utils-test.c 2024-04-20 07:32:11.000000000 +0000 +++ snapd-2.62+git5229.fd63599b2~ubuntu16.04.1/cmd/libsnap-confine-private/utils-test.c 2024-04-21 07:32:01.000000000 +0000 @@ -146,6 +146,13 @@ } } +static void my_unlink(const char *path) +{ + if (unlink(path) != 0 && errno != ENOENT) { + die("cannot unlink: %s", path); + } +} + /** * Perform the rest of testing in a ephemeral directory. * @@ -222,6 +229,37 @@ _test_sc_nonfatal_mkpath(dirname, subdirname); } +static void test_sc_is_container__empty(void) +{ + g_test_in_ephemeral_dir(); + g_test_queue_destroy((GDestroyNotify) my_unlink, "container"); + g_assert_true(g_file_set_contents("container", "", -1, NULL)); + g_assert_false(_sc_is_in_container("container")); +} + +static void test_sc_is_container__lxc(void) +{ + g_test_in_ephemeral_dir(); + g_test_queue_destroy((GDestroyNotify) my_unlink, "container"); + g_assert_true(g_file_set_contents("container", "lxc", -1, NULL)); + g_assert_true(_sc_is_in_container("container")); +} + +static void test_sc_is_container__lxc_with_newline(void) +{ + g_test_in_ephemeral_dir(); + g_test_queue_destroy((GDestroyNotify) my_unlink, "container"); + g_assert_true(g_file_set_contents("container", "lxc\n", -1, NULL)); + g_assert_true(_sc_is_in_container("container")); +} + +static void test_sc_is_container__no_file(void) +{ + g_test_in_ephemeral_dir(); + g_test_queue_destroy((GDestroyNotify) my_unlink, "container"); + g_assert_false(_sc_is_in_container("container")); +} + static void __attribute__((constructor)) init(void) { g_test_add_func("/utils/parse_bool", test_parse_bool); 
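Review bot: The `/* empty or just a newline */` branch of _sc_is_in_container() is not exercised by these tests: the cases cover "", "lxc", "lxc\n" and a missing file, but not a file holding only "\n", which is the one input where the chomp brings r down to 0 and the function must still return false. Add a fifth case next to test_sc_is_container__empty and register it as `/utils/sc_is_in_container/only_newline` in init() (the registration lives in the following hunk). A content line longer than the 128-byte buffer would also be worth pinning, so that truncation is shown to still yield true, but the newline case is the real gap.
```c
static void test_sc_is_container__only_newline(void)
{
	g_test_in_ephemeral_dir();
	g_test_queue_destroy((GDestroyNotify) my_unlink, "container");
	g_assert_true(g_file_set_contents("container", "\n", -1, NULL));
	g_assert_false(_sc_is_in_container("container"));
}
```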
@@ -232,4 +270,12 @@
 test_sc_nonfatal_mkpath__relative);
 g_test_add_func("/utils/sc_nonfatal_mkpath/absolute",
 test_sc_nonfatal_mkpath__absolute);
+ g_test_add_func("/utils/sc_is_in_container/empty",
+ test_sc_is_container__empty);
+ g_test_add_func("/utils/sc_is_in_container/no_file",
+ test_sc_is_container__no_file);
+ g_test_add_func("/utils/sc_is_in_container/lxc",
+ test_sc_is_container__lxc);
+ g_test_add_func("/utils/sc_is_in_container/lxc_newline",
+ test_sc_is_container__lxc_with_newline);
 }
diff -Nru snapd-2.62+git5228.da79b2383~ubuntu16.04.1/cmd/libsnap-confine-private/utils.c snapd-2.62+git5229.fd63599b2~ubuntu16.04.1/cmd/libsnap-confine-private/utils.c
--- snapd-2.62+git5228.da79b2383~ubuntu16.04.1/cmd/libsnap-confine-private/utils.c 2024-04-20 07:32:11.000000000 +0000
+++ snapd-2.62+git5229.fd63599b2~ubuntu16.04.1/cmd/libsnap-confine-private/utils.c 2024-04-21 07:32:01.000000000 +0000
@@ -261,3 +261,44 @@
 }
 return false;
 }
+
+const char *run_systemd_container = "/run/systemd/container";
+
+static bool _sc_is_in_container(const char *p)
+{
+ // see what systemd-detect-virt --container does in, see:
+ // https://github.com/systemd/systemd/blob/5dcd6b1d55a1cfe247621d70f0e25d020de6e0ed/src/basic/virt.c#L749-L755
+ // https://systemd.io/CONTAINER_INTERFACE/
+ FILE *in SC_CLEANUP(sc_cleanup_file) = fopen(p, "r");
+ if (in == NULL) {
+ return false;
+ }
+
+ char container[128] = { 0 };
+
+ if (fgets(container, sizeof(container), in) == NULL) {
+ /* nothing read or other error? */
+ return false;
+ }
+
+ size_t r = strnlen(container, sizeof container);
+ // TODO add sc_str_chomp()?
+ if (r > 0 && container[r - 1] == '\n') {
+ /* replace trailing newline */
+ container[r - 1] = 0;
+ r--;
+ }
+
+ if (r == 0) {
+ /* empty or just a newline */
+ return false;
+ }
+
+ debug("detected container environment: %s", container);
+ return true;
+}
+
+bool sc_is_in_container(void)
+{
+ return _sc_is_in_container(run_systemd_container);
+}
diff -Nru snapd-2.62+git5228.da79b2383~ubuntu16.04.1/cmd/libsnap-confine-private/utils.h snapd-2.62+git5229.fd63599b2~ubuntu16.04.1/cmd/libsnap-confine-private/utils.h
--- snapd-2.62+git5228.da79b2383~ubuntu16.04.1/cmd/libsnap-confine-private/utils.h 2024-04-20 07:32:11.000000000 +0000
+++ snapd-2.62+git5229.fd63599b2~ubuntu16.04.1/cmd/libsnap-confine-private/utils.h 2024-04-21 07:32:01.000000000 +0000
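Review bot: `if (in == NULL) { return false; }` treats every fopen() failure as "not in a container", so an AppArmor denial or permission problem on /run/systemd/container (the case the new rule in snap-confine.apparmor.in exists to avoid) is indistinguishable from the file simply being absent; log the unexpected ones before returning, e.g. `if (errno != ENOENT) { debug("cannot open %s: %s", p, strerror(errno)); }`. Failing towards false is the right direction, since the caller then keeps the device cgroup, but a silent path will make a broken profile hard to notice. Separately, `const char *run_systemd_container` is an exported, mutable pointer; unless a test needs to reassign it, `static const char *const run_systemd_container = "/run/systemd/container";` expresses what the code intends. The helper only examines the first 127 bytes of the first line, which matches systemd's single-token contract and is worth stating in the comment above the function.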
@@ -50,6 +50,11 @@ bool sc_is_reexec_enabled(void); /** + * Return true if executing inside a container. + **/ +bool sc_is_in_container(void); + +/** * sc_identity describes the user performing certain operation. * * UID and GID represent user and group accounts numbers and are controlled by diff -Nru snapd-2.62+git5228.da79b2383~ubuntu16.04.1/cmd/snap-confine/snap-confine.apparmor.in snapd-2.62+git5229.fd63599b2~ubuntu16.04.1/cmd/snap-confine/snap-confine.apparmor.in --- snapd-2.62+git5228.da79b2383~ubuntu16.04.1/cmd/snap-confine/snap-confine.apparmor.in 2024-04-20 07:32:11.000000000 +0000 +++ snapd-2.62+git5229.fd63599b2~ubuntu16.04.1/cmd/snap-confine/snap-confine.apparmor.in 2024-04-21 07:32:01.000000000 +0000 @@ -120,6 +120,9 @@ # To find if apparmor is enabled /sys/module/apparmor/parameters/enabled r, + # For detecting if we're in a container + /run/systemd/container r, + # Don't allow changing profile to unconfined or profiles that start with # '/'. Use 'unsafe' to support snap-exec on armhf and its reliance on # the environment for determining the capabilities of the architecture. diff -Nru snapd-2.62+git5228.da79b2383~ubuntu16.04.1/cmd/snap-confine/snap-confine.c snapd-2.62+git5229.fd63599b2~ubuntu16.04.1/cmd/snap-confine/snap-confine.c --- snapd-2.62+git5228.da79b2383~ubuntu16.04.1/cmd/snap-confine/snap-confine.c 2024-04-20 07:32:11.000000000 +0000 +++ snapd-2.62+git5229.fd63599b2~ubuntu16.04.1/cmd/snap-confine/snap-confine.c 2024-04-21 07:32:01.000000000 +0000 
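Review bot: The doc comment `Return true if executing inside a container.` does not say how that is decided, which matters because the caller relaxes confinement on the result; state the mechanism and the failure mode, e.g. `Return true if /run/systemd/container (the systemd container interface) exists and its first line is non-empty; any failure to open or read it yields false.` That wording reflects what _sc_is_in_container() does in utils.c and lets a reader judge which environments will or will not be detected.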
@@ -733,10 +733,13 @@
 // device cgroup by itself.
 struct sc_device_cgroup_options cgdevopts = { false, false };
 sc_get_device_cgroup_setup(inv, &cgdevopts);
+ bool in_container = sc_is_in_container();
 if (cgdevopts.self_managed) {
 debug("device cgroup is self-managed by the snap");
 } else if (cgdevopts.non_strict) {
 debug("device cgroup skipped, snap in non-strict confinement");
+ } else if (in_container) {
+ debug("device cgroup skipped, executing inside a container");
 } else {
 sc_device_cgroup_mode mode = device_cgroup_mode_for_snap(inv);
 sc_setup_device_cgroup(inv->security_tag, mode);
diff -Nru snapd-2.62+git5228.da79b2383~ubuntu16.04.1/commits snapd-2.62+git5229.fd63599b2~ubuntu16.04.1/commits
--- snapd-2.62+git5228.da79b2383~ubuntu16.04.1/commits 2024-04-20 07:32:11.000000000 +0000
+++ snapd-2.62+git5229.fd63599b2~ubuntu16.04.1/commits 2024-04-21 07:32:01.000000000 +0000
@@ -1 +1 @@
-master:b5b312040d6b9a5849660382379a26ea62bd1da9
+master:ba93277e5f17071b503f7ffb0682b595e5b9af64
diff -Nru snapd-2.62+git5228.da79b2383~ubuntu16.04.1/debian/changelog snapd-2.62+git5229.fd63599b2~ubuntu16.04.1/debian/changelog
--- snapd-2.62+git5228.da79b2383~ubuntu16.04.1/debian/changelog 2024-04-20 07:32:12.000000000 +0000
+++ snapd-2.62+git5229.fd63599b2~ubuntu16.04.1/debian/changelog 2024-04-21 07:32:01.000000000 +0000
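Review bot: The new `} else if (in_container) {` branch leaves every strictly confined snap without a device cgroup whenever PID 1 reports a container, yet nothing in the hunk records why that is acceptable; presumably the device controller cannot be set up from inside the container, but that is an inference, and the decision is keyed on a file's contents rather than on the cgroup itself. Put the reason and the consequence in a comment above the branch, e.g. `// Inside a container the device cgroup is not set up by snap-confine; device access then relies on the container runtime and the snap's AppArmor/seccomp profiles.` (adjust to the actual rationale). As a matter of style, `bool in_container = sc_is_in_container();` is evaluated and reads the file even when the self_managed or non_strict branch is taken; folding it into the condition, `} else if (sc_is_in_container()) {`, avoids the needless read. The enclosing function starts and ends outside the hunk.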
@@ -1,8 +1,8 @@ -snapd (2.62+git5228.da79b2383~ubuntu16.04.1) xenial; urgency=low +snapd (2.62+git5229.fd63599b2~ubuntu16.04.1) xenial; urgency=low * Auto build. - -- Launchpad Package Builder Sat, 20 Apr 2024 07:32:12 +0000 + -- Launchpad Package Builder Sun, 21 Apr 2024 07:32:01 +0000 snapd (2.62) xenial; urgency=medium diff -Nru snapd-2.62+git5228.da79b2383~ubuntu16.04.1/debian/git-build-recipe.manifest snapd-2.62+git5229.fd63599b2~ubuntu16.04.1/debian/git-build-recipe.manifest --- snapd-2.62+git5228.da79b2383~ubuntu16.04.1/debian/git-build-recipe.manifest 2024-04-20 07:32:12.000000000 +0000 +++ snapd-2.62+git5229.fd63599b2~ubuntu16.04.1/debian/git-build-recipe.manifest 2024-04-21 07:32:01.000000000 +0000 @@ -1,2 +1,2 @@ -# git-build-recipe format 0.4 deb-version {debupstream}+git5228.da79b2383 -lp:snapd-vendor git-commit:da79b23834bbb60f486af854108999f58d9eb773 +# git-build-recipe format 0.4 deb-version {debupstream}+git5229.fd63599b2 +lp:snapd-vendor git-commit:fd63599b2fdccdf75f55af6da72e29417701ccb8 diff -Nru snapd-2.62+git5228.da79b2383~ubuntu16.04.1/interfaces/apparmor/template.go snapd-2.62+git5229.fd63599b2~ubuntu16.04.1/interfaces/apparmor/template.go --- snapd-2.62+git5228.da79b2383~ubuntu16.04.1/interfaces/apparmor/template.go 2024-04-20 07:32:11.000000000 +0000 +++ snapd-2.62+git5229.fd63599b2~ubuntu16.04.1/interfaces/apparmor/template.go 2024-04-21 07:32:01.000000000 +0000 @@ -1065,6 +1065,8 @@ /tmp/ r, /usr/ r, /var/ r, + /var/lib/ r, + /var/lib/snapd/ r, /var/snap/ r, # Allow reading timezone data. diff -Nru snapd-2.62+git5228.da79b2383~ubuntu16.04.1/packaging/ubuntu-16.04/changelog snapd-2.62+git5229.fd63599b2~ubuntu16.04.1/packaging/ubuntu-16.04/changelog --- snapd-2.62+git5228.da79b2383~ubuntu16.04.1/packaging/ubuntu-16.04/changelog 2024-04-20 07:32:12.000000000 +0000 +++ snapd-2.62+git5229.fd63599b2~ubuntu16.04.1/packaging/ubuntu-16.04/changelog 2024-04-21 07:32:01.000000000 +0000 
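Review bot: The added `/var/lib/ r,` and `/var/lib/snapd/ r,` rules let every snap built from this template list the entries of /var/lib/snapd/ (file and directory names, not their contents), which widens what a confined process can learn about the host's snapd state, and the hunk gives no reason for it. Add a comment above the two lines stating what needs the listing, e.g. `# Allow listing /var/lib/ and /var/lib/snapd/ (directory entries only) so that <consumer> can resolve paths under them`, with the consumer filled in from the motivating bug. The template string these lines belong to starts and ends outside the hunk.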
@@ -1,8 +1,8 @@ -snapd (2.62+git5228.da79b2383~ubuntu16.04.1) xenial; urgency=low +snapd (2.62+git5229.fd63599b2~ubuntu16.04.1) xenial; urgency=low * Auto build. - -- Launchpad Package Builder Sat, 20 Apr 2024 07:32:12 +0000 + -- Launchpad Package Builder Sun, 21 Apr 2024 07:32:01 +0000 snapd (2.62) xenial; urgency=medium diff -Nru snapd-2.62+git5228.da79b2383~ubuntu16.04.1/packaging/ubuntu-16.04/git-build-recipe.manifest snapd-2.62+git5229.fd63599b2~ubuntu16.04.1/packaging/ubuntu-16.04/git-build-recipe.manifest --- snapd-2.62+git5228.da79b2383~ubuntu16.04.1/packaging/ubuntu-16.04/git-build-recipe.manifest 2024-04-20 07:32:12.000000000 +0000 +++ snapd-2.62+git5229.fd63599b2~ubuntu16.04.1/packaging/ubuntu-16.04/git-build-recipe.manifest 2024-04-21 07:32:01.000000000 +0000 @@ -1,2 +1,2 @@ -# git-build-recipe format 0.4 deb-version {debupstream}+git5228.da79b2383 -lp:snapd-vendor git-commit:da79b23834bbb60f486af854108999f58d9eb773 +# git-build-recipe format 0.4 deb-version {debupstream}+git5229.fd63599b2 +lp:snapd-vendor git-commit:fd63599b2fdccdf75f55af6da72e29417701ccb8