Comment 11 for bug 1641236

Trent Lloyd (lathiat) wrote:

Note: This affects SSH as well, not only lxc exec. There is a currently marked duplicate bug about the SSH part in Bug #1667016

This still persists on focal now. To work around this for me I have to *both* use tcpdump with -l (line buffered mode) *and* pipe the output to cat. You also want to redirect stderr otherwise it's silently lost.

# tcpdump -lni o-hm0 2>&1|cat

The apparmor errors I get are:
[ 6414.508990] audit: type=1400 audit(1666764106.013:360): apparmor="DENIED" operation="file_inherit" namespace="root//lxd-juju-5062b7-2-lxd-3_<var-snap-lxd-common-lxd>" profile="/usr/sbin/tcpdump" name="/dev/pts/2" pid=187936 comm="tcpdump" requested_mask="wr" denied_mask="wr" fsuid=1000000 ouid=1001000

I have determined the cause, which is that tcpdump is one of the few programs with its own restrictive apparmor profile (/etc/apparmor.d/usr.sbin.tcpdump). As part of that it locks down /dev to read-only:
> /dev/ r,

However that also means /dev/pts is read-only, hence the error above denies write access.

There is an abstraction #include <abstractions/consoles> which adds access to /dev/pts and other console outputs. It's included also in the profile for usr.bin.man.

Including this abstraction resolves the issue for me. I'll upload a patch.
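As an added illustration (my own helper, not code from the bug reporter or from Ubuntu's tcpdump profile): it recognises the /dev/pts "file_inherit" denial from the audit line format quoted above and checks whether a profile text carries the consoles abstraction the comment proposes. The audit line and the two profile fragments are constructed for the example; the function names are mine.

```python
import re
from typing import Dict

# Constructed sample, modelled on the DENIED line quoted in the comment
# (not a line captured from the reporter's system).
SAMPLE_AUDIT_LINE = (
    '[ 6414.508990] audit: type=1400 audit(1666764106.013:360): apparmor="DENIED" '
    'operation="file_inherit" namespace="root//lxd-example_<var-snap-lxd-common-lxd>" '
    'profile="/usr/sbin/tcpdump" name="/dev/pts/2" pid=187936 comm="tcpdump" '
    'requested_mask="wr" denied_mask="wr" fsuid=1000000 ouid=1001000'
)

# Constructed profile fragments: the restrictive /dev rule from the comment,
# and the same profile with the consoles abstraction included.
BEFORE_PROFILE = "/usr/sbin/tcpdump {\n  /dev/ r,\n}\n"
AFTER_PROFILE = "/usr/sbin/tcpdump {\n  #include <abstractions/consoles>\n  /dev/ r,\n}\n"

# key=value pairs; values are either double-quoted or a bare token
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# apparmor accepts both "#include" and the newer "include" spelling
CONSOLES_INCLUDE_RE = re.compile(r"^\s*#?include\s+<abstractions/consoles>\s*$", re.M)


def parse_apparmor_audit(line: str) -> Dict[str, str]:
    """Split an AppArmor audit line into its key=value fields, quotes stripped."""
    fields: Dict[str, str] = {}
    for m in FIELD_RE.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


def is_pty_inherit_denial(fields: Dict[str, str]) -> bool:
    """True when a confined program was refused write access to an inherited pty."""
    return (fields.get("apparmor") == "DENIED"
            and fields.get("operation") == "file_inherit"
            and fields.get("name", "").startswith("/dev/pts/")
            and "w" in fields.get("denied_mask", ""))


def profile_grants_console(profile_text: str) -> bool:
    """True when the profile includes the consoles abstraction (pts access)."""
    return bool(CONSOLES_INCLUDE_RE.search(profile_text))


def diagnose(audit_line: str, profile_text: str) -> str:
    """Classify an audit line against the profile text that should cover it."""
    fields = parse_apparmor_audit(audit_line)
    if not is_pty_inherit_denial(fields):
        return "not-applicable"
    return "ok" if profile_grants_console(profile_text) else "missing-consoles-abstraction"
```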