Comment 14 for bug 1991691

Alberto Mardegan (mardy) wrote:

Thanks Alex and John for jumping in -- I did some investigation and I'm more and more persuaded that this is indeed a kernel (AppArmor) bug.

The good thing is that this is 100% reproducible by just installing the latest 22.10 daily images: firefox starts with warnings, and slack does not start at all. It's also true, as first suggested by Mathias, that booting with the kernel 5.19.0-18-generic makes the problem go away.

Even with that kernel there are still error messages left, related to mkdir failing, but that is due to bug 1951210 which has been fixed with https://github.com/snapcore/snapd/pull/12127 (but the fix has not been released yet, hence we still see these errors).

The errors which turn out to be fatal (for slack) are those mentioned by Andreas when he submitted the bug:

> update.go:85: cannot change mount namespace according to change mount (/run/user/1000/doc/by-app/snap.slack /run/user/1000/doc none bind,rw,x-snapd.ignore-missing 0 0): cannot inspect "/run/user/1000/doc": lstat /run/user/1000/doc: permission denied

The failure is on "lstat", which triggers AppArmor's getattr permission. The audit logs with the latest kernel show a flood of denials on getattr, which disappear with the previous kernel version. Could it be that the latest kernel has changed something in the way that getattr is handled?
I just found https://gitlab.com/apparmor/apparmor/-/issues/132 and I wonder if that code path has finally been enabled.
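Added here as an illustration (not code from the bug report, snapd or AppArmor): a small parser that tallies AppArmor `DENIED` audit events by operation, profile and path, which is how one would confirm that the flood mentioned above is specifically getattr denials on /run/user/1000/doc rather than the unrelated mkdir noise. The audit lines, profile names and PIDs below are constructed samples, not real log output.

```python
import re
from collections import Counter

# Constructed sample kernel audit lines in AppArmor's key="value" format.
# Profiles, PIDs and timestamps are made up for illustration only.
SAMPLE_AUDIT = """\
audit: type=1400 audit(1664100000.001:101): apparmor="DENIED" operation="getattr" class="file" profile="snap-update-ns.slack" name="/run/user/1000/doc/" pid=4321 comm="snap-update-ns" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit: type=1400 audit(1664100000.002:102): apparmor="DENIED" operation="getattr" class="file" profile="snap-update-ns.slack" name="/run/user/1000/doc/" pid=4321 comm="snap-update-ns" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit: type=1400 audit(1664100000.003:103): apparmor="DENIED" operation="getattr" class="file" profile="snap-update-ns.firefox" name="/run/user/1000/doc/" pid=4400 comm="snap-update-ns" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit: type=1400 audit(1664100000.004:104): apparmor="DENIED" operation="mkdir" class="file" profile="snap-update-ns.firefox" name="/run/user/1000/doc/by-app/snap.firefox/" pid=4400 comm="snap-update-ns" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
audit: type=1400 audit(1664100000.005:105): apparmor="ALLOWED" operation="open" class="file" profile="snap.firefox.firefox" name="/etc/hosts" pid=4500 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
"""

# Matches every quoted key="value" pair; unquoted fields like pid=4321 are ignored.
KV_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_apparmor_line(line):
    """Return the quoted fields of one AppArmor audit line, or None if it is not one."""
    fields = dict(KV_RE.findall(line))
    return fields if "apparmor" in fields else None

def summarize_denials(text):
    """Count DENIED events per (operation, profile, path) to show where denials cluster."""
    counts = Counter()
    for line in text.splitlines():
        fields = parse_apparmor_line(line)
        if fields and fields.get("apparmor") == "DENIED":
            counts[(fields["operation"], fields["profile"], fields["name"])] += 1
    return counts

def denials_for_operation(text, operation):
    """Total DENIED events for one operation (e.g. "getattr") across all profiles."""
    return sum(n for (op, _, _), n in summarize_denials(text).items() if op == operation)

if __name__ == "__main__":
    for (op, profile, name), n in sorted(summarize_denials(SAMPLE_AUDIT).items()):
        print(f"{n:3d} {op:8s} {profile:24s} {name}")
```

On a real system the input would be `journalctl -k` or /var/log/audit/audit.log output; a summary dominated by getattr on the same path across several snap profiles is what this comment's hypothesis predicts.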