Comment 4 for bug 1943767

Alberto Mardegan (mardy) wrote :

> Does your policy grant 'k' permissions to the file in question?

I think it does, as the snap.microk8s.daemon-containerd profile contains these rules:

  # Read-only system area for other versions
  # bind mount used here (see 'parallel installs', above)
  /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/ r,
  /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/** mrkix,

  # Writable system area only for this version
  # bind mount used here (see 'parallel installs', above)
  /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/@{SNAP_REVISION}/** wl,
  /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/common/** wl,

Also, running this command outside of the snap works:

    sudo aa-exec -p snap.microk8s.daemon-containerd \
        flock /var/snap/microk8s/common/default-storage/default-test-jb-pvc-aefec156-04d8-4cfe-a661-5df36eeca724/test echo ok
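
An added illustration, not part of the original comment and not snapd or AppArmor code: the sketch below evaluates the quoted rules against the path from the flock command, using a simplified model of AppArmor globbing and additive rule matching. The variable values, the `REV` revision placeholder and the function names are assumptions.

```python
import re

# Rules quoted in the comment above.
RULES = """
/var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/ r,
/var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/** mrkix,
/var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/@{SNAP_REVISION}/** wl,
/var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/common/** wl,
"""
# Assumed variable values; SNAP_REVISION is a constructed placeholder.
VARS = {"SNAP_NAME": "microk8s", "SNAP_INSTANCE_NAME": "microk8s",
        "SNAP_REVISION": "REV"}
# Path from the flock command in the comment.
TARGET = ("/var/snap/microk8s/common/default-storage/"
          "default-test-jb-pvc-aefec156-04d8-4cfe-a661-5df36eeca724/test")


def glob_to_regex(glob):
    """Translate a subset of AppArmor globs (**, *, ?, {a,b}) to a regex.

    Simplified: commas are assumed to occur only inside {} alternations.
    """
    def tok(m):
        t, s = m.group(0), m.string
        if t[0] == "*":
            # A glob that is a whole path component must match at least one
            # character, so /dir/** does not match /dir/ itself.
            lone = (s[m.start() - 1:m.start()] == "/"
                    and s[m.end():m.end() + 1] in ("", "/"))
            return ("[^/]" if lone else "") + (".*" if len(t) > 1 else "[^/]*")
        return {"{": "(?:", "}": ")", ",": "|", "?": "[^/]"}.get(t) or re.escape(t)
    return re.compile(re.sub(r"\*+|.", tok, glob) + r"\Z", re.DOTALL)


def granted(path, text=RULES):
    """Union the permissions of every rule whose glob matches path."""
    perms = set()
    for line in filter(None, (l.strip().rstrip(",") for l in text.splitlines())):
        glob, mode = line.rsplit(None, 1)
        glob = re.sub(r"@\{(\w+)\}", lambda m: VARS[m.group(1)], glob)
        if glob_to_regex(glob).match(path):
            perms |= set(re.sub(r"[pPcCuUi]+x", "x", mode))  # ix/px/... -> x
    return perms
```

`granted(TARGET)` includes `k`, contributed by the `mrkix` rule; the `wl` rule for `common/**` adds write and link but no lock permission of its own.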