root@dir:~# aa-exec -p snap.snap-store-proxy.snapproxy chown 0:0 /var/snap/snap-store-proxy/common/nginx/
chown: changing ownership of '/var/snap/snap-store-proxy/common/nginx/': Operation not permitted
root@zfs:~# aa-exec -p snap.snap-store-proxy.snapproxy chown 0:0 /var/snap/snap-store-proxy/common/nginx/
root@zfs:~# aa-exec -p snap.snap-store-proxy.snapproxy chown 1:1 /var/snap/snap-store-proxy/common/nginx/
chown: changing ownership of '/var/snap/snap-store-proxy/common/nginx/': Operation not permitted
That's despite the profiles not having "capability chown," inside them.
This suggests that apparmor will normally silently allow you to do a pointless chown (requested uid/gid matches existing uid/gid) but that logic isn't working properly with idmapped mounts.