It seems that the apparmor_parser in core22 does not understand the nosymfollow mount option:
$ lxc config set systemd-lxc raw.apparmor "mount options=(ro,remount,bind,nosuid,noexec,nodev,nosymfollow) /dev/shm,"
Error: Parse AppArmor profile: Failed to run: apparmor_parser -QWL /var/snap/lxd/common/lxd/security/apparmor/cache /var/snap/lxd/common/lxd/security/apparmor/profiles/lxd-systemd-lxc: exit status 1 (unsupported mount options)
So, patching the generated AppArmor policy might not be feasible until the lxd snap uses core24.