Comment 6 for bug 1830502

John Johansen (jjohansen) wrote : Re: apparmor fails to start with no parser errors

We can get a diff of loaded vs. expected profiles

for a straight list of loaded profile names, you can do
  $ sudo cat /sys/kernel/security/apparmor/profiles
  /snap/core/6964/usr/lib/snapd/snap-confine (enforce)
  /snap/core/6964/usr/lib/snapd/snap-confine//mount-namespace-capture-helper (enforce)
  firefox (enforce)
  firefox//sanitized_helper (enforce)
  firefox//lsb_release (enforce)
  ...

we can then get a list of profile names from apparmor_parser without doing a compile using
  $ sudo apparmor_parser -N /etc/apparmor.d/ /var/lib/snapd/apparmor/profiles/
  udm-extractor
  ubuntu-printing-app
  /usr/sbin/tcpdump
  ...

so a quick and dirty script to get the diff
  $ sudo cat /sys/kernel/security/apparmor/profiles | awk '{ print $1 }' > /tmp/foo ; sudo apparmor_parser -N /etc/apparmor.d/ /var/lib/snapd/apparmor/profiles/ >> /tmp/foo ; sort /tmp/foo | uniq -c | grep -e ' 1 '

  Skipping profile in /etc/apparmor.d/disable: usr.lib.libreoffice.program.oosplash
  Ignoring: 'usr.bin.firefox~'
      1 /etc/apparmor.d/usr.bin.firefox
      1 libvirt-79eb4c35-23a7-44bb-8894-aa97ca616850
  ...

basically anything that doesn't show up in both gets a count of 1.

We can further distinguish profiles that have been loaded based on time if we need to with
  $ ls -l /sys/kernel/security/apparmor/policy/profiles/
  total 0
  drwxr-xr-x 2 root root 0 May 21 23:16 content-hub-clipboard.1
  drwxr-xr-x 2 root root 0 May 21 23:16 content-hub-peer-picker.2
  drwxr-xr-x 2 root root 0 May 21 23:16 default.0
  drwxr-xr-x 2 root root 0 May 21 23:16 etc.apparmor.d.skype.6
  ...

and we can try to load any of the profiles we find that failed to load individually with
  $ sudo apparmor_parser -r "$profile"

or, if need be, one by one via shell scripting (sadly the parser is missing a direct way to dump which profile is being worked on when it is processing multiple dirs, and it can't do it when killed by the OOM killer either).

with this we should be able to track down which profile is failing
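The procedure above, scripted as an added example that is not part of the bug report or of the AppArmor project's own tooling: it diffs the kernel's loaded profile list against the names `apparmor_parser -N` expects, in both directions, and then asks the parser per file which names that file defines so that each missing profile can be reloaded from its own file and the failing file is identified. The function names, the `PROFILE_DIRS` setting, and the sample lists at the bottom are this example's own assumptions; the sample lists are constructed, not real system output.

```shell
#!/bin/sh
# Added example (not from the bug report or the AppArmor project): script the
# loaded-vs-expected profile diff and reload missing profiles one file at a
# time. Function names, PROFILE_DIRS and the sample data at the bottom are
# this example's own assumptions.
set -u

PROFILE_DIRS="/etc/apparmor.d /var/lib/snapd/apparmor/profiles"
SYSFS_PROFILES=/sys/kernel/security/apparmor/profiles

# strip_mode: "firefox//lsb_release (enforce)" -> "firefox//lsb_release".
# Only the trailing " (mode)" is removed; taking the first whitespace-separated
# field would truncate any profile name that contains a space.
strip_mode() {
    sed 's/ ([a-z]*)$//'
}

# missing_profiles LOADED EXPECTED: names the parser expects that the kernel
# does not have loaded. LOADED is the raw sysfs list, EXPECTED the output of
# `apparmor_parser -N`. comm needs sorted input; -13 keeps lines unique to
# the second file.
missing_profiles() {
    l=$(mktemp); e=$(mktemp)
    strip_mode < "$1" | sort -u > "$l"
    sort -u "$2" > "$e"
    comm -13 "$l" "$e"
    rm -f "$l" "$e"
}

# stale_profiles LOADED EXPECTED: the other direction, names loaded in the
# kernel that no file on disk defines (removed packages, libvirt's per-VM
# profiles). Child profiles ("parent//child") load with their parent and are
# dropped so the comparison stays at the top level.
stale_profiles() {
    l=$(mktemp); e=$(mktemp)
    strip_mode < "$1" | sed '/\/\//d' | sort -u > "$l"
    sort -u "$2" > "$e"
    comm -23 "$l" "$e"
    rm -f "$l" "$e"
}

# reload_missing MISSING: for every profile file under PROFILE_DIRS ask the
# parser (-N, no compile) which names it defines; if one of them is listed in
# MISSING, reload just that file with -r and report the exit status. Running
# the parser per file is what makes the failing file visible, since a run
# over whole directories does not say which file it was working on.
reload_missing() {
    for dir in $PROFILE_DIRS; do
        for f in "$dir"/*; do
            [ -f "$f" ] || continue
            case "$f" in *~) continue ;; esac   # editor backups; the parser ignores them too
            names=$(apparmor_parser -N "$f" 2>/dev/null) || continue
            printf '%s\n' "$names" | grep -qxF -f "$1" || continue
            apparmor_parser -r "$f"; rc=$?
            if [ "$rc" -eq 0 ]; then echo "OK   $f"; else echo "FAIL $f (exit $rc)"; fi
        done
    done
}

# live_check: the real run; needs root to read the sysfs list and to load policy.
live_check() {
    [ -r "$SYSFS_PROFILES" ] || { echo "cannot read $SYSFS_PROFILES (run as root)" >&2; return 1; }
    w=$(mktemp -d)
    cat "$SYSFS_PROFILES" > "$w/loaded"
    apparmor_parser -N $PROFILE_DIRS 2>/dev/null > "$w/expected"
    missing_profiles "$w/loaded" "$w/expected" > "$w/missing"
    echo "expected but not loaded:"; cat "$w/missing"
    echo "loaded but no longer on disk:"; stale_profiles "$w/loaded" "$w/expected"
    reload_missing "$w/missing"
    rm -rf "$w"
}

# Constructed sample data (not real system output) so the diff logic can be
# exercised offline; the libreoffice name stands in for a profile that failed
# to load, the libvirt one for a per-VM profile with no file on disk.
demo=$(mktemp -d)
cat > "$demo/loaded" <<'EOF'
firefox (enforce)
firefox//lsb_release (enforce)
/usr/sbin/tcpdump (complain)
libvirt-79eb4c35-23a7-44bb-8894-aa97ca616850 (enforce)
EOF
cat > "$demo/expected" <<'EOF'
firefox
/usr/sbin/tcpdump
/usr/lib/libreoffice/program/oosplash
EOF
echo "demo, expected but not loaded:"; missing_profiles "$demo/loaded" "$demo/expected"
echo "demo, loaded but not on disk:";  stale_profiles  "$demo/loaded" "$demo/expected"
rm -rf "$demo"

if [ "${1:-}" = "--live" ]; then live_check; fi
```

Run it with `--live` as root to check the real system; without arguments it only exercises the constructed sample. The `stale` list is expected to be noisy (libvirt creates profiles at VM start that have no file under /etc/apparmor.d), so only the `missing` list is fed to `reload_missing`.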