Comment 16 for bug 1895967

It seems it comes down to a change in /lib/apparmor/apparmor.systemd which now refuses to load profiles when running in a container.

Example with 3.0:
$ /lib/apparmor/apparmor.systemd reload
Not starting AppArmor in container

Example with 2.x
 /lib/apparmor/apparmor.systemd reload
Restarting AppArmor
Reloading AppArmor profiles

This also explains why snap profiles work, the are loaded by snapd and not by apparmor.service.

I'll attach a repro script and full logs of good and bad case.