The chromium snap's generated apparmor profile does include <abstractions/ssl_certs>, which allows read access to /etc/ssl/certs/ and /usr/local/share/ca-certificates/, among other paths¹.
So the problem is not confinement per se, but the fact that the core snap shadows these directories.
I wonder if using the system-files interface² would be a valid use case to expose these certificates in a read-only fashion.
The chromium snap's generated apparmor profile does include <abstractions/ ssl_certs> , which allows read access to /etc/ssl/certs/ and /usr/local/ share/ca- certificates/ , among other paths¹.
So the problem is not confinement per se, but the fact that the core snap shadows these directories.
I wonder if using the system-files interface² would be a valid use case to expose these certificates in a read-only fashion.
¹ see /etc/apparmor. d/abstractions/ ssl_certs for reference /snapcraft. io/docs/ system- files-interface
² https:/