Comment 2 for bug 2023630

I was able to get around this by running the following

$ sudo mkdir /etc/apparmor.d/abstractions/nss-systemd.d
$ echo -e '# vim:syntax=apparmor\n\n abi <abi/3.0>,\n @{run}/systemd/resolve/io.systemd.Resolve rw,' | sudo tee /etc/apparmor.d/abstractions/nss-systemd.d/resolver
$ sudo systemctl reload apparmor

There may very well be better ways to do this, but this seems to work.

NB: FWIW, I believe this gives many applications the ability to use systemd-resolved to resolve hostnames, but I can't imagine that being a security issue.