Comment 1 for bug 1964636

Ian Johnson (anonymouse67) wrote :

Thanks for the report, I just tried to reproduce this on both updated impish and updated jammy and couldn't reproduce. I notice on impish specifically that my focal container does not get the /var/lib/snapd/apparmor/snap-confine/cap-bpf file which is expected because the apparmor_parser for focal does not know about the bpf capability. What's confusing is how/why your container saw this, because again snapd actually tries to compile a program with apparmor_parser with "capability bpf," in it and only if that succeeds will it generate that snippet to include in snap-confine's policy.

So for this to have happened to you, the apparmor_parser that snapd sees inside the focal container must have been able to successfully compile with that snippet.

You mentioned on IRC that this was a privileged container; is there any way that, in addition to being a privileged container, it somehow had a newer apparmor_parser in the container too?
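To check from inside a container whether its apparmor_parser accepts a `capability bpf,` rule (the test the comment says gates generation of the `cap-bpf` snippet), here is an added diagnostic script. It is not snapd's own probe code; the function name `probe_cap_bpf`, the `APPARMOR_PARSER` override variable and the minimal profile text are assumptions made for this example. It only parses and compiles the profile (`-Q` skips the kernel load, `-K` skips the cache) and loads nothing.

```shell
#!/bin/sh
# Added example (not snapd's code): ask the local apparmor_parser whether
# it understands "capability bpf," by compiling a throwaway profile.

# Prints exactly one of: supported | unsupported | no-parser
probe_cap_bpf() {
    parser="${APPARMOR_PARSER:-apparmor_parser}"   # hypothetical override knob
    if ! command -v "$parser" >/dev/null 2>&1; then
        echo no-parser
        return 0
    fi
    tmp=$(mktemp) || return 1
    # Constructed minimal profile; the only line that matters is the capability rule.
    cat >"$tmp" <<'EOF'
profile probe-cap-bpf {
  capability bpf,
}
EOF
    # -Q: parse/compile only, do not load into the kernel; -K: skip the cache
    if "$parser" -Q -K "$tmp" >/dev/null 2>&1; then
        echo supported
    else
        echo unsupported
    fi
    rm -f "$tmp"
}

# Reports whether snapd has already written the snap-confine cap-bpf snippet
# mentioned in the comment (path taken from the report). Prints present|absent.
snap_confine_cap_bpf_snippet() {
    if [ -e /var/lib/snapd/apparmor/snap-confine/cap-bpf ]; then
        echo present
    else
        echo absent
    fi
}

# Stand-alone usage: print both facts side by side so a mismatch
# (snippet present but parser says unsupported, or vice versa) stands out.
echo "apparmor_parser capability bpf: $(probe_cap_bpf)"
echo "snap-confine cap-bpf snippet:   $(snap_confine_cap_bpf_snippet)"
```

Run it in the focal container and on the host: the expected, consistent pair is `unsupported`/`absent` on a stock focal parser. If the container reports `supported`, it is not using focal's own apparmor_parser, which is the situation the comment is asking about.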