ubuntu@ubuntu:~$ sudo cat /var/snap/lxd/common/lxd/security/apparmor/profiles/lxd_forkproxy-PASocket1_pmp
#include <tunables/global>
# AppArmor confinement for the LXD "forkproxy" helper that implements a proxy
# device. The profile name encodes the device ("PASocket1") and, presumably,
# the instance ("pmp", matching the logs/pmp path below) -- TODO confirm against
# the LXD version that generated this file.
# attach_disconnected: paths that become disconnected from the namespace root
# are still mediated instead of failing outright.
# mediate_deleted: files that were unlinked keep being mediated.
profile "lxd_forkproxy-PASocket1_pmp_</var/snap/lxd/common/lxd>" flags=(attach_disconnected,mediate_deleted) {
#include <abstractions/base>
# Capabilities
# NOTE(review): sys_admin and sys_ptrace are the broadest grants in this list;
# nothing in this file shows which forkproxy operation needs each one, so
# confirm against the forkproxy source before trimming any of them.
capability chown,
capability dac_read_search,
capability dac_override,
capability fowner,
capability fsetid,
capability kill,
capability net_bind_service,
capability setgid,
capability setuid,
capability sys_admin,
capability sys_chroot,
capability sys_ptrace,
# Network access
# TCP and UDP over IPv4/IPv6 plus unix stream sockets. The endpoints listed
# further down are unix sockets, so the inet/inet6 rules are wider than this
# particular device needs.
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network unix stream,
# Forkproxy operation
# Writable log directory is limited to this instance's own subtree.
# "@{PROC}/** rw" is a blanket grant over procfs; the deny rules below carve
# specific entries back out (an explicit deny wins over an allow in AppArmor).
# "/ rw" matches only the root directory entry itself, not anything under it.
/var/snap/lxd/common/lxd/logs/pmp/** rw,
@{PROC}/** rw,
/ rw,
# Ptrace read and trace of other processes, which pairs with capability
# sys_ptrace above.
ptrace (read),
ptrace (trace),
# Needed for lxd fork commands
/snap/lxd/current/bin/lxd mr,
@{PROC}/@{pid}/cmdline r,
/var/lib/snapd/hostfs/{etc,lib,usr/lib}/os-release r,
# The two proxied socket endpoints, presumably the device's listen/connect
# sides: a path in the user's home and the user's PulseAudio native socket
# reached through the snap's hostfs mount. The hostfs line is duplicated;
# AppArmor rule sets are unordered and accumulative, so the duplicate is
# harmless but could be dropped.
/home/ubuntu/pulse-native rw,
/var/lib/snapd/hostfs/run/user/1000/pulse/native rw,
/var/lib/snapd/hostfs/run/user/1000/pulse/native rw,
# Things that we definitely don't need
# These override the "@{PROC}/** rw" grant above for the named entries. An
# explicit deny is also not logged, unlike an access that is merely absent
# from the profile, so these keep the audit log quiet.
deny @{PROC}/@{pid}/cgroup r,
deny /sys/module/apparmor/parameters/enabled r,
deny /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
# The binary itself (for nesting)
/var/snap/lxd/common/lxd.debug mr,
/snap/lxd/*/bin/lxd mr,
# Snap-specific libraries
/snap/lxd/*/lib/**.so* mr,
# Entries from LD_LIBRARY_PATH
# NOTE(review): the "/** mr" entry in this section matches every path on the
# filesystem, so every other mr rule in this profile (including the snap
# library rules above) is subsumed by it; the effective policy lets the helper
# read and map any file it can reach. Confirm that catch-all is intended and
# not an LD_LIBRARY_PATH element that expanded to "/".
# The double slash in "zfs-0.8/lib//**" looks inherited from a trailing-slash
# LD_LIBRARY_PATH element -- verify the parser normalises it (moot while the
# "/** mr" rule stands).
# The revision-pinned "/snap/lxd/18140/..." lines and the "/snap/lxd/current/..."
# lines presumably describe the same snap, with 18140 being the resolved
# "current" symlink at generation time; the pinned lines only stay valid until
# the snap is refreshed and the profile regenerated. Two of the pinned lines
# are duplicated, which is harmless for the same reason as above.
/snap/lxd/current/zfs-0.8/lib//** mr,
/var/lib/snapd/lib/gl/** mr,
/var/lib/snapd/lib/gl32/** mr,
/var/lib/snapd/void/** mr,
/snap/lxd/18140/lib/** mr,
/snap/lxd/18140/lib/aarch64-linux-gnu/** mr,
/snap/lxd/18140/lib/aarch64-linux-gnu/ceph/** mr,
/snap/lxd/18140/zfs-0.6/lib/** mr,
/** mr,
/snap/lxd/18140/lib/** mr,
/snap/lxd/18140/lib/aarch64-linux-gnu/** mr,
/snap/lxd/current/lib/** mr,
/snap/lxd/current/lib/aarch64-linux-gnu/** mr,
/snap/lxd/current/lib/aarch64-linux-gnu/ceph/** mr,
}