AppArmor denials with retroarch snap in unprivileged LXC container

I can run retroarch from apt, but the snap fails with AppArmor denials (in particular the X11 connect denials):

[  568.079823] audit: type=1400 audit(1637620095.329:1374): apparmor="DENIED" operation="capable" namespace="root//lxd-retro-snap_<var-snap-lxd-common-lxd>" profile="/snap/snapd/13640/usr/lib/snapd/snap-confine" pid=29068 comm="snap-confine" capability=4  capname="fsetid"
[  569.035405] audit: type=1400 audit(1637620096.287:1375): apparmor="DENIED" operation="mkdir" namespace="root//lxd-retro-snap_<var-snap-lxd-common-lxd>" profile="snap.retroarch.retroarch" name="/run/user/1000/" pid=29115 comm="mkdir" requested_mask="c" denied_mask="c" fsuid=1001000 ouid=1001000
[  569.764225] audit: type=1400 audit(1637620097.016:1376): apparmor="DENIED" operation="open" namespace="root//lxd-retro-snap_<var-snap-lxd-common-lxd>" profile="snap.retroarch.retroarch" name="/usr/share/icons/" pid=29068 comm="desktop-launch" requested_mask="r" denied_mask="r" fsuid=1001000 ouid=1000000
[  569.765189] audit: type=1400 audit(1637620097.016:1377): apparmor="DENIED" operation="open" namespace="root//lxd-retro-snap_<var-snap-lxd-common-lxd>" profile="snap.retroarch.retroarch" name="/var/lib/snapd/desktop/icons/" pid=29068 comm="desktop-launch" requested_mask="r" denied_mask="r" fsuid=1001000 ouid=1000000
[  598.047465] audit: type=1326 audit(1637620125.322:1378): auid=4294967295 uid=1001000 gid=1001000 ses=4294967295 subj=lxd-retro-snap_</var/snap/lxd/common/lxd>//&:lxd-retro-snap_<var-snap-lxd-common-lxd>:snap.retroarch.retroarch pid=29254 comm="notify-send" exe="/snap/retroarch/957/usr/bin/notify-send" sig=0 arch=c000003e syscall=314 compat=0 ip=0x7f307b74289d code=0x50000
[  598.092148] audit: type=1326 audit(1637620125.370:1379): auid=4294967295 uid=1001000 gid=1001000 ses=4294967295 subj=lxd-retro-snap_</var/snap/lxd/common/lxd>//&:lxd-retro-snap_<var-snap-lxd-common-lxd>:snap.retroarch.retroarch pid=29259 comm="notify-send" exe="/snap/retroarch/957/usr/bin/notify-send" sig=0 arch=c000003e syscall=314 compat=0 ip=0x7f4cc950189d code=0x50000
[  612.089150] audit: type=1326 audit(1637620139.371:1380): auid=4294967295 uid=1001000 gid=1001000 ses=4294967295 subj=lxd-retro-snap_</var/snap/lxd/common/lxd>//&:lxd-retro-snap_<var-snap-lxd-common-lxd>:snap.retroarch.retroarch pid=29330 comm="notify-send" exe="/snap/retroarch/957/usr/bin/notify-send" sig=0 arch=c000003e syscall=314 compat=0 ip=0x7f32c37f089d code=0x50000
[  614.549737] audit: type=1400 audit(1637620141.832:1381): apparmor="DENIED" operation="open" namespace="root//lxd-retro-snap_<var-snap-lxd-common-lxd>" profile="snap.retroarch.retroarch" name="/etc/retroarch.cfg" pid=29068 comm="retroarch" requested_mask="r" denied_mask="r" fsuid=1001000 ouid=1000000
[  614.636659] audit: type=1400 audit(1637620141.920:1382): apparmor="DENIED" operation="connect" namespace="root//lxd-retro-snap_<var-snap-lxd-common-lxd>" profile="snap.retroarch.retroarch" pid=29068 comm="retroarch" family="unix" sock_type="stream" protocol=0 requested_mask="send receive connect" denied_mask="send receive connect" addr=none peer_addr="@/tmp/.X11-unix/X0" peer="---"
[  614.636700] audit: type=1400 audit(1637620141.920:1383): apparmor="DENIED" operation="connect" namespace="root//lxd-retro-snap_<var-snap-lxd-common-lxd>" profile="snap.retroarch.retroarch" pid=29068 comm="retroarch" family="unix" sock_type="stream" protocol=0 requested_mask="send receive connect" denied_mask="send receive connect" addr=none peer_addr="@/tmp/.X11-unix/X0" peer="---"
[  614.658792] audit: type=1400 audit(1637620141.944:1384): apparmor="DENIED" operation="connect" namespace="root//lxd-retro-snap_<var-snap-lxd-common-lxd>" profile="snap.retroarch.retroarch" pid=29068 comm="retroarch" family="unix" sock_type="stream" protocol=0 requested_mask="send receive connect" denied_mask="send receive connect" addr=none peer_addr="@/tmp/.X11-unix/X0" peer="---"

Retroarch error logs:

[WARN] [SDL_GL]: Failed to initialize SDL gfx context driver: No available video device
[INFO] [GL]: Found GL context: null
[INFO] [GL]: Detecting screen resolution 320x240.
[INFO] [GL]: Vendor: (null), Renderer: (null).
[INFO] [GL]: Version: (null).
[ERROR] [Video]: Cannot open video driver ... Exiting ...
[ERROR] Fatal error received in: "video_driver_init_internal()"

ubuntu@retro-snap:~$ snap version
snap    2.52.1
snapd   2.52.1
series  16
ubuntu  20.04
kernel  5.11.0-40-generic
ubuntu@retro-snap:~$ snap list | grep retro
retroarch          1.9.13.2                    957    latest/stable  libretro    -

LXC profile with “GPU forwarding”:

$ lxc profile show nvidia
config:
  environment.DISPLAY: :0
  environment.PULSE_SERVER: unix:/home/ubuntu/pulse-native
  nvidia.driver.capabilities: all
  nvidia.runtime: "true"
  user.user-data: |
    #cloud-config
    runcmd:
      - 'sed -i "s/; enable-shm = yes/enable-shm = no/g" /etc/pulse/client.conf'
    packages:
      - x11-apps
      - mesa-utils
      - pulseaudio
description: GUI LXD profile
devices:
  PASocket1:
    bind: container
    connect: unix:/run/user/1000/pulse/native
    gid: "1000"
    listen: unix:/home/ubuntu/pulse-native
    mode: "0777"
    security.gid: "1000"
    security.uid: "1000"
    type: proxy
    uid: "1000"
  X0:
    bind: container
    connect: unix:@/tmp/.X11-unix/X0
    listen: unix:@/tmp/.X11-unix/X0
    security.gid: "1000"
    security.uid: "1000"
    type: proxy
  mygpu:
    type: gpu
name: nvidia
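
A triage helper for the audit records above, as an added example that is not part of the original post: it groups AppArmor (type=1400) and seccomp (type=1326) records by profile, operation and target, so repeated entries such as the X11 connect denials collapse into one counted row. The function names and the choice of five sample records are assumptions made for this example.

```python
import re
from collections import Counter

# Five records copied from the dmesg output in the post (not the full log).
SAMPLE = r'''
[  568.079823] audit: type=1400 audit(1637620095.329:1374): apparmor="DENIED" operation="capable" namespace="root//lxd-retro-snap_<var-snap-lxd-common-lxd>" profile="/snap/snapd/13640/usr/lib/snapd/snap-confine" pid=29068 comm="snap-confine" capability=4  capname="fsetid"
[  569.035405] audit: type=1400 audit(1637620096.287:1375): apparmor="DENIED" operation="mkdir" namespace="root//lxd-retro-snap_<var-snap-lxd-common-lxd>" profile="snap.retroarch.retroarch" name="/run/user/1000/" pid=29115 comm="mkdir" requested_mask="c" denied_mask="c" fsuid=1001000 ouid=1001000
[  598.047465] audit: type=1326 audit(1637620125.322:1378): auid=4294967295 uid=1001000 gid=1001000 ses=4294967295 subj=lxd-retro-snap_</var/snap/lxd/common/lxd>//&:lxd-retro-snap_<var-snap-lxd-common-lxd>:snap.retroarch.retroarch pid=29254 comm="notify-send" exe="/snap/retroarch/957/usr/bin/notify-send" sig=0 arch=c000003e syscall=314 compat=0 ip=0x7f307b74289d code=0x50000
[  614.636659] audit: type=1400 audit(1637620141.920:1382): apparmor="DENIED" operation="connect" namespace="root//lxd-retro-snap_<var-snap-lxd-common-lxd>" profile="snap.retroarch.retroarch" pid=29068 comm="retroarch" family="unix" sock_type="stream" protocol=0 requested_mask="send receive connect" denied_mask="send receive connect" addr=none peer_addr="@/tmp/.X11-unix/X0" peer="---"
[  614.636700] audit: type=1400 audit(1637620141.920:1383): apparmor="DENIED" operation="connect" namespace="root//lxd-retro-snap_<var-snap-lxd-common-lxd>" profile="snap.retroarch.retroarch" pid=29068 comm="retroarch" family="unix" sock_type="stream" protocol=0 requested_mask="send receive connect" denied_mask="send receive connect" addr=none peer_addr="@/tmp/.X11-unix/X0" peer="---"
'''

# key=value where the value is either double-quoted or a bare token.
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse(line):
    """Return the key=value fields of one kernel audit record as a dict."""
    return {key: quoted or bare for key, quoted, bare in PAIR.findall(line)}

def summarize(text):
    """Count denial records per (profile, operation, target)."""
    counts = Counter()
    for line in text.splitlines():
        f = parse(line)
        if f.get("type") == "1400" and f.get("apparmor") == "DENIED":
            # AppArmor: the target is a path, a socket peer, or a capability name.
            target = f.get("name") or f.get("peer_addr") or f.get("capname", "?")
            counts[(f.get("profile", "?"), f.get("operation", "?"), target)] += 1
        elif f.get("type") == "1326":
            # seccomp: the snap profile is the last ':'-separated part of subj.
            profile = f.get("subj", "?").rsplit(":", 1)[-1]
            counts[(profile, "seccomp", "syscall " + f.get("syscall", "?"))] += 1
    return counts

if __name__ == "__main__":
    for (profile, op, target), n in summarize(SAMPLE).most_common():
        print(f"{n:3d}  {profile}  {op}  {target}")
```

Feeding it the full `dmesg` output instead of SAMPLE gives one row per distinct denial, which makes it easier to see which profile is refusing the abstract X11 socket.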