I had shot at updating the snap-confine AppArmor policy, adding the following rules:
# support for xdg-desktop-portal documents portal
mount options=(rw bind) /run/user/[0-9]*/doc/by-app/* -> /run/user/[0-9]*/doc,
But I'm still having trouble getting this to work. The weird thing is that I'm not seeing any denial error in syslog. Looking at the strace output, I just get a permission denied error from the syscall:
mount("/run/user/1000/doc/by-app/snap.pkg.file-roller", "/run/user/1000/doc", NULL, MS_NOSUID|MS_NODEV|MS_BIND, NULL) = -1 EACCES (Permission denied)
Is there anything obvious that I'm doing wrong here?