Not sure where to put this; I just did not see this discussed. This might be an issue for all distributions that use the vendored apparmor and support snapd re-execution packaging.
AFAIU, if the mainline kernel merges the apparmor patches (according to jjohansen), snapd needs to vendor a newer apparmor version (>=4.1) in order to support af_unix mediation / full sandbox.
This might break the sandbox in unexpected ways.
E.g. currently, if I install ubuntu:25.04 via LXD, that provides apparmor 4.1 and snapd via the apt package, so if I were running the patched mainline kernel, it should still support the full sandbox. If I switched to the snapd snap, that would use the vendored apparmor 4.0.2.
So I guess that means that a newer apparmor needs to be vendored into snapd latest/stable before the mainline kernel patches go live(?).
Context where that thought originated: