Turns out it’s because /sys/fs/cgroup
not being mounted. securityfs
is also required. (Got this inspiration from https://github.com/diddlesnaps/snapcraft-container/issues/8#issuecomment-1070825050)
Mount cgroup2 and securityfs inside the netns shell:
sudo mount -t cgroup2 cgroup2 /sys/fs/cgroup
sudo mount -t securityfs securityfs /sys/kernel/security/
After doing so, firefox snap could be launched in the network namespace.