rule with owner match has fsuid=1000 ouid=0 denial with named socket with owner permissions

Bug #1731012 reported by Jamie Strandboge
Affects: AppArmor | Status: New | Importance: Undecided | Assigned to: Unassigned | Milestone: none

Bug Description

Electron applications use this to ensure only one instance of the application is running: https://chromium.googlesource.com/chromium/chromium/+/master/chrome/browser/process_singleton_linux.cc#

Part of this involves creating a named socket in XDG_RUNTIME_DIR, e.g.:

$ ls -l /run/user/1000/snap.mailspring/.org.chromium.Chromium.Aoy3tc
total 0
lrwxrwxrwx 1 jamie jamie 19 Nov 8 10:19 SingletonCookie -> 8465438638122226111
srwxr-xr-x 1 jamie jamie 0 Nov 8 10:19 SS

In snappy, we have the following rule:

  owner /run/user/[0-9]*/snap.@{SNAP_NAME}/** mrwklix,

Under certain circumstances[1] a read denial pops out due to owner mismatch:

apparmor="DENIED" operation="file_perm" profile="snap.mailspring.mailspring" name="/run/user/1000/snap.mailspring/.org.chromium.Chromium.Aoy3tc/SS" pid=17066 comm="mailspring" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

but on the filesystem the file is owned by 1000:1000 (the application is run by the non-root user and the application isn't setuid and doesn't have file ACLs). I don't yet have a simplified reproducer for this, but (a complex) one exists in the forum[1]. Adding the aa-kernel task for now.

[1] https://forum.snapcraft.io/t/electron-snap-killed-when-using-app-makesingleinstance-api/2667/20
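An added example, not code from this report or from snapd: a small Python triage script that parses AppArmor DENIED audit lines like the one quoted above, checks whether the denied path is covered by the snapd owner rule's glob (with @{SNAP_NAME} expanded to mailspring, an assumption for this example), and flags the fsuid/ouid mismatch this bug describes. The sample log lines are constructed, modelled on the denial in the report.

```python
import re

# Constructed sample audit lines, modelled on the denial quoted in the report (not real captures).
SAMPLE_LOG = """\
apparmor="DENIED" operation="file_perm" profile="snap.mailspring.mailspring" name="/run/user/1000/snap.mailspring/.org.chromium.Chromium.Aoy3tc/SS" pid=17066 comm="mailspring" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
apparmor="DENIED" operation="open" profile="snap.mailspring.mailspring" name="/etc/shadow" pid=17066 comm="mailspring" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
apparmor="DENIED" operation="open" profile="snap.mailspring.mailspring" name="/run/user/1000/snap.mailspring/state.db" pid=17066 comm="mailspring" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000
"""

# The snapd rule's path glob with @{SNAP_NAME} expanded to mailspring (assumed for this example).
OWNER_RULE_GLOB = "/run/user/[0-9]*/snap.mailspring/**"

def parse_audit_line(line):
    """Split an AppArmor audit line into key=value fields; numeric values become ints."""
    fields = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|(\S+))', line):
        val = m.group(2) if m.group(2) is not None else m.group(3)
        fields[m.group(1)] = int(val) if val.isdigit() else val
    return fields

def aa_glob_to_regex(glob):
    """Translate AppArmor path globbing: ** crosses '/', * and ? do not, [..] is a class."""
    special = {"**": ".*", "*": "[^/]*", "?": "[^/]"}
    parts = []
    for tok in re.findall(r"\*\*|\*|\?|\[[^\]]*\]|.", glob):
        if tok in special:
            parts.append(special[tok])
        elif tok.startswith("["):
            parts.append(tok)  # character class passes through unchanged
        else:
            parts.append(re.escape(tok))
    return re.compile("^" + "".join(parts) + "$")

def classify_denial(line, rule_glob=OWNER_RULE_GLOB):
    """Explain a DENIED line: path outside the owner rule, owner mismatch, or something else."""
    f = parse_audit_line(line)
    if f.get("apparmor") != "DENIED":
        return None
    if not aa_glob_to_regex(rule_glob).match(f.get("name", "")):
        return "outside-rule"
    if f["fsuid"] != f["ouid"]:
        return "owner-mismatch"  # the case in this bug: fsuid=1000 but ouid=0
    return "other"

def triage(log_text):
    """Return (path, verdict) for every DENIED line in the log text."""
    verdicts = [(parse_audit_line(l).get("name"), classify_denial(l)) for l in log_text.splitlines()]
    return [(p, v) for p, v in verdicts if v]
```

An "owner-mismatch" verdict on a path the process itself created, as here, is worth comparing against `ls -ln` output before assuming the rule is wrong.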

Tags: aa-kernel