Indeed, the library is shipped by the snap. To be exact, it is shipped by the platform snap that the firefox snap uses as its base (gnome-3-38-2004), and the snap sees it at `$SNAP/gnome-platform/usr/lib/x86_64-linux-gnu/libEGL.so`. The snap's launcher modifies `LD_LIBRARY_PATH` accordingly. This is the value for a webcontent (child) process (where `x21` is the snap's revision, because I manually installed an instrumented build):
LD_LIBRARY_PATH=/snap/firefox/x21/usr/lib/firefox:/var/lib/snapd/lib/gl:/var/lib/snapd/lib/gl32:/var/lib/snapd/void:/snap/firefox/x21/usr/lib:/snap/firefox/x21/usr/lib/x86_64-linux-gnu:/snap/firefox/x21/gnome-platform/lib/x86_64-linux-gnu:/snap/firefox/x21/gnome-platform/usr/lib/x86_64-linux-gnu:/snap/firefox/x21/gnome-platform/usr/lib:/snap/firefox/x21/gnome-platform/lib:/snap/firefox/x21/gnome-platform/usr/lib/x86_64-linux-gnu/dri:/var/lib/snapd/lib/gl:/snap/firefox/x21/gnome-platform/usr/lib/x86_64-linux-gnu/libunity:/snap/firefox/x21/gnome-platform/usr/lib/x86_64-linux-gnu/pulseaudio
The path in question is there, so it's not immediately clear to me why it's not being added to the policy's list of readonly paths. Maybe the call to `realpath(…)` doesn't work well with the snap's confinement?
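One way to test the `realpath(…)` hypothesis above, as an added diagnostic that is not part of the original comment or of Firefox's code: it resolves every `LD_LIBRARY_PATH` entry with `realpath()` and reports the errno for each entry that fails. It assumes the policy code skips entries that `realpath()` cannot resolve; `resolve_entries` and `struct entry` are hypothetical names.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ENTRIES 64

/* Added diagnostic; assumes the policy builder drops entries realpath() rejects. */
struct entry {
    char path[PATH_MAX];      /* entry as written in the variable */
    char resolved[PATH_MAX];  /* realpath() result, empty on failure */
    int err;                  /* 0 on success, else errno from realpath() */
};

/* Split a colon-separated search path and resolve each non-empty entry.
 * Returns the number of entries stored in out. */
int resolve_entries(const char *value, struct entry *out, int max)
{
    int n = 0;
    const char *p = value;
    while (p && *p && n < max) {
        const char *colon = strchr(p, ':');
        size_t len = colon ? (size_t)(colon - p) : strlen(p);
        if (len > 0 && len < PATH_MAX) {
            struct entry *e = &out[n++];
            memcpy(e->path, p, len);
            e->path[len] = '\0';
            e->err = realpath(e->path, e->resolved) ? 0 : errno;
            if (e->err) e->resolved[0] = '\0';  /* contents unspecified on failure */
        }
        p = colon ? colon + 1 : NULL;
    }
    return n;
}

int main(void)
{
    static struct entry entries[MAX_ENTRIES];
    const char *value = getenv("LD_LIBRARY_PATH");
    int n = resolve_entries(value ? value : "", entries, MAX_ENTRIES);
    for (int i = 0; i < n; i++) {
        if (entries[i].err)
            printf("FAIL %s: %s\n", entries[i].path, strerror(entries[i].err));
        else
            printf("ok   %s -> %s\n", entries[i].path, entries[i].resolved);
    }
    return 0;
}
```

Running it with the `LD_LIBRARY_PATH` value above, once inside the snap's confinement and once outside, shows whether the `gnome-platform` entries resolve differently in the two environments.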