There is some KVM specificness such as /dev/kvm which one wouldn’t notice unless developing the apparmor profile under KVM. (Similarly there are VirtualBox specific virtual linux devices.) Missing access to these virtualizer specific virtual linux deivces can lead to an apparmor profile working in VirtualBox but not KVM or vice versa.
Hm. I thought /dev/kvm was only relevant on the host side when confining vm guests since you’d need to allow access to the hypervisor privileged components while confining other paths with Apparmor…