Comment 14 for bug 1872175

Christian Ehrhardt  (paelzer) wrote :

Essentially the check iterates over all /proc/<numeric>
And there it does readlink to check if any has the target open.
In my example if any FD is a link to /dev/ttyUSB0

But this already is "graceful" the apparmor deny to
  readlink(fdpath, linkpath, sizeof(linkpath))
is
  apparmor="DENIED" operation="ptrace" profile="/usr/sbin/gpsd" pid=29314 comm="gpsd" requested_mask="read" denied_mask="read" peer="unconfined"
for path
  /proc/1/fd/2

The retval then is -1 and that makes it continue, which would not increase "cnt" of the pids that have it opened. So keeping that blocked should not break function at all.

And usually this has in dmesg something like
[52111.940870] kauditd_printk_skb: 153 callbacks suppressed

I checked and we can functionally go on with
 # triggered on fusercount, not strictly required and unsafe to allow
 # adding a denial rule silences the warnings
 deny ptrace read peer=unconfined,
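As an added illustration, not gpsd's own code, of the scan this comment describes: a fusercount-style walk over /proc/<pid>/fd in which a readlink() that returns -1 (for instance when AppArmor denies the ptrace read on another process's fd links) just skips that fd, so the pid never reaches cnt. The fake proc tree under /tmp, the /dev/ttyUSB0 target and the function names are constructed for this example.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Number of <pid> dirs under procroot with an fd symlink pointing at target.
 * readlink() failing (-1, e.g. EACCES) only skips that fd; cnt is unchanged. */
int count_openers(const char *procroot, const char *target) {
    DIR *proc = opendir(procroot);
    if (proc == NULL) return -1;
    int cnt = 0; struct dirent *pe, *fe; char fddir[4096], fdpath[4096], linkpath[4096];
    while ((pe = readdir(proc)) != NULL) {
        /* only /proc/<numeric>: skips self, sys, ., .. and friends */
        if (pe->d_name[0] == '\0' || pe->d_name[strspn(pe->d_name, "0123456789")] != '\0') continue;
        snprintf(fddir, sizeof(fddir), "%s/%s/fd", procroot, pe->d_name);
        DIR *fds = opendir(fddir);
        if (fds == NULL) continue;                /* process gone or fd dir denied */
        while ((fe = readdir(fds)) != NULL) {
            snprintf(fdpath, sizeof(fdpath), "%s/%s", fddir, fe->d_name);
            ssize_t n = readlink(fdpath, linkpath, sizeof(linkpath) - 1);
            if (n < 0) continue;                  /* -1: denied or not a link, skip */
            linkpath[n] = '\0';
            if (strcmp(linkpath, target) == 0) { cnt++; break; }   /* count each pid once */
        }
        closedir(fds);
    }
    closedir(proc);
    return cnt;
}

/* Constructed fixture, not a real /proc: pid 123 has fd 3 -> /dev/ttyUSB0, pid 789 has
 * a plain file as fd 1 (readlink fails, like a denied link), "self" is non-numeric. */
static void add_fd(const char *root, const char *pid, const char *fd, const char *to) {
    char p[4096];
    snprintf(p, sizeof(p), "%s/%s", root, pid);     mkdir(p, 0700);
    snprintf(p, sizeof(p), "%s/%s/fd", root, pid);  mkdir(p, 0700);
    snprintf(p, sizeof(p), "%s/%s/fd/%s", root, pid, fd);
    if (to != NULL) { if (symlink(to, p) != 0) perror("symlink"); }
    else { FILE *f = fopen(p, "w"); if (f) fclose(f); }
}

int demo_count(void) {
    char root[] = "/tmp/fakeproc.XXXXXX";        /* fixture is left behind in /tmp */
    if (mkdtemp(root) == NULL) return -1;
    add_fd(root, "123", "3", "/dev/ttyUSB0");
    add_fd(root, "789", "1", NULL);
    add_fd(root, "self", "2", "/dev/ttyUSB0");
    return count_openers(root, "/dev/ttyUSB0");  /* returns 1 */
}
```

Point count_openers() at the real "/proc" to scan the live system; the denied links on other users' processes are then simply skipped, matching the behaviour described in the comment.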