Comment 6 for bug 1465724

The capable(CAP_NET_ADMIN) check is triggered by this syscall that go makes:

  2223 open("/proc/sys/net/core/somaxconn", O_RDONLY|O_CLOEXEC) = 3

You can reproduce it by running the following command with and without sudo:

$ aa-exec -p foo -- cat /proc/sys/net/core/somaxconn # Won't trigger the denial
$ sudo aa-exec -p foo -- cat /proc/sys/net/core/somaxconn # Will trigger the denial