Hey amurray, regarding /var/lib/snapd/apparmor/snap-confine.internal, I see that snapd uses this folder to write out snippets to help with certain kernels, etc. E.g., I see that right now I have /var/lib/snapd/apparmor/snap-confine.internal/cap-bpf which contains
`capability bpf,`
I was suggesting that if snapd detected a kernel with perfmon, it could choose to add a /var/lib/snapd/apparmor/snap-confine.internal/cap-perfmon file here that contained either `capability perfmon,` or `deny capability perfmon,` depending on whether snap-confine needed it.
You'd need to decide on what to do about net_admin still of course.
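As an added illustration of the suggestion above (this is not snapd's code, and the detection method is an assumption), the following POSIX shell sketch gates the `cap-perfmon` snippet on whether the running kernel defines CAP_PERFMON at all, using `/proc/sys/kernel/cap_last_cap` (CAP_PERFMON is capability number 38 in the kernel's uapi header, added in 5.8), and then writes either the allow or the deny rule into the snippet directory named in the comment:

```shell
#!/bin/sh
# Added example, not snapd's own code. Writes a cap-perfmon snippet into a
# snap-confine.internal directory only when the running kernel knows
# CAP_PERFMON; the directory and file name follow the comment above, the
# detection via cap_last_cap is an assumption of this example.

CAP_PERFMON_NR=38   # CAP_PERFMON in include/uapi/linux/capability.h (kernel >= 5.8)

# Highest capability number the running kernel defines.
# CAP_LAST_CAP_OVERRIDE is a hypothetical hook so the logic can be exercised
# without touching /proc.
cap_last_cap() {
    if [ -n "${CAP_LAST_CAP_OVERRIDE:-}" ]; then
        echo "$CAP_LAST_CAP_OVERRIDE"
    else
        cat /proc/sys/kernel/cap_last_cap
    fi
}

# Succeeds (exit 0) when the kernel defines capability number $1.
kernel_has_cap() {
    [ "$(cap_last_cap)" -ge "$1" ]
}

# Print the snippet body for perfmon. $1 is "needed" or "unneeded".
# Prints nothing on a kernel without CAP_PERFMON, matching the comment's
# idea that the snippet only appears once a perfmon-capable kernel is seen.
perfmon_snippet() {
    if ! kernel_has_cap "$CAP_PERFMON_NR"; then
        return 0
    fi
    case "$1" in
        needed) echo "capability perfmon," ;;
        *)      echo "deny capability perfmon," ;;
    esac
}

# Create or remove $1/cap-perfmon, where $1 would be
# /var/lib/snapd/apparmor/snap-confine.internal on a real system.
# $2 is "needed" or "unneeded".
write_perfmon_snippet() {
    dir="$1"
    body="$(perfmon_snippet "$2")"
    if [ -z "$body" ]; then
        rm -f "$dir/cap-perfmon"   # no perfmon on this kernel: leave no stale rule behind
        return 0
    fi
    mkdir -p "$dir"
    printf '%s\n' "$body" > "$dir/cap-perfmon"
}
```

Removing the file when the kernel lacks the capability keeps the snippet directory from carrying a rule that no longer matches the booted kernel; the net_admin question raised in the comment is left untouched here.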