Comment 6 for bug 1967884

Jamie Strandboge (jdstrand) wrote :

Hey amurray, regarding /var/lib/snapd/apparmor/snap-confine.internal, I see that snapd uses this folder to write out snippets to help with certain kernels, etc. E.g., I see that right now I have /var/lib/snapd/apparmor/snap-confine.internal/cap-bpf which contains

capability bpf,

I was suggesting that if snapd detected a kernel with perfmon, it could choose to add a /var/lib/snapd/apparmor/snap-confine.internal/cap-perfmon file here that contained either `capability perfmon,` or `deny capability perfmon,` depending on whether snap-confine needed it.

You'd need to decide on what to do about net_admin still of course.
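The detect-then-write-a-snippet approach described in the comment above, as an added illustration that is not snapd's code or part of the original thread. It assumes the kernel advertises its highest known capability number in /proc/sys/kernel/cap_last_cap (it does; CAP_PERFMON is number 38 and appeared in Linux 5.8) and uses hypothetical helper names of its own; the snippet directory and file name come from the comment.

```shell
#!/bin/sh
# Added example, not snapd's implementation: decide whether the running kernel
# knows CAP_PERFMON and write (or remove) a snap-confine.internal snippet.
# CAP_PERFMON is capability number 38 (Linux 5.8+); the kernel reports the
# highest capability number it knows in /proc/sys/kernel/cap_last_cap.

CAP_PERFMON_NR=38

# kernel_has_perfmon LAST_CAP -> exit 0 if the kernel knows CAP_PERFMON
kernel_has_perfmon() {
    [ "$1" -ge "$CAP_PERFMON_NR" ]
}

# perfmon_snippet LAST_CAP MODE -> prints the AppArmor rule to write, or nothing
#   MODE is "allow" (snap-confine needs the capability) or "deny"
perfmon_snippet() {
    last_cap="$1"; mode="$2"
    if ! kernel_has_perfmon "$last_cap"; then
        return 0            # older kernel: write no rule at all
    fi
    case "$mode" in
        allow) echo "capability perfmon," ;;
        deny)  echo "deny capability perfmon," ;;
        *)     echo "unknown mode: $mode" >&2; return 1 ;;
    esac
}

# write_perfmon_snippet DIR LAST_CAP MODE -> writes DIR/cap-perfmon, or removes
# a stale one when the kernel does not know the capability
write_perfmon_snippet() {
    dir="$1"; last_cap="$2"; mode="$3"
    rule="$(perfmon_snippet "$last_cap" "$mode")" || return 1
    if [ -z "$rule" ]; then
        rm -f "$dir/cap-perfmon"
        return 0
    fi
    mkdir -p "$dir"
    printf '%s\n' "$rule" > "$dir/cap-perfmon"
}

# Usage on a live system (run as root, then reload the snap-confine profile):
# write_perfmon_snippet /var/lib/snapd/apparmor/snap-confine.internal \
#     "$(cat /proc/sys/kernel/cap_last_cap)" deny
```

Writing an explicit `deny` rule rather than simply omitting the capability is the more conservative choice: it keeps the confinement decision visible in the snippet directory and records that the capability was considered and refused, rather than leaving it implicit.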