So while I don't think we are where snapd can get rid of the snap-confine.internal snippets, with it now vendoring a more recent apparmor, a lot of these can drop away. It doesn't need to detect capabilities anymore.
It can just specify
deny capability perfmon,
and it will work, for all kernels.