@niemeyer, I think we can drop kernel-module-control as well. While we get the denial below (looks like iproute2 is calling into iptables which does some modprobing), my basic mainline testing seems to be ok without that interface so lets not include kernel-module-control for now.
= AppArmor =
Time: Jul 3 18:02:33
Log: apparmor=“DENIED” operation=“capable” profile=“snap.nova-hypervisor.nova-compute” pid=18201 comm=“ip” capability=16 capname=“sys_module”
Capability: sys_module
Suggestions:
- adjust program to not require ‘CAP_SYS_MODULE’ (see ‘man 7 capabilities’)
- configure modules on the system instead of via snap