@jdstrand thoughts on adding read rules for
/sys/fs/cgroup/cpu,cpuacct/system.slice/snap.${SNAP_NAME}.${SNAP_APP}.service/cpu.cfs_quota_us
and various other cpu cgroup properties to something like system-observe?
I’ve seen a fair number of Java applications (i.e. cassandra comes to my mind immediately) try with read access on these, presumably for some kind of JVM optimization.
See https://www.kernel.org/doc/html/latest/scheduler/sched-bwc.html for some documentation of what those do.
Note that this denial has cropped up at Pulseaudio on core18 and desktop-qt5 and Ubuntu Core 16.04 on Dell Edge GW - Apparmor denial of read of files is /sys/fs/cgroup/ as well