Hi @dclane, Thanks for looking into it. To answer your questions:
Does hugepages-control not give enough read access to /sys/kernel/mm/hugepages/? (negating the need for system-files-hugepages)
I have issues getting hugepages-control working by itself. I talked about it in a forum post starting here. As best I can tell from source, OpenJDK is looking for directories in /sys/kernel/mm/hugepages matching hugepages-[0-9]*kB. I may be misinterpreting the AppArmor rules, but I believe hugepages-control’s allowed directories don’t allow the subdirectories to end in kB.
Read access to all of /dev/ - are you able to elaborate on how this is to be used / why it is needed?
Currently, Autopsy scans for any readable device in /dev starting with hd, sd, or disk. If I just enable block-devices, I can see /dev/sda. If I enable the read access to /dev, I can also see the partitions like /dev/sda1, /dev/sda2, etc. I think the users would likely appreciate the flexibility. Is there a better way of doing this?
I see in your snapcraft.yaml (although not requested here) that you have browser-support with allow-sandbox: true which is also rarely granted (and requires vetting); Is that something you’re planning on keeping/requesting too?
No, that’s a mistake on my part. I can take that out. Initially, I was concerned that the JavaFX webview might not work without it, but after further review, I think I was wrong about that.