Robert,
This is a sample of my /var/log/kern.log messages regarding xfce4-netload-plugin attempts to read network traffic:
Apr 9 14:46:34 localhost kernel: [ 786.952187] audit: type=1400 audit(1428601594.953:805): apparmor="DENIED" operation="open" profile="/usr/lib/lightdm/lightdm-guest-session" name="/proc/23556/net/dev" pid=23556 comm="panel-2-netload" requested_mask="r" denied_mask="r" fsuid=129 ouid=0
In the example above, PID 23556 belongs to command "/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-1.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libnetload.so (...)"
In my experiments with apparmor profile for lightdm-guest-session, I've found that just granting read access to /proc/[0-9]*/net/dev is enough.
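The denial-to-rule step described in the comment above, as an added example that is not part of the original comment or of any AppArmor tooling: it parses `apparmor="DENIED"` audit lines, generalises the per-PID `/proc` path, and lists the narrowest file rule per profile for review. The function names, the second log line and the `wlan0` line are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the denial quoted above, a made-up second denial from
# another PID, and one unrelated kernel line that must be ignored.
SAMPLE_LOG = """\
Apr 9 14:46:34 localhost kernel: [ 786.952187] audit: type=1400 audit(1428601594.953:805): apparmor="DENIED" operation="open" profile="/usr/lib/lightdm/lightdm-guest-session" name="/proc/23556/net/dev" pid=23556 comm="panel-2-netload" requested_mask="r" denied_mask="r" fsuid=129 ouid=0
Apr 9 14:46:36 localhost kernel: [ 788.960412] audit: type=1400 audit(1428601596.961:806): apparmor="DENIED" operation="open" profile="/usr/lib/lightdm/lightdm-guest-session" name="/proc/24001/net/dev" pid=24001 comm="panel-2-netload" requested_mask="r" denied_mask="r" fsuid=129 ouid=0
Apr 9 14:46:40 localhost kernel: [ 792.104233] wlan0: associated
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
PROC_PID = re.compile(r"^/proc/\d+/")
REQUIRED = {"profile", "name", "denied_mask"}

def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED line, or None."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD.finditer(line)}

def candidate_rules(log_text):
    """Map each profile to the file rules that would cover its denials."""
    masks = defaultdict(set)  # (profile, generalised path) -> denied permissions
    for line in log_text.splitlines():
        ev = parse_denial(line)
        if not ev or not REQUIRED <= ev.keys():
            continue
        # Per-process /proc entries change with every PID, so match any PID.
        path = PROC_PID.sub("/proc/[0-9]*/", ev["name"])
        # Logs report create/delete as c/d; profile rules express both as w.
        masks[(ev["profile"], path)] |= {"w" if c in "cd" else c
                                         for c in ev["denied_mask"]}
    rules = defaultdict(list)
    for (profile, path), perms in sorted(masks.items()):
        if "x" in perms:
            continue  # exec rules need an explicit transition mode; review by hand
        mode = "".join(p for p in "rwaklm" if p in perms)
        rules[profile].append(f"{path} {mode},")
    return dict(rules)

if __name__ == "__main__":
    for profile, lines in candidate_rules(SAMPLE_LOG).items():
        print(f"# profile {profile}")
        for rule in lines:
            print("  " + rule)
```

Only the permissions that were actually denied are emitted, so the two sample denials collapse into a single read-only rule rather than a broader grant on `/proc`.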