如何基于 jre 构建 snap

我是 jape 的开发人员，jape 是一个形式逻辑证明编辑器，它使用 java 提供 GUI，使用 OCaml 提供证明步骤引擎。（请参阅 github 上的 rbornat/jape）。我正在尝试将 jape 打包为 snap。该 snap 包含一个 jre，使用 jlink 和 adoptopenjdk 的 JDK 11 构建。它首先调用 jre 中的一个类。

为了构建 snap，我已经把它包含在内了，build-attributes: [keep-execstack]因为 JIT 编译器（还有另一个库，忘记是什么了）需要它。

snap 可以使用 --devmode 和 --dangerous。我告诉它连接到personal-files以便它可以访问~/.java，并连接到:home。到目前为止一切顺利。

但是 jre 的垃圾收集器会很多访问系统文件，向我展示snappy-debug。例如，它以

= AppArmor =
Time: Aug 14 18:49:17
Log: apparmor="ALLOWED" operation="open" profile="snap.jape.jape" name="/proc/1/cgroup" pid=40869 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /proc/1/cgroup (read)
Suggestion:
* adjust program to not access '@{PROC}/@{pid}/cgroup'

= AppArmor =
Time: Aug 14 18:49:18
Log: apparmor="ALLOWED" operation="open" profile="snap.jape.jape" name="/proc/40869/coredump_filter" pid=40869 comm="java" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
File: /proc/40869/coredump_filter (write)
Suggestion:
* adjust program to not access '@{PROC}/@{pid}/coredump_filter'

= AppArmor =
Time: Aug 14 18:49:18
Log: apparmor="ALLOWED" operation="truncate" profile="snap.jape.jape" name="/proc/40869/coredump_filter" pid=40869 comm="java" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
File: /proc/40869/coredump_filter (write)
Suggestion:
* adjust program to not access '@{PROC}/@{pid}/coredump_filter'

= AppArmor =
Time: Aug 14 18:49:18
Log: apparmor="ALLOWED" operation="open" profile="snap.jape.jape" name="/proc/sys/kernel/core_pattern" pid=40869 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /proc/sys/kernel/core_pattern (read)
Suggestion:
* adjust program to not access '@{PROC}/sys/kernel/core_pattern'

= AppArmor =
Time: Aug 14 18:49:18
Log: apparmor="ALLOWED" operation="open" profile="snap.jape.jape" name="/proc/sys/kernel/core_uses_pid" pid=40869 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /proc/sys/kernel/core_uses_pid (read)
Suggestion:
* adjust program to not access '@{PROC}/sys/kernel/core_uses_pid'

= AppArmor =
Time: Aug 14 18:49:18
Log: apparmor="ALLOWED" operation="open" profile="snap.jape.jape" name="/proc/1/cgroup" pid=40869 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /proc/1/cgroup (read)
Suggestion:
* adjust program to not access '@{PROC}/@{pid}/cgroup'

后来它花了很多时间阅读关于记忆的东西

= AppArmor =
Time: Aug 14 18:49:18
Log: apparmor="ALLOWED" operation="open" profile="snap.jape.jape" name="/sys/fs/cgroup/memory/user.slice/user-1000.slice/[email protected]/memory.limit_in_bytes" pid=40869 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /sys/fs/cgroup/memory/user.slice/user-1000.slice/[email protected]/memory.limit_in_bytes (read)
Suggestions:
* adjust program to not access '/sys/fs/cgroup/memory/user.slice/user-1000.slice/[email protected]/memory.limit_in_bytes'
* adjust program to not access '/sys/fs/cgroup/memory/user.slice/user-[0-9]*.slice/user@[0-9]*.service/memory.limit_in_bytes'

= AppArmor =
Time: Aug 14 18:49:18
Log: apparmor="ALLOWED" operation="open" profile="snap.jape.jape" name="/sys/fs/cgroup/memory/user.slice/user-1000.slice/[email protected]/memory.usage_in_bytes" pid=40869 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /sys/fs/cgroup/memory/user.slice/user-1000.slice/[email protected]/memory.usage_in_bytes (read)
Suggestions:
* adjust program to not access '/sys/fs/cgroup/memory/user.slice/user-1000.slice/[email protected]/memory.usage_in_bytes'
* adjust program to not access '/sys/fs/cgroup/memory/user.slice/user-[0-9]*.slice/user@[0-9]*.service/memory.usage_in_bytes'

我不知道如何让这个快照变得简单。system-files界面说快照不能查看/etc或/proc；layout机制不喜欢链接到proc/1/cgroup（这是我迄今为止尝试过的所有方法），我必须以某种方式提供运行 uid和pid值来描述发生了什么。然而，Snapcraft 的 Java 文档并没有提及任何这些困难。

帮助？