With 4.13.0-32.35-generic in 18.04 (via livecd), it seems that only this is needed:
/upper/{,**/} r,
AFAICT, /upper/ is not accessible to the process (ls /upper/ or ls /upper/foo) so the rule doesn't seem to be abusable. It would be nice if we didn't need this rule of course.
With 4.13.0- 32.35-generic in 18.04 (via livecd), it seems that only this is needed:
/upper/{,**/} r,
AFAICT, /upper/ is not accessible to the process (ls /upper/ or ls /upper/foo) so the rule doesn't seem to be abusable. It would be nice if we didn't need this rule of course.