Comment 3 for bug 1703674

With 4.13.0-32.35-generic in 18.04 (via livecd), it seems that only this is needed:

  /upper/{,**/} r,

AFAICT, /upper/ is not accessible to the process (ls /upper/ or ls /upper/foo) so the rule doesn't seem to be abusable. It would be nice if we didn't need this rule of course.