incomplete 'opengl' interface
Bug #1605768 reported by
Cemil Azizoglu
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Snappy |
Fix Released
|
High
|
Jamie Strandboge |
Bug Description
I tried running some of the snaps that use the 'opengl' interface on my Xenial machine with Intel Mesa drivers.
I received the following apparmor denials
/run/
/run/
and the following seccomp failures
memfd_create
Once these were added to the apparmor and seccomp profiles, the snaps work.
tags: | added: snapd-interface |
affects: | snapd (Ubuntu) → snappy |
Changed in snappy: | |
status: | In Progress → Fix Committed |
Changed in snappy: | |
milestone: | none → 2.12 |
To post a comment you must log in.
Note that for opengl client rendering the graphics driver uses the so called 'render' nodes in '/dev/dri'. On my system, this directory contains :
$ll /dev/dri/
total 0
drwxr-xr-x 2 root root 160 Jul 22 11:47 ./
drwxr-xr-x 20 root root 4700 Jul 22 11:47 ../
crw-rw----+ 1 root video 226, 0 Jul 22 11:47 card0
crw-rw----+ 1 root video 226, 1 Jul 22 11:47 card1
crw-rw---- 1 root video 226, 64 Jul 22 11:47 controlD64
crw-rw---- 1 root video 226, 65 Jul 22 11:47 controlD65
crw-rw----+ 1 root video 226, 128 Jul 22 11:47 renderD128
crw-rw----+ 1 root video 226, 129 Jul 22 11:47 renderD129
The driver uses udev to discover these nodes and needs access to the following files
/run/ udev/data/ c226:128 udev/data/ c226:129
/run/
in order to obtain the PCI information contained therein.
Therefore, composing the list of apparmor entries for the 'opengl' interface should query these render nodes. It can then form the paths by using the <major> and <minor> device numbers. I.e.
/run/udev/ data/c< major>: <minor>