incomplete 'opengl' interface

Note that for opengl client rendering the graphics driver uses the so called 'render' nodes in '/dev/dri'. On my system, this directory contains :

$ll /dev/dri/
total 0
drwxr-xr-x 2 root root 160 Jul 22 11:47 ./
drwxr-xr-x 20 root root 4700 Jul 22 11:47 ../
crw-rw----+ 1 root video 226, 0 Jul 22 11:47 card0
crw-rw----+ 1 root video 226, 1 Jul 22 11:47 card1
crw-rw---- 1 root video 226, 64 Jul 22 11:47 controlD64
crw-rw---- 1 root video 226, 65 Jul 22 11:47 controlD65
crw-rw----+ 1 root video 226, 128 Jul 22 11:47 renderD128
crw-rw----+ 1 root video 226, 129 Jul 22 11:47 renderD129

The driver uses udev to discover these nodes and needs access to the following files

  /run/udev/data/c226:128
  /run/udev/data/c226:129

in order to obtain the PCI information contained therein.

Therefore, composing the list of apparmor entries for the 'opengl' interface should query these render nodes. It can then form the paths by using the <major> and <minor> device numbers. I.e.

/run/udev/data/c<major>:<minor>

Thank you for reporting a bug. The /run/udev/data is usually non-fatal (but that doesn't mean we won't fix it). Can you:

1. add memfd_create to /var/lib/snapd/seccomp/profiles/snap.your.snap

2. try restarting your application and report back if it works or if you need more syscalls

3. add this to /var/lib/snapd/apparmor/profiles/snap.your.snap:
/run/udev/data/c226:12[89] r,

4. load the updated profile in the kernel with: sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap.your.snap

5. try restarting your application and report back if it works or if you need more rules

Thanks!

As I mentioned in the description, these do make my snap work.

I was more curious if just memfd_create allowed it to work, but it doesn't matter now.

You're right, just memfd_create makes it work... AppArmor denials still come happen but the app runs nevertheless.

This was fixed in 2.12 and is available in xenial-updates.