Comment 48 for bug 1590561

Jamie Strandboge (jdstrand) wrote :

Considering the current implementation constraints that applications have to access various device files for GL (e.g., /dev/dri/card0) instead of having something trusted like mir do the direct access (see bug #1197133 for background), I don't think we can avoid this access:

  /sys/devices/pci[0-9]*/**/config r,

While https://www.kernel.org/doc/Documentation/filesystems/sysfs-pci.txt tells us it is rw, AppArmor can at least enforce readonly.

It is fine for webbrowser-app to access /sys/devices/pci[0-9]*/**/config, but before we add it for all applications, can you give the complete denial messages? Perhaps there is something more fine-grained we can use...
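To help answer the question about the denial messages, here is an added Python helper (not part of the bug report or of the AppArmor project) that parses a constructed set of AppArmor audit records and reports which ones a candidate rule such as `/sys/devices/pci[0-9]*/**/config r,` would permit and which would stay denied, for example a write that the read-only rule deliberately does not grant. The globbing is a simplified approximation of AppArmor's (`*` stops at `/`, `**` crosses it, `[...]` is a class), and the sample log lines are made up.

```python
import re

# Constructed sample of AppArmor audit records (not taken from the bug report).
SAMPLE_LOG = """\
audit: type=1400 apparmor="DENIED" operation="open" profile="webbrowser-app" name="/sys/devices/pci0000:00/0000:00:02.0/config" pid=1234 comm="webbrowser-app" requested_mask="r" denied_mask="r"
audit: type=1400 apparmor="DENIED" operation="open" profile="webbrowser-app" name="/sys/devices/pci0000:00/0000:00:1c.0/0000:02:00.0/config" pid=1234 comm="webbrowser-app" requested_mask="r" denied_mask="r"
audit: type=1400 apparmor="DENIED" operation="open" profile="webbrowser-app" name="/sys/devices/pci0000:00/0000:00:02.0/config" pid=1234 comm="webbrowser-app" requested_mask="w" denied_mask="w"
audit: type=1400 apparmor="DENIED" operation="open" profile="webbrowser-app" name="/sys/devices/pci0000:00/0000:00:02.0/resource0" pid=1234 comm="webbrowser-app" requested_mask="r" denied_mask="r"
"""

AUDIT_RE = re.compile(r'apparmor="DENIED".*?name="(?P<name>[^"]+)".*?requested_mask="(?P<mask>[^"]+)"')


def apparmor_glob_to_regex(rule_path):
    """Simplified AppArmor path globbing: '*' stops at '/', '**' crosses it,
    '[...]' is a character class. '?' and brace alternation are not handled."""
    out, i = [], 0
    while i < len(rule_path):
        if rule_path.startswith("**", i):
            out.append(".*")
            i += 2
        elif rule_path[i] == "*":
            out.append("[^/]*")
            i += 1
        elif rule_path[i] == "[":
            j = rule_path.index("]", i)
            out.append(rule_path[i:j + 1])
            i = j + 1
        else:
            out.append(re.escape(rule_path[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def check_rule(log_text, rule_path, rule_perms):
    """Split denial records into those the candidate rule would permit and those
    still denied: path not matched, or a mode (e.g. 'w') the rule does not grant."""
    rx = apparmor_glob_to_regex(rule_path)
    allowed, still_denied = [], []
    for m in filter(None, map(AUDIT_RE.search, log_text.splitlines())):
        entry = (m.group("name"), m.group("mask"))
        if rx.match(entry[0]) and set(entry[1]) <= set(rule_perms):
            allowed.append(entry)
        else:
            still_denied.append(entry)
    return allowed, still_denied


if __name__ == "__main__":
    print(check_rule(SAMPLE_LOG, "/sys/devices/pci[0-9]*/**/config", "r"))
```

Running it against real `dmesg`/auditd output in place of `SAMPLE_LOG` shows at a glance whether a narrower path (e.g. a single bus or function) would cover the observed accesses.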