Comment 49 for bug 1590561

Olivier Tilloy (osomon) wrote :

I just upgraded my laptop to zesty and tested webbrowser-app in the unity8 session.
Santosh’s comment (#47) is incorrect. The first denial that I’m getting is /dev/dri/, and I’ve had to add it to the webbrowser-app profile to proceed to get further denials for PCI devices config:

type=AVC msg=audit(1488885677.369:1080): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/dev/dri/" pid=8151 comm="webbrowser-app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

After authorizing read access to /dev/dri/, I’m getting the following denials:

type=AVC msg=audit(1488885802.466:1091): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/sys/devices/pci0000:00/0000:00:02.0/revision" pid=8237 comm="webbrowser-app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

type=AVC msg=audit(1488885802.466:1092): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/sys/devices/pci0000:00/0000:00:02.0/config" pid=8237 comm="webbrowser-app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

type=AVC msg=audit(1488885802.466:1093): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/sys/devices/pci0000:00/0000:00:02.0/revision" pid=8237 comm="webbrowser-app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

type=AVC msg=audit(1488885802.466:1094): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/sys/devices/pci0000:00/0000:00:02.0/config" pid=8237 comm="webbrowser-app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

Which go away when allowing read access to the config files. And thus the application executes fine.

To summarize, here are the rules I’ve had to add to the webbrowser-app profile for the app to run under unity8:

  /dev/dri/ r,
  /sys/devices/pci[0-9]*/**/config r,
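
The triage step this comment walks through (read the denials, work out which paths were refused, then write rules) can be scripted. The following is an added example, not part of the original comment or of the AppArmor tooling; the function names are hypothetical and the sample log reuses four of the records quoted above. It collapses repeated denials and prints exact-path candidate rules for review.

```python
import re

# Sample input: four of the denial records quoted in the comment above.
SAMPLE_LOG = """\
type=AVC msg=audit(1488885677.369:1080): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/dev/dri/" pid=8151 comm="webbrowser-app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1488885802.466:1091): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/sys/devices/pci0000:00/0000:00:02.0/revision" pid=8237 comm="webbrowser-app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1488885802.466:1092): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/sys/devices/pci0000:00/0000:00:02.0/config" pid=8237 comm="webbrowser-app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1488885802.466:1093): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/sys/devices/pci0000:00/0000:00:02.0/revision" pid=8237 comm="webbrowser-app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
HEX_RE = re.compile(r'(?:[0-9A-Fa-f]{2})+')

def parse_record(line):
    """Return the key=value fields of one audit record as a dict."""
    fields = {}
    for key, raw, quoted in FIELD_RE.findall(line):
        if raw.startswith('"'):
            fields[key] = quoted
        elif key == "name" and HEX_RE.fullmatch(raw):
            # Paths with spaces or special characters are logged hex-encoded and unquoted.
            fields[key] = bytes.fromhex(raw).decode("utf-8", "replace")
        else:
            fields[key] = raw
    return fields

def summarize_denials(log_text, profile):
    """Count unique (path, denied_mask) pairs denied for one profile."""
    counts = {}
    for line in log_text.splitlines():
        f = parse_record(line)
        if f.get("apparmor") != "DENIED" or f.get("profile") != profile:
            continue
        key = (f.get("name", ""), f.get("denied_mask", ""))
        counts[key] = counts.get(key, 0) + 1
    return counts

def candidate_rules(counts):
    """Exact-path rules for human review; any widening to globs is a manual decision."""
    return ["  %s %s," % (path, mask) for path, mask in sorted(counts)]

if __name__ == "__main__":
    denials = summarize_denials(SAMPLE_LOG, "webbrowser-app")
    for (path, mask), n in sorted(denials.items()):
        print("%dx %s (%s)" % (n, path, mask))
    print("\n".join(candidate_rules(denials)))
```

The output lists each refused path once with its count, which makes it easier to decide how narrow a glob in the profile can stay.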