In discussing this more we decided that 'netlink raw' was too broad of a stroke. We can however adjust our seccomp policy for socket() for something like this:
socket PF_NETLINK SOCK_RAW NETLINK_KOBJECT_UEVENT
and then apparmor with:
# apparmor
# needed by QtSystems on X to detect mouse and keyboard. Note, the 'netlink raw'
# rule is not finely mediated by apparmor so we mediate with seccomp arg filtering.
network netlink raw,
/run/udev/data/c13:[0-9]* r,
/run/udev/data/+input:* r,
The above should be fine for non-root, but there is some more investigating to be had here. Allowing NETLINK_KOBJECT_UEVENT for a root process is undesirable.
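The seccomp argument filtering the comment relies on, shown as an added example that is not from this bug report or from the snappy/ubuntu-core launcher: a hand-built classic-BPF seccomp program (rather than the launcher's policy syntax) that lets socket(2) through only for PF_NETLINK + SOCK_RAW + NETLINK_KOBJECT_UEVENT and fails every other socket() call with EPERM, leaving all other syscalls alone. It assumes a little-endian x86-64 or aarch64 Linux host; X32_SYSCALL_BIT and SOCK_TYPE_MASK are local constants mirroring kernel values, and install_socket_filter/try_socket are names chosen here.

```c
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/netlink.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>
#if defined(__x86_64__)
#define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#else
#error "set ARCH_NR to this architecture's AUDIT_ARCH_* value"
#endif
#define X32_SYSCALL_BIT 0x40000000 /* x86-64 x32 ABI marker; no native nr on either arch reaches it */
#define SOCK_TYPE_MASK  0xf        /* local constant: kernel strips SOCK_CLOEXEC/SOCK_NONBLOCK like this */
#define ARG(i) offsetof(struct seccomp_data, args[i]) /* low 32 bits of arg i on little-endian */
static struct sock_filter filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),             /* foreign ABI: kill */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, X32_SYSCALL_BIT, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),             /* x32 socket() would dodge the JEQ below */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_socket, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),            /* anything that is not socket() */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG(0)),               /* domain */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, PF_NETLINK, 0, 6),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG(1)),               /* type, flag bits masked off */
    BPF_STMT(BPF_ALU | BPF_AND | BPF_K, SOCK_TYPE_MASK),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SOCK_RAW, 0, 3),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG(2)),               /* protocol */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NETLINK_KOBJECT_UEVENT, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),            /* exact triple from the policy line */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),    /* every other socket() */
};
int install_socket_filter(void) {
    struct sock_fprog prog = { .len = (unsigned short)(sizeof filter / sizeof filter[0]), .filter = filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1; /* required for unprivileged callers */
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}
int try_socket(int domain, int type, int protocol) {        /* 0 if socket() was allowed, else its errno */
    int fd = socket(domain, type, protocol);
    if (fd < 0) return errno;
    close(fd);
    return 0;
}
```

Once installed, socket(AF_NETLINK, SOCK_RAW|SOCK_CLOEXEC, NETLINK_KOBJECT_UEVENT) still works while NETLINK_ROUTE, SOCK_DGRAM or AF_INET variants fail with EPERM; the filter does not address the root-process concern raised above, which needs a separate decision.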