Comment 7 for bug 1663221

Jamie Strandboge (jdstrand) wrote :

In discussing this more we decided that 'netlink raw' was too broad of a stroke. We can however adjust our seccomp policy for socket() for something like this:

socket PF_NETLINK SOCK_RAW NETLINK_KOBJECT_UEVENT

and then apparmor with:

# apparmor
# needed by QtSystems on X to detect mouse and keyboard. Note, the 'netlink raw'
# rule is not finely mediated by apparmor so we mediate with seccomp arg filtering.
network netlink raw,
/run/udev/data/c13:[0-9]* r,
/run/udev/data/+input:* r,

The above should be fine for non-root, but there is some more investigating to be had here. Allowing NETLINK_KOBJECT_UEVENT for a root process is undesirable.
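Added example, not from the bug report or from snapd: what the seccomp argument filter for `socket PF_NETLINK SOCK_RAW NETLINK_KOBJECT_UEVENT` comes to at the BPF level, plus a tiny in-process evaluator so the allow/deny decisions can be checked without installing the filter. It assumes the rest of the policy already permits non-netlink socket() calls, strips SOCK_CLOEXEC/SOCK_NONBLOCK before comparing the type, and leaves out the seccomp_data.arch check a real filter needs; the names filt, eval and decide are mine.

```c
#include <errno.h>
#include <linux/filter.h>
#include <linux/netlink.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/syscall.h>

#define ARG(n) offsetof(struct seccomp_data, args[n])   /* low 32 bits on little-endian */
#define DENY   (SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA))

/* socket(): non-netlink -> allow (assumed covered elsewhere); PF_NETLINK only when the
 * type is SOCK_RAW and the protocol is NETLINK_KOBJECT_UEVENT, else EPERM. A production
 * filter checks seccomp_data.arch first; load with prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER). */
static struct sock_filter filt[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_socket, 0, 7),              /* not socket() -> allow */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG(0)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AF_NETLINK, 0, 5),               /* not netlink  -> allow */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG(1)),
    BPF_STMT(BPF_ALU | BPF_AND | BPF_K, ~(unsigned)(SOCK_NONBLOCK | SOCK_CLOEXEC)), /* strip flags */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SOCK_RAW, 0, 3),                 /* netlink, not raw -> deny */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG(2)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NETLINK_KOBJECT_UEVENT, 0, 1),   /* other protocol -> deny */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    BPF_STMT(BPF_RET | BPF_K, DENY),
};

/* Interpreter for just the four opcodes used above (jump target = pc + 1 + offset). */
static unsigned int eval(const struct seccomp_data *d) {
    unsigned int acc = 0;
    for (size_t pc = 0; pc < sizeof filt / sizeof filt[0]; pc++) {
        const struct sock_filter *i = &filt[pc];
        switch (i->code) {
        case BPF_LD | BPF_W | BPF_ABS:  memcpy(&acc, (const char *)d + i->k, 4); break;
        case BPF_ALU | BPF_AND | BPF_K: acc &= i->k; break;
        case BPF_JMP | BPF_JEQ | BPF_K: pc += (acc == i->k) ? i->jt : i->jf; break;
        case BPF_RET | BPF_K:           return i->k;
        }
    }
    return SECCOMP_RET_KILL; /* unreachable for a well-formed program */
}

/* The filter's decision for socket(domain, type, protocol) on this architecture. */
static unsigned int decide(int domain, int type, int protocol) {
    struct seccomp_data d = { .nr = __NR_socket, .args = { domain, type, protocol } };
    return eval(&d);
}
```

Because the type is masked before comparison, a QtSystems-style socket(PF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, NETLINK_KOBJECT_UEVENT) is admitted, while a SOCK_DGRAM or NETLINK_ROUTE netlink socket gets EPERM instead of a kill.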