apparmor failure on udev with opengl interface
Bug #1589671 reported by Alan Pope 🍺🐧🐱 🦄
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Snappy | Fix Released | Medium | Jamie Strandboge |
Bug Description
With a mame snap I made, I get this with "snappy-
Time: Jun 6 20:55:31
Log: apparmor="ALLOWED" operation="open" profile=
File: /run/udev/
Suggestions:
* adjust program to use $SNAP_DATA
* adjust program to use /run/shm/
Changed in snappy: status: Triaged → In Progress
I think what is happening is this comes up when the app is trying to use the opengl device. What are the contents of the file? Ie:
$ cat "/run/udev/data/+pci:0000:00:02.0"
Regardless of if it is opengl or something else, the proper way to fix this is to query udev to get the files in /run/udev based on the device file used in /dev. In this manner we can give precise access to files in /run/udev/data.
In the meantime, it is possible to add this glob rule:
/run/udev/data/** r,
That constitutes an information leak though as there can be sensitive data in this directory (eg, MAC addresses, hardware identifiers, information for data mining, etc) so we should plan on querying udev for precise access instead of always keeping the glob rule.
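One way to derive the precise rules the comment above asks for, as an added example that is not part of the original bug report or snapd's code. It reads sysfs directly instead of calling libudev, and it assumes udev's database naming: `b`/`c<major>:<minor>` for device nodes, `n<ifindex>` for network interfaces, and `+<subsystem>:<sysname>` otherwise. The function names are hypothetical.

```python
import os
import stat
import sys

def udev_db_name(syspath):
    """Name of the udev database file for one sysfs device directory."""
    subsystem = os.path.basename(os.readlink(os.path.join(syspath, "subsystem")))
    dev_file = os.path.join(syspath, "dev")
    ifindex_file = os.path.join(syspath, "ifindex")
    if os.path.exists(dev_file):       # has a device node: b<maj>:<min> or c<maj>:<min>
        with open(dev_file) as f:
            return ("b" if subsystem == "block" else "c") + f.read().strip()
    if os.path.exists(ifindex_file):   # network interface: n<ifindex>
        with open(ifindex_file) as f:
            return "n" + f.read().strip()
    return "+%s:%s" % (subsystem, os.path.basename(syspath))  # e.g. +pci:0000:00:02.0

def udev_rules_for(syspath, sys_root="/sys"):
    """AppArmor read rules for a device and each parent device above it."""
    top = os.path.realpath(os.path.join(sys_root, "devices"))
    path = os.path.realpath(syspath)
    rules = []
    while path.startswith(top + os.sep):
        # Only directories with a "subsystem" link are devices known to udev.
        if os.path.islink(os.path.join(path, "subsystem")):
            rules.append("/run/udev/data/%s r," % udev_db_name(path))
        path = os.path.dirname(path)
    return rules

def syspath_for_devnode(devnode, sys_root="/sys"):
    """Map a node under /dev to its sysfs directory via /sys/dev/{block,char}."""
    st = os.stat(devnode)
    kind = "block" if stat.S_ISBLK(st.st_mode) else "char"
    devnum = "%d:%d" % (os.major(st.st_rdev), os.minor(st.st_rdev))
    return os.path.realpath(os.path.join(sys_root, "dev", kind, devnum))

if __name__ == "__main__":
    # Usage (example device node): script.py /dev/dri/card0
    for node in sys.argv[1:]:
        for rule in udev_rules_for(syspath_for_devnode(node)):
            print(rule)
```

For a DRM card sitting on the PCI device from this report, the output is one rule for the card's own node and one for `+pci:0000:00:02.0`, so the profile never needs the `/run/udev/data/**` glob.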