Considering the current implementation constraints that applications have to access various device files for GL (e.g., /dev/dri/card0) instead of having something trusted like mir do the direct access (see bug #1197133 for background), I don't think we can avoid this access:
/sys/devices/pci[0-9]*/**/config r,
While https://www.kernel.org/doc/Documentation/filesystems/sysfs-pci.txt tells us it is rw, AppArmor can at least enforce readonly.
It is fine for webbrowser-app to /sys/devices/pci[0-9]*/**/config, but before we add it for all applications, can you give the complete denial messages? Perhaps there is something more fine-grained we can use....
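An added example, not part of the original comment: one way to triage the complete denial messages against the proposed rule, showing which denied paths a read-only rule on /sys/devices/pci[0-9]*/**/config would cover and which it would not. The log lines, the profile name example-app and the function names are constructed for illustration; the glob translation handles only the constructs this rule uses.

```python
import re

KV = re.compile(r'(\w+)="([^"]*)"')
RULE_GLOB = "/sys/devices/pci[0-9]*/**/config"  # path from the rule in the comment

# Constructed sample lines in the audit format AppArmor uses for denials.
SAMPLE_LOG = '''\
type=1400 audit(1380000000.100:51): apparmor="DENIED" operation="open" profile="example-app" name="/sys/devices/pci0000:00/0000:00:02.0/config" pid=2101 comm="example-app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=1400 audit(1380000000.200:52): apparmor="DENIED" operation="open" profile="example-app" name="/sys/devices/pci0000:00/0000:00:02.0/vendor" pid=2101 comm="example-app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=1400 audit(1380000000.300:53): apparmor="DENIED" operation="open" profile="example-app" name="/sys/devices/pci0000:00/0000:00:1f.3/config" pid=2101 comm="example-app" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=0
type=1400 audit(1380000000.400:54): apparmor="ALLOWED" operation="open" profile="example-app" name="/dev/dri/card0" pid=2101 comm="example-app" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0
'''

def glob_to_regex(glob):
    """Translate the AppArmor globs used here: ** crosses '/', * does not."""
    out, i = "", 0
    while i < len(glob):
        if glob.startswith("**", i):
            out, i = out + ".*", i + 2
        elif glob[i] == "*":
            out, i = out + "[^/]*", i + 1
        elif glob[i] == "[":                      # character class, copied as-is
            j = glob.index("]", i)
            out, i = out + glob[i:j + 1], j + 1
        else:
            out, i = out + re.escape(glob[i]), i + 1
    return re.compile("^" + out + "$")

def parse_denials(log):
    """Return the key="value" fields of every DENIED line that names a path."""
    rows = [dict(KV.findall(line)) for line in log.splitlines()]
    return [f for f in rows if f.get("apparmor") == "DENIED" and "name" in f]

def review(log, glob=RULE_GLOB):
    """Sort denied paths by whether a read-only rule on `glob` resolves them."""
    rx = glob_to_regex(glob)
    result = {"covered": set(), "needs_more_than_r": set(), "not_matched": set()}
    for d in parse_denials(log):
        if not rx.match(d["name"]):
            result["not_matched"].add(d["name"])
        elif set(d.get("denied_mask", "")) - {"r"}:
            result["needs_more_than_r"].add(d["name"])
        else:
            result["covered"].add(d["name"])
    return {k: sorted(v) for k, v in result.items()}

if __name__ == "__main__":
    for bucket, paths in review(SAMPLE_LOG).items():
        print(bucket, paths)
```

Paths reported under not_matched are the ones to look at when deciding whether a narrower or different rule fits better than the broad glob.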