Comment 4 for bug 1817943

Christian Ehrhardt (paelzer) wrote:

Thanks a lot Brian!

The denies for /sys/devices will be covered by my recent upstream commit which is a bit less "open" :-)

This is stuff we really need to add:
  /usr/share/egl/egl_external_platform.d/ r,
  /usr/share/egl/egl_external_platform.d/** r,
  /proc/modules r,

Less open than you suggested, but it should work; I recently added upstream:
  /etc/glvnd/egl_vendor.d/{,*} r,
which together with the rule above should be fine.

Note: all that is only done if GL is enabled, which makes it rather secure not to open it up in general.

You added the following rules in your test, but I haven't seen the apparmor DENIED examples in any of the logs.
Would you mind running it without those rules and providing those deny example logs for:
  /proc/driver/nvidia/ r,
  /proc/driver/nvidia/** r,
  /dev/nvidiactl rw,

Once I have that I can push a change online extending what I did for i915 with what you identified.

Once we have that I can do an upload to Disco with all of it and we can give it a retry with all the platforms that we have.
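As an added example (not code from this bug thread or from libvirt), a small Python checker that reads AppArmor DENIED audit lines and reports which denials the rules quoted in this comment would not cover. The audit lines are constructed for illustration, and the glob translation handles only the `*`, `**`, `?` and `{a,b}` forms used here.

```python
import re

# Rules from the comment: the three "really need to add" lines plus the
# less open egl_vendor.d rule already added upstream. (pattern, perms)
RULES = [
    ("/usr/share/egl/egl_external_platform.d/", "r"),
    ("/usr/share/egl/egl_external_platform.d/**", "r"),
    ("/proc/modules", "r"),
    ("/etc/glvnd/egl_vendor.d/{,*}", "r"),
]

# Constructed audit lines in the shape the kernel emits for AppArmor denials.
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1551000000.000:1): apparmor="DENIED" operation="open" profile="libvirt-00000000-0000-0000-0000-000000000000" name="/proc/modules" pid=1234 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0',
    'type=AVC msg=audit(1551000000.000:2): apparmor="DENIED" operation="open" profile="libvirt-00000000-0000-0000-0000-000000000000" name="/usr/share/egl/egl_external_platform.d/10_nvidia.json" pid=1234 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0',
    'type=AVC msg=audit(1551000000.000:3): apparmor="DENIED" operation="open" profile="libvirt-00000000-0000-0000-0000-000000000000" name="/etc/glvnd/egl_vendor.d/10_nvidia.json" pid=1234 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0',
    'type=AVC msg=audit(1551000000.000:4): apparmor="DENIED" operation="open" profile="libvirt-00000000-0000-0000-0000-000000000000" name="/proc/driver/nvidia/params" pid=1234 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0',
    'type=AVC msg=audit(1551000000.000:5): apparmor="DENIED" operation="open" profile="libvirt-00000000-0000-0000-0000-000000000000" name="/dev/nvidiactl" pid=1234 comm="qemu-system-x86" requested_mask="wr" denied_mask="wr" fsuid=64055 ouid=0',
]

DENY_RE = re.compile(r'apparmor="DENIED".*?name="([^"]+)".*?denied_mask="([^"]+)"')


def _glob_body(pattern):
    """Translate an AppArmor path glob (simplified subset) into a regex body."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):      # any characters, across '/'
            out, i = out + ".*", i + 2
        elif pattern[i] == "*":              # any characters within one path component
            out, i = out + "[^/]*", i + 1
        elif pattern[i] == "?":              # one character, not '/'
            out, i = out + "[^/]", i + 1
        elif pattern[i] == "{":              # alternation, e.g. {,*}
            j = pattern.index("}", i)
            alts = pattern[i + 1:j].split(",")
            out, i = out + "(?:" + "|".join(_glob_body(a) for a in alts) + ")", j + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return out


def rule_allows(rule, path, mask):
    """True if the rule's pattern matches the path and grants every requested permission."""
    pattern, perms = rule
    return re.fullmatch(_glob_body(pattern), path) is not None and set(mask) <= set(perms)


def uncovered_denials(log_lines, rules):
    """Return (path, denied_mask) for DENIED entries that no rule in `rules` would allow."""
    missing = []
    for line in log_lines:
        m = DENY_RE.search(line)
        if m and not any(rule_allows(r, m.group(1), m.group(2)) for r in rules):
            missing.append((m.group(1), m.group(2)))
    return missing
```

Run against the constructed lines, only the nvidia paths remain uncovered, which is exactly the set of rules the comment asks for deny logs on before adding them.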