Running on xenial + xenial overlay.
The camera cannot be accessed. Seeing the following apparmor denials:
bfiller@blackhorse:~$ tail -f /var/log/syslog | grep DEN
Sep 22 11:14:11 blackhorse dbus[1811]: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/gtk/vfs/Daemon" interface="org.gtk.vfs.Daemon" member="ListMonitorImplementations" mask="send" name=":1.7" pid=4207 label="webbrowser-app" peer_pid=1919 peer_label="unconfined"
Sep 22 11:14:11 blackhorse kernel: [ 2448.215755] audit: type=1400 audit(1474557251.512:59): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/usr/share/gvfs/remote-volume-monitors/" pid=4207 comm="webbrowser-app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Sep 22 11:14:11 blackhorse kernel: [ 2448.224997] audit: type=1400 audit(1474557251.524:60): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/sys/bus/" pid=4207 comm="webbrowser-app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Sep 22 11:14:11 blackhorse kernel: [ 2448.225064] audit: type=1400 audit(1474557251.524:61): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/sys/class/drm/" pid=4207 comm="webbrowser-app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Sep 22 11:14:11 blackhorse dbus[1811]: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/gtk/vfs/mounttracker" interface="org.gtk.vfs.MountTracker" member="ListMountableInfo" mask="send" name=":1.7" pid=4207 label="webbrowser-app" peer_pid=1919 peer_label="unconfined"
Sep 22 11:14:11 blackhorse kernel: [ 2448.663730] audit: type=1400 audit(1474557251.960:62): apparmor="DENIED" operation="open" profile="webbrowser-app//oxide_helper" name="/sys/devices/system/cpu/cpufreq/policy0/cpuinfo_max_freq" pid=4220 comm="oxide-renderer" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Sep 22 11:14:11 blackhorse kernel: [ 2448.670941] audit: type=1400 audit(1474557251.968:63): apparmor="DENIED" operation="open" profile="webbrowser-app//oxide_helper" name="/opt/google/chrome/PepperFlash/manifest.json" pid=4220 comm="oxide-renderer" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Sep 22 11:14:11 blackhorse kernel: [ 2448.675938] audit: type=1400 audit(1474557251.972:64): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/sys/bus/" pid=4207 comm="webbrowser-app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Sep 22 11:14:11 blackhorse kernel: [ 2448.675983] audit: type=1400 audit(1474557251.972:65): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/sys/class/drm/" pid=4207 comm="webbrowser-app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Sep 22 11:14:11 blackhorse kernel: [ 2448.680663] audit: type=1400 audit(1474557251.976:66): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/opt/google/chrome/PepperFlash/manifest.json" pid=4207 comm="webbrowser-app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Sep 22 11:14:12 blackhorse kernel: [ 2448.723161] audit: type=1400 audit(1474557252.020:67): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6-1000" pid=4243 comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Sep 22 11:14:12 blackhorse kernel: [ 2448.723181] audit: type=1400 audit(1474557252.020:68): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6" pid=4242 comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=108
Sep 22 11:14:17 blackhorse kernel: [ 2453.723913] audit: type=1400 audit(1474557257.020:73): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6-1000" pid=4243 comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Sep 22 11:14:17 blackhorse kernel: [ 2453.724018] audit: type=1400 audit(1474557257.020:74): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6" pid=4242 comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=108
Sep 22 11:14:17 blackhorse kernel: [ 2453.724120] audit: type=1400 audit(1474557257.020:75): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6-1000" pid=4243 comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Sep 22 11:14:17 blackhorse kernel: [ 2453.724196] audit: type=1400 audit(1474557257.020:76): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6" pid=4242 comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=108
Sep 22 11:14:22 blackhorse kernel: [ 2458.724841] audit: type=1400 audit(1474557262.024:77): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6-1000" pid=4243 comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Sep 22 11:14:22 blackhorse kernel: [ 2458.724944] audit: type=1400 audit(1474557262.024:78): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6" pid=4242 comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=108
Sep 22 11:14:22 blackhorse kernel: [ 2458.725194] audit: type=1400 audit(1474557262.024:79): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6" pid=4242 comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=108
Sep 22 11:14:22 blackhorse kernel: [ 2458.725285] audit: type=1400 audit(1474557262.024:80): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6-1000" pid=4243 comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Sep 22 11:14:27 blackhorse kernel: [ 2463.725548] audit: type=1400 audit(1474557267.024:81): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6-1000" pid=4243 comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Sep 22 11:14:27 blackhorse kernel: [ 2463.725915] audit: type=1400 audit(1474557267.024:82): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6" pid=4242 comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=108
Sep 22 11:14:27 blackhorse kernel: [ 2463.726047] audit: type=1400 audit(1474557267.024:83): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6" pid=4242 comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=108
Sep 22 11:14:27 blackhorse kernel: [ 2463.726096] audit: type=1400 audit(1474557267.024:84): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6-1000" pid=4243 comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Sep 22 11:14:32 blackhorse kernel: [ 2468.726791] audit: type=1400 audit(1474557272.024:85): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6-1000" pid=4243 comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Sep 22 11:14:32 blackhorse kernel: [ 2468.726880] audit: type=1400 audit(1474557272.024:86): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6-1000" pid=4243 comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Sep 22 11:14:32 blackhorse kernel: [ 2468.726997] audit: type=1400 audit(1474557272.024:87): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6" pid=4242 comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=108
Sep 22 11:14:32 blackhorse kernel: [ 2468.727169] audit: type=1400 audit(1474557272.024:88): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6" pid=4242 comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=108
Sep 22 11:14:37 blackhorse kernel: [ 2473.727190] audit: type=1400 audit(1474557277.024:89): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6-1000" pid=4243 comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Sep 22 11:14:37 blackhorse kernel: [ 2473.727234] audit: type=1400 audit(1474557277.024:90): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6-1000" pid=4243 comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Sep 22 11:14:37 blackhorse kernel: [ 2473.727404] audit: type=1400 audit(1474557277.024:91): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6" pid=4242 comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=108
Sep 22 11:14:37 blackhorse kernel: [ 2473.727476] audit: type=1400 audit(1474557277.024:92): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6" pid=4242 comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=108
Sep 22 11:14:40 blackhorse kernel: [ 2476.772488] audit: type=1400 audit(1474557280.068:93): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/home/bfiller/" pid=4262 comm="FileInfoThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Sep 22 11:14:42 blackhorse kernel: [ 2478.727539] audit: type=1400 audit(1474557282.024:94): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6-1000" pid=4243 comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Sep 22 11:14:42 blackhorse kernel: [ 2478.727595] audit: type=1400 audit(1474557282.024:95): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6-1000" pid=4243 comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Sep 22 11:14:42 blackhorse kernel: [ 2478.727778] audit: type=1400 audit(1474557282.024:96): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6" pid=4242 comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=108
Sep 22 11:14:42 blackhorse kernel: [ 2478.727904] audit: type=1400 audit(1474557282.024:97): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6" pid=4242 comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=108
Sep 22 11:14:47 blackhorse kernel: [ 2483.728308] audit: type=1400 audit(1474557287.024:98): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6-1000" pid=4243 comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Sep 22 11:14:47 blackhorse kernel: [ 2483.728394] audit: type=1400 audit(1474557287.024:99): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6-1000" pid=4243 comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Sep 22 11:14:47 blackhorse kernel: [ 2483.728511] audit: type=1400 audit(1474557287.024:100): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6" pid=4242 comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=108
Sep 22 11:14:47 blackhorse kernel: [ 2483.728661] audit: type=1400 audit(1474557287.024:101): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6" pid=4242 comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=108
^C
bfiller@blackhorse:~$
jdstrand said we need to add these to the apparmor profile for browser:
/dev/video[0-9]* rw,
/sys/bus/
/sys/devices/
/sys/devices/
/run/udev/
/sys/ r,
/sys/bus/ r,
/sys/class/ r,
/sys/devices/ r,
/sys/devices/**/ r,
/sys/class/ r,
/sys/class/**/ r,
basically, it should use the camera policy group, but it may need to be adjusted for things like that ^ after someone has gone through all the needed accesses