Considering the current implementation constraints that applications have to access various device files for GL (e.g., /dev/dri/card0) instead of having something trusted like mir do the direct access (see bug #1197133 for background), I don't think we can avoid this access:

  /sys/devices/pci[0-9]*/**/config r,

While https://www.kernel.org/doc/Documentation/filesystems/sysfs-pci.txt tells us it is rw, AppArmor can at least enforce readonly. It is fine for webbrowser-app to /sys/devices/pci[0-9]*/**/config, but before we add it for all applications, can you give the complete denial messages? Perhaps there is something more fine-grained we can use....

https://bugs.launchpad.net/bugs/1590561

Title:
  webbrowser-app crashes on startup on fresh zesty Unity8: No suitable EGL configs found

Status in Canonical System Image: Confirmed
Status in Oxide: Invalid
Status in apparmor package in Ubuntu: New
Status in unity8 package in Ubuntu: Confirmed
Status in webbrowser-app package in Ubuntu: Confirmed

Bug description:
  When trying to start webbrowser-app an unresponsive window appears and after a few moments it crashes.

  ProblemType: Bug
  DistroRelease: Ubuntu 16.04
  Package: webbrowser-app 0.23+16.04.20160413-0ubuntu1
  ProcVersionSignature: Ubuntu 4.4.0-22.40-generic 4.4.8
  Uname: Linux 4.4.0-22-generic x86_64
  NonfreeKernelModules: nvidia_uvm nvidia_modeset nvidia
  ApportVersion: 2.20.1-0ubuntu2
  Architecture: amd64
  CurrentDesktop: Unity
  Date: Wed Jun 8 22:56:35 2016
  InstallationDate: Installed on 2016-04-28 (41 days ago)
  InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1)
  SourcePackage: webbrowser-app
  UpgradeStatus: No upgrade log present (probably fresh install)
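
The comment above asks for the complete denial messages before the read-only rule is widened to all applications. The following is an added example, not part of the original message or of any Ubuntu tooling: it sorts AppArmor denials by whether that rule would cover them. The log lines, the profile name "example-profile" and the simplified glob matching are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Rule proposed in the comment; file mode "r" only.
RULE_GLOB = "/sys/devices/pci[0-9]*/**/config"
RULE_MODE = set("r")

# Constructed sample kernel audit lines (not taken from the bug report).
SAMPLE_LOG = """\
audit: type=1400 audit(1465426595.101:41): apparmor="DENIED" operation="open" profile="example-profile" name="/sys/devices/pci0000:00/0000:00:02.0/config" pid=4242 comm="webbrowser-app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1465426595.102:42): apparmor="DENIED" operation="open" profile="example-profile" name="/sys/devices/pci0000:00/0000:00:01.0/0000:01:00.0/config" pid=4242 comm="webbrowser-app" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0
audit: type=1400 audit(1465426595.103:43): apparmor="DENIED" operation="open" profile="example-profile" name="/sys/devices/pci0000:00/0000:00:02.0/resource0" pid=4242 comm="webbrowser-app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

FIELD = re.compile(r'(\w+)="([^"]*)"')

def glob_to_regex(glob):
    """Simplified AppArmor glob: ** crosses '/', * does not, [..] kept as-is."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            piece, step = ".*", 2
        elif glob[i] == "*":
            piece, step = "[^/]*", 1
        elif glob[i] == "[":
            end = glob.index("]", i) + 1
            piece, step = glob[i:end], end - i
        else:
            piece, step = re.escape(glob[i]), 1
        out.append(piece)
        i += step
    return re.compile("".join(out) + r"\Z")

def triage(log, glob=RULE_GLOB, mode=RULE_MODE):
    """Sort each denial into: covered by the rule, still denied, or unmatched."""
    rx, result = glob_to_regex(glob), defaultdict(list)
    for line in log.splitlines():
        f = dict(FIELD.findall(line))
        if f.get("apparmor") != "DENIED" or "name" not in f:
            continue
        path, denied = f["name"], set(f.get("denied_mask", ""))
        if not rx.match(path):
            result["unmatched"].append((path, "".join(sorted(denied))))
        elif denied <= mode:
            result["covered"].append(path)
        else:
            result["still_denied"].append((path, "".join(sorted(denied - mode))))
    return dict(result)
```

Entries under "still_denied" show write access the read-only rule would keep blocking, and "unmatched" paths are the ones that would need their own, narrower rule.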