
interfaces: updates for mir-kiosk in browser-support, mir, opengl, unity7 (#3006)
1 parent c0f98ca commit 012c466a973ecdfcaf664905b312f6b71e1dc4d9 @jdstrand jdstrand committed with niemeyer Mar 10, 2017
@@ -57,7 +57,7 @@ deny dbus (send)
# Lttng tracing is very noisy and should not be allowed by confined apps. Can
# safely deny. LP: #1260491
-deny /{dev,run,var/run}/shm/lttng-ust-* r,
+deny /{dev,run,var/run}/shm/lttng-ust-* rw,
# webbrowser-app/webapp-container tries to read this file to determine if it is
# confined or not, so explicitly deny to avoid noise in the logs.
@@ -37,13 +37,17 @@ capability sys_tty_config,
/{dev,run}/shm/\#* rw,
/run/mir_socket rw,
+# Needed for mode setting via drmSetMaster() and drmDropMaster()
+capability sys_admin,
+
# NOTE: this allows reading and inserting all input events
/dev/input/* rw,
# For using udev
network netlink raw,
/run/udev/data/c13:[0-9]* r,
/run/udev/data/+input:input[0-9]* r,
+/run/udev/data/+platform:* r,
`
const mirPermanentSlotSecComp = `
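Review bot: The comment on the added `capability sys_admin,` justifies it only for drmSetMaster()/drmDropMaster(), but CAP_SYS_ADMIN is the catch-all administrative capability and is far wider than mode setting, so the rule deserves a comment that says so and that names who receives it; judging from the `const mirPermanentSlotSecComp` that follows, this appears to be the permanent-slot policy, i.e. the grant goes to the display server rather than to connected plugs, which is worth stating. Suggested wording: `# Needed for mode setting via drmSetMaster() and drmDropMaster(). Note that` / `# sys_admin is very broad; it is granted to the slot (the display server) only.` The new `/run/udev/data/+platform:* r,` rule is likewise wider than the two input-specific udev rules above it, and a one-line comment naming which platform devices Mir needs would let a later reviewer narrow it. The enclosing string constant begins above the hunk.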
@@ -30,6 +30,7 @@ const openglConnectedPlugAppArmor = `
/var/lib/snapd/lib/gl/ r,
/var/lib/snapd/lib/gl/** rm,
+ /dev/dri/ r,
/dev/dri/card0 rw,
# nvidia
@{PROC}/driver/nvidia/params r,
@@ -41,6 +42,7 @@ const openglConnectedPlugAppArmor = `
# eglfs
/dev/vchiq rw,
+ /sys/devices/pci[0-9]*/**/config r,
# FIXME: this is an information leak and snapd should instead query udev for
# the specific accesses associated with the above devices.
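Review bot: The added `/sys/devices/pci[0-9]*/**/config r,` grants read access to the raw PCI config space of every PCI device, which is considerably wider than the single `/dev/dri/card0` device rule earlier in this policy and is exactly the kind of access the FIXME immediately below already calls an information leak; the rule should sit below that FIXME (or the FIXME above it) so the caveat visibly covers it, e.g. keep `# FIXME: this is an information leak and snapd should instead query udev for` / `# the specific accesses associated with the above devices.` and place the config rule after those two lines. Also, if the leading space in `+ /dev/dri/ r,` and `+ /sys/devices/pci[0-9]*/**/config r,` is in the file rather than a rendering artifact, it is inconsistent with the other rules in this policy and should be dropped. The enclosing openglConnectedPlugAppArmor string starts above the hunk.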
@@ -457,7 +457,7 @@ dbus (send)
# Lttng tracing is very noisy and should not be allowed by confined apps. Can
# safely deny. LP: #1260491
-deny /{dev,run,var/run}/shm/lttng-ust-* r,
+deny /{dev,run,var/run}/shm/lttng-ust-* rw,
`
// http://bazaar.launchpad.net/~ubuntu-security/ubuntu-core-security/trunk/view/head:/data/seccomp/policygroups/ubuntu-core/16.04/unity7
