# Description: Can access various APIs needed by modern browsers (eg, Google
# Chrome/Chromium and Mozilla) and file paths they expect. This interface is
# transitional and is only in place while upstream's work to change their paths
# and snappy is updated to properly mediate the APIs.

# for anonymous sockets

# TODO: fine-tune when seccomp arg filtering available in stable distro

# Since snapd still uses SECCOMP_RET_KILL, add a workaround rule to allow mknod
# on character devices since chromium unconditionally performs a mknod() to
# create the /dev/nvidiactl device, regardless of if it exists or not or if the
# process has CAP_MKNOD or not. Since we don't want to actually grant the
# ability to create character devices, we added an explicit deny AppArmor rule
# for this capability. When snapd uses SECCOMP_RET_ERRNO, we can remove this
# https://forum.snapcraft.io/t/call-for-testing-chromium-62-0-3202-62/2569/46
mknodat - - |S_IFCHR -
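
The following is an added example, not part of snapd or of the original policy: a small evaluator for the `mknodat - - |S_IFCHR -` rule above, showing which `mode` values it lets through. It assumes that `-` means "do not filter this argument" and that `|VALUE` is a masked-equality test, `(arg & VALUE) == VALUE`; the helper names and the sample arguments are constructed for illustration.

```python
import stat

# Symbols a rule may name; values come from Python's stat module (Linux).
SYMBOLS = {n: getattr(stat, n) for n in
           ("S_IFCHR", "S_IFBLK", "S_IFREG", "S_IFIFO", "S_IFSOCK")}

def parse_rule(line):
    """Split 'syscall arg0 arg1 ...' into (name, [(index, op, value), ...])."""
    name, *fields = line.split()
    conds = []
    for idx, field in enumerate(fields):
        if field == "-":              # no filtering on this argument
            continue
        if not field.startswith("|"):
            raise ValueError(f"operator not handled in this sketch: {field!r}")
        sym = field[1:]
        value = SYMBOLS[sym] if sym in SYMBOLS else int(sym, 0)
        conds.append((idx, "|", value))
    return name, conds

def matches(rule, syscall, args):
    """True if the call matches the rule. With SECCOMP_RET_KILL as the
    default action, a call that matches no rule kills the process."""
    name, conds = rule
    if syscall != name:
        return False
    # Assumed semantics of '|': masked equality, (arg & value) == value.
    return all((args[idx] & value) == value for idx, _op, value in conds)

RULE = parse_rule("mknodat - - |S_IFCHR -")

def check_mode(mode):
    # mknodat(dirfd, pathname, mode, dev): mode is argument index 2.
    # dirfd/pathname/dev below are constructed placeholder values.
    return matches(RULE, "mknodat", [-100, 0, mode, 0])

if __name__ == "__main__":
    for sym, value in SYMBOLS.items():
        mode = value | 0o660
        print(f"{sym:9} mode={mode:#o} matches={check_mode(mode)}")
```

Under these semantics a block-device mode also matches, because S_IFBLK (0o060000) contains the S_IFCHR bit (0o020000). The seccomp rule therefore only keeps the process from being killed; the explicit AppArmor deny mentioned in the comment is what prevents device creation.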