# vim:set ft=apparmor:
#
# Copyright (C) 2009-2015 Canonical Ltd.
# Copyright (C) 2015 Collabora Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# This package is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# SPDX-License-Identifier: GPL-2

###
# udev device enumeration as used in Mesa, based on Ubuntu's profile
# for chromium-browser.
#
# This profile allows the confined process to identify PCI devices,
# mainly used to determine their device class and vendor. This is
# normal behaviour for applications that use either Mesa graphics or
# GUdevClient. Other buses that are needed to identify built-in hardware
# devices might be added in future versions of this abstraction.
#
# This could conceivably be seen as a privacy risk, since the udev
# database might contain device serial numbers; if this is considered
# problematic, /run/udev/data access might have to be silently denied
# (if it is not strictly needed).
#
# Identifying a particular model or manufacturer of vehicle from device
# presence/absence or bus topology is not considered to be a new
# privacy risk, since the version number of embedded kernels is
# frequently hardware-specific anyway.
#
# Status: Apertis-specific
# Privilege level: intended to be used by unprivileged apps
###

  # Read-only access to udev's global configuration file.
  /etc/udev/udev.conf r,

  # Read-only access to selected sysfs attributes below any directory
  # matching /sys/devices/pci[0-9]*. Every rule here grants "r" only;
  # nothing in this abstraction allows writing to sysfs.
  #
  # NOTE(review): "**" matches across directory levels, so these rules are
  # not limited to the PCI devices themselves. They also match files with
  # the same names (for example uevent and removable) belonging to any
  # device nested below a PCI device in sysfs. Confirm this breadth is
  # intended before including the abstraction in a tightly scoped profile.
  #
  # class, device and vendor are the identification attributes that the
  # header of this file gives as the main purpose of the abstraction.
  /sys/devices/pci[0-9]*/**/class r,
  /sys/devices/pci[0-9]*/**/device r,
  # NOTE(review): irq and resource presumably describe interrupt and
  # address-range assignment rather than device identity; verify that the
  # consumers named in the header still need them.
  /sys/devices/pci[0-9]*/**/irq r,
  /sys/devices/pci[0-9]*/**/resource r,
  /sys/devices/pci[0-9]*/**/vendor r,
  /sys/devices/pci[0-9]*/**/removable r,
  /sys/devices/pci[0-9]*/**/uevent r,

  # udev database entries whose names start with "+pci:" followed by a
  # digit; other entries under /run/udev/data are not matched. The header
  # of this file notes that the udev database might contain device serial
  # numbers and that this access might have to be silently denied if it is
  # not strictly needed.
  /run/udev/data/+pci:[0-9]* r,

  # Monitoring /dev for changes, for example in GUdevClient.
  # The trailing slash with no glob makes this rule match the /dev
  # directory itself: "r" allows listing its entries, and this rule grants
  # no access to the device nodes inside it. Access to an individual node
  # needs its own rule in the including profile.
  /dev/ r,
