raw-usb isn’t an issue since it doesn’t try to do more fine-grained mediation with the device cgroup.
joystick is definitely one that should not use the glob rules, since without the cgroup but with the glob rules it gives access to all input devices.
serial-port isn’t going to work for you anyway, today, since the gadget snap has to define what is available since hotplug isn’t in place yet. However, serial-port is one of the first interfaces that will start to use hotplug, aiui.
There is a new yubikey interface coming that operates like joystick, but for hidraw devices, so you’d want to avoid that too.
For the others:
- camera, dvb, optical-drive: currently grants access to all devices of this type, but will (eventually) change with hotplug
- gpio, i2c, iio, spi: specific access where apparmor and cgroup are the same and gadget defines the specific devices
- network-control, bluetooth-control, gpio-memory-control, hardware-random-control, io-port-control: specific access where cgroup and apparmor are the same
- opengl: like raw-usb with glob access where cgroup and apparmor are essentially the same
But there were others not listed in the above:
- alsa, broadcom-asic-control, framebuffer, mir, modem-manager, ofono, ppp, pulseaudio, tpm, udisks2, wayland, x11: glob access where cgroup and apparmor are essentially the same
- adb-support, device-buttons: like joystick where cgroup is relied on for fine-grained mediation
- bluez, fuse-support, hardware-random-observe, kernel-module-control, kvm, kubernetes-support, network-manager, physical-memory-control, physical-memory-observe, time-control: specific access where apparmor and cgroup are the same
- hidraw: like serial-port where glob is used when usb attributes are specified
- uhid: specific access for which udev tagging can’t be used
So, with the above, the only ones to worry about are joystick, adb-support, device-buttons, serial-port with usb attributes, hidraw with usb attributes and the upcoming yubikey interface.