We are developing webots (https://github.com/omichel/webots) and would like to provide a snap for it on Linux. I have created a snap with classic confinement which works fine locally and which I just pushed to snapcraft.io.
I tried hard to make it work with strict confinement, but failed mainly for the following reason: webots uses pcilib to read information on the graphics card (model, memory, etc. and deduce the OpenGL capabilities). Unfortunately, AppArmor doesn’t like it and prevents webots from reading this file in particular:
pcilib: Cannot open /sys/bus/pci/devices/0000:00:17.0/resource: Permission denied
I tried to add a plug in my snapcraft.yaml file, but that doesn’t help:
plugs: system-pci-read: interface: system-files read: - /sys/bus/pci/devices/0000:3b:00.0/resource - /sys/bus/pci/devices/0000:00:17.0/resource # - /sys/devices/pci[0-9]*:[0-9]*/[0-9]*:[0-9]*:[0-9]*.[0-9]*/resource apps: webots: plugs: [desktop, desktop-legacy, hidraw, joystick, wayland, unity7, x11, opengl, pulseaudio, home, network, system-observe, system-pci-read] desktop: usr/share/webots/resources/webots.desktop command: desktop-launch $SNAP/usr/share/webots/webots
Shall I give up with strict confinement and ask a review for a classic confinement? Or is there still any hope that webots could be allowed to read /sys/bus/pci?