AppArmor: allow Firefox to enumerate GPUs and use graphics acceleration

Modern web browsers and contents need graphics acceleration more and more.

GNU/Linux systems are moving to Wayland, where one cannot rely on X.Org driver
acceleration anymore, and everything instead happens in the kernel, libdrm,
and Mesa.

apparmor/torbrowser.Browser.firefox

@@ -5,8 +5,11 @@
 
 profile torbrowser_firefox @{torbrowser_firefox_executable} {
   #include <abstractions/audio>
+  #include <abstractions/dri-enumerate>
   #include <abstractions/gnome>
   #include <abstractions/ibus>
+  #include <abstractions/mesa>
+  #include <abstractions/opencl>
   #include if exists <abstractions/vulkan>
 
   # Uncomment the following lines if you want to give the Tor Browser read-write
@@ -98,6 +101,8 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
   /usr/share/homepage/ r,
   /usr/share/homepage/** r,
 
+  /sys/bus/pci/devices/ r,
+  @{sys}/devices/pci[0-9]*/**/irq r,
   /sys/devices/system/cpu/ r,
   /sys/devices/system/cpu/present r,
   /sys/devices/system/node/ r,
@@ -118,12 +123,7 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
   # Required for Wayland display protocol support
   owner /dev/shm/wayland.mozilla.ipc.[0-9]* rw,
 
-  # Deny access to DRM nodes, that's granted by the X abstraction, which is
-  # sourced by the gnome abstraction, that we include.
-  deny /dev/dri/** rwklx,
-
   # Silence denial logs about permissions we don't need
-  deny /dev/dri/   rwklx,
   deny @{HOME}/.cache/fontconfig/ rw,
   deny @{HOME}/.cache/fontconfig/** rw,
   deny @{HOME}/.config/gtk-2.0/ rw,
@@ -160,5 +160,10 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
   owner @{PROC}/@{pid}/{gid,uid}_map w,
   owner @{PROC}/@{pid}/setgroups w,
 
+  # Remove these rules once we can assume abstractions/vulkan is recent enough
+  # to include them
+  /etc/glvnd/egl_vendor.d/{*,.json} r,
+  /usr/share/glvnd/egl_vendor.d/{,*.json} r,
+
   #include <local/torbrowser.Browser.firefox>
 }