On 09/29/2013 08:23 AM, Felix Geyer wrote:
> The nvidia abstraction lacks a few rules that are needed by the
> latest driver version.
> I've tested it with nvidia-319-updates/319.49-0ubuntu2 on Ubuntu saucy.
> 
> === modified file 'profiles/apparmor.d/abstractions/nvidia'
> --- profiles/apparmor.d/abstractions/nvidia   2013-01-02 22:39:45 +0000
> +++ profiles/apparmor.d/abstractions/nvidia   2013-09-29 13:17:22 +0000
> @@ -13,3 +13,11 @@
> 
>    @{PROC}/interrupts r,
>    @{PROC}/sys/vm/max_map_count r,
> +  @{PROC}/modules r,
> +  @{PROC}/driver/nvidia/params r,
> +
> +  owner @{HOME}/.nv/{,GLCache/} rw,
> +  owner @{HOME}/.nv/GLCache/** rwk,

These are all fine. FYI, setting __GL_SHADER_DISK_CACHE_PATH affects the
location of @{HOME}/.nv/GLCache.

> +  owner @{HOME}/.nvidia/ rw,
> +  owner @{HOME}/.nvidia/** rwm,

I've not seen 'm' for @{HOME}/.nvidia/** - this isn't ideal but 'ok' I guess.

> +  owner /tmp/gl* m,
> 
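
Review bot: `owner /tmp/gl* m,` on the last added line allows executable mmap of any file the user owns in /tmp whose name starts with `gl`, and /tmp is shared, world-writable space, so the glob matches far more than a driver temp file. Drop the rule, or if a driver component really needs it, narrow the pattern to the exact names the driver creates and add a comment saying which component requires it. The earlier `owner @{HOME}/.nvidia/** rwm,` pairs write access with `m` on the same files, so a confined process can write a file and then map it executable; a comment justifying `m` there would help future reviewers.
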
This I don't like at all, especially since many will presumably use the
user-tmp abstraction with nvidia, and it intentionally avoids mmap (btw, I'm
pretty sure you would need 'mrw' here anyway). I came across this recently and
found that the app behaves fine without access to /tmp/gl* at all, so we are
explicitly denying it.

Also, there is a bug on the nvidia GL libraries not honoring TMPDIR:
https://launchpad.net/bugs/1212425

(aiui, that should be fixed soon)

-- 
Jamie Strandboge                 http://www.ubuntu.com/
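
An added example, not part of the original message or of the AppArmor project: a small Python check that scans the rules added by the quoted patch for the two patterns questioned in the review, `m` on a shared temporary directory and `m` combined with write access. The `audit` function, the `SHARED_TMP` list and the finding labels are assumptions made for this example.

```python
import re

# AppArmor file rule: optional "deny", optional "owner", a path, permission letters, comma.
RULE = re.compile(
    r"^\s*(?P<deny>deny\s+)?(?:owner\s+)?(?P<path>[/@]\S*)\s+(?P<perms>[A-Za-z]+)\s*,"
)

# Directories every local user can write to (assumed list for this example).
SHARED_TMP = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Rules added by the quoted patch, copied from the message above.
PATCH_RULES = """
  @{PROC}/modules r,
  @{PROC}/driver/nvidia/params r,
  owner @{HOME}/.nv/{,GLCache/} rw,
  owner @{HOME}/.nv/GLCache/** rwk,
  owner @{HOME}/.nvidia/ rw,
  owner @{HOME}/.nvidia/** rwm,
  owner /tmp/gl* m,
"""

def audit(rules_text):
    """Return (path, perms, finding) for allow rules that grant executable mmap riskily."""
    findings = []
    for line in rules_text.splitlines():
        match = RULE.match(line)
        if not match or match.group("deny"):
            continue  # not a file rule, or an explicit deny
        path, perms = match.group("path"), match.group("perms")
        letters = set(perms.lower())
        if "m" not in letters:
            continue  # no executable mapping granted
        if path.startswith(SHARED_TMP):
            findings.append((path, perms, "mmap-exec in shared tmp"))
        elif letters & {"w", "a"}:
            findings.append((path, perms, "write plus mmap-exec"))
    return findings

if __name__ == "__main__":
    for path, perms, finding in audit(PATCH_RULES):
        print(f"{finding}: {path} {perms}")
```
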
