On 09/29/2013 08:23 AM, Felix Geyer wrote: > The nvidia abstractions lacks a few rules that are needed by the > latest driver version. > I've tested it with nvidia-319-updates/319.49-0ubuntu2 on Ubuntu saucy. > > === modified file 'profiles/apparmor.d/abstractions/nvidia' > --- profiles/apparmor.d/abstractions/nvidia 2013-01-02 22:39:45 +0000 > +++ profiles/apparmor.d/abstractions/nvidia 2013-09-29 13:17:22 +0000 > @@ -13,3 +13,11 @@ > > @{PROC}/interrupts r, > @{PROC}/sys/vm/max_map_count r, > + @{PROC}/modules r, > + @{PROC}/driver/nvidia/params r, > + > + owner @{HOME}/.nv/{,GLCache/} rw, > + owner @{HOME}/.nv/GLCache/** rwk,
These are all fine. FYI, setting __GL_SHADER_DISK_CACHE_PATH affects the location of @{HOME}/.nv/GLCache. > + owner @{HOME}/.nvidia/ rw, > + owner @{HOME}/.nvidia/** rwm, I've not seen 'm' for @{HOME}/.nvidia/** - this isn't ideal but 'ok' I guess. > + owner /tmp/gl* m, > I don't like this at all, especially since many will presumably use the user-tmp abstraction with nvidia, and it intentionally avoids mmap (btw, I'm pretty sure you would need 'mrw' here anyway). I came across this recently and found that the app behaves fine without access to /tmp/gl* at all, so we are explicitly denying it. Also, there is a bug on the nvidia GL libraries not honoring TMPDIR: https://launchpad.net/bugs/1212425 (aiui, that should be fixed soon) -- Jamie Strandboge http://www.ubuntu.com/
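Review bot: The last added rule, `owner /tmp/gl* m,`, permits executable mapping of any user-owned file in /tmp whose name starts with "gl", and every profile that includes this abstraction inherits that permission. Because it sits in a shared abstraction, I would drop this line from the patch and leave it to individual profiles to allow or explicitly deny the path. As written the rule also carries only `m`, with no `r` or `w`, so it is not clear it would satisfy the driver on its own. The `owner @{HOME}/.nvidia/** rwm,` line likewise combines write and executable-mapping access on one tree; a comment above it stating which files need `m` would let a later change narrow the glob.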
-- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor