[apparmor] Note: NVIDIA drivers are mapping user-writable files by default
Jamie Strandboge
jamie at canonical.com
Tue Feb 20 18:59:22 UTC 2018
On Fri, 2018-02-16 at 16:44 +0200, Vincas Dargis wrote:
> On 2/11/18 11:38 PM, John Johansen wrote:
> > On 02/11/2018 02:42 AM, Vincas Dargis wrote:
> > >
> Now for Jamie's suggestion:
>
> On 2/12/18 7:40 PM, Jamie Strandboge wrote:
> > This is what I initially recommended but based on your later
> > investigations I later recommended something different. I now
> > suggest simply:
> >
> > 1. update the nvidia abstraction to have a comment that it does not
> > provide some NVIDIA optimizations and to either add `deny` rules
> > manually to silence the denials or add allow rules if you want the
> > optimizations. Both sets of rules would be commented out in the
> > nvidia abstraction under the aforementioned comment.
> >
>
> Sorry, I misunderstood your suggestion. So it's basically an approach
> using documentation only?
>
Yes
> There could be another approach without "deny and then override"
> that
> John didn't show affection for:
>
> 1. <abstractions/nvidia> left unchanged, except maybe adding info about
> missing permissions for possibly unsafe optimization, and a hint on how
> to fix that
>
> 2.a. new <abstractions/nvidia-with-optimizations> abstraction that
> includes <abstractions/nvidia> and adds allow rules for optimizations.
>
If this is helpful to people, I'm not opposed to it, though the
abstraction name is a bit wordy. I'd prefer this over 2.b (below) since
explicit denies are annoying for policy authors. I realize that doesn't
help with noisy denials, but those are probably best handled at the
distro or site level IMHO.
> 2.b. new <abstractions/nvidia-without-optimizations> abstraction that
> includes <abstractions/nvidia> and denies optimizations.
>
> usr.bin.thunderbird could be updated to change "nvidia" into
> "nvidia-without-optimizations" and "usr.lib.ioquake3.ioquake3" could be
> updated to include "nvidia-with-optimizations" instead.
>
--
Jamie Strandboge | http://www.canonical.com
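The 2.a/2.b layering discussed in this message, written out as AppArmor abstraction files. This is an added illustration, not the actual contents of the nvidia abstraction or of any profile shipped by the AppArmor project or Ubuntu; the file paths and the GLCache rule are assumptions chosen only to show the shape of the two variants (a base abstraction, one abstraction that includes it and adds allow rules, one that includes it and adds deny rules), and the profile excerpt is hypothetical.

```apparmor
# Added example, not from the thread. Paths and rules are illustrative
# assumptions, not the real abstractions/nvidia contents.

# --- /etc/apparmor.d/abstractions/nvidia-with-optimizations ---
  # Start from the conservative base abstraction.
  #include <abstractions/nvidia>
  # Permit the driver to map its user-writable cache (path assumed).
  # 'm' (mmap executable) on an owner-writable file is exactly the access
  # the base abstraction would otherwise leave denied.
  owner @{HOME}/.nv/GLCache/** mrwk,

# --- /etc/apparmor.d/abstractions/nvidia-without-optimizations ---
  #include <abstractions/nvidia>
  # Explicit deny: the access is refused as before, but deny rules are
  # quiet by default, so the denial no longer shows up in the log.
  deny owner @{HOME}/.nv/GLCache/** mrw,

# --- excerpt of a hypothetical profile that opts in ---
/usr/lib/ioquake3/ioquake3 {
  #include <abstractions/base>
  #include <abstractions/nvidia-with-optimizations>

  /usr/lib/ioquake3/ioquake3 mr,
}

# --- excerpt of a hypothetical profile that opts out quietly ---
/usr/lib/thunderbird/thunderbird {
  #include <abstractions/base>
  #include <abstractions/nvidia-without-optimizations>

  /usr/lib/thunderbird/thunderbird mr,
}
```

A profile includes exactly one of the two derived abstractions. The caveat behind the "explicit denies are annoying" remark: in AppArmor a `deny` rule takes precedence over any allow rule for the same access, so a profile that includes `nvidia-without-optimizations` cannot later re-enable the optimization by adding an allow rule; it has to switch to the other abstraction instead. Check a change with `apparmor_parser -QT /etc/apparmor.d/<profile>` before reloading it.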