From 1919d90770b3919da13bad0bd9ca39abffb5f65c Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Mon, 8 Apr 2024 18:07:18 +0100
Subject: [PATCH] feat(profile): start using child-modprobe-nvidia.
---
 apparmor.d/abstractions/graphics-full | 2 --
 apparmor.d/abstractions/nvidia-strict | 2 ++
 apparmor.d/groups/children/child-modprobe-nvidia | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/apparmor.d/abstractions/graphics-full b/apparmor.d/abstractions/graphics-full
index 1b19173b..e9480d21 100644
--- a/apparmor.d/abstractions/graphics-full
+++ b/apparmor.d/abstractions/graphics-full
@@ -4,8 +4,6 @@ include - @{bin}/nvidia-modprobe Px -> nvidia_modprobe, - /dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511 /dev/nvidia-uvm rw, /dev/nvidia-uvm-tools rw,
diff --git a/apparmor.d/abstractions/nvidia-strict b/apparmor.d/abstractions/nvidia-strict
index 3ebb4d2b..4d23a7e5 100644
--- a/apparmor.d/abstractions/nvidia-strict
+++ b/apparmor.d/abstractions/nvidia-strict
@@ -2,6 +2,8 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + @{bin}/nvidia-modprobe Px -> child-modprobe-nvidia, + /usr/share/nvidia/nvidia-application-profiles-* r, /etc/nvidia/nvidia-application-profiles-* r,
diff --git a/apparmor.d/groups/children/child-modprobe-nvidia b/apparmor.d/groups/children/child-modprobe-nvidia
index b4acf63c..51f059e6 100644
--- a/apparmor.d/groups/children/child-modprobe-nvidia
+++ b/apparmor.d/groups/children/child-modprobe-nvidia
@@ -30,8 +30,6 @@ profile child-modprobe-nvidia { @{bin}/kmod Cx -> kmod, - # /dev/nvidia-uvm w, - # /dev/nvidia-uvm-tools w, @{sys}/bus/pci/devices/ r, @{sys}/devices/@{pci}/config r,
@@ -47,6 +45,8 @@ profile child-modprobe-nvidia { owner /dev/char/195:@{int} w, # Nvidia graphics devices /dev/nvidia-modeset w, + /dev/nvidia-uvm w, + /dev/nvidia-uvm-tools w, /dev/nvidia@{int} rw, /dev/nvidiactl rw, owner /dev/nvidia-caps/ w,
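Review bot: In apparmor.d/abstractions/nvidia-strict the new `@{bin}/nvidia-modprobe Px -> child-modprobe-nvidia,` rule is inherited by every profile that includes the abstraction, so any includer that still has its own exec rule for `@{bin}/nvidia-modprobe` with another target (such as the `Px -> nvidia_modprobe` form deleted from graphics-full in this patch) will be rejected by the parser for conflicting x modifiers. Only the graphics-full copy is removed here, so the rest of the tree should be searched for that path before merging. The rule also carries no comment; a line such as `# nvidia-modprobe runs confined under child-modprobe-nvidia` above it would tell includers what this abstraction now lets them transition into. Whether graphics-full still reaches the rule through its own include line cannot be confirmed from the hunk, so profiles that include only graphics-full may lose the transition.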
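Review bot: In the second hunk of apparmor.d/groups/children/child-modprobe-nvidia the added `/dev/nvidia-uvm w,` and `/dev/nvidia-uvm-tools w,` rules have no matching `/dev/char/` entry in the visible part of the profile. The only one shown is `owner /dev/char/195:@{int} w,`, while graphics-full keeps `/dev/char/@{dynamic}:@{int} w,` with a comment about dynamically assigned majors. If nvidia-modprobe also creates the /dev/char entry for the UVM devices, the helper would be denied under this profile and would need `owner /dev/char/@{dynamic}:@{int} w,` next to the 195 rule; this is inferred from the graphics-full comment and should be confirmed against audit logs. The profile body starts and ends outside the hunk.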