From 53f3a27e16ea721d137940cecfdc7ebf9c88e2c2 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Tue, 19 Dec 2023 18:36:58 +0000
Subject: [PATCH] feat(abs): add a new set of graphics absractions.
---
 apparmor.d/abstractions/graphics | 24 +++++++++++++++++++
 apparmor.d/abstractions/graphics-full | 15 ++++++++++++
 apparmor.d/abstractions/nvidia-strict | 34 +++++++++++++++++++++++++++
 apparmor.d/abstractions/vulkan-strict | 26 ++++++++++++++++++++
 4 files changed, 99 insertions(+)
 create mode 100644 apparmor.d/abstractions/graphics
 create mode 100644 apparmor.d/abstractions/graphics-full
 create mode 100644 apparmor.d/abstractions/nvidia-strict
 create mode 100644 apparmor.d/abstractions/vulkan-strict
diff --git a/apparmor.d/abstractions/graphics b/apparmor.d/abstractions/graphics
new file mode 100644
index 00000000..84de8541
--- /dev/null
+++ b/apparmor.d/abstractions/graphics
@@ -0,0 +1,24 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+ abi ,
+
+ include
+ include
+ include
+ include
+
+ /etc/libva.conf r,
+
+ @{sys}/bus/pci/devices/ r,
+ @{sys}/devices/system/cpu/ r,
+ @{sys}/devices/system/cpu/cpu@{int}/cache/index@{int}/* r,
+ @{sys}/devices/system/cpu/cpu@{int}/online r,
+ @{sys}/devices/system/cpu/cpu@{int}/topology/* r,
+ @{sys}/devices/system/cpu/cpufreq/policy@{int}/* r,
+ @{sys}/devices/system/cpu/present r,
+ @{sys}/devices/system/node/ r,
+ @{sys}/devices/system/node/node@{int}/meminfo r,
+
+ include if exists
diff --git a/apparmor.d/abstractions/graphics-full b/apparmor.d/abstractions/graphics-full
new file mode 100644
index 00000000..1bd52c54
--- /dev/null
+++ b/apparmor.d/abstractions/graphics-full
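Review bot: The new graphics abstraction carries no comment saying what it grants or when a profile should include it rather than graphics-full, which in the next hunk adds the nvidia-modprobe transition and the NVIDIA UVM device nodes on top of what appears to be an include of this file (the include targets are not legible on this page). A one-line header after the license block would settle that for profile authors, e.g. `# Read-only CPU/GPU topology and libva config for programs that only render; use graphics-full when the program also needs NVIDIA UVM/compute device access.` Every sysfs and /etc rule here is read-only, so the abstraction itself adds no write surface, which is worth stating so the distinction from graphics-full stays visible when rules are added later.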
@@ -0,0 +1,15 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+ abi ,
+
+ include
+
+ @{bin}/nvidia-modprobe Px -> nvidia_modprobe,
+
+ /dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511
+ /dev/nvidia-uvm rw,
+ /dev/nvidia-uvm-tools rw,
+
+ include if exists
diff --git a/apparmor.d/abstractions/nvidia-strict b/apparmor.d/abstractions/nvidia-strict
new file mode 100644
index 00000000..1dae338c
--- /dev/null
+++ b/apparmor.d/abstractions/nvidia-strict
@@ -0,0 +1,34 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+ abi ,
+
+
+ /usr/share/nvidia/nvidia-application-profiles-* r,
+
+ /etc/nvidia/nvidia-application-profiles-* r,
+ /etc/vdpau_wrapper.cfg r,
+
+ owner @{HOME}/.cache/nvidia/ w,
+ owner @{HOME}/.cache/nvidia/GLCache/ rw,
+ owner @{HOME}/.cache/nvidia/GLCache/** rwk,
+ owner @{HOME}/.nv/ComputeCache/ w,
+ owner @{HOME}/.nv/ComputeCache/** rw,
+ owner @{HOME}/.nv/ComputeCache/index rwk,
+ owner @{HOME}/.nv/nvidia-application-profiles-* r,
+
+ @{sys}/devices/system/memory/block_size_bytes r,
+
+ @{PROC}/driver/nvidia/params r,
+ @{PROC}/sys/vm/max_map_count r,
+ @{PROC}/sys/vm/mmap_min_addr r,
+ @{PROC}/modules r,
+ owner @{PROC}/@{pid}/comm r,
+
+ /dev/char/195:@{int} w, # Nvidia graphics devices
+ /dev/nvidia-modeset rw,
+ /dev/nvidia@{int} rw,
+ /dev/nvidiactl rw,
+
+ include if exists
diff --git a/apparmor.d/abstractions/vulkan-strict b/apparmor.d/abstractions/vulkan-strict
new file mode 100644
index 00000000..33f1d68a
--- /dev/null
+++ b/apparmor.d/abstractions/vulkan-strict
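Review bot: `/dev/char/@{dynamic}:@{int} w` opens for write every character device node whose major falls in the dynamic range, not just the one nvidia-uvm was assigned, so any other module that took a dynamic major becomes writable from every profile that includes graphics-full. The trailing comment only documents the numeric range; it should state the reason and the trade-off, e.g. `/dev/char/@{dynamic}:@{int} w, # nvidia-uvm's major is assigned at module load, so its /dev/char/MAJ:MIN link cannot be pinned; this also reaches other dynamic-major char devices`. If `/dev/nvidia-uvm rw` alone turns out to satisfy the driver, the wildcard rule can go, but that needs checking against a real nvidia-uvm open, which cannot be done from the diff. The `Px -> nvidia_modprobe` transition is the right shape for a setuid helper, since Px scrubs the environment on the way into the named profile.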
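Review bot: `@{PROC}/modules r` hands every profile that pulls in nvidia-strict the complete list of loaded kernel modules, which is broader than the other `@{PROC}` entries in this hunk and is not explained; presumably the driver reads it to confirm its own modules are loaded, in which case the rule should say so, e.g. `@{PROC}/modules r, # Driver checks that the nvidia modules are loaded`. The copyright line reads `2021` while the three sibling files created by the same commit say `2023`, so either this file was carried over from an older one or the year is a typo. There are also two consecutive blank lines after the `abi` line where the other files have one, which looks like a leftover from a removed include.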
@@ -0,0 +1,26 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+ /usr/share/egl/egl_external_platform.d/{,*.json} r,
+ /usr/share/glvnd/egl_vendor.d/{,*.json} r,
+ /usr/share/libdrm/*.ids r,
+ /usr/share/vulkan/explicit_layer.d/{,*.json} r,
+ /usr/share/vulkan/icd.d/{,*.json} r,
+ /usr/share/vulkan/implicit_layer.d/{,*.json} r,
+
+ /etc/glvnd/egl_vendor.d/{,*.json} r,
+ /etc/vulkan/explicit_layer.d/{,*.json} r,
+ /etc/vulkan/icd.d/{,*.json} r,
+ /etc/vulkan/implicit_layer.d/{,*.json} r,
+
+ owner @{user_share_dirs}/vulkan/implicit_layer.d/{,*.json} r,
+
+ @{sys}/class/ r,
+ @{sys}/class/drm/ r,
+ @{sys}/devices/@{pci}/drm/ r,
+ @{sys}/devices/@{pci}/drm/card@{int}/gt_{min,cur,max}_freq_mhz r,
+ @{sys}/devices/@{pci}/drm/card@{int}/metrics/ r,
+ @{sys}/devices/@{pci}/drm/card@{int}/metrics/@{uuid}/id r,
+
+ include if exists
\ No newline at end of file
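Review bot: `owner @{user_share_dirs}/vulkan/implicit_layer.d/{,*.json} r` lets the Vulkan loader read layer manifests the user can write, and as far as I know the loader dlopens the shared object named in such a manifest as an implicit layer, so a writable file under the user's share dir steers library loading for every program using this abstraction. The abstraction grants only `r` on the JSON and no `m` under `@{user_share_dirs}`, so whether that becomes code injection depends on the including profile's mmap rules, and a comment should flag it, e.g. `owner @{user_share_dirs}/vulkan/implicit_layer.d/{,*.json} r, # User-writable layer manifests: the library they name still needs an m rule in the profile`. Unlike the other three files in this commit, vulkan-strict has no `abi` declaration between the license header and the first rule, and it is the only one without a trailing newline; both are one-line fixes.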