feat(abs): add a new set of graphics absractions.

2025-01-18 00:48:10 +01:00 · 2023-12-19 18:36:58 +00:00 · 2023-12-19 18:36:58 +00:00 · 53f3a27e16
commit 53f3a27e16
parent df20d29832
4 changed files with 99 additions and 0 deletions
--- a/apparmor.d/abstractions/graphics
+++ b/apparmor.d/abstractions/graphics
@ -0,0 +1,24 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+  abi <abi/3.0>,
+
+  include <abstractions/dri>
+  include <abstractions/mesa>
+  include <abstractions/nvidia-strict>
+  include <abstractions/vulkan-strict>
+
+  /etc/libva.conf r,
+
+  @{sys}/bus/pci/devices/ r,
+  @{sys}/devices/system/cpu/ r,
+  @{sys}/devices/system/cpu/cpu@{int}/cache/index@{int}/* r,
+  @{sys}/devices/system/cpu/cpu@{int}/online r,
+  @{sys}/devices/system/cpu/cpu@{int}/topology/* r,
+  @{sys}/devices/system/cpu/cpufreq/policy@{int}/* r,
+  @{sys}/devices/system/cpu/present r,
+  @{sys}/devices/system/node/ r,
+  @{sys}/devices/system/node/node@{int}/meminfo r,
+
+  include if exists <abstractions/graphics.d>
--- a/apparmor.d/abstractions/graphics-full
+++ b/apparmor.d/abstractions/graphics-full
@ -0,0 +1,15 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+  abi <abi/3.0>,
+
+  include <abstractions/graphics>
+
+  @{bin}/nvidia-modprobe Px -> nvidia_modprobe,
+
+  /dev/char/@{dynamic}:@{int} w,          # For dynamic assignment range 234 to 254, 384 to 511
+  /dev/nvidia-uvm rw,
+  /dev/nvidia-uvm-tools rw,
+
+  include if exists <abstractions/graphics-full.d>
--- a/apparmor.d/abstractions/nvidia-strict
+++ b/apparmor.d/abstractions/nvidia-strict
@ -0,0 +1,34 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+  abi <abi/3.0>,
+
+
+  /usr/share/nvidia/nvidia-application-profiles-* r,
+
+  /etc/nvidia/nvidia-application-profiles-* r,
+  /etc/vdpau_wrapper.cfg r,
+
+  owner @{HOME}/.cache/nvidia/ w,
+  owner @{HOME}/.cache/nvidia/GLCache/ rw,
+  owner @{HOME}/.cache/nvidia/GLCache/** rwk,
+  owner @{HOME}/.nv/ComputeCache/ w,
+  owner @{HOME}/.nv/ComputeCache/** rw,
+  owner @{HOME}/.nv/ComputeCache/index rwk,
+  owner @{HOME}/.nv/nvidia-application-profiles-* r,
+
+  @{sys}/devices/system/memory/block_size_bytes r,
+
+        @{PROC}/driver/nvidia/params r,
+        @{PROC}/sys/vm/max_map_count r,
+        @{PROC}/sys/vm/mmap_min_addr r,
+        @{PROC}/modules r,
+  owner @{PROC}/@{pid}/comm r,
+
+  /dev/char/195:@{int} w,  # Nvidia graphics devices
+  /dev/nvidia-modeset rw,
+  /dev/nvidia@{int} rw,
+  /dev/nvidiactl rw,
+
+  include if exists <abstractions/nvidia-strict.d>
--- a/apparmor.d/abstractions/vulkan-strict
+++ b/apparmor.d/abstractions/vulkan-strict
@ -0,0 +1,26 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+  /usr/share/egl/egl_external_platform.d/{,*.json} r,
+  /usr/share/glvnd/egl_vendor.d/{,*.json} r,
+  /usr/share/libdrm/*.ids r,
+  /usr/share/vulkan/explicit_layer.d/{,*.json} r,
+  /usr/share/vulkan/icd.d/{,*.json} r,
+  /usr/share/vulkan/implicit_layer.d/{,*.json} r,
+
+  /etc/glvnd/egl_vendor.d/{,*.json} r,
+  /etc/vulkan/explicit_layer.d/{,*.json} r,
+  /etc/vulkan/icd.d/{,*.json} r,
+  /etc/vulkan/implicit_layer.d/{,*.json} r,
+
+  owner @{user_share_dirs}/vulkan/implicit_layer.d/{,*.json} r,
+
+  @{sys}/class/ r,
+  @{sys}/class/drm/ r,
+  @{sys}/devices/@{pci}/drm/ r,
+  @{sys}/devices/@{pci}/drm/card@{int}/gt_{min,cur,max}_freq_mhz r,
+  @{sys}/devices/@{pci}/drm/card@{int}/metrics/ r,
+  @{sys}/devices/@{pci}/drm/card@{int}/metrics/@{uuid}/id r,
+
+  include if exists <abstractions/vulkan-strict.d>