apparmor/profiles/apparmor.d/nvidia_modprobe

# vim:syntax=apparmor

abi <abi/4.0>,

include <tunables/global>

profile nvidia_modprobe {
  include <abstractions/base>

  # Capabilities

  capability chown,
  capability mknod,
  capability setuid,
  capability sys_admin,

  # Main executable

  /usr/bin/nvidia-modprobe mr,

  # Other executables

  /usr/bin/kmod Cx -> kmod,

  # System files

  /dev/nvidia-modeset w,
  /dev/nvidia-uvm w,
  /dev/nvidia-uvm-tools w,
  @{sys}/bus/pci/devices/ r,
  @{sys}/devices/pci[0-9]*/**/config r,
  @{PROC}/devices r,
  @{PROC}/driver/nvidia/params r,
  @{PROC}/modules r,
  @{PROC}/sys/kernel/modprobe r,

  # Child profiles

  profile kmod {
    include <abstractions/base>

    # Capabilities

    capability sys_module,

    # Main executable

    /usr/bin/kmod mrix,

    # Other executables

    /{,usr/}bin/{,ba,da}sh ix,

    # System files

    /etc/modprobe.d/{,*.conf} r,
    /etc/nvidia/{current,legacy*,tesla*}/*.conf r,
    @{sys}/module/ipmi_devintf/initstate r,
    @{sys}/module/ipmi_msghandler/initstate r,
    @{sys}/module/{drm,nvidia}/initstate r,
    @{PROC}/cmdline r,
  }

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/nvidia_modprobe>
}
Add nvidia_modprobe named profile nvidia-modprobe is setuid executable is used to create various device files and load the the NVIDIA kernel module (https://github.com/NVIDIA/nvidia-modprobe). Add named profile to be used in application profiles for confining potentially risky setuid application. 2018-09-30 14:17:30 +03:00			`# vim:syntax=apparmor`

policy: update to use 4.0 abi Begin preparing policy for the 4.0 release. This may result in new denials. This is expected and needed to make sure policy is ready for the 4.0 release. Signed-off-by: John Johansen <john.johansen@canonical.com> 2023-06-30 23:36:12 -07:00			`abi <abi/4.0>,`
policy: tag policy with the AppArmor 3.0 abi Tag profiles and abstractions with abi information. Tagging abstractions is not strictly necessary but allows the parser to detect when their is a mismatch and that policy will need an update for abi. We do not currently tag the tunables because variable declarations are not currently affected by abi. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/491 Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Steve Beattie <sbeattie@ubuntu.com> 2020-05-05 00:08:39 -07:00
Change `#include` to `include` in active profiles 2020-06-09 23:30:24 +02:00			`include <tunables/global>`
Add nvidia_modprobe named profile nvidia-modprobe is setuid executable is used to create various device files and load the the NVIDIA kernel module (https://github.com/NVIDIA/nvidia-modprobe). Add named profile to be used in application profiles for confining potentially risky setuid application. 2018-09-30 14:17:30 +03:00
			`profile nvidia_modprobe {`
Change `#include` to `include` in active profiles 2020-06-09 23:30:24 +02:00			`include <abstractions/base>`
Add nvidia_modprobe named profile nvidia-modprobe is setuid executable is used to create various device files and load the the NVIDIA kernel module (https://github.com/NVIDIA/nvidia-modprobe). Add named profile to be used in application profiles for confining potentially risky setuid application. 2018-09-30 14:17:30 +03:00
			`# Capabilities`

			`capability chown,`
			`capability mknod,`
			`capability setuid,`
			`capability sys_admin,`

			`# Main executable`

			`/usr/bin/nvidia-modprobe mr,`

			`# Other executables`

			`/usr/bin/kmod Cx -> kmod,`

			`# System files`

nvidia_modprobe: allow creating /dev/nvidia-modeset On Debian Sid we get this denial: ``` type=AVC msg=audit(1599065006.981:527): apparmor="DENIED" operation="mknod" profile="nvidia_modprobe" name="/dev/nvidia-modeset" pid=12969 comm="nvidia-modprobe" requested_mask="c" denied_mask="c" fsuid=0 ouid=0 ``` Update nvidia_modprobe profile to allow creating device file. 2020-09-03 18:20:33 +03:00			`/dev/nvidia-modeset w,`
Add nvidia_modprobe named profile nvidia-modprobe is setuid executable is used to create various device files and load the the NVIDIA kernel module (https://github.com/NVIDIA/nvidia-modprobe). Add named profile to be used in application profiles for confining potentially risky setuid application. 2018-09-30 14:17:30 +03:00			`/dev/nvidia-uvm w,`
			`/dev/nvidia-uvm-tools w,`
Use @{sys} tunable in profiles and abstractions Commit aa065287909f6a3115bfaf02bee85d323e46b706 made @{sys} tunable available by default. Update profiles and abstractions to actually use @{sys} tunable for better confinement in the future (when @{sys} becomes kernel var). Closes LP#1728551 2018-11-08 20:00:45 +02:00			`@{sys}/bus/pci/devices/ r,`
			`@{sys}/devices/pci[0-9]/*/config r,`
Add nvidia_modprobe named profile nvidia-modprobe is setuid executable is used to create various device files and load the the NVIDIA kernel module (https://github.com/NVIDIA/nvidia-modprobe). Add named profile to be used in application profiles for confining potentially risky setuid application. 2018-09-30 14:17:30 +03:00			`@{PROC}/devices r,`
nvidia_modprobe: allow reading driver parameters On Debian Sid nvidia_modprobe is not permissive enough: ``` type=AVC msg=audit(1598788812.837:495): apparmor="DENIED" operation="open" profile="nvidia_modprobe" name="/proc/driver/nvidia/params" pid=31586 comm="nvidia-modprobe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 ``` Update profile to all reading /proc/driver/nvidia/params Fixes Debian bug 969267 [0] [0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=969267 2020-08-30 19:24:29 +03:00			`@{PROC}/driver/nvidia/params r,`
Add nvidia_modprobe named profile nvidia-modprobe is setuid executable is used to create various device files and load the the NVIDIA kernel module (https://github.com/NVIDIA/nvidia-modprobe). Add named profile to be used in application profiles for confining potentially risky setuid application. 2018-09-30 14:17:30 +03:00			`@{PROC}/modules r,`
			`@{PROC}/sys/kernel/modprobe r,`

			`# Child profiles`

			`profile kmod {`
Change `#include` to `include` in active profiles 2020-06-09 23:30:24 +02:00			`include <abstractions/base>`
Add nvidia_modprobe named profile nvidia-modprobe is setuid executable is used to create various device files and load the the NVIDIA kernel module (https://github.com/NVIDIA/nvidia-modprobe). Add named profile to be used in application profiles for confining potentially risky setuid application. 2018-09-30 14:17:30 +03:00
			`# Capabilities`

			`capability sys_module,`

			`# Main executable`

			`/usr/bin/kmod mrix,`

			`# Other executables`

			`/{,usr/}bin/{,ba,da}sh ix,`

			`# System files`

			`/etc/modprobe.d/{,*.conf} r,`
nvidia_modprobe: update for driver families and /sys path Debian have split NVIDIA drivers into current, tesla and legacy: ``` $ apt-file search /etc/nvidia/ \| grep -P -o -e "(?<=/etc/nvidia/).[^/]*/" \| sort -u current/ current-open/ legacy-340xx/ legacy-390xx/ tesla/ tesla-418/ tesla-450/ tesla-460/ tesla-470/ tesla-510/ ``` These paths are used by nvidia_modprobe -> kmod: ``` type=AVC msg=audit(1676135718.796:2592): apparmor="DENIED" operation="open" profile="nvidia_modprobe//kmod" name="/etc/nvidia/tesla-470/nvidia-blacklists-nouveau.conf" pid=62094 comm="modprobe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0FSUID="root" OUID="root" type=AVC msg=audit(1676135718.796:2593): apparmor="DENIED" operation="open" profile="nvidia_modprobe//kmod" name="/etc/nvidia/tesla-470/nvidia-options.conf" pid=62094 comm="modprobe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0FSUID="root" OUID="root" type=AVC msg=audit(1676135718.796:2594): apparmor="DENIED" operation="open" profile="nvidia_modprobe//kmod" name="/etc/nvidia/tesla-470/nvidia-modprobe.conf" pid=62094 comm="modprobe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0FSUID="root" OUID="root" ``` Also, additional /sys path is accessed: ``` type=AVC msg=audit(1676136251.680:2956): apparmor="DENIED" operation="open" profile="nvidia_modprobe//kmod" name="/sys/module/drm/initstate" pid=63642 comm="modprobe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0FSUID="root" OUID="root" ``` Update nvidia_modprobe profile to this these denials. 2023-02-11 19:42:58 +02:00			`/etc/nvidia/{current,legacy,tesla}/*.conf r,`
Use @{sys} tunable in profiles and abstractions Commit aa065287909f6a3115bfaf02bee85d323e46b706 made @{sys} tunable available by default. Update profiles and abstractions to actually use @{sys} tunable for better confinement in the future (when @{sys} becomes kernel var). Closes LP#1728551 2018-11-08 20:00:45 +02:00			`@{sys}/module/ipmi_devintf/initstate r,`
			`@{sys}/module/ipmi_msghandler/initstate r,`
nvidia_modprobe: update for driver families and /sys path Debian have split NVIDIA drivers into current, tesla and legacy: ``` $ apt-file search /etc/nvidia/ \| grep -P -o -e "(?<=/etc/nvidia/).[^/]*/" \| sort -u current/ current-open/ legacy-340xx/ legacy-390xx/ tesla/ tesla-418/ tesla-450/ tesla-460/ tesla-470/ tesla-510/ ``` These paths are used by nvidia_modprobe -> kmod: ``` type=AVC msg=audit(1676135718.796:2592): apparmor="DENIED" operation="open" profile="nvidia_modprobe//kmod" name="/etc/nvidia/tesla-470/nvidia-blacklists-nouveau.conf" pid=62094 comm="modprobe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0FSUID="root" OUID="root" type=AVC msg=audit(1676135718.796:2593): apparmor="DENIED" operation="open" profile="nvidia_modprobe//kmod" name="/etc/nvidia/tesla-470/nvidia-options.conf" pid=62094 comm="modprobe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0FSUID="root" OUID="root" type=AVC msg=audit(1676135718.796:2594): apparmor="DENIED" operation="open" profile="nvidia_modprobe//kmod" name="/etc/nvidia/tesla-470/nvidia-modprobe.conf" pid=62094 comm="modprobe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0FSUID="root" OUID="root" ``` Also, additional /sys path is accessed: ``` type=AVC msg=audit(1676136251.680:2956): apparmor="DENIED" operation="open" profile="nvidia_modprobe//kmod" name="/sys/module/drm/initstate" pid=63642 comm="modprobe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0FSUID="root" OUID="root" ``` Update nvidia_modprobe profile to this these denials. 2023-02-11 19:42:58 +02:00			`@{sys}/module/{drm,nvidia}/initstate r,`
Add nvidia_modprobe named profile nvidia-modprobe is setuid executable is used to create various device files and load the the NVIDIA kernel module (https://github.com/NVIDIA/nvidia-modprobe). Add named profile to be used in application profiles for confining potentially risky setuid application. 2018-09-30 14:17:30 +03:00			`@{PROC}/cmdline r,`
			`}`

			`# Site-specific additions and overrides. See local/README for details.`
switch local includes to "include if exists" 2020-04-28 22:25:27 +02:00			`include if exists <local/nvidia_modprobe>`
Add nvidia_modprobe named profile nvidia-modprobe is setuid executable is used to create various device files and load the the NVIDIA kernel module (https://github.com/NVIDIA/nvidia-modprobe). Add named profile to be used in application profiles for confining potentially risky setuid application. 2018-09-30 14:17:30 +03:00			`}`