Merge branch 'opencl-nvidia-update' into 'master'

Use nvidia_modprobe named profile inside opencl-nvidia abstraction Commit 8f9bd5b0 rightfully removed PUx transition into nvidia-modprobe executable due to security concerns. To overcome this, commit 327420b1 added named nvidia_modprobe profile, which allows to use this abstraction without requiring additional rules to make OpenCL work with NVIDIA drivers. Add rule to allow Px transition into nvidia_modprobe profile for nvidia-modprobe executable. I propose this for 2.13..master (opencl* are only available in 2.13...). Please check if nvidia_modprobe is already backported. https://gitlab.com/apparmor/apparmor/merge_requests/219 Acked-by: John Johansen <john.johansen@canonical.com>
2025-03-04 08:24:42 +01:00 · 2018-10-05 06:46:43 +00:00 · 2018-10-05 06:46:43 +00:00 · 5718aa04ed
commit 5718aa04ed
parent 97c1591f0e e4b1cadf63
1 changed files with 2 additions and 5 deletions
--- a/profiles/apparmor.d/abstractions/opencl-nvidia
+++ b/profiles/apparmor.d/abstractions/opencl-nvidia
@ -8,11 +8,8 @@

  # https://github.com/NVIDIA/nvidia-modprobe
  # This setuid executable is used to create various device files and load the
-  # the nvidia kernel module and is therefore not appropriate for a general
-  # purpose abstraction. Confined applications currently need to add this rule
-  # in their policy. At some point, a profile may be provided for this command
-  # such that Px would succeed.
-  #/usr/bin/nvidia-modprobe Pix,
+  # the nvidia kernel module.
+  /usr/bin/nvidia-modprobe Px -> nvidia_modprobe,

  # System files