Add OpenCL abstractions

profiles/apparmor.d/abstractions/opencl

@@ -0,0 +1,9 @@
+# vim:syntax=apparmor
+# OpenCL access requirements
+
+  # TODO: use conditionals to select allowed implementations
+  #include <abstractions/opencl-intel>
+  #include <abstractions/opencl-mesa>
+  #include <abstractions/opencl-nvidia>
+  #include <abstractions/opencl-pocl>
+

profiles/apparmor.d/abstractions/opencl-common

@@ -0,0 +1,10 @@
+# vim:syntax=apparmor
+# implementation-independent OpenCL access requirements
+
+  # System files
+
+  /etc/OpenCL/** r,
+  /sys/bus/pci/devices/ r, # libpocl.so -> libhwlock.so, libnvidia-opencl.so, beignet/libcl.so -> libdrm_intel.so
+  /sys/devices/system/node/ r, # for clGetPlatformIDs() from libOpenCL.so
+  /sys/devices/system/node/node[0-9]*/meminfo r, # for clGetPlatformIDs() from libOpenCL.so
+

profiles/apparmor.d/abstractions/opencl-intel

@@ -0,0 +1,17 @@
+# vim:syntax=apparmor
+# OpenCL access requirements for Intel implementation
+
+  #include <abstractions/opencl-common>
+
+  # for libcl.so (libOpenCL.so -> beignet/libcl.so calls XOpenDisplay())
+  #include <abstractions/X>
+
+  # for libOpenCL.so -> beignet/libcl.so -> libpciaccess.so
+  #include <abstractions/dri-enumerate>
+
+  # System files
+
+  /dev/dri/card[0-9]* rw, # beignet/libcl.so
+  /sys/devices/pci[0-9]*/**/{class,config,resource,revision} r, # libcl.so -> libdrm_intel.so -> libpciaccess.so (move to dri-enumerate ?)
+  /usr/lib/@{multiarch}/beignet/** r,
+

profiles/apparmor.d/abstractions/opencl-mesa

@@ -0,0 +1,20 @@
+# vim:syntax=apparmor
+# OpenCL access requirements for Mesa implementation
+
+  #include <abstractions/opencl-common>
+
+  # Additional libraries
+
+  /usr/lib/@{multiarch}/gallium-pipe/*.so mr, # libMesaOpenCL.so
+  /usr/lib{,64}/gallium-pipe/*.so mr, # libMesaOpenCL.so on openSUSE
+
+  # System files
+
+  /dev/dri/ r, # libMesaOpenCL.so -> libdrm.so
+  /dev/dri/render* rw, # libMesaOpenCL.so
+  /etc/drirc r, # libMesaOpenCL.so
+
+  # User files
+
+  owner @{HOME}/.cache/mesa_shader_cache/{,**} rw, # libMesaOpenCL.so -> pipe_nouveau.so
+

profiles/apparmor.d/abstractions/opencl-nvidia

@@ -0,0 +1,27 @@
+# vim:syntax=apparmor
+# OpenCL access requirements for NVIDIA implementation
+
+  #include <abstractions/nvidia>
+  #include <abstractions/opencl-common>
+
+  # Executables
+
+  /usr/bin/nvidia-modprobe PUx,
+
+  # System files
+
+  # libnvidia-opencl.so rules:
+  /dev/nvidia-uvm rw,
+  /dev/nvidia-uvm-tools rw,
+  /sys/devices/pci[0-9]*/**/config r,
+  /sys/devices/system/memory/block_size_bytes r,
+  /usr/share/nvidia/** r,
+  @{PROC}/devices r,
+  @{PROC}/sys/vm/mmap_min_addr r,
+
+  # User files
+
+  owner @{HOME}/.nv/ComputeCache/ w,
+  owner @{HOME}/.nv/ComputeCache/** rw,
+  owner @{HOME}/.nv/ComputeCache/index rwk,
+

profiles/apparmor.d/abstractions/opencl-pocl

@@ -0,0 +1,76 @@
+# vim:syntax=apparmor
+# OpenCL access requirements for POCL implementation
+
+  #include <abstractions/opencl-common>
+
+  # Executables
+
+  /usr/bin/{,@{multiarch}-}ld.bfd Cx -> opencl_pocl_ld,
+  /usr/lib/llvm-[0-9]*.[0-9]*/bin/clang Cx -> opencl_pocl_clang,
+
+  # System files
+
+  / r, # libpocl.so -> libhwloc.so
+  /sys/bus/pci/slots/ r, # libpocl.so -> hwloc_topology_load() from libhwloc.so
+  /sys/bus/{cpu,node}/devices/ r, # libpocl.so -> libhwlock.so
+  /sys/class/net/ r, # libpocl.so -> hwloc_pci_traverse_lookuposdevices_cb() from libhwloc.so
+  /sys/devices/pci[0-9]*/**/ r, # for libpocl ->  hwloc_linux_lookup_block_class() from libhwloc.so
+  /sys/devices/pci[0-9]*/**/block/*/dev r, # libpocl.so -> hwloc_linux_lookup_host_block_class() from libhwloc.so
+  /sys/devices/pci[0-9]*/**/{class,local_cpus} r, # libpocl.so -> libhwlock.so
+  /sys/devices/pci[0-9]*/*/net/*/address r, # libpocl.so ->  hwloc_pci_traverse_lookuposdevices_cb() from libhwloc.so
+  /sys/devices/system/cpu/ r, # libpocl.so -> libnuma.so
+  /sys/devices/system/cpu/cpu[0-9]*/cache/index[0-9]*/* r, # libpocl.so -> libhwloc.so
+  /sys/devices/system/cpu/cpu[0-9]*/online r, # libpocl.so -> libhwlock.so
+  /sys/devices/system/cpu/cpu[0-9]*/topology/* r, # *_siblings, physical_package_id and lot's of others, for libpocl.so -> libhwloc.so
+  /sys/devices/system/cpu/cpufreq/policy[0-9]*/* r, # for clGetPlatformIDs() from libpocl.so
+  /sys/devices/system/cpu/possible r, # libpocl.so -> libhwloc.so
+  /sys/devices/virtual/dmi/id/{,*} r, # libpocl.so -> libhwloc.so
+  /sys/fs/cgroup/cpuset/cpuset.{cpus,mems} r, # libpocl.so -> libhwloc.so
+  /sys/kernel/mm/hugepages{/,/**} r, # libpocl.so -> libhwloc.so
+  /usr/share/pocl/** r,
+  /{,var/}run/udev/data/*:* r, # libpocl.so -> hwloc_linux_block_class_fillinfos() from libhwloc.so
+
+  # User files
+
+  owner @{HOME}/.cache/pocl/ w,
+  owner @{HOME}/.cache/pocl/kcache/ w,
+  owner @{HOME}/.cache/pocl/kcache/** rw,
+  owner @{HOME}/.cache/pocl/kcache/**.so mrw, # dangerous!
+  owner @{PROC}/@{pid}/{cgroup,cpuset,status} r, # libpocl.so -> libhwloc.so, status for libpocl.so -> libnuma.so
+
+  # Child profiles
+
+  profile opencl_pocl_ld {
+    #include <abstractions/base>
+
+    # Main executables
+
+    /usr/bin/{,@{multiarch}-}ld.bfd mr,
+
+    # User files
+
+    owner @{HOME}/.cache/pocl/kcache/tempfile*.so rw,
+    owner @{HOME}/.cache/pocl/kcache/**.so.o r,
+  }
+
+  profile opencl_pocl_clang {
+    #include <abstractions/base>
+
+    # Main executables
+
+    /usr/lib/llvm-[0-9]*.[0-9]*/bin/clang mr,
+
+    # Additional executables
+
+    //usr/bin/{,@{multiarch}-}ld.bfd ix, # TODO: transfer to opencl_ld child profile?
+
+    # System files
+
+    /etc/debian-version r,
+    /etc/lsb-release r,
+
+    # User files
+
+    owner @{HOME}/.cache/pocl/kcache/*/*/*/*/*.so{,.o} rw,
+  }
+