mirrors/apparmor
1
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor.git synced 2025-03-04 16:35:02 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
5642 commits 23 branches 109 tags 32 MiB
Commit graph

7 commits

Author SHA1 Message Date
Vincas Dargis
e6dbe3bfd3 nvidia_modprobe: allow creating /dev/nvidia-modeset 
On Debian Sid we get this denial:

```
type=AVC msg=audit(1599065006.981:527): apparmor="DENIED"
operation="mknod" profile="nvidia_modprobe" name="/dev/nvidia-modeset"
pid=12969 comm="nvidia-modprobe" requested_mask="c" denied_mask="c"
fsuid=0 ouid=0
```

Update nvidia_modprobe profile to allow creating device file.
 2020-09-03 18:20:33 +03:00
Vincas Dargis
a98a4f734f nvidia_modprobe: allow reading driver parameters 
On Debian Sid nvidia_modprobe is not permissive enough:

```
type=AVC msg=audit(1598788812.837:495): apparmor="DENIED"
operation="open" profile="nvidia_modprobe"
name="/proc/driver/nvidia/params" pid=31586 comm="nvidia-modprobe"
requested_mask="r" denied_mask="r" fsuid=0 ouid=0
```

Update profile to all reading /proc/driver/nvidia/params

Fixes Debian bug 969267 [0]

[0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=969267
 2020-08-30 19:24:29 +03:00
Christian Boltz
f0491d0d64
Change #include to include in active profiles 2020-06-09 23:30:24 +02:00
John Johansen
730db17607 policy: tag policy with the AppArmor 3.0 abi 
Tag profiles and abstractions with abi information.

Tagging abstractions is not strictly necessary but allows the parser
to detect when their is a mismatch and that policy will need an
update for abi.

We do not currently tag the tunables because variable declarations
are not currently affected by abi.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/491
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
 2020-05-29 00:23:17 -07:00
Christian Boltz
110d6d214c
switch local includes to "include if exists" 2020-05-03 22:01:13 +02:00
Vincas Dargis
2438179b76 Use @{sys} tunable in profiles and abstractions 
Commit aa06528790 made @{sys} tunable
available by default.

Update profiles and abstractions to actually use @{sys} tunable for
better confinement in the future (when @{sys} becomes kernel var).

Closes LP#1728551
 2018-11-08 20:04:46 +02:00
Vincas Dargis
327420b151 Add nvidia_modprobe named profile 
nvidia-modprobe is setuid executable is used to create various device
files and load the the NVIDIA kernel module
(https://github.com/NVIDIA/nvidia-modprobe).

Add named profile to be used in application profiles for confining
potentially risky setuid application.
 2018-10-02 20:29:10 +03:00