mirror of
https://gitlab.com/apparmor/apparmor.git
synced 2025-03-04 08:24:42 +01:00
f1b4da2f64
Begin preparing policy for the 4.0 release. This may result in new denials. This is expected and needed to make sure policy is ready for the 4.0 release. Signed-off-by: John Johansen <john.johansen@canonical.com>
67 lines
1.2 KiB
Text
67 lines
1.2 KiB
Text
# vim:syntax=apparmor
|
|
|
|
abi <abi/4.0>,
|
|
|
|
include <tunables/global>
|
|
|
|
profile nvidia_modprobe {
|
|
include <abstractions/base>
|
|
|
|
# Capabilities
|
|
|
|
capability chown,
|
|
capability mknod,
|
|
capability setuid,
|
|
capability sys_admin,
|
|
|
|
# Main executable
|
|
|
|
/usr/bin/nvidia-modprobe mr,
|
|
|
|
# Other executables
|
|
|
|
/usr/bin/kmod Cx -> kmod,
|
|
|
|
# System files
|
|
|
|
/dev/nvidia-modeset w,
|
|
/dev/nvidia-uvm w,
|
|
/dev/nvidia-uvm-tools w,
|
|
@{sys}/bus/pci/devices/ r,
|
|
@{sys}/devices/pci[0-9]*/**/config r,
|
|
@{PROC}/devices r,
|
|
@{PROC}/driver/nvidia/params r,
|
|
@{PROC}/modules r,
|
|
@{PROC}/sys/kernel/modprobe r,
|
|
|
|
# Child profiles
|
|
|
|
profile kmod {
|
|
include <abstractions/base>
|
|
|
|
# Capabilities
|
|
|
|
capability sys_module,
|
|
|
|
# Main executable
|
|
|
|
/usr/bin/kmod mrix,
|
|
|
|
# Other executables
|
|
|
|
/{,usr/}bin/{,ba,da}sh ix,
|
|
|
|
# System files
|
|
|
|
/etc/modprobe.d/{,*.conf} r,
|
|
/etc/nvidia/{current,legacy*,tesla*}/*.conf r,
|
|
@{sys}/module/ipmi_devintf/initstate r,
|
|
@{sys}/module/ipmi_msghandler/initstate r,
|
|
@{sys}/module/{drm,nvidia}/initstate r,
|
|
@{PROC}/cmdline r,
|
|
}
|
|
|
|
# Site-specific additions and overrides. See local/README for details.
|
|
include if exists <local/nvidia_modprobe>
|
|
}
|
|
|