mirror of
https://gitlab.com/apparmor/apparmor.git
synced 2025-03-04 16:35:02 +01:00
e6dbe3bfd3
On Debian Sid we get this denial: ``` type=AVC msg=audit(1599065006.981:527): apparmor="DENIED" operation="mknod" profile="nvidia_modprobe" name="/dev/nvidia-modeset" pid=12969 comm="nvidia-modprobe" requested_mask="c" denied_mask="c" fsuid=0 ouid=0 ``` Update nvidia_modprobe profile to allow creating device file.
67 lines
1.2 KiB
Text
67 lines
1.2 KiB
Text
# vim:syntax=apparmor
|
|
|
|
abi <abi/3.0>,
|
|
|
|
include <tunables/global>
|
|
|
|
profile nvidia_modprobe {
|
|
include <abstractions/base>
|
|
|
|
# Capabilities
|
|
|
|
capability chown,
|
|
capability mknod,
|
|
capability setuid,
|
|
capability sys_admin,
|
|
|
|
# Main executable
|
|
|
|
/usr/bin/nvidia-modprobe mr,
|
|
|
|
# Other executables
|
|
|
|
/usr/bin/kmod Cx -> kmod,
|
|
|
|
# System files
|
|
|
|
/dev/nvidia-modeset w,
|
|
/dev/nvidia-uvm w,
|
|
/dev/nvidia-uvm-tools w,
|
|
@{sys}/bus/pci/devices/ r,
|
|
@{sys}/devices/pci[0-9]*/**/config r,
|
|
@{PROC}/devices r,
|
|
@{PROC}/driver/nvidia/params r,
|
|
@{PROC}/modules r,
|
|
@{PROC}/sys/kernel/modprobe r,
|
|
|
|
# Child profiles
|
|
|
|
profile kmod {
|
|
include <abstractions/base>
|
|
|
|
# Capabilities
|
|
|
|
capability sys_module,
|
|
|
|
# Main executable
|
|
|
|
/usr/bin/kmod mrix,
|
|
|
|
# Other executables
|
|
|
|
/{,usr/}bin/{,ba,da}sh ix,
|
|
|
|
# System files
|
|
|
|
/etc/modprobe.d/{,*.conf} r,
|
|
/etc/nvidia/current/*.conf r,
|
|
@{sys}/module/ipmi_devintf/initstate r,
|
|
@{sys}/module/ipmi_msghandler/initstate r,
|
|
@{sys}/module/nvidia/initstate r,
|
|
@{PROC}/cmdline r,
|
|
}
|
|
|
|
# Site-specific additions and overrides. See local/README for details.
|
|
include if exists <local/nvidia_modprobe>
|
|
}
|
|
|