Vincas Dargis 8e50c351e1 nvidia_modprobe: update for driver families and /sys path ... Debian have split NVIDIA drivers into current, tesla and legacy: ``` $ apt-file search /etc/nvidia/ | grep -P -o -e "(?<=/etc/nvidia/).[^/]*/" | sort -u current/ current-open/ legacy-340xx/ legacy-390xx/ tesla/ tesla-418/ tesla-450/ tesla-460/ tesla-470/ tesla-510/ ``` These paths are used by nvidia_modprobe -> kmod: ``` type=AVC msg=audit(1676135718.796:2592): apparmor="DENIED" operation="open" profile="nvidia_modprobe//kmod" name="/etc/nvidia/tesla-470/nvidia-blacklists-nouveau.conf" pid=62094 comm="modprobe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0FSUID="root" OUID="root" type=AVC msg=audit(1676135718.796:2593): apparmor="DENIED" operation="open" profile="nvidia_modprobe//kmod" name="/etc/nvidia/tesla-470/nvidia-options.conf" pid=62094 comm="modprobe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0FSUID="root" OUID="root" type=AVC msg=audit(1676135718.796:2594): apparmor="DENIED" operation="open" profile="nvidia_modprobe//kmod" name="/etc/nvidia/tesla-470/nvidia-modprobe.conf" pid=62094 comm="modprobe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0FSUID="root" OUID="root" ``` Also, additional /sys path is accessed: ``` type=AVC msg=audit(1676136251.680:2956): apparmor="DENIED" operation="open" profile="nvidia_modprobe//kmod" name="/sys/module/drm/initstate" pid=63642 comm="modprobe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0FSUID="root" OUID="root" ``` Update nvidia_modprobe profile to this these denials.		2023-02-11 19:42:58 +02:00
..
apparmor/profiles/extras	postfix-tlsmgr: allow reading openssl.cnf	2023-02-07 12:48:33 +01:00
apparmor.d	nvidia_modprobe: update for driver families and /sys path	2023-02-11 19:42:58 +02:00
Makefile	Check if extra profiles have a local/ include	2023-02-02 13:33:58 +01:00