
Debian have split NVIDIA drivers into current, tesla and legacy: ``` $ apt-file search /etc/nvidia/ | grep -P -o -e "(?<=/etc/nvidia/).[^/]*/" | sort -u current/ current-open/ legacy-340xx/ legacy-390xx/ tesla/ tesla-418/ tesla-450/ tesla-460/ tesla-470/ tesla-510/ ``` These paths are used by nvidia_modprobe -> kmod: ``` type=AVC msg=audit(1676135718.796:2592): apparmor="DENIED" operation="open" profile="nvidia_modprobe//kmod" name="/etc/nvidia/tesla-470/nvidia-blacklists-nouveau.conf" pid=62094 comm="modprobe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0FSUID="root" OUID="root" type=AVC msg=audit(1676135718.796:2593): apparmor="DENIED" operation="open" profile="nvidia_modprobe//kmod" name="/etc/nvidia/tesla-470/nvidia-options.conf" pid=62094 comm="modprobe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0FSUID="root" OUID="root" type=AVC msg=audit(1676135718.796:2594): apparmor="DENIED" operation="open" profile="nvidia_modprobe//kmod" name="/etc/nvidia/tesla-470/nvidia-modprobe.conf" pid=62094 comm="modprobe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0FSUID="root" OUID="root" ``` Also, an additional /sys path is accessed: ``` type=AVC msg=audit(1676136251.680:2956): apparmor="DENIED" operation="open" profile="nvidia_modprobe//kmod" name="/sys/module/drm/initstate" pid=63642 comm="modprobe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0FSUID="root" OUID="root" ``` Update nvidia_modprobe profile to fix these denials. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/983 Approved-by: Christian Boltz <apparmor@cboltz.de> Merged-by: Christian Boltz <apparmor@cboltz.de> (cherry picked from commit94d2faab71
)8e50c351
nvidia_modprobe: update for driver families and /sys path
67 lines
1.2 KiB
Text
# vim:syntax=apparmor
|
|
|
|
abi <abi/3.0>,
|
|
|
|
include <tunables/global>
|
|
|
|
profile nvidia_modprobe {
|
|
include <abstractions/base>
|
|
|
|
# Capabilities
|
|
|
|
capability chown,
|
|
capability mknod,
|
|
capability setuid,
|
|
capability sys_admin,
|
|
|
|
# Main executable
|
|
|
|
/usr/bin/nvidia-modprobe mr,
|
|
|
|
# Other executables
|
|
|
|
/usr/bin/kmod Cx -> kmod,
|
|
|
|
# System files
|
|
|
|
/dev/nvidia-modeset w,
|
|
/dev/nvidia-uvm w,
|
|
/dev/nvidia-uvm-tools w,
|
|
@{sys}/bus/pci/devices/ r,
|
|
@{sys}/devices/pci[0-9]*/**/config r,
|
|
@{PROC}/devices r,
|
|
@{PROC}/driver/nvidia/params r,
|
|
@{PROC}/modules r,
|
|
@{PROC}/sys/kernel/modprobe r,
|
|
|
|
# Child profiles
|
|
|
|
profile kmod {
|
|
include <abstractions/base>
|
|
|
|
# Capabilities
|
|
|
|
capability sys_module,
|
|
|
|
# Main executable
|
|
|
|
/usr/bin/kmod mrix,
|
|
|
|
# Other executables
|
|
|
|
/{,usr/}bin/{,ba,da}sh ix,
|
|
|
|
# System files
|
|
|
|
/etc/modprobe.d/{,*.conf} r,
|
|
/etc/nvidia/{current,legacy*,tesla*}/*.conf r,
|
|
@{sys}/module/ipmi_devintf/initstate r,
|
|
@{sys}/module/ipmi_msghandler/initstate r,
|
|
@{sys}/module/{drm,nvidia}/initstate r,
|
|
@{PROC}/cmdline r,
|
|
}
|
|
|
|
# Site-specific additions and overrides. See local/README for details.
|
|
include if exists <local/nvidia_modprobe>
|
|
}
|
|
|
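Review bot: The new `/etc/nvidia/{current,legacy*,tesla*}/*.conf r,` rule in the kmod child profile does not cover the `current-open/` directory that the description's apt-file listing shows, because `current` in the alternation has no trailing wildcard and only matches that exact name; a system using the open-kernel-module packaging would still hit the same `nvidia_modprobe//kmod` open denials for its `*.conf` files. Changing the first alternative to `current*` closes that gap while keeping the rule read-only: `/etc/nvidia/{current*,legacy*,tesla*}/*.conf r,`. The quoted denials are only for three `nvidia-*.conf` files, so `*.conf` is slightly broader than strictly needed; that seems acceptable for read access to root-owned configuration (ouid=0 in the audit records), but a short comment above the rule naming the layout the globs track, e.g. `# Debian driver families: current[-open], legacy-NNNxx, tesla[-NNN]`, would help whoever next extends it.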