[apparmor] Note: NVIDIA drivers are mapping user-writable files by default

Jamie Strandboge jamie at canonical.com
Mon Feb 12 17:40:00 UTC 2018


On Sun, 2018-02-11 at 12:42 +0200, Vincas Dargis wrote:
> On 2/8/18 11:25 PM, Jamie Strandboge wrote:
...

> So to wrap up, plan would be:
> 
> 1. Move `abstractions/nvidia` content into `nvidia-strict`.
> `nvidia-strict` should have a comment that it does not provide some NVIDIA
> optimizations and that some `deny` rules are recommended to be added
> manually. Else, suggest to use `nvidia` if really needed.
> 
> 2. Create new `abstractions/nvidia` that includes `nvidia-strict`.
> Add a _big_ warning documenting that it provides NVIDIA optimization that
> could potentially reduce security, suggest to use `nvidia-strict` for
> non-performance-critical applications instead.
> 
> In the future:
> 
> 3. Deny these optimizations in `nvidia-strict` by default, add overrides
> into `nvidia` abstraction when that becomes possible.
> 
> ACK?
> 
> Any more alternatives?
> 
> [0] https://gitlab.com/apparmor/apparmor/wikis/home#description

This is what I initially recommended but based on your later
investigations I later recommended something different. I now suggest
simply:

1. update the nvidia abstraction to have a comment that it does not
provide some NVIDIA optimizations and to either add `deny` rules
manually to silence the denials or add allow rules if you want the
optimizations. Both sets of rules would be commented out in the nvidia
abstraction under the aforementioned comment.

-- 
Jamie Strandboge             | http://www.canonical.com
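As an added illustration of the layout this suggestion describes (not the abstraction Jamie or the AppArmor project ship; the shader-cache path is an assumption standing in for whatever paths your own denials name):

```apparmor
# abstractions/nvidia (illustrative fragment, not the upstream file)
#
# This abstraction does not grant the NVIDIA cache optimizations. They
# require mapping ('m') files that the same user can also write, so any
# code running as that user could place content into a mapping the
# confined program later executes.
#
# Assumed path below: the driver's per-user shader cache. Replace it with
# the paths that actually appear in your audit log denials.
#
# To silence the denials without granting the optimization, uncomment:
#  deny owner @{HOME}/.nv/GLCache/** m,
#
# To enable the optimization (accepting the reduced confinement), uncomment:
#  owner @{HOME}/.nv/GLCache/** mrwk,
```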