[apparmor] Note: NVIDIA drivers are mapping user-writable files by default
Vincas Dargis
vindrg at gmail.com
Fri Feb 16 14:44:56 UTC 2018
On 2/11/18 11:38 PM, John Johansen wrote:
> On 02/11/2018 02:42 AM, Vincas Dargis wrote:
>> So to wrap up, plan would be:
>>
>> 1. Move `abstactions/nvidia` content into `nvidia-strict`. `nvidia-strict` should have comment that it does not provide some NVIDIA optimizations and some `deny` rules are recommended to be added manually. Else, suggest to use `nvidia` if really needed.
>>
>> 2. Create new `abstractions/nvidia` that includes `nvidia-strict`. Add a _big_ warning documenting that it provides NVIDIA optimization that could potentially reduce security, suggest to use `nvidia-strict` for non-performance-critical applications instead.
>>
>> In the future:
>>
>> 3. Deny these optimizations in `nvidia-strict` by default, add overrides into `nvidia` abstraction when that's becomes possible.
>>
>> ACK?
>>
>> Any more alternatives?
>>
>> [0] https://gitlab.com/apparmor/apparmor/wikis/home#description
>>
>
> I'm not against the plan, I do worry about being too strict causing problems, and I think the tunable + conditional might (I am not sure yet) a better way to go
Could you give example how this tunable + conditional would look like?
Would this be per-machine or per policy decision (probably the latter)?
Now for the Jamie suggestion:
On 2/12/18 7:40 PM, Jamie Strandboge wrote:
> This is what I initially recommended but based on your later
> investigations I later recommended something different. I now suggest
> simply:
>
> 1. update the nvidia abstraction to have comment that it does not
> provide some NVIDIA optimizations and to either add `deny` rules
> manually to silence the denials or add allow rules if want the
> optimizations. Both sets of rules would be commented out in the nvidia
> abstraction under the aforementioned comment.
>
Sorry, I misunderstood your suggestion. So it's basically approach using
documentation only?
There could be another approach without "deny and then override" that
John didn't show affection for:
1. <abstractons/nvidia> Left unchanged, except maybe adding info about
missing permissions for possibly unsafe optimization, hint how to fix that
2.a new <abstractions/nvidia-with-optimizations> abstraction that
includes <abstractions/nvidia> and allows rules for optimizations.
2.b new <abstractions/nvidia-without-optimizations> abstraction that
includes <abstractions/nvidia> and denies optmiziations.
usr.bin.thunderbird could be updated to change "nvidia" into
"nvidia-without-optimizations" and "usr.lib.ioquake3.ioquake3" could be
updated to include "nvidia-with-optimizations" instead.
Now I'm still interested in that "tunable + conditiona"l, though I would
like to see how that would work. It smells like something more modern
and cleaner approach? :)
More information about the AppArmor
mailing list