[apparmor] Note: NVIDIA drivers are mapping user-writable files by default

Vincas Dargis vindrg at gmail.com
Sat Feb 17 16:08:43 UTC 2018


On 2/17/18 12:12 AM, John Johansen wrote:
> On 02/16/2018 12:50 PM, Vincas Dargis wrote:
>> If we stick to this conditionals approach, I believe we are targeting a fix for this NVIDIA issue no earlier than AppArmor 3.1, I guess?
>>
>> This being said, can (and should) we do anything "now", for the upcoming Ubuntu 18.04 LTS, and for anyone else being annoyed by these DENIED messages?
>>
>> Maybe we just add appropriate `allow` rules into `<abstractions/nvidia>`, probably reducing security for some applications without real need, but not too much, with the agreement that this temporary "over-permissiveness" is going to be fixed in the future by updating `<abstractions/nvidia>` to have these conditionals with error/assert messages?
>>
>> Tails or anyone else could just patch `<abstractions/nvidia>` or the specific application profile to add explicit denies on top if needed.
> 
> Well, error and warn are small patches; we could certainly sneak them into 3.0.
> 
> I do think addressing it temporarily is the way to go, whether it is by doing the above without the error statement or just going with temporary "over-permissiveness".
> 
> another thought on the error and warn statements is that they could be
> 
>    #error message
> and
>    #warn message
> 
> 
> so that they could be added now and just be ignored as comments in earlier versions of AppArmor.
> 

So the idea is to wait for 3.0 (BETA?) to implement this long-topic NVIDIA issue then? That would be a really nice way, I guess, to fix this in one go, instead of "temporary-stuff-and-real-fix-later".
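As an added illustration (not part of this thread and not the AppArmor project's own abstraction), this is the kind of downstream fragment the "explicit denies on top" idea refers to: an application profile keeps including the shared, permissive `<abstractions/nvidia>` and adds its own deny for the driver's user-writable cache. The path `@{HOME}/.nv/**` is an assumption standing in for whatever directory the driver actually maps; substitute the real one.

```apparmor
# Fragment to drop into an existing application profile (added example).
# The shared abstraction stays as-is; this profile withdraws only the
# mmap permission on the driver's user-writable cache. In AppArmor an
# explicit deny rule wins over any allow rule, including allows that
# an included abstraction contributes, regardless of rule order.
# Path is an assumption: replace it with the directory the driver maps.

  #include <abstractions/nvidia>

  # Refuse mapping (m) of anything under the user-writable cache.
  # Other permissions the abstraction grants on that path are untouched.
  # Plain "deny" is quiet by default; "audit deny" logs each blocked
  # mapping as DENIED so the effect on the application can be reviewed.
  audit deny owner @{HOME}/.nv/** m,
```

Reload the profile after editing (for example with `apparmor_parser -r` on the profile file) and watch the audit log to confirm the application still works without the mapping.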



More information about the AppArmor mailing list