[apparmor] Note: NVIDIA drivers are mapping user-writable files by default

John Johansen john.johansen at canonical.com
Sat Feb 17 18:07:53 UTC 2018


On 02/17/2018 08:08 AM, Vincas Dargis wrote:
> On 2/17/18 12:12 AM, John Johansen wrote:
>> On 02/16/2018 12:50 PM, Vincas Dargis wrote:
>>> If we stick to this conditionals approach, I believe we are targeting a fix for this NVIDIA issue no earlier than AppArmor 3.1, I guess?
>>>
>>> This being said, can (and should) we do anything "now", for upcoming Ubuntu 18.04 LTS, and anyone else being annoyed by these DENIED messages?
>>>
>>> Maybe we just add appropriate `allow` rules into `<abstractions/nvidia>`, probably reducing security for some applications without real need too much, but with the agreement that this temporary "over-permissiveness" is going to be fixed in the future, by updating `<abstractions/nvidia>` to have these conditionals with error/assert messages?
>>>
>>> Tails or anyone else could just patch <abstractions/nvidia> or specific application profile to add explicit denies on the top if needed.
>>
>> Well, error and warn are small patches we could certainly sneak into 3.0.
>>
>> I do think addressing it temporarily is the way to go, whether it is by doing the above without the error statement or just going with temporary "over-permissiveness"
>>
>> another thought on the error and warn statements is that they could be
>>
>>    #error message
>> and
>>    #warn message
>>
>>
>> so that they could be added now and just ignored as comments in earlier versions of apparmor
>>
> 
> So the idea is to wait for 3.0 (BETA?) to implement this long-topic NVIDIA issue then? That would be a really nice way, I guess, to fix this in one go, instead of "temporary-stuff-and-real-fix-later".

No, the beta won't be for a few weeks. I plan to kick out the error and warn patches this weekend, and I expect we can have the fix in the beta.
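The compatibility trick discussed above (spelling the new statements as `#error message` and `#warn message` so that older parsers see only comments) can be illustrated with a small toy, added here as an example that is not part of the thread and not AppArmor's parser. Everything in it is an assumption for illustration: the directive names and their semantics are the proposal from the thread, not shipped AppArmor syntax, and the abstraction fragment is constructed, not the real `<abstractions/nvidia>`.

```python
"""Toy illustration of the proposed '#error' / '#warn' directive idea.

Hypothetical: AppArmor does not ship these directives; the names and the
semantics below are assumptions taken from the mailing-list proposal.
The point shown is backward compatibility: a parser that knows nothing
about the directives treats them as ordinary comments, while one that
does can surface the message or refuse to load the abstraction.
"""
import re

# A directive is a '#' comment whose first word is 'error' or 'warn'.
DIRECTIVE_RE = re.compile(r"^\s*#(error|warn)\s+(.*?)\s*$")

# Constructed sample abstraction fragment (paths and messages invented for
# the example; this is NOT the real abstractions/nvidia file).
SAMPLE_ABSTRACTION = """\
# abstractions/nvidia (constructed sample, not the real file)
#warn nvidia abstraction allows mapping user-writable files; review per profile
/dev/nvidia* rw,
owner @{HOME}/.nv/GLCache/** rwk,
#error this abstraction must not be included by sandboxed browsers
"""


def classify_line(line):
    """Return (kind, payload) where kind is rule, comment, blank, warn or error."""
    m = DIRECTIVE_RE.match(line)
    if m:
        return (m.group(1), m.group(2))
    stripped = line.strip()
    if not stripped:
        return ("blank", "")
    if stripped.startswith("#"):
        return ("comment", stripped)
    return ("rule", stripped)


def legacy_parse(text):
    """An older parser: every '#' line is a comment, so directives are invisible.

    (Simplification: the real parser also understands '#include'; that is
    left out here because only the comment-vs-directive distinction matters.)
    """
    return [
        line.strip()
        for line in text.splitlines()
        if line.strip() and not line.strip().startswith("#")
    ]


def directive_aware_parse(text):
    """A newer parser: collect rules, report warnings, stop on an error directive.

    Returns (rules, warnings); warnings is a list of (line_number, message).
    Raises ValueError with the line number and message of an '#error'.
    """
    rules, warnings = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        kind, payload = classify_line(line)
        if kind == "rule":
            rules.append(payload)
        elif kind == "warn":
            warnings.append((lineno, payload))
        elif kind == "error":
            raise ValueError(f"line {lineno}: {payload}")
    return rules, warnings


if __name__ == "__main__":
    print("legacy parser sees:", legacy_parse(SAMPLE_ABSTRACTION))
    try:
        directive_aware_parse(SAMPLE_ABSTRACTION)
    except ValueError as exc:
        print("directive-aware parser refused:", exc)
```

Run stand-alone, the legacy path loads both rules and silently ignores the markers, while the directive-aware path reports the `#warn` line and rejects the fragment at the `#error` line; that is exactly the property that lets the markers be added to an abstraction now and only gain meaning once a parser that understands them ships.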
