[apparmor] About ~/.cache/mesa_shader_cache/

Vincas Dargis vindrg at gmail.com
Sat Jun 16 18:27:53 UTC 2018


Hi mesa-users,

Side note: I'm adding AppArmor mailing list to CC because this 
particular question is related to application confinement.

After recent Mesa-related upgrades in Debian Sid I've discovered that 
some applications now require access to ~/.cache/mesa_shader_cache/* 
files, and because of that AppArmor profiles need to be updated 
accordingly.

For example, Debian bug #901471 [0] reports that Thunderbird's AppArmor 
profile should be updated as currently it blocks access to the cache.

After some monitoring I've discovered that some more applications need 
access to this cache too. If I run `sudo sysdig "fd.name contains 
mesa_shader_cache"` I get a list of applications while my KDE desktop 
loads up after login (cleaned up output):

```
151409 18:49:41.211951605 7 ksplashqml (2928) < openat fd=15(<f>/home/vincas/.cache/mesa_shader_cache/index)
429783 18:49:41.271510197 1 Xorg (1486) < openat fd=17(<f>/root/.cache/mesa_shader_cache/41/ff7c9f54d65a8f742da917b5e1dfea98127500)
653552 18:49:41.318747530 7 ksplashqml (2928) < openat fd=18(<f>/home/vincas/.cache/mesa_shader_cache/18/5d3f4867a025fdb21b5c4de0b14a38e29f87b9)
3161693 18:49:42.479339801 7 krunner (3020) < openat fd=10(<f>/home/vincas/.cache/mesa_shader_cache/index)
3439202 18:49:42.759065546 5 yakuake (3082) < openat fd=13(<f>/home/vincas/.cache/mesa_shader_cache/index)
6156946 18:49:43.652468504 3 plasmashell (3023) < openat fd=17(<f>/home/vincas/.cache/mesa_shader_cache/index)
42286927 18:51:27.568422305 4 firefox (3905) < openat fd=6(<f>/home/vincas/.cache/mesa_shader_cache/index)

... and so on...
```

What is interesting to me is that, although quite a few applications 
access `mesa_shader_cache`, it's not like _all_ applications do.

For example, Kate (KDE Frameworks/Qt-based text editor) accesses it, 
but xclock or gnote (GTK-based notes) do not. Thunderbird is not a 
Qt-based application (as Kate is), but it needs access too.

Basically, could you enlighten me on when to expect an application to 
access this mesa_shader_cache? Is it any application that uses any 
kind of OpenGL acceleration (not sure why Kate or Thunderbird would need 
that)? Some other graphics-related APIs (I'm not an expert here)?

Should we expect this with Nouveau and AMD graphics too (it's Intel in my 
case where I've discovered this behavior)?

Could it be only Intel-specific (Thunderbird's stack shows 
`i965_dri.so`, see [0]), or whole-mesa-specific?

I would like to propose appropriate changes to AppArmor 
profiles/abstractions to fix the currently denied access to this cache 
when needed. But this implies naming and documenting things, and I am 
not sure whether these changes in AppArmor should be handled as 
X-related, Mesa-related, Intel-related, some-specific-API-related, etc.

Thanks!

[0] https://bugs.debian.org/901471
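An added example, not from the message above, the Debian bug, or the AppArmor project, of how the access described in the sysdig output could be granted as a reusable AppArmor abstraction that individual profiles (such as Thunderbird's) include, rather than by patching each profile with raw paths. The file name `abstractions/mesa-shader-cache` and the exact permission set are assumptions for illustration; the paths are the ones seen in the sysdig output (an `index` file plus two-level hashed subdirectories under `~/.cache/mesa_shader_cache/`).

```apparmor
# abstractions/mesa-shader-cache  (hypothetical file name; added example)
#
# Grants a confined application read/write access to Mesa's on-disk
# shader cache under ~/.cache/mesa_shader_cache/.  The cache holds an
# index file and hashed entries in two-level subdirectories, as observed
# in the sysdig output.  The "owner" prefix restricts every rule to
# files owned by the process's own user, so a confined application
# cannot read or modify another user's cache.

  # The cache directory itself (Mesa creates it on first use).
  owner @{HOME}/.cache/mesa_shader_cache/ rw,

  # Index file, hashed subdirectories and cache entries.  Mesa creates,
  # reads and writes these and may take file locks (k) while updating.
  owner @{HOME}/.cache/mesa_shader_cache/** rwk,
```

A profile would then add `#include <abstractions/mesa-shader-cache>` inside its rule block. Because the default `tunables/home` defines `@{HOME}` to cover both `@{HOMEDIRS}/*/` and `/root/`, the same abstraction also matches the `/root/.cache/mesa_shader_cache/...` path that Xorg opened in the output above (assumption: the distribution ships the stock tunables). After reloading the profile, the absence of `apparmor="DENIED"` entries naming `mesa_shader_cache` in the kernel log confirms the abstraction covers the accesses the application actually makes.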



More information about the AppArmor mailing list