[apparmor] About ~/.cache/mesa_shader_cache/
Vincas Dargis
vindrg at gmail.com
Sat Jun 16 18:27:53 UTC 2018
Hi mesa-users,
Side note: I'm adding the AppArmor mailing list to CC because this
particular question is related to application confinement.
After recent Mesa-related upgrades in Debian Sid I've discovered that
some applications now require access to ~/.cache/mesa_shader_cache/*
files, and because of that there is a need to update
AppArmor profiles accordingly.
For example, Debian bug #901471 [0] reports that Thunderbird's AppArmor
profile should be updated as currently it blocks access to the cache.
After some monitoring I've discovered that some more applications need
access to this cache too. If I run
`sudo sysdig "fd.name contains mesa_shader_cache"` I get a list of
applications while my KDE desktop loads up after login (cleaned up output):
```
151409 18:49:41.211951605 7 ksplashqml (2928) < openat fd=15(<f>/home/vincas/.cache/mesa_shader_cache/index)
429783 18:49:41.271510197 1 Xorg (1486) < openat fd=17(<f>/root/.cache/mesa_shader_cache/41/ff7c9f54d65a8f742da917b5e1dfea98127500)
653552 18:49:41.318747530 7 ksplashqml (2928) < openat fd=18(<f>/home/vincas/.cache/mesa_shader_cache/18/5d3f4867a025fdb21b5c4de0b14a38e29f87b9)
3161693 18:49:42.479339801 7 krunner (3020) < openat fd=10(<f>/home/vincas/.cache/mesa_shader_cache/index)
3439202 18:49:42.759065546 5 yakuake (3082) < openat fd=13(<f>/home/vincas/.cache/mesa_shader_cache/index)
6156946 18:49:43.652468504 3 plasmashell (3023) < openat fd=17(<f>/home/vincas/.cache/mesa_shader_cache/index)
42286927 18:51:27.568422305 4 firefox (3905) < openat fd=6(<f>/home/vincas/.cache/mesa_shader_cache/index)
... and so on...
```
What is interesting to me is that, though there are quite a few
applications that access `mesa_shader_cache`, it's not like _all_
applications would do that.
For example, Kate (KDE Frameworks/Qt-based text editor) accesses it,
but xclock or gnote (GTK-based notes) do not. Thunderbird is not
a Qt-based application (as Kate is), but it needs access too.
Basically, could you enlighten me on when to expect an application to
access this mesa_shader_cache? Is it any application that uses any
kind of OpenGL acceleration (not sure why Kate or Thunderbird would need
that)? Some other graphics-related APIs (I'm not an expert here)?
Should we expect this with Nouveau, AMD graphics too (it's Intel in my
case where I've discovered this behavior)?
Could it be only Intel-specific (Thunderbird's stack shows
`i965_dri.so`, see [0]), or whole-mesa-specific?
I would like to propose appropriate changes to AppArmor
profiles/abstractions to fix current denied access to this cache when
needed. But this implies... naming, documenting things, and I am not sure
if these changes in AppArmor should be handled as X-related,
Mesa-related, Intel-related, some-specific-API-related, etc., etc.
Thanks!
[0] https://bugs.debian.org/901471
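Added example, not part of the original message: a small Python parser for the cleaned-up sysdig output quoted above. It groups the `mesa_shader_cache` opens by process, so a profile author can see which confined programs touch the cache and under which home directory. The function names and the assumption that mail-wrapped `fd=` lines continue the previous event are mine; the sample lines are taken from the message.

```python
import re
from collections import defaultdict

# Sample lines copied from the sysdig output in the message, including the
# mail-wrapped form where "fd=..." lands on its own line.
SAMPLE = """\
151409 18:49:41.211951605 7 ksplashqml (2928) < openat
fd=15(<f>/home/vincas/.cache/mesa_shader_cache/index)
429783 18:49:41.271510197 1 Xorg (1486) < openat
fd=17(<f>/root/.cache/mesa_shader_cache/41/ff7c9f54d65a8f742da917b5e1dfea98127500)
653552 18:49:41.318747530 7 ksplashqml (2928) < openat
fd=18(<f>/home/vincas/.cache/mesa_shader_cache/18/5d3f4867a025fdb21b5c4de0b14a38e29f87b9)
42286927 18:51:27.568422305 4 firefox (3905) < openat fd=6(<f>/home/vincas/.cache/mesa_shader_cache/index)
... and so on...
"""

EVENT = re.compile(r"^\d+ \S+ \d+ (?P<proc>\S+) \(\d+\) < openat\b")
FD = re.compile(r"fd=-?\d+\(<f>(.+)\)")
CACHE = re.compile(r"^(.*)/\.cache/mesa_shader_cache/(.*)$")

def summarize(text):
    """Return {process: {"homes": set, "index": int, "entries": int}}."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("fd=") and events:
            events[-1] += " " + line      # undo mail wrapping
        elif line:
            events.append(line)
    summary = defaultdict(lambda: {"homes": set(), "index": 0, "entries": 0})
    for ev in events:
        head, fd = EVENT.match(ev), FD.search(ev)
        if not head or not fd:
            continue                      # skips filler such as "... and so on..."
        m = CACHE.match(fd.group(1))
        if not m:
            continue                      # open of a file outside the shader cache
        home, rest = m.groups()
        rec = summary[head.group("proc")]
        rec["homes"].add(home)
        rec["index" if rest == "index" else "entries"] += 1
    return dict(summary)

def non_user_caches(summary, prefix="/home/"):
    """Processes whose cache sits outside /home/<user>, e.g. Xorg running as root."""
    return sorted(p for p, r in summary.items()
                  if any(not h.startswith(prefix) for h in r["homes"]))

if __name__ == "__main__":
    for proc, rec in sorted(summarize(SAMPLE).items()):
        print(proc, sorted(rec["homes"]), rec["index"], rec["entries"])
```

The sysdig lines shown record only that `openat` returned a descriptor, not the open mode, so this summary says which profiles are affected but not whether they need read or write access.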