[apparmor] [Mesa-users] About ~/.cache/mesa_shader_cache/
Brian Paul
brianp at vmware.com
Mon Jun 18 13:04:46 UTC 2018
On 06/16/2018 12:27 PM, Vincas Dargis wrote:
> Hi mesa-users,
>
> Side note: I'm adding AppArmor mailing list to CC because this
> particular question is related to application confinement.
>
> After recent Mesa-related upgrades in Debian Sid I've discovered that
> some applications now require access to ~/.cache/mesa_shader_cache/*
> files, and because of that there is a need for the action to update
> AppArmor profiles accordingly.
>
> For example, Debian bug #901471 [0] reports that Thunderbird's AppArmor
> profile should be updated as currently it blocks access to the cache.
>
> After some monitoring I've discovered that some more applications need
> access to this cache too. If I run `sudo sysdig "fd.name contains
> mesa_shader_cache"` I get a list of applications while my KDE desktop
> loads up after login (cleaned up output):
>
> ```
> 151409 18:49:41.211951605 7 ksplashqml (2928) < openat fd=15(<f>/home/vincas/.cache/mesa_shader_cache/index)
> 429783 18:49:41.271510197 1 Xorg (1486) < openat fd=17(<f>/root/.cache/mesa_shader_cache/41/ff7c9f54d65a8f742da917b5e1dfea98127500)
> 653552 18:49:41.318747530 7 ksplashqml (2928) < openat fd=18(<f>/home/vincas/.cache/mesa_shader_cache/18/5d3f4867a025fdb21b5c4de0b14a38e29f87b9)
> 3161693 18:49:42.479339801 7 krunner (3020) < openat fd=10(<f>/home/vincas/.cache/mesa_shader_cache/index)
> 3439202 18:49:42.759065546 5 yakuake (3082) < openat fd=13(<f>/home/vincas/.cache/mesa_shader_cache/index)
> 6156946 18:49:43.652468504 3 plasmashell (3023) < openat fd=17(<f>/home/vincas/.cache/mesa_shader_cache/index)
> 42286927 18:51:27.568422305 4 firefox (3905) < openat fd=6(<f>/home/vincas/.cache/mesa_shader_cache/index)
>
> ... and so on...
> ```
>
> What is interesting for me is that though there are quite some
> applications that access `mesa_shader_cache`, it's not like _all_
> applications would do that.
>
> For example, Kate (KDE Frameworks/Qt-based text editor) accesses it,
> but xclock or gnote (GTK-based notes) does not. Thunderbird is not
> a Qt-based application (as Kate is), but it needs access too.
>
> Basically, could you enlighten me on when to expect an application to
> access this mesa_shader_cache? Is it any application that uses any
> kind of OpenGL acceleration (not sure why Kate or Thunderbird would need
> that)? Some other graphics-related APIs (I'm not an expert here)?
>
> Should we expect this with Nouveau, AMD graphics too (It's Intel in my
> case where I've discovered this behavior)?
>
> Could it be only Intel-specific (Thunderbird's stack shows
> `i965_dri.so`, see [0]), or whole-mesa-specific?
>
> I would like to propose appropriate changes to AppArmor
> profiles/abstractions to fix current denied access to this cache when
> needed. But this implies.. naming, documenting things, and I am not sure
> if these changes in AppArmor should be handled as X-related,
> Mesa-related, Intel-related, some-specific-API-related, etc, etc.

This is not a feature that I've personally worked on, but basically, any
application which uses OpenGL (Mesa) might try to use the shader cache
directory. Also, some drivers might use it while others don't. Since
that will probably change over time, I would not filter by GPU type.
Most OpenGL apps link with libGL.so so you can often check with 'ldd'.
But some OpenGL apps use dlopen() / dlsym() instead.

-Brian
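
The reply above says `ldd` finds programs linked against libGL.so but misses those that load it with dlopen(). The Python below is an added example, not part of the original thread or of Mesa or AppArmor: it compares `ldd` output with a running process's `/proc/PID/maps` to tell the two cases apart when deciding which confined programs touch Mesa. The function names, the library-name patterns other than `libGL.so` and `i965_dri.so`, and all sample inputs are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# libGL.so and i965_dri.so are named in the thread; the EGL/GLX and generic
# *_dri.so patterns are assumptions covering other common Mesa library names.
GL_LIB = re.compile(r"libGL\.so|libEGL\.so|libGLX_mesa\.so|\w+_dri\.so")

def gl_libs(text):
    """Basenames of GL/Mesa shared objects named in ldd or /proc/PID/maps text."""
    found = set()
    for token in text.split():
        name = token.rsplit("/", 1)[-1]
        if GL_LIB.match(name):
            found.add(name)
    return sorted(found)

def classify(ldd_text, maps_text):
    """'linked' if ldd sees GL, 'dlopen' if only the running process maps it."""
    linked, mapped = gl_libs(ldd_text), gl_libs(maps_text)
    if linked:
        return "linked", linked
    if mapped:
        return "dlopen", mapped
    return "none", []

def maps_for_pid(pid):
    """Read the live mappings of a process (needs permission to read /proc/PID)."""
    return Path(f"/proc/{pid}/maps").read_text()

# Constructed sample inputs (not captured from a real system).
LDD_LINKED = """\
\tlibGL.so.1 => /usr/lib/x86_64-linux-gnu/libGL.so.1 (0x00007f0a1c000000)
\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0a1ba00000)
"""
LDD_PLAIN = "\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0a1ba00000)\n"
MAPS_DLOPEN = """\
55d0c0a00000-55d0c0a21000 r-xp 00000000 08:01 131 /usr/bin/example-app
7f3b10000000-7f3b10800000 r-xp 00000000 08:01 977 /usr/lib/x86_64-linux-gnu/dri/i965_dri.so
7f3b11000000-7f3b11090000 r-xp 00000000 08:01 412 /usr/lib/x86_64-linux-gnu/libGL.so.1
"""
MAPS_PLAIN = "55d0c0a00000-55d0c0a21000 r-xp 00000000 08:01 131 /usr/bin/example-app\n"

if __name__ == "__main__":
    print(classify(LDD_LINKED, ""))
    print(classify(LDD_PLAIN, MAPS_DLOPEN))
    print(classify(LDD_PLAIN, MAPS_PLAIN))
```

Either a `linked` or a `dlopen` result marks a program whose profile may need access to the shader cache, since any application using Mesa might try to use it.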