Add nvidia_modprobe named profile

nvidia-modprobe is setuid executable is used to create various device files and load the the NVIDIA kernel module (https://github.com/NVIDIA/nvidia-modprobe). Add named profile to be used in application profiles for confining potentially risky setuid application. PR: https://gitlab.com/apparmor/apparmor/merge_requests/213 (cherry picked from commit 327420b151) Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-08-30 22:05:27 +00:00 · 2018-09-30 14:17:30 +03:00
parent 17d3831d2d
commit a70c80a80f
1 changed files with 63 additions and 0 deletions
--- a/profiles/apparmor.d/nvidia_modprobe
+++ b/profiles/apparmor.d/nvidia_modprobe
@@ -0,0 +1,63 @@
+# vim:syntax=apparmor
+
+#include <tunables/global>
+
+profile nvidia_modprobe {
+  #include <abstractions/base>
+
+  # Capabilities
+
+  capability chown,
+  capability mknod,
+  capability setuid,
+  capability sys_admin,
+
+  # Main executable
+
+  /usr/bin/nvidia-modprobe mr,
+
+  # Other executables
+
+  /usr/bin/kmod Cx -> kmod,
+
+  # System files
+
+  /dev/nvidia-uvm w,
+  /dev/nvidia-uvm-tools w,
+  /sys/bus/pci/devices/ r,
+  /sys/devices/pci[0-9]*/**/config r,
+  @{PROC}/devices r,
+  @{PROC}/modules r,
+  @{PROC}/sys/kernel/modprobe r,
+
+  # Child profiles
+
+  profile kmod {
+    #include <abstractions/base>
+
+    # Capabilities
+
+    capability sys_module,
+
+    # Main executable
+
+    /usr/bin/kmod mrix,
+
+    # Other executables
+
+    /{,usr/}bin/{,ba,da}sh ix,
+
+    # System files
+
+    /etc/modprobe.d/{,*.conf} r,
+    /etc/nvidia/current/*.conf r,
+    /sys/module/ipmi_devintf/initstate r,
+    /sys/module/ipmi_msghandler/initstate r,
+    /sys/module/nvidia/initstate r,
+    @{PROC}/cmdline r,
+  }
+
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/nvidia_modprobe>
+}
+