
profiles: make /sys/devices PCI paths hex-aware

Keifer Snedeker 2025-07-21 13:36:42 -04:00
parent 520db7a16c
commit b6ad58bbbe
15 changed files with 46 additions and 43 deletions


@ -86,7 +86,7 @@ profile Xorg /usr/lib/xorg/Xorg flags=(attach_disconnected, complain) {
@{sys}/devices/** r, @{sys}/devices/** r,
@{sys}/module/** r, @{sys}/module/** r,
@{sys}/devices/pci*/**/backlight/*/brightness rw, @{sys}/devices/@{pci_bus}/**/backlight/*/brightness rw,
# Display managers # Display managers
@{run}/user/@{uid}/gdm/* r, @{run}/user/@{uid}/gdm/* r,
@ -135,7 +135,7 @@ profile Xorg /usr/lib/xorg/Xorg flags=(attach_disconnected, complain) {
# When running without a kernel mode-setting (KMS) driver, Xorg may need # When running without a kernel mode-setting (KMS) driver, Xorg may need
# these additional permissions. DO NOT enable these unless necessary! # these additional permissions. DO NOT enable these unless necessary!
#nokms#/dev/mem rw, #nokms#/dev/mem rw,
#nokms#@{sys}/devices/pci[0-9]*/*/*/resource[0-9] w, #nokms#@{sys}/devices/@{pci_bus}/*/*/resource[0-9] w,
# Site-specific additions and overrides. See local/README for details. # Site-specific additions and overrides. See local/README for details.
include if exists <local/Xorg> include if exists <local/Xorg>


@ -6,7 +6,7 @@
# needs to enumerate graphic devices (as with drmParsePciDeviceInfo() from # needs to enumerate graphic devices (as with drmParsePciDeviceInfo() from
# libdrm). # libdrm).
@{sys}/devices/pci[0-9]*/**/{device,subsystem_device,subsystem_vendor,uevent,vendor} r, @{sys}/devices/@{pci_bus}/**/{device,subsystem_device,subsystem_vendor,uevent,vendor} r,
# Include additions to the abstraction # Include additions to the abstraction


@ -12,7 +12,7 @@
# (src/intel/perf/gen_perf.c, load_oa_metrics()) # (src/intel/perf/gen_perf.c, load_oa_metrics())
@{PROC}/sys/dev/i915/perf_stream_paranoid r, @{PROC}/sys/dev/i915/perf_stream_paranoid r,
@{sys}/devices/pci[0-9]*/**/{revision,config} r, @{sys}/devices/@{pci_bus}/**/{revision,config} r,
# User files # User files
owner @{HOME}/.cache/ w, # if user clears all caches owner @{HOME}/.cache/ w, # if user clears all caches


@ -15,7 +15,7 @@
# System files # System files
/dev/dri/card[0-9]* rw, # beignet/libcl.so /dev/dri/card[0-9]* rw, # beignet/libcl.so
@{sys}/devices/pci[0-9]*/**/{class,config,resource,revision} r, # libcl.so -> libdrm_intel.so -> libpciaccess.so (move to dri-enumerate ?) @{sys}/devices/@{pci_bus}/**/{class,config,resource,revision} r, # libcl.so -> libdrm_intel.so -> libpciaccess.so (move to dri-enumerate ?)
/usr/lib/@{multiarch}/beignet/** r, /usr/lib/@{multiarch}/beignet/** r,


@ -19,7 +19,7 @@
# libnvidia-opencl.so rules: # libnvidia-opencl.so rules:
/dev/nvidia-uvm rw, /dev/nvidia-uvm rw,
/dev/nvidia-uvm-tools rw, /dev/nvidia-uvm-tools rw,
@{sys}/devices/pci[0-9]*/**/config r, @{sys}/devices/@{pci_bus}/**/config r,
@{sys}/devices/system/memory/block_size_bytes r, @{sys}/devices/system/memory/block_size_bytes r,
/usr/share/nvidia/** r, /usr/share/nvidia/** r,
@{PROC}/devices r, @{PROC}/devices r,


@ -16,10 +16,10 @@
@{sys}/bus/pci/slots/ r, # libpocl.so -> hwloc_topology_load() from libhwloc.so @{sys}/bus/pci/slots/ r, # libpocl.so -> hwloc_topology_load() from libhwloc.so
@{sys}/bus/{cpu,node}/devices/ r, # libpocl.so -> libhwlock.so @{sys}/bus/{cpu,node}/devices/ r, # libpocl.so -> libhwlock.so
@{sys}/class/net/ r, # libpocl.so -> hwloc_pci_traverse_lookuposdevices_cb() from libhwloc.so @{sys}/class/net/ r, # libpocl.so -> hwloc_pci_traverse_lookuposdevices_cb() from libhwloc.so
@{sys}/devices/pci[0-9]*/**/ r, # for libpocl -> hwloc_linux_lookup_block_class() from libhwloc.so @{sys}/devices/@{pci_bus}/**/ r, # for libpocl -> hwloc_linux_lookup_block_class() from libhwloc.so
@{sys}/devices/pci[0-9]*/**/block/*/dev r, # libpocl.so -> hwloc_linux_lookup_host_block_class() from libhwloc.so @{sys}/devices/@{pci_bus}/**/block/*/dev r, # libpocl.so -> hwloc_linux_lookup_host_block_class() from libhwloc.so
@{sys}/devices/pci[0-9]*/**/{class,local_cpus} r, # libpocl.so -> libhwlock.so @{sys}/devices/@{pci_bus}/**/{class,local_cpus} r, # libpocl.so -> libhwlock.so
@{sys}/devices/pci[0-9]*/*/net/*/address r, # libpocl.so -> hwloc_pci_traverse_lookuposdevices_cb() from libhwloc.so @{sys}/devices/@{pci_bus}/*/net/*/address r, # libpocl.so -> hwloc_pci_traverse_lookuposdevices_cb() from libhwloc.so
@{sys}/devices/system/cpu/ r, # libpocl.so -> libnuma.so @{sys}/devices/system/cpu/ r, # libpocl.so -> libnuma.so
@{sys}/devices/system/cpu/cpu[0-9]*/cache/index[0-9]*/* r, # libpocl.so -> libhwloc.so @{sys}/devices/system/cpu/cpu[0-9]*/cache/index[0-9]*/* r, # libpocl.so -> libhwloc.so
@{sys}/devices/system/cpu/cpu[0-9]*/online r, # libpocl.so -> libhwlock.so @{sys}/devices/system/cpu/cpu[0-9]*/online r, # libpocl.so -> libhwlock.so


@ -9,8 +9,8 @@
owner /dev/shm/libv4l-* rw, owner /dev/shm/libv4l-* rw,
/dev/video[0-9]* rw, /dev/video[0-9]* rw,
@{sys}/devices/pci[0-9]*/**/usb[0-9]/**/video4linux/video[0-9]*/dev r, @{sys}/devices/@{pci_bus}/**/usb[0-9]/**/video4linux/video[0-9]*/dev r,
@{sys}/devices/pci[0-9]*/**/usb[0-9]/**/{modalias,speed} r, @{sys}/devices/@{pci_bus}/**/usb[0-9]/**/{modalias,speed} r,
@{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/devices/virtual/dmi/id/sys_vendor r,
@{sys}/devices/virtual/dmi/id/product_{name,version} r, @{sys}/devices/virtual/dmi/id/product_{name,version} r,


@ -9,10 +9,10 @@
/etc/vulkan/icd.d/{,*.json} r, /etc/vulkan/icd.d/{,*.json} r,
/etc/vulkan/{explicit,implicit}_layer.d/{,*.json} r, /etc/vulkan/{explicit,implicit}_layer.d/{,*.json} r,
# for drmGetMinorNameForFD() from libvulkan_intel.so (Mesa) # for drmGetMinorNameForFD() from libvulkan_intel.so (Mesa)
@{sys}/devices/pci[0-9]*/*/drm/ r, @{sys}/devices/@{pci_bus}/*/drm/ r,
@{sys}/devices/pci[0-9]*/*/drm/card[0-9]/gt_{max,min}_freq_mhz r, # anv_enumerate_physical_devices() from libvulkan_intel.so @{sys}/devices/@{pci_bus}/*/drm/card[0-9]/gt_{max,min}_freq_mhz r, # anv_enumerate_physical_devices() from libvulkan_intel.so
@{sys}/devices/pci[0-9]*/*/drm/card[0-9]/metrics/ r, # anv_enumerate_physical_devices() from libvulkan_intel.so @{sys}/devices/@{pci_bus}/*/drm/card[0-9]/metrics/ r, # anv_enumerate_physical_devices() from libvulkan_intel.so
@{sys}/devices/pci[0-9]*/*/drm/card[0-9]/metrics/????????-????-????-????-????????????/id r, # anv_enumerate_physical_devices() from libvulkan_intel.so @{sys}/devices/@{pci_bus}/*/drm/card[0-9]/metrics/????????-????-????-????-????????????/id r, # anv_enumerate_physical_devices() from libvulkan_intel.so
/usr/share/egl/egl_external_platform.d/{,*} r, /usr/share/egl/egl_external_platform.d/{,*} r,
/usr/share/glvnd/egl_vendor.d/{,*} r, /usr/share/glvnd/egl_vendor.d/{,*} r,
/usr/share/vulkan/icd.d/{,*.json} r, /usr/share/vulkan/icd.d/{,*.json} r,


@ -23,7 +23,7 @@ profile lsblk /usr/bin/lsblk {
@{sys}/class/block/ r, @{sys}/class/block/ r,
@{sys}/dev/block/ r, @{sys}/dev/block/ r,
@{sys}/devices/pci@{hex4}:@{hex2}/** r, @{sys}/devices/@{pci_bus}/** r,
@{sys}/devices/virtual/** r, @{sys}/devices/virtual/** r,
@{sys}/devices/platform/** r, @{sys}/devices/platform/** r,


@ -28,7 +28,7 @@ profile nvidia_modprobe {
/dev/nvidia-uvm w, /dev/nvidia-uvm w,
/dev/nvidia-uvm-tools w, /dev/nvidia-uvm-tools w,
@{sys}/bus/pci/devices/ r, @{sys}/bus/pci/devices/ r,
@{sys}/devices/pci[0-9]*/**/config r, @{sys}/devices/@{pci_bus}/**/config r,
@{PROC}/devices r, @{PROC}/devices r,
@{PROC}/driver/nvidia/params r, @{PROC}/driver/nvidia/params r,
@{PROC}/modules r, @{PROC}/modules r,


@ -96,4 +96,7 @@
@{word32}=@{word16}@{word16} @{word32}=@{word16}@{word16}
@{word64}=@{word32}@{word32} @{word64}=@{word32}@{word32}
# Shortcut for PCI bus (e.g., /sys/devices/@{pci_bus}/**)
@{pci_bus}=pci@{hex4}:@{hex2}
include if exists <tunables/system.d> include if exists <tunables/system.d>
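Review bot: The comment on the new `@{pci_bus}` definition says only that it is a shortcut for a PCI bus; it should state the exact shape the variable matches, because `pci@{hex4}:@{hex2}` is anchored to four hex digits, a colon and two hex digits, whereas the `pci*` and `pci[0-9]*` globs it replaces in the other hunks accepted any trailing characters. Suggest `# PCI root-bus directory under /sys/devices: pci<domain>:<bus>, 4 + 2 hex digits, e.g. pci0000:00 (stricter than the pci[0-9]* glob it replaces)`. A root-bus name with a domain wider than four hex digits, if any supported platform prints one, would stop matching, so a short sentence noting that the narrowing is intentional would help the next reader. `@{hex4}` and `@{hex2}` are presumably defined earlier in this file, outside the hunk, and this file is presumably reached from tunables/global, which the touched profiles include; both are worth confirming, since a reference to an undefined variable is rejected by the parser for every profile that now uses `@{pci_bus}`.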


@ -131,7 +131,7 @@ profile wpa_supplicant /usr/sbin/wpa_supplicant {
network netlink raw, network netlink raw,
network packet dgram, network packet dgram,
@{sys}/devices/pci[0-9]*:[0-9]*/**/ieee80211/phy[0-9]*/name r, @{sys}/devices/@{pci_bus}/**/ieee80211/phy[0-9]*/name r,
# Might also need @{sys}/class/ieee80211/ r, # Might also need @{sys}/class/ieee80211/ r,
# phy* files inside are symlinks to the pci directory but directory # phy* files inside are symlinks to the pci directory but directory
# listing might be needed to enumerate and resolve symlinks # listing might be needed to enumerate and resolve symlinks


@ -153,25 +153,25 @@ profile chromium_browser /usr/lib/@{chromium}/@{chromium} flags=(attach_disconne
/sys/devices/system/cpu/possible r, /sys/devices/system/cpu/possible r,
/sys/devices/system/cpu/present r, /sys/devices/system/cpu/present r,
/sys/devices/system/node/node*/meminfo r, /sys/devices/system/node/node*/meminfo r,
/sys/devices/pci[0-9]*/**/bConfigurationValue r, /sys/devices/@{pci_bus}/**/bConfigurationValue r,
/sys/devices/pci[0-9]*/**/boot_vga r, /sys/devices/@{pci_bus}/**/boot_vga r,
/sys/devices/pci[0-9]*/**/busnum r, /sys/devices/@{pci_bus}/**/busnum r,
/sys/devices/pci[0-9]*/**/class r, /sys/devices/@{pci_bus}/**/class r,
/sys/devices/pci[0-9]*/**/config r, /sys/devices/@{pci_bus}/**/config r,
/sys/devices/pci[0-9]*/**/descriptors r, /sys/devices/@{pci_bus}/**/descriptors r,
/sys/devices/pci[0-9]*/**/device r, /sys/devices/@{pci_bus}/**/device r,
/sys/devices/pci[0-9]*/**/devnum r, /sys/devices/@{pci_bus}/**/devnum r,
/sys/devices/pci[0-9]*/**/irq r, /sys/devices/@{pci_bus}/**/irq r,
/sys/devices/pci[0-9]*/**/manufacturer r, /sys/devices/@{pci_bus}/**/manufacturer r,
/sys/devices/pci[0-9]*/**/product r, /sys/devices/@{pci_bus}/**/product r,
/sys/devices/pci[0-9]*/**/resource r, /sys/devices/@{pci_bus}/**/resource r,
/sys/devices/pci[0-9]*/**/revision r, /sys/devices/@{pci_bus}/**/revision r,
/sys/devices/pci[0-9]*/**/serial r, /sys/devices/@{pci_bus}/**/serial r,
/sys/devices/pci[0-9]*/**/subsystem_device r, /sys/devices/@{pci_bus}/**/subsystem_device r,
/sys/devices/pci[0-9]*/**/subsystem_vendor r, /sys/devices/@{pci_bus}/**/subsystem_vendor r,
/sys/devices/pci[0-9]*/**/vendor r, /sys/devices/@{pci_bus}/**/vendor r,
/sys/devices/pci[0-9]*/**/removable r, /sys/devices/@{pci_bus}/**/removable r,
/sys/devices/pci[0-9]*/**/block/**/size r, /sys/devices/@{pci_bus}/**/block/**/size r,
/sys/devices/virtual/block/**/removable r, /sys/devices/virtual/block/**/removable r,
/sys/devices/virtual/block/**/size r, /sys/devices/virtual/block/**/size r,
/sys/devices/virtual/tty/tty*/active r, /sys/devices/virtual/tty/tty*/active r,
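Review bot: The rewritten chromium rules keep the literal `/sys/devices/...` prefix while introducing the `@{pci_bus}` tunable, so each of these lines now mixes a hard-coded sysfs mount point with a tunable-derived path; the firefox hunk (ending at `owner @{HOME}/.cache/thumbnails/** rw,`) and the final hunk on this page have the same mix, and the firefox hunk already uses `@{sys}` on its cgroup line, so the variable is available there. This inconsistency predates the commit, but since these lines are being rewritten anyway, `/sys/devices/@{pci_bus}/**/...` could become `@{sys}/devices/@{pci_bus}/**/...` so that the sysfs prefix comes from one place like the `@{sys}`-based profiles earlier on the page. The enclosing chromium_browser profile starts and ends outside the hunk.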


@ -194,11 +194,11 @@ profile firefox @{MOZ_LIBDIR}/@{MOZ_APP_NAME}{,*[^s][^h]} {
@{PROC}/sys/vm/overcommit_memory r, @{PROC}/sys/vm/overcommit_memory r,
@{sys}/fs/cgroup/user.slice/user-[0-9]*.slice/session-{,c}[0-9]*.scope/cpu.max r, @{sys}/fs/cgroup/user.slice/user-[0-9]*.slice/session-{,c}[0-9]*.scope/cpu.max r,
# prevent crash LP: #1931602 # prevent crash LP: #1931602
/sys/devices/pci[0-9]*/**/{uevent,resource,irq,class} r, /sys/devices/@{pci_bus}/**/{uevent,resource,irq,class} r,
/sys/devices/platform/**/uevent r, /sys/devices/platform/**/uevent r,
/sys/devices/pci*/**/{boot_vga,busnum,config,idVendor,idProduct,revision} r, /sys/devices/@{pci_bus}/**/{boot_vga,busnum,config,idVendor,idProduct,revision} r,
/sys/devices/pci*/**/{,subsystem_}device r, /sys/devices/@{pci_bus}/**/{,subsystem_}device r,
/sys/devices/pci*/**/{,subsystem_}vendor r, /sys/devices/@{pci_bus}/**/{,subsystem_}vendor r,
/sys/devices/system/node/node[0-9]*/meminfo r, /sys/devices/system/node/node[0-9]*/meminfo r,
owner @{HOME}/.cache/thumbnails/** rw, owner @{HOME}/.cache/thumbnails/** rw,


@ -66,7 +66,7 @@ include <tunables/global>
@{PROC}/@{pid}/net/dev r, @{PROC}/@{pid}/net/dev r,
# Backported from the dri-enumerate abstraction, available in AppArmor 2.13 # Backported from the dri-enumerate abstraction, available in AppArmor 2.13
/sys/devices/pci[0-9]*/**/{device,subsystem_device,subsystem_vendor,uevent,vendor} r, /sys/devices/@{pci_bus}/**/{device,subsystem_device,subsystem_vendor,uevent,vendor} r,
/tmp/.X[0-9]*-lock r, /tmp/.X[0-9]*-lock r,