mirror of
https://gitlab.com/apparmor/apparmor
synced 2025-09-05 08:45:22 +00:00
dab520aae9
On Debian Sid we get this denial:
```
type=AVC msg=audit(1599065006.981:527): apparmor="DENIED"
operation="mknod" profile="nvidia_modprobe" name="/dev/nvidia-modeset"
pid=12969 comm="nvidia-modprobe" requested_mask="c" denied_mask="c"
fsuid=0 ouid=0
```
Update nvidia_modprobe profile to allow creating device file.
(cherry picked from commit e6dbe3bfd3)
Signed-off-by: John Johansen <john.johansen@canonical.com>
66 lines
1.1 KiB
Plaintext
66 lines
1.1 KiB
Plaintext
# vim:syntax=apparmor
|
|
|
|
#include <tunables/global>
|
|
|
|
profile nvidia_modprobe {
|
|
#include <abstractions/base>
|
|
|
|
# Capabilities
|
|
|
|
capability chown,
|
|
capability mknod,
|
|
capability setuid,
|
|
capability sys_admin,
|
|
|
|
# Main executable
|
|
|
|
/usr/bin/nvidia-modprobe mr,
|
|
|
|
# Other executables
|
|
|
|
/usr/bin/kmod Cx -> kmod,
|
|
|
|
# System files
|
|
|
|
/dev/nvidia-modeset w,
|
|
/dev/nvidia-uvm w,
|
|
/dev/nvidia-uvm-tools w,
|
|
@{sys}/bus/pci/devices/ r,
|
|
@{sys}/devices/pci[0-9]*/**/config r,
|
|
@{PROC}/devices r,
|
|
@{PROC}/driver/nvidia/params r,
|
|
@{PROC}/modules r,
|
|
@{PROC}/sys/kernel/modprobe r,
|
|
|
|
# Child profiles
|
|
|
|
profile kmod {
|
|
#include <abstractions/base>
|
|
|
|
# Capabilities
|
|
|
|
capability sys_module,
|
|
|
|
# Main executable
|
|
|
|
/usr/bin/kmod mrix,
|
|
|
|
# Other executables
|
|
|
|
/{,usr/}bin/{,ba,da}sh ix,
|
|
|
|
# System files
|
|
|
|
/etc/modprobe.d/{,*.conf} r,
|
|
/etc/nvidia/current/*.conf r,
|
|
@{sys}/module/ipmi_devintf/initstate r,
|
|
@{sys}/module/ipmi_msghandler/initstate r,
|
|
@{sys}/module/nvidia/initstate r,
|
|
@{PROC}/cmdline r,
|
|
}
|
|
|
|
# Site-specific additions and overrides. See local/README for details.
|
|
#include <local/nvidia_modprobe>
|
|
}
|
|
|