
Hello,

On Tuesday, 13 September 2016, 10:12:13 CEST, Malte Gell wrote:
> This is an abstraction for those folks who prefer to use the proprietary AMD driver
> It needs to be added to every profile for X11 apps.
It may be more convenient to copy the whole rule into abstractions/x to avoid changing existing profiles. To be honest, this is what I did when I used fglrx.
I consider submitting this abstraction upstream, but before doing so, I have some questions. Note that I don't have any AMD graphics card, so some questions might sound silly or obvious to you ;-)
> /proc/ati r,
I assume /proc/ati is a directory (at least the next rule indicates this). That would mean that the rule needs a trailing slash ("/proc/ati/ r,") - and could also mean that this rule isn't needed at all because in its current state, it doesn't allow anything. Can you please remove this rule and test if something complains?
> /proc/ati/** r,
> /dev/ati rw,
Same questions as above for /dev/ati - the /dev/ati/* rule indicates this is a directory.
> /dev/video* rw,
> /dev/ati/* rw,
> /etc/ati r,
Same questions once more, this time for /etc/ati ;-)
> /etc/ati/** r,
> /etc/ati/authatieventsd.sh Ux,
What does this script do? We avoid Ux rules whenever possible (because they allow executing something unconfined = without AppArmor restrictions), so you should have a *very* good reason to use Ux ;-)
> /dev/shm/ rwkl,
Hmm, wkl permissions for the directory? That looks superfluous to me - r should be enough.
> /dev/shm/* rwkl,
Reading and writing all files in /dev/shm/ (which is world-writeable like /tmp/) doesn't sound too neat. Would it be possible to restrict that rule by using a filename pattern and/or adding the "owner" conditional? Ideally you'll end up with something like

    owner /dev/shm/ati* rwkl,   # filename pattern "ati*" is just a guess
> /home/*/.AMD/ rwkl,
> /home/*/.AMD/** rwkl,

Interesting - does the AMD driver really need write access in the user's home directory? Or is it only needed by the config tool? (assuming there is a config tool ;-) If these rules are really needed, adding the "owner" conditional would be a good idea to ensure it doesn't touch someone else's home directory.

Regards,

Christian Boltz
--
The idea was good - the code wasn't. (Ralf would say: it was so bad that I had to rewrite it before I threw it away...)
[Patrick Ben Koetter in postfix-users]