Mailinglist Archive: opensuse-security (10 mails)

Re: [opensuse-security] FYI AppArmor abstraction for AMD proprietary driver
Hello,

On Tuesday, 13 September 2016, 10:12:13 CEST, Malte Gell wrote:
> This is an abstraction for those folks who prefer to use the
> proprietary AMD driver
>
> It needs to be added to every profile for X11 apps.
>
> It may be more convenient to copy the whole rule into abstractions/x
> to avoid changing existing profiles. To be honest, this is what I
> did when I used fglrx.

I consider submitting this abstraction upstream, but before doing so, I
have some questions.

Note that I don't have any AMD graphics card, so some questions might
sound silly or obvious to you ;-)

> /proc/ati r,

I assume /proc/ati is a directory (at least the next rule indicates
this). That would mean that the rule needs a trailing slash
("/proc/ati/ r,") - and could also mean that this rule isn't needed at
all because in its current state, it doesn't allow anything.

Can you please remove this rule and test if something complains?

> /proc/ati/** r,
> /dev/ati rw,

Same questions as above for /dev/ati - the /dev/ati/* rule indicates
this is a directory.

> /dev/video* rw,
> /dev/ati/* rw,
> /etc/ati r,

Same questions once more, this time for /etc/ati ;-)

> /etc/ati/** r,
> /etc/ati/authatieventsd.sh Ux,

What does this script do?
We avoid Ux rules whenever possible (because they allow executing
something unconfined = without AppArmor restrictions), so you should have
a *very* good reason to use Ux ;-)

> /dev/shm/ rwkl,

Hmm, wkl permissions for the directory? That looks superfluous to me - r
should be enough.

> /dev/shm/* rwkl,

Reading and writing all files in /dev/shm/ (which is world-writeable like
/tmp/) doesn't sound too neat. Would it be possible to restrict that
rule by using a filename pattern and/or adding the "owner" conditional?

Ideally you'll end up with something like
owner /dev/shm/ati* rwkl, # filename pattern "ati*" is just a guess

> /home/*/.AMD/ rwkl,
> /home/*/.AMD/** rwkl,

Interesting - does the AMD driver really need write access in the user's
home directory? Or is it only needed by the config tool? (assuming there
is a config tool ;-)

If these rules are really needed, adding the "owner" conditional would
be a good idea to ensure it doesn't touch someone else's home directory.


Regards,

Christian Boltz
--
The idea was good - the code wasn't. (Ralf would say: It was so
bad that I had to rewrite it before I threw it away...)
[Patrick Ben Koetter in postfix-users]
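
An added example, not part of the original mail or of AppArmor itself: a small Python lint that applies the review points above (Ux rules, directory paths missing the trailing slash, w/k/l on a directory rule, and write access under shared or home paths without "owner") to the rules quoted in the message. The `SHARED` prefix list and the finding names are assumptions, and the directory checks are generalised from the specific rules discussed; each finding is a point to review, not proof that the rule is wrong.

```python
import re

# Constructed input: the rules quoted in the message above, as one abstraction body.
RULES = """\
/proc/ati r,
/proc/ati/** r,
/dev/ati rw,
/dev/video* rw,
/dev/ati/* rw,
/etc/ati r,
/etc/ati/** r,
/etc/ati/authatieventsd.sh Ux,
/dev/shm/ rwkl,
/dev/shm/* rwkl,
/home/*/.AMD/ rwkl,
/home/*/.AMD/** rwkl,
"""

# Simple file rules only: optional "owner", an absolute path, a permission string.
RULE_RE = re.compile(r"^\s*(owner\s+)?(/\S*)\s+([A-Za-z]+),")
# Assumption: prefixes treated as world-writable or per-user locations.
SHARED = ("/dev/shm/", "/tmp/", "/home/*/")

def parse(text):
    """Return (owner, path, perms) per simple file rule; other lines are skipped."""
    return [(bool(m.group(1)), m.group(2), m.group(3))
            for m in map(RULE_RE.match, text.splitlines()) if m]

def lint(text):
    """Return (path, finding) pairs for the points raised in the review."""
    rules = parse(text)
    paths = [p for _, p, _ in rules]
    findings = []
    for owner, path, perms in rules:
        writes = set(perms) & set("wkl")
        if perms in ("ux", "Ux"):  # executes the target without confinement
            findings.append((path, "unconfined-exec"))
        # A sibling rule below "path/" suggests path is a directory.
        if not path.endswith("/") and any(q.startswith(path + "/") for q in paths):
            findings.append((path, "directory-without-trailing-slash"))
        if path.endswith("/") and writes:
            findings.append((path, "wkl-on-directory"))
        if path.startswith(SHARED) and writes and not owner:
            findings.append((path, "shared-path-without-owner"))
    return findings

if __name__ == "__main__":
    for path, finding in lint(RULES):
        print(f"{finding:34} {path}")
```
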