Mailinglist Archive: opensuse-security (10 mails)

Re: [opensuse-security] FYI AppArmor abstraction for AMD proprietary driver

On Monday, 10 October 2016, 00:15:51 CEST, Malte Gell wrote:
On 09.10.2016 at 17:45, Christian Boltz wrote:
Can you please remove this rule and test if something complains?

Well, I have switched to the open source driver in Leap kernel 4.1,
thus can't test it.....
The open source driver has a bit less performance, but is stable and
lacks some bugs the proprietary driver has.

Stable and a bit slower sounds better than buggy ;-)

/dev/video* rw,
/dev/ati/* rw,
/etc/ati r,

Same questions once more, this time for /etc/ati ;-)

I just added these permissions to satisfy AppArmor. Without setting
these, I had some AA log entries.

I'd be quite surprised if the directory rules without trailing slash
helped ;-) (unless your profile is *very* old - the trailing slash
requirement for directories was added to the apparmor.d manpage in April

/etc/ati/** r,
/etc/ati/ Ux,

What does this script do?

This script grants access to some AMD "event daemon", I guess this
thing checks for updates or maybe some hardware events triggered by
the GPU, but this is just a guess.
I have attached the script, so you can take a look at it. It looks
pretty harmless to me.

It would still make sense not to run it unconfined, and create a profile
for it instead. For example, I noticed several uses of unquoted $1, $2
and $3 which could lead to funny[tm] results (no, I didn't test what
could happen ;-)

/home/*/.AMD/ rwkl,
/home/*/.AMD/** rwkl,

Interesting - does the AMD driver really need write access in the
user's home directory? Or is it only needed by the config tool?
(assuming there is a config tool ;-)

Yes, there is a config tool. This directory is a cache directory for
OpenGL stuff.
The proprietary nVidia driver also uses a user space cache directory
with the name ~/.nv/

Right, I should have checked that in abstractions/nvidia myself ;-)
(that said - a file cache for the screen content? seriously?)

If these rules are really needed, adding the "owner" conditional
would be a good idea to ensure it doesn't touch someone else's home
Sure, using "owner" should be fine there.

But, AMD is working on a new generation of proprietary driver, they
haven't their current (=old) proprietary time for 10 months now!
Kernel 4.4 and above has an updated AMD driver named amdgpu which will
also be the basis for the new AMD proprietary driver. Thus, people
with the latest AMD GPUs actually use the latest kernels, because
they have the necessary support the old proprietary driver does not

In other words, folks who run the latest AMD GPU depend on the latest
kernels and not the current (old) AMD prop stuff, thus the number of
people using the current (= now old) AMD prop driver should be very,
very small.

IMHO it may be best to wait until AMD releases their new generation
proprietary driver and then adjust this AA rule. To add this rule to
Leap 42.2 may not make much sense, because people with latest AMD GPU
depend on the latest open source driver anyways....

I fully agree - this sounds like a moving target which isn't really used
and tested, so waiting for a while is indeed a good idea.

Feel free to send an updated amdfglrx abstraction once you use the [new
version of the] proprietary AMD driver again ;-)


Christian Boltz
Speak out freely, of course, but don't start dissing part of the
community on their personal opinions. One may only do that with
trolls ;) [Pascal Bleser in opensuse-factory]
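The three objections raised in this reply (directory rules without a trailing slash, a Ux rule that runs the script unconfined, and /home rules without "owner") can be checked mechanically before an abstraction is submitted. The linter below is an added example for this thread, not code from the thread or from the AppArmor project; it runs over the rule lines quoted above and assumes a constructed heuristic: a path that also appears as the prefix of another rule's path is treated as a directory.

```python
import re
from typing import List, Tuple

# Constructed sample: the abstraction rules quoted in the thread above.
SAMPLE_RULES = """
/dev/video* rw,
/dev/ati/* rw,
/etc/ati r,
/etc/ati/** r,
/etc/ati/ Ux,
/home/*/.AMD/ rwkl,
/home/*/.AMD/** rwkl,
"""

# A simple file rule: optional "owner", an absolute path, a permission string, a comma.
RULE_RE = re.compile(r"^\s*(owner\s+)?(/\S+)\s+([a-zA-Z]+),\s*$")


def parse_rules(text: str) -> List[Tuple[bool, str, str]]:
    """Return (has_owner, path, perms) for each file rule; other lines are ignored."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((m.group(1) is not None, m.group(2), m.group(3)))
    return rules


def lint_rules(text: str) -> List[str]:
    """Flag the three problems discussed in the thread, in rule order."""
    rules = parse_rules(text)
    paths = {path for _, path, _ in rules}
    findings = []
    for has_owner, path, perms in rules:
        # 1. Heuristic: if another rule lives below this path, it is a directory, and a
        #    directory rule without the trailing slash matches only a plain file of that name.
        if not path.endswith("/") and any(p.startswith(path + "/") for p in paths):
            findings.append(f"{path}: directory rule needs a trailing slash ({path}/)")
        # 2. Ux executes the target unconfined; a child profile with Px/Cx is preferable.
        if "Ux" in perms or "ux" in perms:
            findings.append(f"{path}: Ux executes unconfined; write a profile and use Px/Cx")
        # 3. Writable rules under /home/* should carry "owner" so only the invoking
        #    user's own files are touched.
        if path.startswith("/home/") and "w" in perms and not has_owner:
            findings.append(f"{path}: add 'owner' so only the user's own files are written")
    return findings


if __name__ == "__main__":
    for finding in lint_rules(SAMPLE_RULES):
        print(finding)
```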

To unsubscribe, e-mail: opensuse-security+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse-security+owner@xxxxxxxxxxxx
