From 0e15ef39fa71263ffedf4daa6ea091f38d074843 Mon Sep 17 00:00:00 2001
From: Vincas Dargis <vindrg@gmail.com>
Date: Sat, 22 Oct 2022 20:48:43 +0300
Subject: [PATCH 3/5] fix(apparmor): Import nvidia abstraction
In Debian Sid, after upgrading to nvidia-tesla-470-driver,
qTox forever freezes upon startup.
AppArmor denials:
```
type=AVC msg=audit(1666461161.036:2783): apparmor="DENIED"
operation="open" profile="qtox" name="/proc/modules" pid=5139
comm="qtox" requested_mask="r" denied_mask="r" fsuid=1000
ouid=0FSUID="vincas" OUID="root"
type=AVC msg=audit(1666461161.036:2784): apparmor="DENIED"
operation="exec" profile="qtox" name="/usr/bin/nvidia-modprobe" pid=5150
comm="qtox" requested_mask="x" denied_mask="x" fsuid=1000
ouid=0FSUID="vincas" OUID="root"
```
As it keeps waiting forever:
```
[pid 5306] clone(child_stack=NULL,
flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLDstrace: Process
5317 attached
, child_tidptr=0x7f41ea70d750) = 5317
[pid 5317] set_robust_list(0x7f41ea70d760, 24) = 0
[pid 5306] wait4(5317, <unfinished ...>
[pid 5317] execve("/usr/bin/nvidia-modprobe",
["/usr/bin/nvidia-modprobe"], 0x7ffc19b67258 /* 0 vars */) = -1 EACCES
(Permission denied)
[pid 5317] write(7, "\1\0\0\0\0\0\0\0", 8) = 8
[pid 5315] <... poll resumed>) = 1 ([{fd=7, revents=POLLIN}])
[pid 5317] futex(0x55ed33f3f4d0,
FUTEX_WAIT_BITSET_PRIVATE|FUTEX_CLOCK_REALTIME, 0, NULL,
FUTEX_BITSET_MATCH_ANY <unfinished ...>
[pid 5315] read(7, "\1\0\0\0\0\0\0\0", 16) = 8
[pid 5315] poll([{fd=7, events=POLLIN}, {fd=8, events=POLLIN}], 2, -1
<unfinished ...>
[pid 5314] <... poll resumed>) = 1 ([{fd=3, revents=POLLIN}])
[pid 5314] recvmsg(3, {msg_name=NULL, msg_namelen=0,
msg_iov=[{iov_base="U\2P\1:\3\4\0\3\4\4\0\0\0\0\0\0\0\0\4\4\4\4\4\0\0\3\37%\2\0\0",
iov_len=4096}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = 32
[pid 5314] write(5, "\1\0\0\0\0\0\0\0", 8) = 8
[pid 5314] poll([{fd=3, events=POLLIN}], 1, -1
```
Allowing reads of /proc/modules and the other nvidia-driver-related files
(by importing abstractions/nvidia) fixes this issue.
---
security/apparmor/2.12.1/usr.bin.qtox | 1 +
security/apparmor/2.13.2/usr.bin.qtox | 1 +
security/apparmor/2.13.3/usr.bin.qtox | 1 +
3 files changed, 3 insertions(+)
diff --git a/security/apparmor/2.12.1/usr.bin.qtox b/security/apparmor/2.12.1/usr.bin.qtox
index 4c45721a8fa7..ac0f3fc49f9a 100644
--- a/security/apparmor/2.12.1/usr.bin.qtox
+++ b/security/apparmor/2.12.1/usr.bin.qtox
@@ -30,6 +30,7 @@ profile qtox /usr{,/local}/bin/qtox {
#include <abstractions/ibus>
#include <abstractions/kde>
#include <abstractions/nameservice>
+ #include <abstractions/nvidia>
#include <abstractions/openssl>
#include <abstractions/video>
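Review bot: The added `#include <abstractions/nvidia>` grants noticeably more than the /proc/modules read the commit message names: in the upstream abstraction, at least in recent releases, it also permits executing /usr/bin/nvidia-modprobe (the second denial quoted in the message) under a child profile and read/write access to the /dev/nvidia* device nodes, so the message should state that wider grant rather than only the read. It is also worth confirming that the abstraction ships with the oldest apparmor version this profile tree targets (2.12.1), since an include that cannot be resolved makes the whole qtox profile fail to load instead of merely losing the nvidia rules. The identical line is added in the 2.13.2 and 2.13.3 hunks below, and the same two points apply there. A short why-comment above the include would help the next maintainer, e.g. `# nvidia-modprobe exec + /proc/modules read; see commit 0e15ef39`.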
diff --git a/security/apparmor/2.13.2/usr.bin.qtox b/security/apparmor/2.13.2/usr.bin.qtox
index 0efd3b74105a..4ecabf4cc14f 100644
--- a/security/apparmor/2.13.2/usr.bin.qtox
+++ b/security/apparmor/2.13.2/usr.bin.qtox
@@ -34,6 +34,7 @@ profile qtox /usr{,/local}/bin/qtox {
#include <abstractions/kde>
#include <abstractions/mesa>
#include <abstractions/nameservice>
+ #include <abstractions/nvidia>
#include <abstractions/openssl>
#include <abstractions/qt5-compose-cache-write>
#include <abstractions/qt5-settings-write>
diff --git a/security/apparmor/2.13.3/usr.bin.qtox b/security/apparmor/2.13.3/usr.bin.qtox
index 1dff6a3df118..2b9f86ce86d0 100644
--- a/security/apparmor/2.13.3/usr.bin.qtox
+++ b/security/apparmor/2.13.3/usr.bin.qtox
@@ -34,6 +34,7 @@ profile qtox /usr{,/local}/bin/qtox {
#include <abstractions/kde>
#include <abstractions/mesa>
#include <abstractions/nameservice>
+ #include <abstractions/nvidia>
#include <abstractions/openssl>
#include <abstractions/qt5-compose-cache-write>
#include <abstractions/qt5-settings-write>
--
2.45.2