On Sun, 2018-02-11 at 12:42 +0200, Vincas Dargis wrote:
> On 2/8/18 11:25 PM, Jamie Strandboge wrote:
> > ...
>
> So to wrap up, plan would be:
>
> 1. Move `abstractions/nvidia` content into `nvidia-strict`.
> `nvidia-strict` should have comment that it does not provide some NVIDIA
> optimizations and some `deny` rules are recommended to be added manually.
> Else, suggest to use `nvidia` if really needed.
>
> 2. Create new `abstractions/nvidia` that includes `nvidia-strict`. Add a
> _big_ warning documenting that it provides NVIDIA optimization that
> could potentially reduce security, suggest to use `nvidia-strict` for
> non-performance-critical applications instead.
>
> In the future:
>
> 3. Deny these optimizations in `nvidia-strict` by default, add overrides
> into `nvidia` abstraction when that becomes possible.
>
> ACK?
>
> Any more alternatives?
>
> https://gitlab.com/apparmor/apparmor/wikis/home#description

This is what I initially recommended but based on your later investigations I later recommended something different. I now suggest simply:

1. update the nvidia abstraction to have comment that it does not provide some NVIDIA optimizations and to either add `deny` rules manually to silence the denials or add allow rules if you want the optimizations. Both sets of rules would be commented out in the nvidia abstraction under the aforementioned comment.

--
Jamie Strandboge | http://www.canonical.com
-- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor