On Sun, 2018-02-11 at 12:42 +0200, Vincas Dargis wrote:
> On 2/8/18 11:25 PM, Jamie Strandboge wrote:
> > > 
> 
...

> So to wrap up, plan would be:
> 
> 1. Move `abstactions/nvidia` content into `nvidia-strict`. 
> `nvidia-strict` should have comment that it does not provide some
> NVIDIA 
> optimizations and some `deny` rules are recommended to be added 
> manually. Else, suggest to use `nvidia` if really needed.
> 
> 2. Create new `abstractions/nvidia` that includes `nvidia-strict`.
> Add a 
> _big_ warning documenting that it provides NVIDIA optimization that 
> could potentially reduce security, suggest to use `nvidia-strict`
> for 
> non-performance-critical applications instead.
> 
> In the future:
> 
> 3. Deny these optimizations in `nvidia-strict` by default, add
> overrides 
> into `nvidia` abstraction when that's becomes possible.
> 
> ACK?
> 
> Any more alternatives?
> 
> [0] https://gitlab.com/apparmor/apparmor/wikis/home#description

This is what I initially recommended but based on your later
investigations I later recommended something different. I now suggest
simply:

1. update the nvidia abstraction to have comment that it does not
provide some NVIDIA optimizations and to either add `deny` rules
manually to silence the denials or add allow rules if want the
optimizations. Both sets of rules would be commented out in the nvidia
abstraction under the aforementioned comment.

-- 
Jamie Strandboge             | http://www.canonical.com

Attachment: signature.asc
Description: This is a digitally signed message part

-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor

Reply via email to