On Sun, 2018-02-11 at 12:42 +0200, Vincas Dargis wrote:
> On 2/8/18 11:25 PM, Jamie Strandboge wrote:

> So to wrap up, the plan would be:
> 1. Move `abstractions/nvidia` content into `nvidia-strict`.
> `nvidia-strict` should have a comment that it does not provide some
> optimizations and some `deny` rules are recommended to be added
> manually. Else, suggest to use `nvidia` if really needed.
> 2. Create new `abstractions/nvidia` that includes `nvidia-strict`.
> Add a _big_ warning documenting that it provides NVIDIA optimization that
> could potentially reduce security, suggest to use `nvidia-strict`
> for non-performance-critical applications instead.
> In the future:
> 3. Deny these optimizations in `nvidia-strict` by default, add overrides
> into `nvidia` abstraction when that becomes possible.
> ACK?
> Any more alternatives?
> [0] https://gitlab.com/apparmor/apparmor/wikis/home#description

This is what I initially recommended, but based on your later
investigations I later recommended something different. I now suggest:

1. update the nvidia abstraction to have a comment that it does not
provide some NVIDIA optimizations and to either add `deny` rules
manually to silence the denials or add allow rules if you want the
optimizations. Both sets of rules would be commented out in the nvidia
abstraction under the aforementioned comment.

Jamie Strandboge             | http://www.canonical.com
