On 02/17/2018 08:08 AM, Vincas Dargis wrote:
> On 2/17/18 12:12 AM, John Johansen wrote:
>> On 02/16/2018 12:50 PM, Vincas Dargis wrote:
>>> If we stick to this conditionals approach, I believe we are targeting a fix 
>>> for this NVIDIA issue in no earlier than AppArmor 3.1, I guess?
>>>
>>> This being said, can (and should) we do anything "now", for upcoming Ubuntu 
>>> 18.04 LTS, and anyone else being annoyed by these DENIED messages?
>>>
>>> Maybe we just add appropriate `allow` rules into `<abstractions/nvidia>`, 
>>> probably reducing security for some applications without real need too 
>>> much, but with the agreement that this temporary "over-permissiveness" is 
>>> going to be fixed in the future, by updating `<abstractions/nvidia>` to 
>>> have these conditionals with error/assert messages?
>>>
>>> Tails or anyone else could just patch <abstractions/nvidia> or specific 
>>> application profile to add explicit denies on the top if needed.
>>
>> well error and warn are small patches we could certainly sneak into 3.0
>>
>> I do think addressing it temporarily is the way to go, whether it is by 
>> doing the above without the error statement or just going with temporary 
>> "over-permissiveness"
>>
>> another thought on the error and warn statements is that they could be
>>
>>    #error message
>> and
>>    #warn message
>>
>>
>> so that they could be added now and just ignored as comments in earlier 
>> versions of apparmor
>>
> 
> So the idea is to wait for 3.0 (BETA?) to implement this long-topic NVIDIA 
> issue then? That would be a really nice way, I guess, to fix this in one go, 
> instead of "temporary-stuff-and-real-fix-later".

No, the beta won't be a few weeks. I plan to kick out the error and warn patches 
this weekend; I expect we can have the fix in the beta.


-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor
