On Fri, 2018-02-16 at 16:44 +0200, Vincas Dargis wrote:
> On 2/11/18 11:38 PM, John Johansen wrote:
> > On 02/11/2018 02:42 AM, Vincas Dargis wrote:
>
> Now for the Jamie suggestion:
>
> On 2/12/18 7:40 PM, Jamie Strandboge wrote:
> > This is what I initially recommended but based on your later
> > investigations I later recommended something different. I now suggest
> > simply:
> >
> > 1. update the nvidia abstraction to have a comment that it does not
> > provide some NVIDIA optimizations and to either add `deny` rules
> > manually to silence the denials or add allow rules if you want the
> > optimizations. Both sets of rules would be commented out in the nvidia
> > abstraction under the aforementioned comment.
>
> Sorry, I misunderstood your suggestion. So it's basically an approach
> using documentation only?

Yes

> There could be another approach without "deny and then override" that
> John didn't show affection for:
>
> 1. <abstractions/nvidia> Left unchanged, except maybe adding info about
> missing permissions for possibly unsafe optimization, hint how to fix
> that
>
> 2.a new <abstractions/nvidia-with-optimizations> abstraction that
> includes <abstractions/nvidia> and allows rules for optimizations.

If this is helpful to people, I'm not opposed to it, though the abstraction name is a bit wordy. I'd prefer this over 2.b (below) since explicit denies are annoying for policy authors. I realize that doesn't help with noisy denials, but those are probably best handled at the distro or site level IMHO.

> 2.b new <abstractions/nvidia-without-optimizations> abstraction that
> includes <abstractions/nvidia> and denies optimizations.
>
> usr.bin.thunderbird could be updated to change "nvidia" into
> "nvidia-without-optimizations" and "usr.lib.ioquake3.ioquake3" could be
> updated to include "nvidia-with-optimizations" instead.

-- 
Jamie Strandboge | http://www.canonical.com
-- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor