
SDK applications require /tmp access with nvidia (should honor TMPDIR)

Reported by Jamie Strandboge on 2013-08-14
This bug affects 2 people
Affects                                       Importance   Assigned to
apparmor-easyprof-ubuntu (Ubuntu)             Undecided    Jamie Strandboge
  Saucy                                       Undecided    Jamie Strandboge
nvidia-graphics-drivers-304 (Ubuntu)          Undecided    Unassigned
  Saucy                                       Undecided    Unassigned
nvidia-graphics-drivers-304-updates (Ubuntu)  Undecided    Unassigned
  Saucy                                       Undecided    Unassigned
nvidia-graphics-drivers-319 (Ubuntu)          Medium       Unassigned
  Saucy                                       Medium       Unassigned
nvidia-graphics-drivers-319-updates (Ubuntu)  Medium       Alberto Milone
  Saucy                                       Medium       Alberto Milone
nvidia-graphics-drivers-tegra3 (Ubuntu)
  Saucy                                       Undecided    Unassigned
nvidia-graphics-drivers-tegra (Ubuntu)
  Saucy                                       Undecided    Unassigned

Bug Description

Nvidia desktop users need the following AppArmor permissions to avoid denials:
  owner /tmp/gl* mrw,

But this rule breaks application confinement such that apps are able to tamper with each other. Interestingly, apps still run without the rule, so we can explicitly deny it for now.

The use of /tmp is apparently hardcoded and does not honor TMPDIR (application confinement will set up TMPDIR to a private area for the app). strace confirms this:
24603 mkdir("/tmp", 0777) = -1 EEXIST (File exists)
24603 open("/tmp/glBRPYmm", O_RDWR|O_CREAT|O_EXCL, 0600) = -1 EACCES (Permission denied)

While the use of O_EXCL is safe, we don't allow access to /tmp for confined apps and libraries/applications should always honor TMPDIR.
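The following is an added example written for this page, not the NVIDIA driver's code and not part of the bug report. It puts the pattern visible in the strace above (mkdir("/tmp"), then an O_EXCL create under /tmp) next to the behaviour the 319.60 changelog later describes: use $TMPDIR when it is set, otherwise /tmp, and fall back to $HOME/.nv when that fails. The function names, the "gl" file prefix and the self-check helpers are the editor's own; the directories the checks create are constructed throwaway paths. The point for confinement is that a library which honors TMPDIR lets the launcher steer its scratch files into the app's private area instead of the shared /tmp, so the profile never needs an `owner /tmp/gl*` rule at all.

```c
/* Hypothetical helpers, added by the editor; not NVIDIA's code. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define SCRATCH_PATH_MAX 4096

/* "Before": the pattern shown in the strace.  Under application confinement
 * /tmp is not in the profile, so the create fails with EACCES; outside
 * confinement the file lands in the shared /tmp. */
int open_scratch_hardcoded(char *path_out, size_t path_len)
{
    if (mkdir("/tmp", 0777) < 0 && errno != EEXIST)
        return -1;
    snprintf(path_out, path_len, "/tmp/glXXXXXX");
    return mkstemp(path_out);          /* O_RDWR|O_CREAT|O_EXCL, mode 0600 */
}

/* "After": $TMPDIR when set and non-empty, else /tmp.  Pure function so the
 * choice can be checked without touching the environment. */
const char *pick_tmp_dir(const char *tmpdir_value)
{
    return (tmpdir_value && *tmpdir_value) ? tmpdir_value : "/tmp";
}

static int build_template(const char *dir, char *buf, size_t buflen)
{
    int n = snprintf(buf, buflen, "%s/glXXXXXX", dir);
    return (n < 0 || (size_t)n >= buflen) ? -1 : 0;
}

/* Create a private 0600 scratch file.  Primary location: pick_tmp_dir($TMPDIR).
 * If that fails (EACCES under confinement, ENOENT, ...), fall back to
 * $HOME/.nv, creating it 0700 if missing.  Returns the fd, or -1. */
int open_scratch_honoring_tmpdir(char *path_out, size_t path_len)
{
    const char *dir = pick_tmp_dir(getenv("TMPDIR"));
    if (build_template(dir, path_out, path_len) == 0) {
        int fd = mkstemp(path_out);
        if (fd >= 0)
            return fd;
    }
    const char *home = getenv("HOME");
    if (!home || !*home)
        return -1;
    char nvdir[SCRATCH_PATH_MAX];
    if (snprintf(nvdir, sizeof nvdir, "%s/.nv", home) >= (int)sizeof nvdir)
        return -1;
    if (mkdir(nvdir, 0700) < 0 && errno != EEXIST)
        return -1;
    if (build_template(nvdir, path_out, path_len) != 0)
        return -1;
    return mkstemp(path_out);
}

/* Self-check: with TMPDIR pointing at a fresh private directory (what the
 * confinement launcher provides), the scratch file lands there.  Returns 1 on success. */
int check_honors_tmpdir(void)
{
    char priv[] = "/tmp/nv-example-XXXXXX";        /* constructed private area */
    if (!mkdtemp(priv)) return 0;
    setenv("TMPDIR", priv, 1);
    char path[SCRATCH_PATH_MAX];
    int fd = open_scratch_honoring_tmpdir(path, sizeof path);
    int ok = fd >= 0 && strncmp(path, priv, strlen(priv)) == 0;
    if (fd >= 0) { close(fd); unlink(path); }
    rmdir(priv);
    unsetenv("TMPDIR");
    return ok;
}

/* Self-check: when the primary directory is unusable, the file goes to $HOME/.nv. */
int check_falls_back_to_home_nv(void)
{
    char home[] = "/tmp/nv-example-home-XXXXXX";   /* constructed fake $HOME */
    if (!mkdtemp(home)) return 0;
    setenv("TMPDIR", "/nonexistent/dir", 1);       /* primary location unusable */
    setenv("HOME", home, 1);
    char path[SCRATCH_PATH_MAX], expect[SCRATCH_PATH_MAX];
    snprintf(expect, sizeof expect, "%s/.nv/gl", home);
    int fd = open_scratch_honoring_tmpdir(path, sizeof path);
    int ok = fd >= 0 && strncmp(path, expect, strlen(expect)) == 0;
    if (fd >= 0) { close(fd); unlink(path); }
    snprintf(expect, sizeof expect, "%s/.nv", home);
    rmdir(expect);
    rmdir(home);
    unsetenv("TMPDIR");
    return ok;
}

int main(void)
{
    char p[SCRATCH_PATH_MAX];
    int fd = open_scratch_hardcoded(p, sizeof p);
    printf("hardcoded: %s\n", fd >= 0 ? p : strerror(errno));
    if (fd >= 0) { close(fd); unlink(p); }
    printf("honors TMPDIR: %s\n", check_honors_tmpdir() ? "yes" : "no");
    printf("falls back to $HOME/.nv: %s\n", check_falls_back_to_home_nv() ? "yes" : "no");
    return 0;
}
```

Both variants keep the O_EXCL create (mkstemp), which is what makes the file creation itself safe against a pre-planted symlink; what changes is only where the file is placed, and that is what decides whether two confined apps can see each other's scratch files.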

Changed in apparmor-easyprof-ubuntu (Ubuntu Saucy):
importance: Undecided → Low
importance: Low → Undecided
status: New → In Progress
assignee: nobody → Jamie Strandboge (jdstrand)
Jamie Strandboge (jdstrand) wrote :

I am going to add the following to the SDK template to silence the denial:
  deny /tmp/gl* mrw,

This should still be fixed in nvidia*.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor-easyprof-ubuntu - 1.0.16

---------------
apparmor-easyprof-ubuntu (1.0.16) saucy; urgency=low

  * rename data_exchange policy group to content_exchange. This would normally
    constitute a new minor version, but no one is using these yet
  * ubuntu-sdk template:
    - add a couple PROC accesses for desktop systems
    - add /usr/bin/qtchooser rmix for launching under upstart
    - add device specific access for desktop nvidia users (LP: #1212425)
    - adjust to use /{,var/}run/user/*/confined/@{APPNAME} instead of
      /{,var/}run/user/*/@{APPNAME}
 -- Jamie Strandboge <email address hidden> Wed, 14 Aug 2013 13:56:04 -0500

Changed in apparmor-easyprof-ubuntu (Ubuntu Saucy):
status: In Progress → Fix Released
summary: - SDK applications require too many accesses on desktop with nvidia
+ SDK applications require /tmp access with nvidia (should honor TMPDIR)
description: updated
Alberto Milone (albertomilone) wrote :

Subscribing NVIDIA to the bug report

James M. Leddy (jm-leddy) wrote :

Nvidia has fixed the problem. The driver has not been publicly released yet.

no longer affects: nvidia-graphics-drivers-tegra3 (Ubuntu)
no longer affects: nvidia-graphics-drivers-tegra (Ubuntu)
Changed in nvidia-graphics-drivers-tegra3 (Ubuntu Saucy):
status: New → Invalid
Changed in nvidia-graphics-drivers-tegra (Ubuntu Saucy):
status: New → Invalid
affects: nvidia-graphics-drivers-319 (Ubuntu Saucy) → nvidia-graphics-drivers-319-updates (Ubuntu Saucy)
Changed in nvidia-graphics-drivers-319-updates (Ubuntu Saucy):
importance: Undecided → Medium
status: New → Triaged
Changed in nvidia-graphics-drivers-319-updates (Ubuntu Saucy):
assignee: nobody → Alberto Milone (albertomilone)
Changed in nvidia-graphics-drivers-319 (Ubuntu Saucy):
status: New → Triaged
importance: Undecided → Medium
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nvidia-graphics-drivers-319-updates - 319.60-0ubuntu1

---------------
nvidia-graphics-drivers-319-updates (319.60-0ubuntu1) saucy; urgency=low

  [ Andy Dick ]
  * debian/templates/nvidia-graphics-drivers.preinst.in:
    - Attempt uninstallation of any existing .run file
      installation before installing Debian-packaged
      driver.
  * debian/templates/nvidia-graphics-drivers.postinst.in:
    - Add libcuda.so symlinks in /usr/lib*.
  * debian/rules:
    - Conditionalize the copying of Makefile.kbuild to
      Makefile. This adds support for newer drivers,
      while maintaining support for packaging older drivers.
    - Avoid extracting unnecessary .run files. The 64-bit
      package needs both the 32- and 64-bit .run files, but
      the 32-bit package does not. Change the unpackaging
      rules to unpack only the native package by default,
      and only unpack the 32-bit x86 package on amd64.
      Also, instead of changing the .run file permissions
      to ensure that the .run file is executable, just call
      it as an argument to sh.
    - Don't assume that extracted files are writable.
      The package contents extracted from some .run file
      installers may not have write permissions enabled.
      To work around this, move files instead of copying
      them to a temporary location before running sed
      scripts, and add force flags to applicable commands.
  * New upstream release:
    - Added support for the following GPU:
      o GeForce GTX 760 Ti OEM
    - Fixed a bug that could cause OpenGL applications to
      crash during the initialization of new threads.
    - Fixed a bug that caused the GPU and Memory clock
      frequencies for some PowerMizer performance levels
      on Kepler boards to be reported incorrectly in the
      nvidia-settings control panel.
    - Fixed a bug that caused the X server to fail to
      start on certain laptops when the boot display was
      on an external DisplayPort monitor, for example if
      the laptop was booted while the lid was closed.
    - Fixed a bug in nvidia-installer that caused the
      32-bit libGL.la libtool library file to be
      installed to the wrong location.
    - Updated the NVIDIA OpenGL driver to write temporary
      files to $TMPDIR if it is set, instead of
      unconditionally writing to /tmp (LP: #1212425).
    - Updated a fallback of writing temporary files to
      $HOME/.nvidia to use $HOME/.nv instead, as the
      latter path is already used for other NVIDIA driver
      related files.
 -- Alberto Milone <email address hidden> Wed, 02 Oct 2013 11:31:10 +0200

Changed in nvidia-graphics-drivers-319-updates (Ubuntu Saucy):
status: Triaged → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nvidia-graphics-drivers-319 - 319.60-0ubuntu1

---------------
nvidia-graphics-drivers-319 (319.60-0ubuntu1) trusty; urgency=low

  * New upstream release:
    - Added support for the following GPU:
      o GeForce GTX 760 Ti OEM
    - Fixed a bug that could cause OpenGL applications to
      crash during the initialization of new threads.
    - Fixed a bug that caused the GPU and Memory clock
      frequencies for some PowerMizer performance levels
      on Kepler boards to be reported incorrectly in the
      nvidia-settings control panel.
    - Fixed a bug that caused the X server to fail to
      start on certain laptops when the boot display was
      on an external DisplayPort monitor, for example if
      the laptop was booted while the lid was closed.
    - Fixed a bug in nvidia-installer that caused the
      32-bit libGL.la libtool library file to be
      installed to the wrong location.
    - Updated the NVIDIA OpenGL driver to write temporary
      files to $TMPDIR if it is set, instead of
      unconditionally writing to /tmp (LP: #1212425).
    - Updated a fallback of writing temporary files to
      $HOME/.nvidia to use $HOME/.nv instead, as the
      latter path is already used for other NVIDIA driver
      related files.
  * Add buildfix_kernel_3.12.patch:
    - Add support for Linux 3.12
  * Refresh buildfix_kernel_3.11.patch.
 -- Alberto Milone <email address hidden> Mon, 04 Nov 2013 17:10:17 +0100

Changed in nvidia-graphics-drivers-319 (Ubuntu):
status: Triaged → Fix Released

Hello Jamie, or anyone else affected,

Accepted nvidia-graphics-drivers-304-updates into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/nvidia-graphics-drivers-304-updates/304.116-0ubuntu0.0.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification. Thank you in advance!

tags: added: verification-needed
Changed in nvidia-graphics-drivers-304-updates (Ubuntu):
status: New → Fix Released
Changed in nvidia-graphics-drivers-304 (Ubuntu):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in nvidia-graphics-drivers-304 (Ubuntu Saucy):
status: New → Confirmed
Changed in nvidia-graphics-drivers-304-updates (Ubuntu Saucy):
status: New → Confirmed
Bartosz Kosiorek (gang65) wrote :

Hi.

I installed nvidia-graphics-drivers-304-updates and nvidia-graphics-drivers-304 from proposed (on Ubuntu 12.04 Precise) and tested them intensively (by playing games on Steam).
It works perfectly for me.

Verification done for nvidia-graphics-drivers-304 drivers

Colin Watson (cjwatson) on 2014-01-27
tags: added: verification-done
removed: verification-needed

The verification of the Stable Release Update for nvidia-graphics-drivers-304 has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates, please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
