| 2013-08-14 20:33:45 |
Jamie Strandboge |
bug |
|
|
added bug |
| 2013-08-14 20:39:54 |
Jamie Strandboge |
nominated for series |
|
Ubuntu Saucy |
|
| 2013-08-14 20:39:54 |
Jamie Strandboge |
bug task added |
|
apparmor-easyprof-ubuntu (Ubuntu Saucy) |
|
| 2013-08-14 20:40:04 |
Jamie Strandboge |
apparmor-easyprof-ubuntu (Ubuntu Saucy): importance |
Undecided |
Low |
|
| 2013-08-14 20:40:10 |
Jamie Strandboge |
apparmor-easyprof-ubuntu (Ubuntu Saucy): importance |
Low |
Undecided |
|
| 2013-08-14 20:40:32 |
Jamie Strandboge |
bug task added |
|
nvidia-graphics-drivers-319 (Ubuntu) |
|
| 2013-08-14 20:40:42 |
Jamie Strandboge |
apparmor-easyprof-ubuntu (Ubuntu Saucy): status |
New |
In Progress |
|
| 2013-08-14 20:40:56 |
Jamie Strandboge |
bug task added |
|
nvidia-graphics-drivers-tegra3 (Ubuntu) |
|
| 2013-08-14 20:41:09 |
Jamie Strandboge |
bug task added |
|
nvidia-graphics-drivers-tegra (Ubuntu) |
|
| 2013-08-14 20:41:18 |
Jamie Strandboge |
apparmor-easyprof-ubuntu (Ubuntu Saucy): assignee |
|
Jamie Strandboge (jdstrand) |
|
| 2013-08-14 21:03:23 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/saucy-proposed/apparmor-easyprof-ubuntu |
|
| 2013-08-14 21:09:50 |
Launchpad Janitor |
apparmor-easyprof-ubuntu (Ubuntu Saucy): status |
In Progress |
Fix Released |
|
| 2013-08-14 21:23:04 |
Jamie Strandboge |
summary |
SDK applications require too many accesses on desktop with nvidia |
SDK applications require /tmp access with nvidia (should honor TMPDIR) |
|
| 2013-08-14 21:23:52 |
Jamie Strandboge |
description |
Nvidia desktop users need the following AppArmor permissions to avoid denials:
owner /tmp/gl* mrw,
But this rule breaks application confinement such that apps are able to tamper with each other. Interestingly, apps still run without the rule, so we can explicitly deny it for now.
The use of /tmp is apparently hardcoded and does not honor TMPDIR (application confinement will setup TMPDIR to a private area for the app). strace confirms this:
24603 mkdir("/tmp", 0777) = -1 EEXIST (File exists)
24603 open("/tmp/glBRPYmm", O_RDWR|O_CREAT|O_EXCL, 0600) = -1 EACCES (Permission denied)
While the use of O_EXCL is safe however, we don't allow access to /tmp for confined apps and libraries/applications should always honor TMPDIR. |
Nvidia desktop users need the following AppArmor permissions to avoid denials:
owner /tmp/gl* mrw,
But this rule breaks application confinement such that apps are able to tamper with each other. Interestingly, apps still run without the rule, so we can explicitly deny it for now.
The use of /tmp is apparently hardcoded and does not honor TMPDIR (application confinement will setup TMPDIR to a private area for the app). strace confirms this:
24603 mkdir("/tmp", 0777) = -1 EEXIST (File exists)
24603 open("/tmp/glBRPYmm", O_RDWR|O_CREAT|O_EXCL, 0600) = -1 EACCES (Permission denied)
While the use of O_EXCL is safe, we don't allow access to /tmp for confined apps and libraries/applications should always honor TMPDIR. |
|
| 2013-08-16 13:41:45 |
Alberto Milone |
bug |
|
|
added subscriber Daniel Dadap |
| 2013-09-13 16:39:34 |
Alberto Milone |
bug task deleted |
nvidia-graphics-drivers-tegra3 (Ubuntu) |
|
|
| 2013-09-13 16:39:38 |
Alberto Milone |
bug task deleted |
nvidia-graphics-drivers-tegra (Ubuntu) |
|
|
| 2013-09-20 21:33:51 |
Brian Murray |
nvidia-graphics-drivers-tegra3 (Ubuntu Saucy): status |
New |
Invalid |
|
| 2013-09-20 21:33:55 |
Brian Murray |
nvidia-graphics-drivers-tegra (Ubuntu Saucy): status |
New |
Invalid |
|
| 2013-10-02 09:45:45 |
Alberto Milone |
affects |
nvidia-graphics-drivers-319 (Ubuntu Saucy) |
nvidia-graphics-drivers-319-updates (Ubuntu Saucy) |
|
| 2013-10-02 09:45:45 |
Alberto Milone |
nvidia-graphics-drivers-319-updates (Ubuntu Saucy): importance |
Undecided |
Medium |
|
| 2013-10-02 09:45:45 |
Alberto Milone |
nvidia-graphics-drivers-319-updates (Ubuntu Saucy): status |
New |
Triaged |
|
| 2013-10-02 10:34:24 |
Alberto Milone |
nvidia-graphics-drivers-319-updates (Ubuntu Saucy): assignee |
|
Alberto Milone (albertomilone) |
|
| 2013-10-02 10:34:46 |
Alberto Milone |
bug task added |
|
nvidia-graphics-drivers-319 (Ubuntu) |
|
| 2013-10-02 10:35:12 |
Alberto Milone |
nvidia-graphics-drivers-319 (Ubuntu Saucy): status |
New |
Triaged |
|
| 2013-10-02 10:35:15 |
Alberto Milone |
nvidia-graphics-drivers-319 (Ubuntu Saucy): importance |
Undecided |
Medium |
|
| 2013-10-02 15:13:06 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/saucy-proposed/nvidia-graphics-drivers-319-updates |
|
| 2013-10-02 15:40:45 |
Launchpad Janitor |
nvidia-graphics-drivers-319-updates (Ubuntu Saucy): status |
Triaged |
Fix Released |
|
| 2013-11-04 17:29:43 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/trusty-proposed/nvidia-graphics-drivers-319 |
|
| 2013-11-04 18:15:14 |
Launchpad Janitor |
nvidia-graphics-drivers-319 (Ubuntu): status |
Triaged |
Fix Released |
|
| 2013-12-11 00:07:18 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/nvidia-graphics-drivers-304 |
|
| 2013-12-11 00:08:36 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/nvidia-graphics-drivers-304-updates |
|
| 2013-12-18 09:06:03 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/precise-proposed/nvidia-graphics-drivers-304 |
|
| 2013-12-18 10:43:46 |
Chris Halse Rogers |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
| 2013-12-18 10:43:52 |
Chris Halse Rogers |
bug |
|
|
added subscriber SRU Verification |
| 2013-12-18 10:43:55 |
Chris Halse Rogers |
tags |
|
verification-needed |
|
| 2013-12-18 10:50:33 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/precise-proposed/nvidia-graphics-drivers-304-updates |
|
| 2014-01-03 15:53:36 |
Bartosz Kosiorek |
bug task added |
|
nvidia-graphics-drivers-304 (Ubuntu) |
|
| 2014-01-03 15:54:26 |
Bartosz Kosiorek |
bug task added |
|
nvidia-graphics-drivers-304-updates (Ubuntu) |
|
| 2014-01-03 15:56:26 |
Bartosz Kosiorek |
nvidia-graphics-drivers-304-updates (Ubuntu): status |
New |
Fix Released |
|
| 2014-01-03 15:58:44 |
Bartosz Kosiorek |
nvidia-graphics-drivers-304 (Ubuntu): status |
New |
Fix Released |
|
| 2014-01-03 16:00:39 |
Launchpad Janitor |
nvidia-graphics-drivers-304 (Ubuntu Saucy): status |
New |
Confirmed |
|
| 2014-01-03 16:00:39 |
Launchpad Janitor |
nvidia-graphics-drivers-304-updates (Ubuntu Saucy): status |
New |
Confirmed |
|
| 2014-01-27 16:35:44 |
Colin Watson |
tags |
verification-needed |
verification-done |
|
| 2014-01-27 18:12:02 |
Colin Watson |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
| 2014-12-05 06:41:20 |
Rolf Leggewie |
nvidia-graphics-drivers-319 (Ubuntu Saucy): status |
Triaged |
Won't Fix |
|
| 2014-12-05 07:01:57 |
Rolf Leggewie |
nvidia-graphics-drivers-304 (Ubuntu Saucy): status |
Confirmed |
Won't Fix |
|
| 2014-12-05 07:02:02 |
Rolf Leggewie |
nvidia-graphics-drivers-304-updates (Ubuntu Saucy): status |
Confirmed |
Won't Fix |
|
