SDK applications require /tmp access with nvidia (should honor TMPDIR)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
apparmor-easyprof-ubuntu (Ubuntu) | Fix Released | Undecided | Jamie Strandboge |
Saucy | Fix Released | Undecided | Jamie Strandboge |
nvidia-graphics-drivers-304 (Ubuntu) | Fix Released | Undecided | Unassigned |
Saucy | Won't Fix | Undecided | Unassigned |
nvidia-graphics-drivers-304-updates (Ubuntu) | Fix Released | Undecided | Unassigned |
Saucy | Won't Fix | Undecided | Unassigned |
nvidia-graphics-drivers-319 (Ubuntu) | Fix Released | Medium | Unassigned |
Saucy | Won't Fix | Medium | Unassigned |
nvidia-graphics-drivers-319-updates (Ubuntu) | Fix Released | Medium | Alberto Milone |
Saucy | Fix Released | Medium | Alberto Milone |
nvidia-graphics-drivers-tegra (Ubuntu) | | | |
Saucy | Invalid | Undecided | Unassigned |
nvidia-graphics-drivers-tegra3 (Ubuntu) | | | |
Saucy | Invalid | Undecided | Unassigned |
Bug Description
Nvidia desktop users need the following AppArmor permissions to avoid denials:
owner /tmp/gl* mrw,
But this rule breaks application confinement such that apps are able to tamper with each other. Interestingly, apps still run without the rule, so we can explicitly deny it for now.
The use of /tmp is apparently hardcoded and does not honor TMPDIR (application confinement will set up TMPDIR to a private area for the app). strace confirms this:
24603 mkdir("/tmp", 0777) = -1 EEXIST (File exists)
24603 open("/
While the use of O_EXCL is safe, we don't allow access to /tmp for confined apps and libraries/
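Added example, not code from the NVIDIA driver or from the apparmor-easyprof-ubuntu profile: the hardcoded-/tmp pattern the strace output above describes, beside a version that honors TMPDIR so the file lands in the private area confinement provides. The function names, the `gl` prefix (taken from the `/tmp/gl*` rule) and the scratch directory used by the self-check are assumptions for illustration.

```c
/*
 * Added example (not the NVIDIA driver's or the AppArmor profile's code).
 * Shows the hardcoded-/tmp pattern from the bug report next to a TMPDIR-
 * honoring version. Assumes a POSIX system with mkstemp/mkdtemp; the "gl"
 * prefix comes from the /tmp/gl* rule in the report, everything else is
 * illustrative.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern the strace shows: directory hardcoded to /tmp, so a confined app
 * needs "owner /tmp/gl* mrw," in its profile. O_EXCL (used by mkstemp) avoids
 * symlink/clobber races, but the location is still one that every app with
 * /tmp access shares, which is what breaks confinement. */
int create_hardcoded_tmpfile(char *path, size_t len)
{
    if (mkdir("/tmp", 0777) == -1 && errno != EEXIST)
        return -1;
    if (snprintf(path, len, "%s", "/tmp/glXXXXXX") >= (int)len)
        return -1;
    return mkstemp(path); /* open(O_RDWR|O_CREAT|O_EXCL, 0600) underneath */
}

/* TMPDIR if set and non-empty, otherwise the conventional /tmp. */
const char *choose_tmp_dir(const char *tmpdir_env)
{
    return (tmpdir_env && tmpdir_env[0] != '\0') ? tmpdir_env : "/tmp";
}

/* Build "<dir>/<prefix>XXXXXX" for mkstemp; -1 if it does not fit. */
int build_tmp_template(char *buf, size_t len, const char *dir, const char *prefix)
{
    int n = snprintf(buf, len, "%s/%sXXXXXX", dir, prefix);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Honors TMPDIR, so under confinement the file is created in the app's
 * private area and no /tmp rule is needed in the profile. */
int create_private_tmpfile(char *path, size_t len)
{
    const char *dir = choose_tmp_dir(getenv("TMPDIR"));
    if (build_tmp_template(path, len, dir, "gl") == -1)
        return -1;
    return mkstemp(path);
}

/* Self-check: point TMPDIR at a fresh scratch directory, create a file, and
 * verify it landed there rather than in /tmp proper. 1 on success, else 0. */
int demo_honors_tmpdir(void)
{
    char dir[] = "/tmp/tmpdir-demo-XXXXXX"; /* scratch dir for the demo only */
    char path[PATH_MAX];
    int fd = -1, ok = 0;

    if (mkdtemp(dir) == NULL)
        return 0;
    if (setenv("TMPDIR", dir, 1) == -1)
        goto out;
    fd = create_private_tmpfile(path, sizeof path);
    if (fd == -1)
        goto out;
    ok = strncmp(path, dir, strlen(dir)) == 0 && path[strlen(dir)] == '/';
    close(fd);
    unlink(path);
out:
    unsetenv("TMPDIR");
    rmdir(dir);
    return ok;
}

int main(void)
{
    char path[PATH_MAX];
    int fd = create_private_tmpfile(path, sizeof path);
    if (fd == -1) {
        perror("create_private_tmpfile");
        return 1;
    }
    printf("created %s (TMPDIR=%s)\n", path,
           getenv("TMPDIR") ? getenv("TMPDIR") : "<unset>");
    close(fd);
    unlink(path);
    return demo_honors_tmpdir() ? 0 : 1;
}
```

Run it once with TMPDIR unset and once with `TMPDIR=/some/private/dir` to see the file move; the hardcoded variant is kept only to show the pattern that forces the `/tmp/gl*` rule, and should not be used.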
Changed in apparmor-easyprof-ubuntu (Ubuntu Saucy): | |
importance: | Undecided → Low |
importance: | Low → Undecided |
status: | New → In Progress |
assignee: | nobody → Jamie Strandboge (jdstrand) |
summary: |
- SDK applications require too many accesses on desktop with nvidia
+ SDK applications require /tmp access with nvidia (should honor TMPDIR) |
description: | updated |
no longer affects: | nvidia-graphics-drivers-tegra3 (Ubuntu) |
no longer affects: | nvidia-graphics-drivers-tegra (Ubuntu) |
Changed in nvidia-graphics-drivers-tegra3 (Ubuntu Saucy): | |
status: | New → Invalid |
Changed in nvidia-graphics-drivers-tegra (Ubuntu Saucy): | |
status: | New → Invalid |
affects: | nvidia-graphics-drivers-319 (Ubuntu Saucy) → nvidia-graphics-drivers-319-updates (Ubuntu Saucy) |
Changed in nvidia-graphics-drivers-319-updates (Ubuntu Saucy): | |
importance: | Undecided → Medium |
status: | New → Triaged |
Changed in nvidia-graphics-drivers-319-updates (Ubuntu Saucy): | |
assignee: | nobody → Alberto Milone (albertomilone) |
Changed in nvidia-graphics-drivers-319 (Ubuntu Saucy): | |
status: | New → Triaged |
importance: | Undecided → Medium |
Changed in nvidia-graphics-drivers-304-updates (Ubuntu): | |
status: | New → Fix Released |
Changed in nvidia-graphics-drivers-304 (Ubuntu): | |
status: | New → Fix Released |
tags: |
added: verification-done removed: verification-needed |
Changed in nvidia-graphics-drivers-304 (Ubuntu Saucy): | |
status: | Confirmed → Won't Fix |
Changed in nvidia-graphics-drivers-304-updates (Ubuntu Saucy): | |
status: | Confirmed → Won't Fix |
I am going to add the following to the SDK template to silence the denial:
deny /tmp/gl* mrw,
This should still be fixed in nvidia*.