Comment 0 for bug 1197133

Jamie Strandboge (jdstrand) wrote : SDK applications require access to /dev/nv* on grouper

SDK applications need the following AppArmor policy to run on a Nexus 7:

  /dev/nvmap rw,
  /dev/nvhost-* rw,
  /sys/module/nvhost/parameters/* r,
  /sys/module/fuse/parameters/tegra* r,

The read accesses are not ideal but probably ok, but the writes to /dev/nvmap and /dev/nvhost-* allow applications to attack these devices directly. I'm not sure what the solution is, but the current behavior weakens our application confinement policy.
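
A check a reviewer could run over a profile to list the file rules that grant write access under /dev, the concern raised in the comment above. This is an added example, not part of the original bug report or of AppArmor's own tooling; the profile name `sdk-app-example` and the function `device_write_rules` are hypothetical, and only path-first file rules (`path perms,`) are parsed.

```python
import re

# Constructed sample: the four rules quoted in the bug, wrapped in a
# hypothetical profile so the parser sees a complete profile body.
SAMPLE_PROFILE = """\
profile sdk-app-example {
  /dev/nvmap rw,
  /dev/nvhost-* rw,
  /sys/module/nvhost/parameters/* r,
  /sys/module/fuse/parameters/tegra* r,
}
"""

# Path-first file rule: optional qualifiers, path, permission string, comma.
RULE = re.compile(
    r"^\s*(?P<quals>(?:(?:audit|deny|allow|owner)\s+)*)"
    r"(?P<path>/\S*)\s+(?P<perms>[rwalkmxipPcCuU]+),\s*(?:#.*)?$"
)

def device_write_rules(profile_text, prefix="/dev/"):
    """Return (line number, path, perms) for rules that may allow writes under prefix."""
    findings = []
    for lineno, line in enumerate(profile_text.splitlines(), 1):
        m = RULE.match(line)
        if not m:
            continue  # not a path-first file rule
        if "deny" in m.group("quals").split():
            continue  # deny rules remove access rather than grant it
        path, perms = m.group("path"), m.group("perms")
        if not set(perms) & {"w", "a"}:
            continue  # no write or append permission
        # Literal part of the path before the first glob character.
        literal = re.split(r"[*?\[{]", path, maxsplit=1)[0]
        # Conservative match: the rule is under the prefix, or its glob
        # starts above the prefix (for example /** rw,) and may reach it.
        if literal.startswith(prefix) or prefix.startswith(literal):
            findings.append((lineno, path, perms))
    return findings

if __name__ == "__main__":
    for lineno, path, perms in device_write_rules(SAMPLE_PROFILE):
        print(f"line {lineno}: {path} grants '{perms}'")
```
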