Various fixes: man, nvidia-strict, iwd, lynx #645

Open
wants to merge 1 commit into
base: main
Conversation

el-remph

  • man:
    • more flexible index db path and specific manpath
    • allow calling groff and friends with inherited permissions
    • proper subprofiles
  • nvidia-strict: nvidia libraries get argv from /proc/self
  • iwd:
    • sends lots of UDP on packet sockets
    • writes to accept_ra and optimistic_dad
    • DNS daemons other than systemd-resolved may require iwd to use resolvconf
  • lynx: now handles brotli'd HTML as well as gzipped

I didn't want to open a whole pull request for each profile given that each change is just a few lines, but let me know if I should

Comment on lines 37 to 38
# soon there may be .zst here as well. Maybe just give it the whole dir?
owner @{tmp}/lynxXXXX*/*TMP.html{,.{gz,br}} rw,
Owner


That should be simplified as:

owner @{tmp}/lynxXXXX*/{,**} rw,

@roddhjav
Owner

Thanks for your PR.

Regarding the nvidia-strict abstraction, I add rules to this abstraction with extra care. Can you tell me more why you think they are needed for all Nvidia GPU access?

Regarding man: This profile is disabled (the actual profile in use is the one shipped by default with the man package). I won't accept an update as it is not the one that caused the issue.

* nvidia-strict: nvidia libraries get argv from /proc/self
* iwd:
  * sends lots of UDP on packet sockets
  * writes to accept_ra and optimistic_dad
  * DNS daemons other than systemd-resolved may require iwd to use resolvconf
* lynx: now handles brotli'd HTML as well as gzipped
@el-remph
Author

Rebased without man fixes and with lynx simplification.

Regarding the nvidia-strict abstraction, I add rules to this abstraction with extra care. Can you tell me more why you think they are needed for all Nvidia GPU access?

  • /proc/self/task/comm allows an nvidia library to see /proc/self/comm (which it is already allowed to see) if it has been changed by the calling process for an individual thread.
  • /proc/self/cmdline allows an nvidia library to see the argv of the calling process. Since an nvidia library is in the same process space as its caller, there is nothing to stop it just reading argv directly, so I guess allowing /proc/self/cmdline is just more convenient; disallowing it would be no more secure.

Regarding man: This profile is disabled (the actual profile in use is the one shipped by default with the man package). I won't accept an update as it is not the one that caused the issue.

I'll go to upstream then; which package did you mean, the debian package?
