This repository has been archived by the owner on Feb 12, 2023. It is now read-only.

fix(apparmor): Import nvidia abstraction #6666

Open
wants to merge 1 commit into
base: master

Conversation


@Talkless Talkless commented Oct 22, 2022

In Debian Sid, after upgrading to nvidia-tesla-470-driver, qTox forever freezes upon startup.

AppArmor denials:

```
type=AVC msg=audit(1666461161.036:2783): apparmor="DENIED"
operation="open" profile="qtox" name="/proc/modules" pid=5139
comm="qtox" requested_mask="r" denied_mask="r" fsuid=1000
ouid=0FSUID="vincas" OUID="root"

type=AVC msg=audit(1666461161.036:2784): apparmor="DENIED"
operation="exec" profile="qtox" name="/usr/bin/nvidia-modprobe" pid=5150
comm="qtox" requested_mask="x" denied_mask="x" fsuid=1000
ouid=0FSUID="vincas" OUID="root"
```

As it keeps waiting forever:

```
[pid  5306] clone(child_stack=NULL,
flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLDstrace: Process
5317 attached
, child_tidptr=0x7f41ea70d750) = 5317
[pid  5317] set_robust_list(0x7f41ea70d760, 24) = 0
[pid  5306] wait4(5317,  <unfinished ...>
[pid  5317] execve("/usr/bin/nvidia-modprobe",
["/usr/bin/nvidia-modprobe"], 0x7ffc19b67258 /* 0 vars */) = -1 EACCES
(Permission denied)
[pid  5317] write(7, "\1\0\0\0\0\0\0\0", 8) = 8
[pid  5315] <... poll resumed>)         = 1 ([{fd=7, revents=POLLIN}])
[pid  5317] futex(0x55ed33f3f4d0,
FUTEX_WAIT_BITSET_PRIVATE|FUTEX_CLOCK_REALTIME, 0, NULL,
FUTEX_BITSET_MATCH_ANY <unfinished ...>
[pid  5315] read(7, "\1\0\0\0\0\0\0\0", 16) = 8
[pid  5315] poll([{fd=7, events=POLLIN}, {fd=8, events=POLLIN}], 2, -1
<unfinished ...>
[pid  5314] <... poll resumed>)         = 1 ([{fd=3, revents=POLLIN}])
[pid  5314] recvmsg(3, {msg_name=NULL, msg_namelen=0,
msg_iov=[{iov_base="U\2P\1:\3\4\0\3\4\4\0\0\0\0\0\0\0\0\4\4\4\4\4\0\0\3\37%\2\0\0",
iov_len=4096}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = 32
[pid  5314] write(5, "\1\0\0\0\0\0\0\0", 8) = 8
[pid  5314] poll([{fd=3, events=POLLIN}], 1, -1
```

Allowing reading of /proc/modules and other nvidia-driver-related files (by importing abstractions/nvidia) fixes this issue.
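Added example, not code from the PR or from qTox: a small Python triage helper that parses `apparmor="DENIED"` audit records like the two quoted above and turns each into the narrowest file rule that would satisfy it, which is the information needed to decide whether an existing abstraction (here `abstractions/nvidia`) already covers the gap or whether a profile rule is missing. The sample records are constructed from the PR's output, re-joined onto single lines, plus one constructed non-denial STATUS record to show that it is filtered out.

```python
import re

# Constructed sample: the two denials from the PR description, each on one line
# as the audit log stores them, plus a profile_load STATUS event (not a denial).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1666461161.000:2780): apparmor="STATUS" operation="profile_load" profile="unconfined" name="qtox" pid=1 comm="apparmor_parser"
type=AVC msg=audit(1666461161.036:2783): apparmor="DENIED" operation="open" profile="qtox" name="/proc/modules" pid=5139 comm="qtox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1666461161.036:2784): apparmor="DENIED" operation="exec" profile="qtox" name="/usr/bin/nvidia-modprobe" pid=5150 comm="qtox" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
"""

# Every quoted key="value" pair in an audit record; unquoted fields (pid, fsuid) are not needed here.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_denials(text):
    """Return one dict of quoted fields per record whose apparmor status is DENIED."""
    events = []
    for line in text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        if fields.get("apparmor") != "DENIED":
            continue  # STATUS / ALLOWED / AUDIT records are not enforcement gaps
        events.append(fields)
    return events


def format_perms(perms):
    """Render a permission set AppArmor-style: plain access bits first, exec mode last."""
    exec_mode = sorted(p for p in perms if p.endswith("x"))
    plain = sorted(p for p in perms if not p.endswith("x"))
    return "".join(plain + exec_mode)


def suggest_rules(events):
    """Map each denial to the narrowest file rule per profile, keyed by profile name.

    A denied 'x' is rendered as 'ix' (execute under the same confinement), the most
    conservative exec mode; choosing 'Px' or 'ux' instead is a deliberate policy decision.
    """
    per_profile = {}
    for ev in events:
        path = ev.get("name")
        if not path:
            continue  # non-file denials (signal, dbus, ...) need different rule types
        perms = per_profile.setdefault(ev["profile"], {}).setdefault(path, set())
        for bit in ev.get("denied_mask", ""):
            perms.add("ix" if bit == "x" else bit)
    return {prof: ["%s %s," % (p, format_perms(s)) for p, s in paths.items()]
            for prof, paths in per_profile.items()}


if __name__ == "__main__":
    for profile, rules in suggest_rules(parse_denials(SAMPLE_AUDIT)).items():
        print("profile %s would need:" % profile)
        for rule in rules:
            print("  " + rule)
```

In this PR the two resulting rules are not added by hand; the fix is to include the nvidia abstraction that already carries the driver-related access.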

@codecov-commenter

Codecov Report

Base: 12.08% // Head: 12.08% // No change to project coverage 👍

Coverage data is based on head (5a33767) compared to base (b728849).
Patch has no changes to coverable lines.

Additional details and impacted files
@@           Coverage Diff           @@
##           master    #6666   +/-   ##
=======================================
  Coverage   12.08%   12.08%           
=======================================
  Files         308      308           
  Lines       20898    20898           
=======================================
  Hits         2526     2526           
  Misses      18372    18372           



@sudden6 sudden6 left a comment


Reviewed 3 of 3 files at r1, all commit messages.
Reviewable status: 0 of 1 LGTMs obtained
