Hi, I would be happy to help. I have several machines running Stretch with a variety of hardware and uses (desktop/server, Intel/NVIDIA GPUs etc.). Are there specific apparmor profiles you wish to test?
As for the totem profile on Stretch, simply adding #include <abstractions/nvidia> to /etc/apparmor.d/local/usr.bin/totem and reloading the profile did not fix the issue:

jason@jason-desktop:/etc/apparmor.d$ /usr/bin/totem

(totem:9153): Cogl-WARNING **: driver/gl/cogl-util-gl.c:96: GL error (1281): Invalid value
(totem:9153): Cogl-WARNING **: driver/gl/cogl-util-gl.c:96: GL error (1281): Invalid value
(totem:9153): Cogl-WARNING **: driver/gl/cogl-util-gl.c:96: GL error (1281): Invalid value
(totem:9153): Cogl-WARNING **: driver/gl/cogl-util-gl.c:96: GL error (1281): Invalid value
(totem:9153): Cogl-WARNING **: driver/gl/cogl-util-gl.c:96: GL error (1281): Invalid value
Segmentation fault

The audit log shows continued errors related to the NVIDIA driver:

Oct 31 10:26:56 kernel: audit: type=1400 audit(1509460016.329:300): apparmor="DENIED" operation="open" profile="/usr/bin/totem" name="/dev/nvidia-modeset" pid=9153 comm="totem" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0
Oct 31 10:26:56 kernel: audit: type=1400 audit(1509460016.329:301): apparmor="DENIED" operation="open" profile="/usr/bin/totem" name="/dev/nvidia-modeset" pid=9153 comm="totem" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0
Oct 31 10:26:56 kernel: audit: type=1400 audit(1509460016.349:302): apparmor="DENIED" operation="file_mmap" profile="/usr/bin/totem" name="/tmp/.glVcerPq" pid=9153 comm="totem" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
Oct 31 10:26:56 kernel: audit: type=1400 audit(1509460016.349:303): apparmor="DENIED" operation="file_mmap" profile="/usr/bin/totem" name="/tmp/.glVcerPq" pid=9153 comm="totem" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
Oct 31 10:26:56 kernel: audit: type=1400 audit(1509460016.349:304): apparmor="DENIED" operation="mkdir" profile="/usr/bin/totem" name="/home/jason.nv/" pid=9153 comm="totem" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Oct 31 10:26:56 kernel: audit: type=1400 audit(1509460016.353:305): apparmor="DENIED" operation="file_mmap" profile="/usr/bin/totem" name="/tmp/.gl6sStVi" pid=9153 comm="totem" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
Oct 31 10:26:56 kernel: audit: type=1400 audit(1509460016.353:306): apparmor="DENIED" operation="file_mmap" profile="/usr/bin/totem" name="/tmp/.gl6sStVi" pid=9153 comm="totem" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
Oct 31 10:26:56 kernel: audit: type=1400 audit(1509460016.353:307): apparmor="DENIED" operation="mkdir" profile="/usr/bin/totem" name="/home/jason.nv/" pid=9153 comm="totem" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Oct 31 10:26:56 kernel: audit: type=1400 audit(1509460016.397:308): apparmor="DENIED" operation="open" profile="/usr/bin/totem" name="/var/lib/flatpak/exports/share/icons/hicolor/index.theme" pid=9153 comm="totem" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 31 10:26:56 kernel: audit: type=1400 audit(1509460016.397:309): apparmor="DENIED" operation="open" profile="/usr/bin/totem" name="/var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache" pid=9153 comm="totem" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
jason@jason-desktop:/etc/apparmor.d$

I also tried using the usr.bin.totem profile from sid, but that also failed:

jason@jason-desktop:/etc/apparmor.d/local$ /usr/bin/totem

(totem:11884): Cogl-WARNING **: driver/gl/cogl-util-gl.c:96: GL error (1281): Invalid value
(totem:11884): Grilo-WARNING **: [bookmarks] grl-bookmarks.c:255: Could not open database '/home/jason/.local/share/grilo-plugins/grl-bookmarks.db': Failed to open database at /home/jason/.local/share/grilo-plugins/grl-bookmarks.db
(totem:11884): GVFS-WARNING **: can't init metadata tree /home/jason/.local/share/gvfs-metadata/root: open: Permission denied
(totem:11884): GVFS-WARNING **: can't init metadata tree /home/jason/.local/share/gvfs-metadata/root: open: Permission denied
(totem:11884): GrlPodcasts-CRITICAL **: Failed to open database '': unable to open database file
(totem:11884): Grilo-WARNING **: [thetvdb] grl-thetvdb.c:390: Could not open database '/home/jason/.local/share/grilo-plugins/grl-thetvdb.db': Failed to open database at /home/jason/.local/share/grilo-plugins/grl-thetvdb.db
Segmentation fault

The audit log still contains NVIDIA-related errors:

Oct 31 10:41:52 kernel: audit: type=1400 audit(1509460912.787:317): apparmor="DENIED" operation="open" profile="/usr/bin/totem" name="/dev/nvidia-modeset" pid=11884 comm="totem" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0
Oct 31 10:41:52 kernel: audit: type=1400 audit(1509460912.787:318): apparmor="DENIED" operation="open" profile="/usr/bin/totem" name="/dev/nvidia-modeset" pid=11884 comm="totem" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0
Oct 31 10:41:52 kernel: audit: type=1400 audit(1509460912.815:319): apparmor="DENIED" operation="file_mmap" profile="/usr/bin/totem" name="/tmp/.gl5DoxkC" pid=11884 comm="totem" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
Oct 31 10:41:52 kernel: audit: type=1400 audit(1509460912.815:320): apparmor="DENIED" operation="file_mmap" profile="/usr/bin/totem" name="/tmp/.gl5DoxkC" pid=11884 comm="totem" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
Oct 31 10:41:52 kernel: audit: type=1400 audit(1509460912.815:321): apparmor="DENIED" operation="mkdir" profile="/usr/bin/totem" name="/home/jason.nv/" pid=11884 comm="totem" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Oct 31 10:41:52 kernel: audit: type=1400 audit(1509460912.819:322): apparmor="DENIED" operation="file_mmap" profile="/usr/bin/totem" name="/tmp/.gloFEGp9" pid=11884 comm="totem" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
Oct 31 10:41:52 kernel: audit: type=1400 audit(1509460912.819:323): apparmor="DENIED" operation="file_mmap" profile="/usr/bin/totem" name="/tmp/.gloFEGp9" pid=11884 comm="totem" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
Oct 31 10:41:52 kernel: audit: type=1400 audit(1509460912.819:324): apparmor="DENIED" operation="mkdir" profile="/usr/bin/totem" name="/home/jason.nv/" pid=11884 comm="totem" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Oct 31 10:41:52 kernel: audit: type=1400 audit(1509460912.831:325): apparmor="DENIED" operation="open" profile="/usr/bin/totem" name="/home/jason/.cache/gstreamer-1.0/registry.x86_64.bin" pid=11884 comm="totem" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
jason@jason-desktop:/etc/apparmor.d/local$

Thanks,
Jason

On Tue, Oct 31, 2017 at 3:06 AM, intrigeri <intrig...@debian.org> wrote:
> Hi,
>
> Jason Cohen:
> > I am seeing the same behavior in Stretch
>
> I'm not surprised. It's very likely that a number of the AppArmor
> policy fixes that were pushed to testing/sid (in src:apparmor* at
> least) since the Stretch release apply to Stretch as well. It would be
> nice if someone identified them so we can prepare a Stretch update.
> Such triaging is needed so that the proposed diff against Stretch is
> as small as possible, which eases reviews by the Release Team and
> decreases chances of introducing regressions. Would you be interested
> in this?
>
> Personally I'll treat this with low priority *for now*: I want to
> focus my AppArmor time on the "enabling AppArmor by default in
> Buster" experiment.
>
> Thanks for flagging this bug as affecting 1.11!
>
> Cheers,
> --
> intrigeri
>
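As an added example (not part of this thread or of the Debian packaging), a small Python helper that parses the kernel audit lines quoted above, merges the denied masks per profile and path, and emits candidate rules for a local override under /etc/apparmor.d/local/ for a human to review. The /tmp/.gl?????? glob for the driver's per-process temp files and the mapping of the audit masks c/d to the file-rule permission w are assumptions made here, not something the thread states.

```python
import re
from collections import defaultdict

# Constructed sample: one kernel audit line per distinct denial seen in the report above.
SAMPLE_AUDIT = """\
Oct 31 10:26:56 kernel: audit: type=1400 audit(1509460016.329:300): apparmor="DENIED" operation="open" profile="/usr/bin/totem" name="/dev/nvidia-modeset" pid=9153 comm="totem" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0
Oct 31 10:26:56 kernel: audit: type=1400 audit(1509460016.349:302): apparmor="DENIED" operation="file_mmap" profile="/usr/bin/totem" name="/tmp/.glVcerPq" pid=9153 comm="totem" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
Oct 31 10:26:56 kernel: audit: type=1400 audit(1509460016.349:304): apparmor="DENIED" operation="mkdir" profile="/usr/bin/totem" name="/home/jason.nv/" pid=9153 comm="totem" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Oct 31 10:41:52 kernel: audit: type=1400 audit(1509460912.815:319): apparmor="DENIED" operation="file_mmap" profile="/usr/bin/totem" name="/tmp/.gl5DoxkC" pid=11884 comm="totem" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
Oct 31 10:41:52 kernel: audit: type=1400 audit(1509460912.831:325): apparmor="DENIED" operation="open" profile="/usr/bin/totem" name="/home/jason/.cache/gstreamer-1.0/registry.x86_64.bin" pid=11884 comm="totem" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
"""

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted value" or key=bare

# Assumption: audit masks report create/delete as 'c'/'d'; file rules express both as 'w'.
MASK_TO_PERM = {"c": "w", "d": "w"}

def parse_audit_line(line):
    """Return the key/value fields of one line, or None unless it is an apparmor="DENIED" event."""
    fields = {k: (q or b) for k, q, b in FIELD_RE.findall(line)}
    return fields if fields.get("apparmor") == "DENIED" else None

def summarize_denials(text):
    """Group DENIED file events by profile and path, merging masks: {profile: {path: perms}}."""
    summary = defaultdict(dict)
    for line in text.splitlines():
        ev = parse_audit_line(line)
        if not ev or "name" not in ev:
            continue  # not a denial, or not a file event (no name= field)
        perms = {MASK_TO_PERM.get(ch, ch) for ch in ev.get("denied_mask", "")}
        have = set(summary[ev["profile"]].get(ev["name"], ""))
        summary[ev["profile"]][ev["name"]] = "".join(sorted(have | perms))
    return dict(summary)

def suggest_rules(summary, profile):
    """Candidate file rules for the given profile; each path still needs a human to justify it."""
    rules = {}
    for path, perms in summary.get(profile, {}).items():
        # Heuristic (assumption): the driver's random /tmp/.glXXXXXX names collapse to one glob.
        if re.fullmatch(r"/tmp/\.gl[A-Za-z0-9]{6}", path):
            path = "/tmp/.gl??????"
        rules[path] = "".join(sorted(set(rules.get(path, "")) | set(perms)))
    return sorted(f"{p} {m}," for p, m in rules.items())

if __name__ == "__main__":
    for rule in suggest_rules(summarize_denials(SAMPLE_AUDIT), "/usr/bin/totem"):
        print(rule)
```

The odd /home/jason.nv/ entry survives as-is on purpose: a rule generator should surface what the log actually says so the reviewer notices a path that looks wrong rather than silently normalising it.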