[pkg-apparmor] Bug#879900: apparmor-profiles-extra: Totem segfaults when apparmor profile is enforced

intrigeri intrigeri at debian.org
Fri Oct 27 08:01:40 UTC 2017


Control: retitle -1 Totem segfaults with NVIDIA proprietary drivers when AppArmor profile is enforced
Control: tag -1 + moreinfo

Hi Jason!

Jason Wittlin-Cohen:
> Totem suffers a segmentation fault upon startup when its respective apparmor
> profile is set to enforce mode.  It starts fine when the apparmor profile is
> set to complain mode. I have not modified the /etc/apparmor.d/usr.bin.totem
> profile.

> […]
> Oct 27 00:00:22 debian-testing kernel: [139101.193078] audit: type=1400
> audit(1509076822.746:1331): apparmor="DENIED" operation="open"
> profile="/usr/bin/totem" name="/proc/modules" pid=29696 comm="totem"
> requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
> Oct 27 00:00:22 debian-testing kernel: [139101.194061] audit: type=1400
> audit(1509076822.747:1332): apparmor="DENIED" operation="exec"
> profile="/usr/bin/totem" name="/usr/bin/nvidia-modprobe" pid=29699
> comm="totem"
> requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

Thanks for reporting this. This seems to be specific to using the
NVIDIA proprietary drivers. Unfortunately I have no NVIDIA hardware
available so I'll need help from you to fix this. This may require
more than one "please test this and report back" iteration.

Could you please try adding to /etc/apparmor.d/local/usr.bin.totem

  #include <abstractions/nvidia>

… then run "sudo apparmor_parser -r /etc/apparmor.d/usr.bin.totem"
and retry.

If that's not enough, also add:

  /usr/bin/nvidia-modprobe Pix,

… then run "sudo apparmor_parser -r /etc/apparmor.d/usr.bin.totem"
and retry.

If both fail, I will need the corresponding AppArmor logs that you can
gather with:

  sudo journalctl -ka --no-hostname | grep -w 'apparmor="DENIED"' 

Or, if systemd-journald is not running:

  sudo grep -w 'apparmor="DENIED"' \
     /var/log/auditd/auditd.log \
     /var/log/syslog

This could also be worth a try:

  /usr/bin/nvidia-modprobe PUx,

(it's not good enough to be applied as-is in Debian but at least it
may help us diagnose the problem :)

Thanks in advance!
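
Added example, not part of the original message or of the AppArmor tooling: a small parser that groups apparmor="DENIED" audit records by profile, operation, path and denied mask, so that repeated denials collapse into one row per missing permission. The function names and the third sample record are constructed for illustration; the first two records are the ones quoted in the report, rejoined onto single lines.

```python
import re
import sys
from collections import Counter

# key="quoted value" or key=bare_value, as found in kernel audit records
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
HEX_RE = re.compile(r'(?:[0-9A-Fa-f]{2})+')

# Constructed value: audit hex-encodes strings that contain spaces.
HEX_NAME = "/home/user/My Video.mkv".encode().hex().upper()
SAMPLE = [
    'kernel: [139101.193078] audit: type=1400 audit(1509076822.746:1331): '
    'apparmor="DENIED" operation="open" profile="/usr/bin/totem" '
    'name="/proc/modules" pid=29696 comm="totem" requested_mask="r" '
    'denied_mask="r" fsuid=1000 ouid=0',
    'kernel: [139101.194061] audit: type=1400 audit(1509076822.747:1332): '
    'apparmor="DENIED" operation="exec" profile="/usr/bin/totem" '
    'name="/usr/bin/nvidia-modprobe" pid=29699 comm="totem" '
    'requested_mask="x" denied_mask="x" fsuid=1000 ouid=0',
    # Constructed record exercising the hex-encoded name case.
    'kernel: audit: type=1400 audit(0.000:1): apparmor="DENIED" '
    'operation="open" profile="/usr/bin/totem" name=' + HEX_NAME +
    ' pid=1 comm="totem" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000',
]

def parse_denial(line):
    """Return the audit fields of an AppArmor DENIED record, or None."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields = {}
    for key, raw, quoted in FIELD_RE.findall(line):
        if raw.startswith('"'):
            fields[key] = quoted
        elif key in ("name", "profile", "comm") and HEX_RE.fullmatch(raw):
            # Unquoted string fields are hex-encoded by the audit subsystem.
            fields[key] = bytes.fromhex(raw).decode("utf-8", "replace")
        else:
            fields[key] = raw
    return fields

def summarize(lines):
    """Count denials per (profile, operation, name, denied_mask)."""
    counts = Counter()
    for fields in filter(None, map(parse_denial, lines)):
        counts[tuple(fields.get(k, "?") for k in
                     ("profile", "operation", "name", "denied_mask"))] += 1
    return counts

if __name__ == "__main__":
    lines = SAMPLE if sys.stdin.isatty() else sys.stdin
    for (profile, op, name, mask), n in summarize(lines).most_common():
        print(f"{n:4d}  {profile}  {op:<6} {mask:<3} {name}")
```

Piping the output of the journalctl command above into the script replaces the built-in sample with the live records.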


