[pkg-apparmor] Bug#923273: Bug#923273: apparmor: nvidia_modprobe named profile is shipped in complain mode
Vincas Dargis
vindrg at gmail.com
Fri Mar 8 16:57:14 GMT 2019
On Fri, 08 Mar 2019 09:13:55 +0100 intrigeri <intrigeri at debian.org> wrote:
> What's the actual impact of this bug? Any user-visible problem?
> Makes other profiles useless under their threat model?
nvidia_modprobed is used by LibreOffice profile - it includes `opencl-nvidia` for OpenCL features in
LibreOffice Calc, and in the end, the `nvidia-modprobe` executable is allowed.
Since LibreOffice is in complain mode by default, so I doubt this issue reduces security for default
Debian installation, only for users that enforces LibreOffice profile have reduced confinement
expectations.
No user-visible problems is seen.
nvidia-modprobe is setuid application, and having `nvidia_modrpobe` in enforced mode by default
would reduce attack vectors against LibreOffice, but again, only for users that enforces LO profile.
More information about the pkg-apparmor-team
mailing list