Bug#888028: nvidia-driver: applications running with discrete NVIDIA graphics tries to create /home/user.nv/ directory

Vincas Dargis vindrg at gmail.com
Tue Jan 23 17:55:09 UTC 2018

On 1/22/18 10:31 PM, Andreas Beckmann wrote:
> On 2018-01-22 20:39, Vincas Dargis wrote:
>> It looks like some shared code actually wanted to create $HOME + / + .nv
>> directory, though accidentally skipped a slash.
> Some nvidia driver components use ~/.nv/ as temporary storage, sounds
> like something expects $HOME to contain a trailing slash ... probably
> harmless without apparmor ...

Yep, kinda harmless as such (can be set to ignore on AppArmor with `deny` rule), but might be good fixing it if that 
breaks caching behaviour or whatever.

> Do you have XDG_CACHE_HOME set in the environment? (That's an
> alternative location where to place the .nv directory.) Does it have a
> trailing slash?

No, it's not set:

$ env | fgrep XDG_

> Is the problem reproducible with something like glxinfo/glxgears? That
> would simplify debugging.

I could reproduce it _only after creating AppArmor profile_ for glxgears.

And after some experimenting, it seems that if there is a rule:

owner /tmp/.gl* mrw,

It works OK without trying to create `user.nv` directory.

But if I remove 'm', meaning AppArmor will not allow to mmap() _for execution_, like this:

owner /tmp/.gl* rw,

Same DENIED log message hits, also visible via sysdig:

$ sudo sysdig "proc.name=glxgears and evt.args contains vincas.nv"
357922 19:43:11.404657834 4 glxgears (16962) < mkdir res=-13(EACCES) path=/home/vincas.nv

When 'm' is allowed, I actually can see that it's being mmap'ed with PROT_EXEC. This is kinda off-topic, but why?

146765 19:31:41.363130865 1 glxgears (15280) > fstat fd=14(<f>/tmp/.glEwKU3e)
146781 19:31:41.363143600 1 glxgears (15280) > mmap addr=0 length=8192 prot=5(PROT_READ|PROT_EXEC) 
flags=17(MAP_SHARED|MAP_32BIT) fd=14(<f>/tmp/.glEwKU3e) offset=0
146792 19:31:41.363152648 1 glxgears (15280) > mmap addr=0 length=8192 prot=3(PROT_READ|PROT_WRITE) flags=1(MAP_SHARED) 
fd=14(<f>/tmp/.glEwKU3e) offset=0
146798 19:31:41.363156709 1 glxgears (15280) > close fd=14(<f>/tmp/.glEwKU3e)

Basically, if AppArmor profile does not allow to mmap() /tmp/.glEwKU3e files for execution (which is sensible thing to 
do), some NVIDIA driver part _probably_ hits some code path with a bug that tries to create /home/user.nv/ directory in 
response to that?

Again, there is no such problems if I run it on Intel, without `optirun`.

> Anyway, please consider reporting this directly to NVIDIA, since we
> cannot fix bugs in the binary components at all ...
> See README.Debian in the driver for details.

Yeah, I'll report bug that they try to mmap() temporary user-writable files with PROT_EXEC, and still, `user.nv` seems 
like a bug in that strange.. "use case".


For the record, I've attached AppArmor profile for glxgears I've used for for testing. To use it:

sudo cp usr.bin.glxgears /etc/apparmor.d/
sudo systemctl restart apparmor

Running glxgears afterwards should not produce DENIED events in kernel/audit log.

Later, `owner /tmp/.gl* mrw,` rule cane be changed into `owner /tmp/.gl* rw,` ('m' removed), and after:

sudo systemctl restart apparmor

running glxgears (via optirun if needed to hit NVIDIA) should produce DENIED event, and similar sysdig output.
-------------- next part --------------
# Last Modified: Tue Jan 23 19:01:05 2018
#include <tunables/global>

/usr/bin/glxgears {
  #include <abstractions/X>
  #include <abstractions/base>
  #include <abstractions/nvidia>

  # Main executable
  /usr/bin/glxgears mr,

  # System files
  /dev/dri/ r,
  /proc/driver/nvidia/params r,
  /proc/modules r,
  /sys/devices/pci[0-9]*/**/{device,subsystem,subsystem_device,subsystem_vendor,uevent,vendor} r, # libdrm
  /usr/lib/@{multiarch}/ld-*.so mr,
  # User files
  owner /tmp/#[0-9]* rw, # Also tries to mmap for execution!? although works without allowing it.
  owner /tmp/.gl* mrw, # Remove 'm' to reproduce attempt to create /home/$user.nv/ directory
  owner @{HOME}/#[0-9]* rw, # Also tries to mmap for execution!? although works without allowing it.
  owner @{HOME}/.Xauthority r,
  owner @{HOME}/.nv/{,**/} w, # Allow to create ~/.nv directory tree if missing
  owner @{HOME}/.nv/GLCache/ r,
  owner @{HOME}/.nv/GLCache/**.toc rwk,

More information about the pkg-nvidia-devel mailing list