# vim:syntax=apparmor
# OpenCL access requirements for POCL implementation
abi <abi/3.0>,
include <abstractions/opencl-common>
# Executables
/usr/bin/{,@{multiarch}-}ld.bfd Cx -> opencl_pocl_ld,
/usr/lib/llvm-[0-9]*.[0-9]*/bin/clang Cx -> opencl_pocl_clang,
# System files
/ r, # libpocl.so -> libhwloc.so
@{sys}/bus/pci/slots/ r, # libpocl.so -> hwloc_topology_load() from libhwloc.so
@{sys}/bus/{cpu,node}/devices/ r, # libpocl.so -> libhwlock.so
@{sys}/class/net/ r, # libpocl.so -> hwloc_pci_traverse_lookuposdevices_cb() from libhwloc.so
@{sys}/devices/pci[0-9]*/**/ r, # for libpocl -> hwloc_linux_lookup_block_class() from libhwloc.so
@{sys}/devices/pci[0-9]*/**/block/*/dev r, # libpocl.so -> hwloc_linux_lookup_host_block_class() from libhwloc.so
@{sys}/devices/pci[0-9]*/**/{class,local_cpus} r, # libpocl.so -> libhwlock.so
@{sys}/devices/pci[0-9]*/*/net/*/address r, # libpocl.so -> hwloc_pci_traverse_lookuposdevices_cb() from libhwloc.so
@{sys}/devices/system/cpu/ r, # libpocl.so -> libnuma.so
@{sys}/devices/system/cpu/cpu[0-9]*/cache/index[0-9]*/* r, # libpocl.so -> libhwloc.so
@{sys}/devices/system/cpu/cpu[0-9]*/online r, # libpocl.so -> libhwlock.so
@{sys}/devices/system/cpu/cpu[0-9]*/topology/* r, # *_siblings, physical_package_id and lot's of others, for libpocl.so -> libhwloc.so
@{sys}/devices/system/cpu/cpufreq/policy[0-9]*/* r, # for clGetPlatformIDs() from libpocl.so
@{sys}/devices/system/cpu/possible r, # libpocl.so -> libhwloc.so
@{sys}/devices/virtual/dmi/id/{,*} r, # libpocl.so -> libhwloc.so
@{sys}/fs/cgroup/cpuset/cpuset.{cpus,mems} r, # libpocl.so -> libhwloc.so
@{sys}/kernel/mm/hugepages{/,/**} r, # libpocl.so -> libhwloc.so
/usr/share/pocl/** r,
@{run}/udev/data/*:* r, # libpocl.so -> hwloc_linux_block_class_fillinfos() from libhwloc.so
# User files
owner @{HOME}/.cache/pocl/ w,
owner @{HOME}/.cache/pocl/kcache/ w,
owner @{HOME}/.cache/pocl/kcache/** rw,
owner @{HOME}/.cache/pocl/kcache/**.so mrw, # dangerous!
owner @{PROC}/@{pid}/{cgroup,cpuset,status} r, # libpocl.so -> libhwloc.so, status for libpocl.so -> libnuma.so
# Child profiles
profile opencl_pocl_ld {
include <abstractions/base>
# Main executables
/usr/bin/{,@{multiarch}-}ld.bfd mr,
# User files
owner @{HOME}/.cache/pocl/kcache/tempfile*.so rw,
owner @{HOME}/.cache/pocl/kcache/**.so.o r,
}
profile opencl_pocl_clang {
include <abstractions/base>
# Main executables
/usr/lib/llvm-[0-9]*.[0-9]*/bin/clang mr,
# Additional executables
/usr/bin/{,@{multiarch}-}ld.bfd ix, # TODO: transfer to opencl_ld child profile?
# System files
/etc/debian-version r,
/etc/lsb-release r,
# User files
owner @{HOME}/.cache/pocl/kcache/*/*/*/*/*.so{,.o} rw,
}
# Include additions to the abstraction
include if exists <abstractions/opencl-pocl.d>
| Name | Type | Size | Permission | Actions |
|---|---|---|---|---|
| apparmor_api | Folder | 0755 |
|
|
| ubuntu-browsers.d | Folder | 0755 |
|
|
| X | File | 1.94 KB | 0644 |
|
| apache2-common | File | 978 B | 0644 |
|
| aspell | File | 412 B | 0644 |
|
| audio | File | 1.94 KB | 0644 |
|
| authentication | File | 1.81 KB | 0644 |
|
| base | File | 6.77 KB | 0644 |
|
| bash | File | 1.58 KB | 0644 |
|
| consoles | File | 903 B | 0644 |
|
| crypto | File | 809 B | 0644 |
|
| cups-client | File | 820 B | 0644 |
|
| dbus | File | 694 B | 0644 |
|
| dbus-accessibility | File | 745 B | 0644 |
|
| dbus-accessibility-strict | File | 760 B | 0644 |
|
| dbus-network-manager-strict | File | 1.37 KB | 0644 |
|
| dbus-session | File | 747 B | 0644 |
|
| dbus-session-strict | File | 1010 B | 0644 |
|
| dbus-strict | File | 781 B | 0644 |
|
| dconf | File | 344 B | 0644 |
|
| dovecot-common | File | 675 B | 0644 |
|
| dri-common | File | 542 B | 0644 |
|
| dri-enumerate | File | 392 B | 0644 |
|
| enchant | File | 2.17 KB | 0644 |
|
| exo-open | File | 1.88 KB | 0644 |
|
| fcitx | File | 558 B | 0644 |
|
| fcitx-strict | File | 821 B | 0644 |
|
| fonts | File | 2.22 KB | 0644 |
|
| freedesktop.org | File | 1.37 KB | 0644 |
|
| gio-open | File | 1.51 KB | 0644 |
|
| gnome | File | 3.73 KB | 0644 |
|
| gnupg | File | 459 B | 0644 |
|
| gtk | File | 1.42 KB | 0644 |
|
| gvfs-open | File | 1.15 KB | 0644 |
|
| hosts_access | File | 511 B | 0644 |
|
| ibus | File | 992 B | 0644 |
|
| kde | File | 2.8 KB | 0644 |
|
| kde-globals-write | File | 413 B | 0644 |
|
| kde-icon-cache-write | File | 256 B | 0644 |
|
| kde-language-write | File | 575 B | 0644 |
|
| kde-open5 | File | 3.61 KB | 0644 |
|
| kerberosclient | File | 1.25 KB | 0644 |
|
| ldapclient | File | 856 B | 0644 |
|
| libpam-systemd | File | 770 B | 0644 |
|
| likewise | File | 595 B | 0644 |
|
| mdns | File | 554 B | 0644 |
|
| mesa | File | 1.16 KB | 0644 |
|
| mir | File | 694 B | 0644 |
|
| mozc | File | 573 B | 0644 |
|
| mysql | File | 739 B | 0644 |
|
| nameservice | File | 4.29 KB | 0644 |
|
| nis | File | 625 B | 0644 |
|
| nss-systemd | File | 1.22 KB | 0644 |
|
| nvidia | File | 751 B | 0644 |
|
| opencl | File | 370 B | 0644 |
|
| opencl-common | File | 516 B | 0644 |
|
| opencl-intel | File | 672 B | 0644 |
|
| opencl-mesa | File | 636 B | 0644 |
|
| opencl-nvidia | File | 895 B | 0644 |
|
| opencl-pocl | File | 2.84 KB | 0644 |
|
| openssl | File | 648 B | 0644 |
|
| orbit2 | File | 197 B | 0644 |
|
| p11-kit | File | 999 B | 0644 |
|
| perl | File | 974 B | 0644 |
|
| php | File | 1.13 KB | 0644 |
|
| php-worker | File | 558 B | 0644 |
|
| php5 | File | 208 B | 0644 |
|
| postfix-common | File | 1.32 KB | 0644 |
|
| private-files | File | 1.62 KB | 0644 |
|
| private-files-strict | File | 1.18 KB | 0644 |
|
| python | File | 1.82 KB | 0644 |
|
| qt5 | File | 863 B | 0644 |
|
| qt5-compose-cache-write | File | 399 B | 0644 |
|
| qt5-settings-write | File | 514 B | 0644 |
|
| recent-documents-write | File | 466 B | 0644 |
|
| ruby | File | 1008 B | 0644 |
|
| samba | File | 1.13 KB | 0644 |
|
| smbpass | File | 581 B | 0644 |
|
| snap_browsers | File | 1.63 KB | 0644 |
|
| ssl_certs | File | 1.52 KB | 0644 |
|
| ssl_keys | File | 938 B | 0644 |
|
| svn-repositories | File | 1.72 KB | 0644 |
|
| ubuntu-bittorrent-clients | File | 821 B | 0644 |
|
| ubuntu-browsers | File | 1.58 KB | 0644 |
|
| ubuntu-console-browsers | File | 731 B | 0644 |
|
| ubuntu-console-email | File | 718 B | 0644 |
|
| ubuntu-email | File | 1.06 KB | 0644 |
|
| ubuntu-feed-readers | File | 456 B | 0644 |
|
| ubuntu-gnome-terminal | File | 300 B | 0644 |
|
| ubuntu-helpers | File | 3.7 KB | 0644 |
|
| ubuntu-konsole | File | 453 B | 0644 |
|
| ubuntu-media-players | File | 2.3 KB | 0644 |
|
| ubuntu-unity7-base | File | 2.5 KB | 0644 |
|
| ubuntu-unity7-launcher | File | 311 B | 0644 |
|
| ubuntu-unity7-messaging | File | 313 B | 0644 |
|
| ubuntu-xterm | File | 346 B | 0644 |
|
| user-download | File | 987 B | 0644 |
|
| user-mail | File | 944 B | 0644 |
|
| user-manpages | File | 1000 B | 0644 |
|
| user-tmp | File | 760 B | 0644 |
|
| user-write | File | 972 B | 0644 |
|
| video | File | 231 B | 0644 |
|
| vulkan | File | 1.06 KB | 0644 |
|
| wayland | File | 645 B | 0644 |
|
| web-data | File | 811 B | 0644 |
|
| winbind | File | 882 B | 0644 |
|
| wutmp | File | 711 B | 0644 |
|
| xad | File | 984 B | 0644 |
|
| xdg-desktop | File | 782 B | 0644 |
|
| xdg-open | File | 2.23 KB | 0644 |
|