// -*- Mode: Go; indent-tabs-mode: t -*-

/*
 * Copyright (C) 2016-2017 Canonical Ltd
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 3 as
 * published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 *
 */

package builtin

// openglSummary is the one-line description shown for the "opengl" interface.
const openglSummary = `allows access to OpenGL stack`

// openglBaseDeclarationSlots restricts installation of an "opengl" slot to
// snaps of type "core"; application snaps cannot provide this slot.
const openglBaseDeclarationSlots = `
  opengl:
    allow-installation:
      slot-snap-type:
        - core
`

// openglConnectedPlugAppArmor is the AppArmor policy granted to a snap whose
// plug is connected to the opengl slot. It covers read/mmap of the GL, Vulkan,
// GLVND, OpenCL and vendor (nvidia, Tegra, VideoCore, Parallels) libraries and
// configuration, plus read/write on the /dev/dri card and render nodes and the
// nvidia/Tegra device nodes. The policy deliberately exposes every DRM card
// rather than only card0 (see the comment in the policy text), and the sysfs
// and /run/udev/data rules are marked FIXME in the text as a known information
// leak that should be narrowed by querying udev for the specific devices.
// The policy text below is consumed verbatim by the AppArmor backend; do not
// reflow or "tidy" it.
const openglConnectedPlugAppArmor = `
# Description: Can access opengl.

# specific gl libs
/var/lib/snapd/lib/gl{,32}/ r,
/var/lib/snapd/lib/gl{,32}/** rm,

# Bi-arch distribution nvidia support
/var/lib/snapd/hostfs/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcuda*.so{,.*} rm,
/var/lib/snapd/hostfs/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnvidia*.so{,.*} rm,
/var/lib/snapd/hostfs/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnvoptix*.so{,.*} rm,
/var/lib/snapd/hostfs/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}tls/libnvidia*.so{,.*} rm,
/var/lib/snapd/hostfs/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnvcuvid.so{,.*} rm,
/var/lib/snapd/hostfs/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}lib{GL,GLESv1_CM,GLESv2,EGL}*nvidia.so{,.*} rm,
/var/lib/snapd/hostfs/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libGLdispatch.so{,.*} rm,
/var/lib/snapd/hostfs/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}vdpau/libvdpau_nvidia.so{,.*} rm,

# Support reading the Vulkan ICD files
/var/lib/snapd/lib/vulkan/ r,
/var/lib/snapd/lib/vulkan/** r,
/var/lib/snapd/hostfs/usr/share/vulkan/icd.d/*nvidia*.json r,

# Support reading the GLVND EGL vendor files
/var/lib/snapd/lib/glvnd/ r,
/var/lib/snapd/lib/glvnd/** r,
/var/lib/snapd/hostfs/usr/share/glvnd/egl_vendor.d/*nvidia*.json r,

# Main bi-arch GL libraries
/var/lib/snapd/hostfs/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}{,nvidia*/}lib{GL,GLU,GLESv1_CM,GLESv2,EGL,GLX}.so{,.*} rm,

# Allow access to all cards since a) this is common on hybrid systems, b) ARM
# devices commonly have two devices (such as on the Raspberry Pi 4, one for KMS
# and another that does not) and c) there is nothing saying that /dev/dri/card0
# is the default card or the application is currently using.
/dev/dri/ r,
/dev/dri/card[0-9]* rw,

# nvidia
/etc/vdpau_wrapper.cfg r,
@{PROC}/driver/nvidia/params r,
@{PROC}/modules r,
/dev/nvidia* rw,
unix (send, receive) type=dgram peer=(addr="@nvidia[0-9a-f]*"),

# VideoCore/EGL (shared device with VideoCore camera)
/dev/vchiq rw,

# va-api
/dev/dri/renderD[0-9]* rw,

# cuda
@{PROC}/sys/vm/mmap_min_addr r,
@{PROC}/devices r,
/sys/devices/system/memory/block_size_bytes r,
/sys/module/tegra_fuse/parameters/tegra_* r,
unix (bind,listen) type=seqpacket addr="@cuda-uvmfd-[0-9a-f]*",
/{dev,run}/shm/cuda.* rw,
/dev/nvhost-* rw,
/dev/nvmap rw,

# Tegra display driver
/dev/tegra_dc_ctrl rw,
/dev/tegra_dc_[0-9]* rw,

# OpenCL ICD files
/etc/OpenCL/vendors/ r,
/etc/OpenCL/vendors/** r,

# Parallels guest tools 3D acceleration (video toolgate)
@{PROC}/driver/prl_vtg rw,

# /sys/devices
/sys/devices/{,*pcie-controller/}pci[0-9a-f]*/**/config r,
/sys/devices/{,*pcie-controller/}pci[0-9a-f]*/**/revision r,
/sys/devices/{,*pcie-controller/}pci[0-9a-f]*/**/{,subsystem_}class r,
/sys/devices/{,*pcie-controller/}pci[0-9a-f]*/**/{,subsystem_}device r,
/sys/devices/{,*pcie-controller/}pci[0-9a-f]*/**/{,subsystem_}vendor r,
/sys/devices/**/drm{,_dp_aux_dev}/** r,

# FIXME: this is an information leak and snapd should instead query udev for
# the specific accesses associated with the above devices.
/sys/bus/pci/devices/ r,
/sys/bus/platform/devices/soc:gpu/ r,
/run/udev/data/+drm:card* r,
/run/udev/data/+pci:[0-9a-f]* r,
/run/udev/data/+platform:soc:gpu* r,

# FIXME: for each device in /dev that this policy references, lookup the
# device type, major and minor and create rules of this form:
# /run/udev/data/<type><major>:<minor> r,
# For now, allow 'c'haracter devices and 'b'lock devices based on
# https://www.kernel.org/doc/Documentation/devices.txt
/run/udev/data/c226:[0-9]* r, # 226 drm

# From https://bugs.launchpad.net/snapd/+bug/1862832
/run/nvidia-xdriver-* rw,
unix (send, receive) type=dgram peer=(addr="@var/run/nvidia-xdriver-*"),
`

// openglConnectedPlugUDev lists the udev match rules for the device nodes a
// connected plug is allowed to use: the DRM card nodes, the VideoCore vchiq
// node, the DRM render nodes, and the Tegra nvhost/nvmap/tegra_dc nodes.
// Some nvidia modules don't use sysfs (therefore they can't be udev tagged)
// and will be added by snap-confine.
var openglConnectedPlugUDev = []string{
	`SUBSYSTEM=="drm", KERNEL=="card[0-9]*"`,
	`KERNEL=="vchiq"`,
	`KERNEL=="renderD[0-9]*"`,
	`KERNEL=="nvhost-*"`,
	`KERNEL=="nvmap"`,
	`KERNEL=="tegra_dc_ctrl"`,
	`KERNEL=="tegra_dc_[0-9]*"`,
}

// init registers the "opengl" interface. The interface is implicit on both
// core and classic systems, so the slot is provided by the system snap
// without any explicit declaration.
func init() {
	iface := &commonInterface{
		name:                  "opengl",
		summary:               openglSummary,
		implicitOnCore:        true,
		implicitOnClassic:     true,
		baseDeclarationSlots:  openglBaseDeclarationSlots,
		connectedPlugAppArmor: openglConnectedPlugAppArmor,
		connectedPlugUDev:     openglConnectedPlugUDev,
	}
	registerIface(iface)
}