// -*- Mode: Go; indent-tabs-mode: t -*-

/*
 * Copyright (C) 2016-2017 Canonical Ltd
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 3 as
 * published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 *
 */

package builtin

// Policy fragments for the "opengl" interface. The three constants below are
// consumed by init() in this file, which registers them on a commonInterface;
// the strings themselves are passed through to the sandbox backends verbatim,
// so their contents (not just their Go formatting) are the security boundary.
const (
	// openglSummary is the one-line description shown for the interface.
	openglSummary = `allows access to OpenGL stack`

	// openglBaseDeclarationSlots restricts who may provide the slot: per the
	// allow-installation rule, only a snap of type "core" can carry it.
	openglBaseDeclarationSlots = `
  opengl:
    allow-installation:
      slot-snap-type:
        - core
`

	// openglConnectedPlugAppArmor is the AppArmor policy applied to the
	// plugging snap's apps once the plug is connected. It grants read/mmap of
	// the GL, NVIDIA and CUDA libraries staged under /var/lib/snapd (and the
	// host's multiarch library directories via hostfs), read/write access to
	// every DRM card and render node, the NVIDIA, VideoCore, Tegra and PowerVR
	// device nodes, and read access to a set of /sys and /run/udev/data
	// entries. The two FIXME comments embedded in the policy are deliberate
	// reviewer markers: the /sys/bus and /run/udev/data reads are broader than
	// the listed devices strictly need and the policy itself calls them an
	// information leak, so treat widening those sections as a policy change
	// rather than a cosmetic one.
	openglConnectedPlugAppArmor = `
# Description: Can access opengl.

# specific gl libs
/var/lib/snapd/lib/gl{,32}/ r,
/var/lib/snapd/lib/gl{,32}/** rm,

# Bi-arch distribution nvidia support
/var/lib/snapd/hostfs/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcuda*.so{,.*} rm,
/var/lib/snapd/hostfs/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnvidia*.so{,.*} rm,
/var/lib/snapd/hostfs/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnvoptix*.so{,.*} rm,
/var/lib/snapd/hostfs/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}tls/libnvidia*.so{,.*} rm,
/var/lib/snapd/hostfs/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnvcuvid.so{,.*} rm,
/var/lib/snapd/hostfs/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}lib{GL,GLESv1_CM,GLESv2,EGL}*nvidia.so{,.*} rm,
/var/lib/snapd/hostfs/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libGLdispatch.so{,.*} rm,
/var/lib/snapd/hostfs/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}vdpau/libvdpau_nvidia.so{,.*} rm,
/var/lib/snapd/hostfs/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnv{rm,dc,imp,os}*.so{,.*} rm,
# CUDA libs
/var/lib/snapd/hostfs/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnpp{c,ig,ial,icc,idei,ist,if,im,itc}*.so{,.*} rm,
/var/lib/snapd/hostfs/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcublas{,Lt}*.so{,.*} rm,
/var/lib/snapd/hostfs/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcufft.so{,.*} rm,
/var/lib/snapd/hostfs/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcusolver.so{,.*} rm,
/var/lib/snapd/hostfs/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcuparse.so{,.*} rm,
/var/lib/snapd/hostfs/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcurand.so{,.*} rm,
/var/lib/snapd/hostfs/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcudnn{,_adv_infer,_adv_train,_cnn_infer,_cnn_train,_ops_infer,_ops_train}*.so{,.*} rm,
/var/lib/snapd/hostfs/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnvrtc{,-builtins}*.so{,.*} rm,
/var/lib/snapd/hostfs/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnvToolsExt.so{,.*} rm,

# Support reading the Vulkan ICD files
/var/lib/snapd/lib/vulkan/ r,
/var/lib/snapd/lib/vulkan/** r,
/var/lib/snapd/hostfs/usr/share/vulkan/icd.d/*nvidia*.json r,

# Support reading the GLVND EGL vendor files
/var/lib/snapd/lib/glvnd/ r,
/var/lib/snapd/lib/glvnd/** r,
/var/lib/snapd/hostfs/usr/share/glvnd/egl_vendor.d/ r,
/var/lib/snapd/hostfs/usr/share/glvnd/egl_vendor.d/*nvidia*.json r,

# Support Nvidia EGL external platform
/var/lib/snapd/hostfs/usr/share/egl/egl_external_platform.d/ r,
/var/lib/snapd/hostfs/usr/share/egl/egl_external_platform.d/*nvidia*.json r,

# Main bi-arch GL libraries
/var/lib/snapd/hostfs/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}{,nvidia*/}lib{GL,GLU,GLESv1_CM,GLESv2,EGL,GLX}.so{,.*} rm,

# Allow access to all cards since a) this is common on hybrid systems, b) ARM
# devices commonly have two devices (such as on the Raspberry Pi 4, one for KMS
# and another that does not) and c) there is nothing saying that /dev/dri/card0
# is the default card or the application is currently using.
/dev/dri/ r,
/dev/dri/card[0-9]* rw,

# nvidia
/etc/vdpau_wrapper.cfg r,
@{PROC}/driver/nvidia/params r,
@{PROC}/modules r,
/dev/nvidia* rw,
unix (send, receive) type=dgram peer=(addr="@nvidia[0-9a-f]*"),

# VideoCore/EGL (shared device with VideoCore camera)
/dev/vchiq rw,
# VideoCore Video decoding (required for accelerated MMAL video playback)
/dev/vcsm-cma rw,

# va-api
/dev/dri/renderD[0-9]* rw,

# cuda
@{PROC}/sys/vm/mmap_min_addr r,
@{PROC}/devices r,
/sys/devices/system/memory/block_size_bytes r,
/sys/module/tegra_fuse/parameters/tegra_* r,
unix (bind,listen) type=seqpacket addr="@cuda-uvmfd-[0-9a-f]*",
/{dev,run}/shm/cuda.* rw,
/dev/nvhost-* rw,
/dev/nvmap rw,

# Tegra display driver
/dev/tegra_dc_ctrl rw,
/dev/tegra_dc_[0-9]* rw,

# Xilinx zocl DRM driver
# https://github.com/Xilinx/XRT/tree/master/src/runtime_src/core/edge/drm
/sys/devices/platform/amba{,_pl@[0-9]*}/amba{,_pl@[0-9]*}:zyxclmm_drm/* r,

# Imagination PowerVR driver
/dev/pvr_sync rw,

# OpenCL ICD files
/etc/OpenCL/vendors/ r,
/etc/OpenCL/vendors/** r,

# Parallels guest tools 3D acceleration (video toolgate)
@{PROC}/driver/prl_vtg rw,

# /sys/devices
/sys/devices/{,*pcie-controller/}pci[0-9a-f]*/**/config r,
/sys/devices/{,*pcie-controller/}pci[0-9a-f]*/**/revision r,
/sys/devices/{,*pcie-controller/}pci[0-9a-f]*/**/{,subsystem_}class r,
/sys/devices/{,*pcie-controller/}pci[0-9a-f]*/**/{,subsystem_}device r,
/sys/devices/{,*pcie-controller/}pci[0-9a-f]*/**/{,subsystem_}vendor r,
/sys/devices/**/drm{,_dp_aux_dev}/** r,

# FIXME: this is an information leak and snapd should instead query udev for
# the specific accesses associated with the above devices.
/sys/bus/pci/devices/ r,
/sys/bus/platform/devices/soc:gpu/ r,
/run/udev/data/+drm:card* r,
/run/udev/data/+pci:[0-9a-f]* r,
/run/udev/data/+platform:soc:gpu* r,

# FIXME: for each device in /dev that this policy references, lookup the
# device type, major and minor and create rules of this form:
# /run/udev/data/<type><major>:<minor> r,
# For now, allow 'c'haracter devices and 'b'lock devices based on
# https://www.kernel.org/doc/Documentation/devices.txt
/run/udev/data/c226:[0-9]* r, # 226 drm

# From https://bugs.launchpad.net/snapd/+bug/1862832
/run/nvidia-xdriver-* rw,
unix (send, receive) type=dgram peer=(addr="@var/run/nvidia-xdriver-*"),
`
)
// openglConnectedPlugUDev lists the udev match rules used to tag the GPU
// device nodes for the plugging snap's device cgroup. Only devices that show
// up in sysfs can be tagged this way; some nvidia modules don't use sysfs
// (therefore they can't be udev tagged) and will be added by snap-confine.
// Every KERNEL name here should have a matching rw path rule in
// openglConnectedPlugAppArmor, and vice versa, or access will be allowed by
// one layer and denied by the other.
var openglConnectedPlugUDev = []string{
	`SUBSYSTEM=="drm", KERNEL=="card[0-9]*"`, // all DRM cards, see AppArmor rationale
	`KERNEL=="vchiq"`,                        // VideoCore/EGL
	`KERNEL=="vcsm-cma"`,                     // VideoCore video decoding
	`KERNEL=="renderD[0-9]*"`,                // DRM render nodes (va-api)
	`KERNEL=="nvhost-*"`,                     // cuda on Tegra
	`KERNEL=="nvmap"`,                        // cuda on Tegra
	`KERNEL=="tegra_dc_ctrl"`,                // Tegra display driver
	`KERNEL=="tegra_dc_[0-9]*"`,              // Tegra display driver
	`KERNEL=="pvr_sync"`,                     // Imagination PowerVR
}

// init registers the opengl interface. The slot is implicitly provided on both
// core and classic systems; the plug-side policy comes from the constants and
// udev rules declared above.
func init() {
	iface := &commonInterface{
		name:                  "opengl",
		summary:               openglSummary,
		implicitOnCore:        true,
		implicitOnClassic:     true,
		baseDeclarationSlots:  openglBaseDeclarationSlots,
		connectedPlugAppArmor: openglConnectedPlugAppArmor,
		connectedPlugUDev:     openglConnectedPlugUDev,
	}
	registerIface(iface)
}