From 170575fbff343a6c376bbebb9acac171ffbba3b6 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Sat, 13 Sep 2025 00:40:54 +0200
Subject: [PATCH] feat(abs): ensure graphics devices are in nvidia-strict.

---
 apparmor.d/abstractions/graphics-full |  6 ------
 apparmor.d/abstractions/nvidia-strict | 18 +++++++++++++-----
 2 files changed, 13 insertions(+), 11 deletions(-)

diff --git a/apparmor.d/abstractions/graphics-full b/apparmor.d/abstractions/graphics-full
index 1e2c97224..de5f865b5 100644
--- a/apparmor.d/abstractions/graphics-full
+++ b/apparmor.d/abstractions/graphics-full
@@ -8,13 +8,7 @@
   include <abstractions/graphics>
   include <abstractions/oneapi>
 
-  @{sys}/devices/@{pci}/numa_node r,
-
-  @{PROC}/devices r,
-
   /dev/char/@{dynamic}:@{int} w,          # For dynamic assignment range 234 to 254, 384 to 511
-  /dev/nvidia-uvm rw,
-  /dev/nvidia-uvm-tools rw,
 
   include if exists <abstractions/graphics-full.d>
 
diff --git a/apparmor.d/abstractions/nvidia-strict b/apparmor.d/abstractions/nvidia-strict
index 8fd78a702..a14691a9c 100644
--- a/apparmor.d/abstractions/nvidia-strict
+++ b/apparmor.d/abstractions/nvidia-strict
@@ -6,7 +6,7 @@
 
   @{bin}/nvidia-modprobe Px -> child-modprobe-nvidia,
 
-  /opt/cuda/targets/@{multiarch}/lib/libOpenCL.so.* mr,
+  /opt/cuda/targets/@{multiarch}/lib/libOpenCL.so{,.*} mr,
 
   /usr/share/nvidia/nvidia-application-profiles-* r,
 
@@ -24,13 +24,17 @@
   owner @{user_cache_dirs}/nvidia/GLCache/ rw,
   owner @{user_cache_dirs}/nvidia/GLCache/** rwk,
 
+  @{sys}/devices/@{pci}/numa_node r,
   @{sys}/devices/system/memory/block_size_bytes r,
   @{sys}/module/nvidia/version r,
 
-        @{PROC}/driver/nvidia/params r,
-        @{PROC}/modules r,
-        @{PROC}/sys/vm/max_map_count r,
-        @{PROC}/sys/vm/mmap_min_addr r,
+  @{PROC}/driver/nvidia/capabilities/mig/monitor r,
+  @{PROC}/driver/nvidia/gpus/@{pci_id}/information r,
+  @{PROC}/driver/nvidia/params r,
+  @{PROC}/modules r,
+  @{PROC}/sys/vm/max_map_count r,
+  @{PROC}/sys/vm/mmap_min_addr r,
+
         @{PROC}/@{pid}/cmdline r,
   owner @{PROC}/@{pid}/comm r,
   owner @{PROC}/@{pid}/task/@{tid}/comm r,
@@ -43,6 +47,10 @@
   # Nvidia graphics devices
   /dev/nvidia@{int} rw,
 
+  # Nvidia's Unified Memory driver
+  /dev/nvidia-uvm rw,
+  /dev/nvidia-uvm-tools rw,
+
   # Nvidia's control device
   /dev/nvidiactl rw,