feat(abs): ensure graphics devices are in nvidia-strict.

apparmor.d/abstractions/graphics-full

@@ -8,13 +8,7 @@
   include <abstractions/graphics>
   include <abstractions/oneapi>
 
-  @{sys}/devices/@{pci}/numa_node r,
-
-  @{PROC}/devices r,
-
   /dev/char/@{dynamic}:@{int} w,          # For dynamic assignment range 234 to 254, 384 to 511
-  /dev/nvidia-uvm rw,
-  /dev/nvidia-uvm-tools rw,
 
   include if exists <abstractions/graphics-full.d>
 

apparmor.d/abstractions/nvidia-strict

@@ -6,7 +6,7 @@
 
   @{bin}/nvidia-modprobe Px -> child-modprobe-nvidia,
 
-  /opt/cuda/targets/@{multiarch}/lib/libOpenCL.so.* mr,
+  /opt/cuda/targets/@{multiarch}/lib/libOpenCL.so{,.*} mr,
 
   /usr/share/nvidia/nvidia-application-profiles-* r,
 
@@ -24,13 +24,17 @@
   owner @{user_cache_dirs}/nvidia/GLCache/ rw,
   owner @{user_cache_dirs}/nvidia/GLCache/** rwk,
 
+  @{sys}/devices/@{pci}/numa_node r,
   @{sys}/devices/system/memory/block_size_bytes r,
   @{sys}/module/nvidia/version r,
 
-        @{PROC}/driver/nvidia/params r,
-        @{PROC}/modules r,
-        @{PROC}/sys/vm/max_map_count r,
-        @{PROC}/sys/vm/mmap_min_addr r,
+  @{PROC}/driver/nvidia/capabilities/mig/monitor r,
+  @{PROC}/driver/nvidia/gpus/@{pci_id}/information r,
+  @{PROC}/driver/nvidia/params r,
+  @{PROC}/modules r,
+  @{PROC}/sys/vm/max_map_count r,
+  @{PROC}/sys/vm/mmap_min_addr r,
+
         @{PROC}/@{pid}/cmdline r,
   owner @{PROC}/@{pid}/comm r,
   owner @{PROC}/@{pid}/task/@{tid}/comm r,
@@ -43,6 +47,10 @@
   # Nvidia graphics devices
   /dev/nvidia@{int} rw,
 
+  # Nvidia's Unified Memory driver
+  /dev/nvidia-uvm rw,
+  /dev/nvidia-uvm-tools rw,
+
   # Nvidia's control device
   /dev/nvidiactl rw,