Linux on MacBook Air with NVIDIA drivers

In order to use the proprietary NVIDIA driver on a MacBook Air 3,1 (11-inch, late 2010) with the NVIDIA GeForce 320M chipset booting openSUSE Leap 42.1 in EFI mode, create the file /etc/grub.d/01_enable_vga.conf with the following content:

set -e

# Initialize the PCI-E registers of MBA 3,1 for the nvidia driver

cat << EOF
btrfs-mount-subvol /dev/sda3 /boot/grub2/x86_64-efi /@/boot/grub2/x86_64-efi
insmod setpci
setpci -s "00:17.0" 3e.b=8
setpci -s "02:00.0" 04.b=7

and run grub2-mkconfig -o /boot/grub2/grub.cfg to update the bootloader configuration. Be aware that you might need to determine the PCI bus ids for your machine first by running lshw -businfo -class bridge -class display as described in this post on askubuntu. (Please note that using only the setpci command as suggested in that post for Ubuntu systems does not suffice on openSUSE systems, because on this system the setpci functionality is provided as a separate GRUB module and must be loaded explicitly with the insmod command; since the GRUB modules are not installed on the boot partition, their location has to be mounted first using the btrfs-mount-subvol command.)

Reboot and verify that the settings have actually been applied by running the setpci command on the command line as root without the part after the equal sign (e.g. setpci -s "00:17.0" 3e.b). This should return the values assigned before, i.e. 8 or 7 respectively.

Then proceed installing the nvidia driver by choosing the appropriate package on the openSUSE Community website. In my case (NVIDIA GeForce 320M), that means choosing the „Geforce 8 series and later“ option.


Ever since I upgraded my notebook with a SSD, I was looking for a way to minimise or avoid unnecessary write accesses. The tools of choice (on Linux at least) are iostat for a rough summary and pidstat for the details. With the help of those two one can easily figure out which processes are responsible for write accesses.

Once a writing process is identified, lsof can tell you which files are actually written. Depending on what you want to achieve, you can then continue to relocate that file to a different disk (e.g. if you have two disks and want one of them to sleep most of the time) or to memory (using tmpfs). The latter obviously means that the written data will be lost at the next reboot, but sometimes this is perfectly fine e.g. for the files inside /tmp. Therefore, it is generally a good idea to move that directory into volatile memory following the instructions on the openSUSE Wiki.

All good and well if you actually manage to relocate or move a file. Often file locations are a matter of configuration and otherwise you can help yourself with dynamic links. But there was one very special file on my openSUSE 11.4 installation that withstood all my assaults for quiet some time. I’m speaking of a beast called .xsession-errors residing in your $HOME directory. Created by KDM, one would expect to be able to configure the location of that file. Indeed, there is a configuration option called ClientLogFile specifically for that purpose. Unfortunately this is only the first and easier of two necessary steps:

  1. As root open your /usr/share/kde4/config/kdm/kdmrc, go to a section labelled [X-:0-Core] (there may be multiple of those, but don’t worry and just pick the last one) and add the following line:

    This will move the file into the /tmp directory. Mind the path relative to $HOME.

  2. Now the hidden piece: again as root open your /etc/X11/xdm/Xsession and make the following changes (I deliberately use the patch syntax here i.e. remove lines with a minus sign and add those with a plus sign):
    --- Xsession.old        2011-05-01 19:46:40.000000000 +0200
    +++ Xsession    2011-05-02 22:18:39.000000000 +0200
    @@ -123,8 +123,8 @@
         # GDM seems to handle this its self
         test -z "$GDMSESSION" || break
    -    # Once if KDM does handle this its self
    -    #test -z "$KDMSESSION" || break
    +    # KDM handles this itself
    +    test -z "$KDE_SESSION_VERSION" || break
         # Avoid bad symbolic links
         case "$errfile" in

Done; logout, restart KDM, re-login and check if the xsession-errors* exists at the new location. If so, remove your old one and cheer to a long living SSD. Only, of course, if the new location is not on your SSD, but e.g. in memory. It doesn’t hurt to re-check with pidstat.

Secure Firefox with AppArmor

To „lock down“ Firefox on an openSUSE 11.3 machine, I used the four AppArmor profiles you find below. The first is an openSUSE default profile and the second is based on the openSUSE default profile. My changes include support for PulseAudio sound and the Flash plugin, where the latter is realized with local profiles that are stronger confined than Firefox itself. Finally, I added permission for Zotero requirements.

# /etc/apparmor.d/


/usr/lib/firefox/ {

  deny capability sys_ptrace,

  /bin/basename rix,
  /bin/bash rix,
  /bin/grep rix,
  /etc/magic r,
  /usr/bin/file rix,
  /usr/lib/firefox/firefox px,
  /usr/share/misc/magic.mgc r,
# /etc/apparmor.d/usr.lib.firefox.firefox


/usr/lib/firefox/firefox {

  deny /usr/lib/firefox/ x,
  deny /usr/lib/mozilla/extensions/*/ w,

  /bin/bash ix,
  /bin/uname ix,

  /etc/gai.conf r,
  /etc/gnome-vfs-2.0/modules/ r,
  /etc/gre.d/ r,
  /etc/gre.d/* r,
  /etc/mailcap r,
  /etc/mime.types r,
  /etc/mtab r,
  /etc/opt/kde3/share/applications/ r,
  /etc/opt/kde3/share/applications/mimeinfo.cache r,

  owner @{HOME}/.ICEauthority r,
  owner @{HOME}/.beagle/ToIndex/* rw,
  owner @{HOME}/.fontconfig/* r,
  owner @{HOME}/.icons/ r,
  owner @{HOME}/.local/share/applications/ r,
  owner @{HOME}/.local/share/applications/* r,
  owner @{HOME}/.local/share/mime/* r,
  owner @{HOME}/.mozilla/extensions/** rw,
  owner @{HOME}/.mozilla/firefox/** rw,
  owner @{HOME}/.mozilla/firefox/**.sqlite* k,
  owner @{HOME}/.mozilla/firefox/**/.parentlock k,

  /opt/kde3/share/applications/ r,
  /opt/kde3/share/applications/mimeinfo.cache r,

  owner @{PROC}/*/mounts r,
  owner @{PROC}/*/fd/ r,
  @{PROC}/meminfo r,
  @{PROC}/sys/kernel/ngroups_max r,

  /usr/bin/tr ix,
  /usr/bin/which ix,

  /usr/lib/**.so mr,
  /usr/lib/firefox/firefox rix,
  /usr/lib/libproxy/pxgconf ix,
  /usr/lib/nspluginwrapper/*/linux/npviewer rcx -> npviewer,
  /usr/lib/xulrunner-*/plugin-container cx -> plugin_container,

  /usr/local/share/applications/ r,
  /usr/local/share/applications/* r,
  /usr/share/applications/ r,
  /usr/share/applications/* r,
  /usr/share/gvfs/remote-volume-monitors/ r,
  /usr/share/gvfs/remote-volume-monitors/* r,
  /usr/share/locale-bundle/**.mo r,
  /usr/share/mime/**.xml r,
  /usr/share/mozilla/extensions/** r,
  /usr/share/myspell/* r,

  /var/cache/gio-2.0/defaults.list r,
  /var/cache/libx11/compose/* r,
  owner /var/run/gdm/*/database r,

  profile npviewer {

    /bin/bash rix,
    /bin/uname rix,
    /usr/bin/tr rix,
    /usr/bin/which rix,
    /usr/lib/nspluginwrapper/*/linux/npviewer.bin rix,

  profile plugin_container {

    deny /etc/passwd r,
    deny @{PROC}/uptime r,
    deny @{HOME}/.mozilla/firefox/profiles.ini r,

    /bin/bash ix,
    /bin/grep ix,
    /bin/ps ix,

    owner @{PROC}/*/fd/ r,
    owner @{PROC}/*/stat r,

    owner /var/run/gdm/*/database r,
    owner @{HOME}/.adobe/Flash_Player/**/ w,
    owner @{HOME}/.adobe/Flash_Player/AssetCache/ r,
    owner @{HOME}/.macromedia/Flash_Player/** rw,

  # Zotero-specific rules
  owner @{HOME}/.mozilla/firefox/*/zotero/pdfinfo-Linux-* cx -> zotero_tools,
  owner @{HOME}/.mozilla/firefox/*/zotero/pdftotext-Linux-* cx -> zotero_tools,
  owner @{HOME}/.zoteroIntegrationPipe rw,
  /usr/bin/evince Ux,
  /usr/bin/mkfifo ix,
  profile zotero_tools {

    owner @{HOME}/.mozilla/firefox/*/zotero/storage/*/* r,
    owner @{HOME}/.mozilla/firefox/*/zotero/storage/*/.zotero-ft-info w,
    owner @{HOME}/.mozilla/firefox/*/zotero/storage/*/.zotero-ft-cache w,
# /etc/apparmor.d/abstractions/pulseaudio

/dev/shm/ r,
owner /dev/shm/pulse-shm-* rw,
/dev/snd/*      rw,

/etc/alsa-pulse.conf r,
/etc/asound-pulse.conf r,
/etc/pulse/client.conf r,

owner @{HOME}/.pulse-cookie rwk,

/usr/bin/pulseaudio px,

/usr/share/alsa/** r,
/usr/share/sounds/** r,

/var/lib/dbus/machine-id r,

# vim:syntax=apparmor
# /etc/apparmor.d/usr.bin.pulseaudio


/usr/bin/pulseaudio {