[apparmor] [profile] Firefox: DENIED "m" access to /home/user/.nv folder.
Seth Arnold
seth.arnold at canonical.com
Thu Jan 19 19:40:58 UTC 2017

On Thu, Jan 19, 2017 at 02:13:02PM +0100, daniel curtis wrote:
> Jan 19 11:37:46 t4 kernel: [ 202.713770] type=1400
> audit(1484822266.943:53): apparmor="DENIED" operation="file_mmap"
> parent=2484 profile="/usr/lib/firefox/firefox{,*[^s][^h]}"
> name="/home/user1/.nv/glqw5sPH" pid=2487 comm="firefox" requested_mask="m"
> denied_mask="m" fsuid=1000 ouid=1000
>
> I would like to ask about an AppArmor rule for this one. This folder - .nv -
> is empty. Should I use something like this:
>
> @{HOME}/.nv/* rmk,
>
> What is your opinion? And what about an "owner" prefix; is it needed here?
> I've never seen something like this one before. I mean access to the ".nv"
> folder etc. There are also: ".nvidia/" (which is directory) and
> ".nvidia-settings.rc" (an ASCII text).

Hi Daniel, would you do me a favor and keep an eye on this? The filename
feels like a random name, but maybe 'gl' has special meaning. Opening and
closing Firefox several times, or opening, closing, then browsing to a
website that uses WebGL, or something similar, may be required to trigger
multiple such DENIED messages.

This changelog[1] includes mentions that ~/.nv/ would be used for drivers, so
the directory is expected -- but the <abstractions/nvidia> file on my
system only includes some more-specific paths:

  owner @{HOME}/.nv/GLCache/ r,
  owner @{HOME}/.nv/GLCache/** rwk,

Perhaps the abstraction needs to be updated.

Thanks

[1] https://launchpad.net/ubuntu/+source/nvidia-graphics-drivers-304/+changelog
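
Added example (not part of the original message, and not AppArmor project code): a small Python script for the check requested above. It collects repeated DENIED entries and groups them by profile, directory and denied mask, showing whether the file name under ~/.nv/ changes between runs and whether fsuid equals ouid, which is the condition an "owner" rule tests. SAMPLE_LOG is constructed (first entry is the denial quoted above joined onto one line, second entry is invented), and the script assumes one audit event per line.

```python
import re
from collections import defaultdict
from pathlib import PurePosixPath

# Constructed sample: the first entry is the denial quoted in the thread
# (joined onto one line); the second is invented to show a differing name.
SAMPLE_LOG = '''\
Jan 19 11:37:46 t4 kernel: [ 202.713770] type=1400 audit(1484822266.943:53): apparmor="DENIED" operation="file_mmap" parent=2484 profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/home/user1/.nv/glqw5sPH" pid=2487 comm="firefox" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
Jan 19 11:52:10 t4 kernel: [ 1066.120031] type=1400 audit(1484823130.350:61): apparmor="DENIED" operation="file_mmap" parent=2484 profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/home/user1/.nv/glXk20aB" pid=3120 comm="firefox" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
'''

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denials(text):
    """Yield one dict of key=value fields per AppArmor DENIED line."""
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        yield {key: (quoted or bare) for key, quoted, bare in FIELD.findall(line)}


def summarise(text):
    """Group denials by (profile, directory, denied_mask)."""
    groups = defaultdict(lambda: {"names": set(), "owner_only": True})
    for ev in parse_denials(text):
        path = PurePosixPath(ev["name"])
        group = groups[(ev["profile"], str(path.parent), ev["denied_mask"])]
        group["names"].add(path.name)
        # An 'owner' rule only matches when the task's fsuid owns the file.
        group["owner_only"] &= ev.get("fsuid") == ev.get("ouid")
    return dict(groups)


if __name__ == "__main__":
    for (profile, directory, mask), g in summarise(SAMPLE_LOG).items():
        print(f"profile={profile} dir={directory} mask={mask}")
        print(f"  distinct names: {sorted(g['names'])}")
        print(f"  fsuid == ouid on every event: {g['owner_only']}")
```

Several distinct names in one directory with the same mask indicate that a glob rather than a fixed path is needed; fsuid == ouid on every event means a rule with the "owner" prefix would still match those accesses.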