[apparmor] [profile] Firefox: DENIED "m" access to /home/user/.nv folder.

Seth Arnold seth.arnold at canonical.com
Wed Jan 25 19:45:36 UTC 2017


On Wed, Jan 25, 2017 at 12:56:57PM +0100, daniel curtis wrote:
> First off; I'm sorry for such a long time without answer, but I was doing

Hi Daniel, this is quite fine. It was an imposition on my part to ask you
to gather more information, and that can only happen on your timeframe. :)

> name="/home/user1/.nv/gl9IYD2K" pid=3263 comm="firefox" requested_mask="m"
> name="/home/user1/.nv/gl5e8uFU" pid=2826 comm="firefox" requested_mask="m"

> Of course, there are many more such entries - after every Firefox first
> start. As you have noticed: "the filename feels like a random name". Maybe
> a new Firefox version - 51.0 - will introduce some changes? Mozilla
> released this version yesterday, on 24 Jan, but the update is not available
> yet. This version adds support for FLAC playback and WebGL 2 **.

Excellent. It appears that Firefox is probably using more advanced
hardware acceleration where it can, regardless of WebGL use, and the
filenames of the generated libraries do appear to follow a pattern.

> In turn, the <abstractions/nvidia> file, on my system, looks this way
> (completely different from yours):
> 
> # vim:syntax=apparmor
> # nvidia access requirements
> 
>   # configuration queries
>   capability ipc_lock,
> 
>   # device files
>   /dev/nvidia0    rw,
>   /dev/nvidiactl  rw,
> 
>   /proc/interrupts r,
>   /proc/sys/vm/max_map_count r,
> 
> So, the question is: what should I do in such a situation? Add a new rule to
> the Firefox profile or just use the <abstractions/nvidia> file? Here is some
> information about my graphics card, driver version etc.:
> 
> nvidia-304:  304.134-0ubuntu0.12.04.1
> lspci(8): VGA compatible controller: NVIDIA Corporation C73 [GeForce 7100 /
> nForce 630i]

In this case I think there are two changes to be made:

- add a new entry to abstractions/nvidia for this library:
  owner @{HOME}/.nv/gl* rwm,

  (Yes, this is more permissions than the logs indicate; my assumption
  here is that some aspect of using the library prepares these files on
  demand as they are needed, and probably tailored to the hardware that's
  available, so it'll need to be written before it can be mapped. I
  further assume some other rule in the firefox profile allows the
  necessary writing and probably necessary reading.)

- add an entry to the firefox profile to use this abstraction:
  #include <abstractions/nvidia>

Can you give these a try and report back results?

Thanks
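The rule proposed above was derived by hand from two denial lines: the random
basenames under ~/.nv collapse to one glob, the per-user path becomes @{HOME},
and the requested masks are merged. As an added example (not code from the
thread or from the AppArmor project), the script below does that derivation
over a constructed log excerpt. The two ~/.nv/gl* lines follow the ones Daniel
posted; the surrounding fields (operation=, profile=, denied_mask=, fsuid=/ouid=)
are the ones AppArmor normally logs and are assumed here, as is the extra
"wc" denial and the /dev/nvidia0 line, which exist only to show mask merging and
the owner decision. The generator only emits what the log shows, so it produces
"wm" where Seth's suggestion adds "r" for the reasons he gives.

```python
import os
import posixpath
import re
from collections import defaultdict

# Constructed sample log excerpt (not from the thread). The two gl* paths
# match Daniel's report; the other fields and the last two records are
# assumed, to exercise mask merging and the owner/non-owner branches.
SAMPLE_LOG = """\
apparmor="DENIED" operation="file_mmap" profile="firefox" name="/home/user1/.nv/gl9IYD2K" pid=3263 comm="firefox" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
apparmor="DENIED" operation="file_mmap" profile="firefox" name="/home/user1/.nv/gl5e8uFU" pid=2826 comm="firefox" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
apparmor="DENIED" operation="open" profile="firefox" name="/home/user1/.nv/glAbCdEf" pid=2826 comm="firefox" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
apparmor="DENIED" operation="open" profile="firefox" name="/dev/nvidia0" pid=2826 comm="firefox" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0
"""

# key=value pairs; values are either double-quoted or a bare token.
_FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Order in which AppArmor prints file permissions in rules.
_MASK_ORDER = "rwalkmx"
# Log-only mask letters (create, delete) that need write permission in a rule.
_MASK_ALIASES = {"c": "w", "d": "w"}


def parse_audit_line(line):
    """Return the key=value fields of one AppArmor audit record as a dict."""
    return {key: quoted or bare for key, quoted, bare in _FIELD_RE.findall(line)}


def _to_rule_path(path):
    """Rewrite /home/<user>/... as @{HOME}/... so the rule is not user-specific."""
    m = re.match(r"/home/[^/]+/", path)
    return "@{HOME}/" + path[m.end():] if m else path


def _merge_masks(masks):
    """Union several requested_mask strings into one rule permission string."""
    letters = {_MASK_ALIASES.get(ch, ch) for mask in masks for ch in mask}
    return "".join(ch for ch in _MASK_ORDER if ch in letters)


def suggest_rules(log_text, profile="firefox"):
    """Group file denials for one profile by directory, collapse differing
    basenames into a prefix glob, union the masks and emit AppArmor rules.
    'owner' is only added when every record in the group was the file owner."""
    groups = defaultdict(lambda: {"names": [], "masks": [], "owner": True})
    for line in log_text.splitlines():
        rec = parse_audit_line(line)
        # ALLOWED records are what complain mode logs; treat them the same way.
        if rec.get("apparmor") not in ("DENIED", "ALLOWED"):
            continue
        if rec.get("profile") != profile or "name" not in rec:
            continue
        path = _to_rule_path(rec["name"])
        group = groups[posixpath.dirname(path)]
        group["names"].append(posixpath.basename(path))
        group["masks"].append(rec.get("requested_mask", ""))
        if rec.get("fsuid") != rec.get("ouid"):
            group["owner"] = False

    rules = []
    for directory, group in sorted(groups.items()):
        names = sorted(set(group["names"]))
        # One distinct name: keep it exact. Several: generalise to a prefix glob,
        # which is the same shape as the gl* rule proposed in the thread.
        base = names[0] if len(names) == 1 else os.path.commonprefix(names) + "*"
        prefix = "owner " if group["owner"] else ""
        rules.append(f"{prefix}{posixpath.join(directory, base)} {_merge_masks(group['masks'])},")
    return rules


if __name__ == "__main__":
    for rule in suggest_rules(SAMPLE_LOG):
        print(rule)
```

A generated glob such as gl* is deliberately broad and should be read before it
is applied; aa-logprof does the same kind of generalisation interactively. To
follow the two steps above, the emitted ~/.nv rule goes into
/etc/apparmor.d/abstractions/nvidia, the firefox profile gets
`#include <abstractions/nvidia>`, and the profile is reloaded with
`apparmor_parser -r` on the profile file (on Ubuntu typically
/etc/apparmor.d/usr.bin.firefox) before Firefox is restarted and the log is
checked again.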