Firefox-4.0: AppArmor blocks access to nvidia devices

Bug #712584 reported by tlu
This bug affects 5 people

Affects: apparmor (Ubuntu). Status: Fix Released. Importance: Wishlist. Assigned to: Jamie Strandboge.

Bug Description

Binary package hint: apparmor

With Firefox 4.0 (currently b12 from the PPA, but it also happened with previous betas) on Ubuntu 10.10 I'm getting AppArmor error messages like:

type=1400 audit(1296725581.050:58): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/firefox-4.0-4.0b12prefirefox{,*[^s][^h]}" name="/dev/nvidiactl" pid=2996 comm="firefox-4.0-bin" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0

on certain websites, e.g., http://bodybrowser.googlelabs.com. On that website the images were not displayed until I added

/dev/nvidiactl rw,
/dev/nvidia0 rw,

to the usr.bin.firefox-4.0 profile.

Since I cannot imagine that this is specific to my system (I guess it has something to do with hardware acceleration, and a similar problem might exist for AMD cards), I suggest adding this to that profile by default.

Note that after adding the above lines to the profile I still got errors like:

type=1400 audit(1296749585.779:69): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/firefox-4.0-4.0b12pre/firefox{,*[^s][^h]}" name="/proc/interrupts" pid=3035 comm="firefox-4.0-bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

although I couldn't notice any further problems. Nevertheless it might make sense to also add

/proc/interrupts r,

to the profile.
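The reporter worked out the two rules above by reading DENIED lines and translating them into profile entries by hand. As an added example (not code from this bug thread or from the apparmor project), here is a small Python script that does that triage step: it parses AppArmor audit lines, keeps only DENIED file accesses, merges the denied masks seen for each path per profile, and flags paths under /dev, /sys and /proc so that device and kernel interfaces get the closer look that the maintainer asks for before they are granted. The sample audit lines are constructed for this example; the first and third are the two lines quoted in the report, the others are made up to exercise mask merging and filtering.

```python
import re
from collections import defaultdict

# Constructed sample input for this example. Lines 1 and 3 are the two DENIED
# entries quoted in the bug report; the extra /dev/nvidia0 lines and the
# ALLOWED line are made up so that mask merging and filtering are exercised.
SAMPLE_AUDIT = """\
type=1400 audit(1296725581.050:58): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/firefox-4.0-4.0b12pre/firefox{,*[^s][^h]}" name="/dev/nvidiactl" pid=2996 comm="firefox-4.0-bin" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0
type=1400 audit(1296725581.051:59): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/firefox-4.0-4.0b12pre/firefox{,*[^s][^h]}" name="/dev/nvidia0" pid=2996 comm="firefox-4.0-bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=1400 audit(1296749585.779:69): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/firefox-4.0-4.0b12pre/firefox{,*[^s][^h]}" name="/proc/interrupts" pid=3035 comm="firefox-4.0-bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=1400 audit(1296749585.780:70): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/firefox-4.0-4.0b12pre/firefox{,*[^s][^h]}" name="/dev/nvidia0" pid=3035 comm="firefox-4.0-bin" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
type=1400 audit(1296749585.781:71): apparmor="ALLOWED" operation="open" parent=1 profile="/usr/lib/firefox-4.0-4.0b12pre/firefox{,*[^s][^h]}" name="/etc/hosts" pid=3035 comm="firefox-4.0-bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Order in which file permission letters are written into a rule.
MASK_ORDER = "rwalkmx"
# Paths under these prefixes expose hardware or kernel state: flag them for review.
REVIEW_PREFIXES = ("/dev/", "/sys/", "/proc/")


def parse_audit_line(line):
    """Return the key=value fields of one AppArmor audit line, or None if it is not one."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    return fields if "apparmor" in fields else None


def merge_masks(existing, new):
    """Union of two permission strings, written in MASK_ORDER (unknown letters kept at the end)."""
    wanted = set(existing) | set(new)
    known = "".join(c for c in MASK_ORDER if c in wanted)
    return known + "".join(sorted(wanted - set(MASK_ORDER)))


def suggest_rules(lines):
    """Collect DENIED file accesses per profile: {profile: {path: merged_mask}}."""
    per_profile = defaultdict(dict)
    for line in lines:
        f = parse_audit_line(line)
        if not f or f.get("apparmor") != "DENIED":
            continue  # ALLOWED/AUDIT entries and non-AppArmor lines are not rule candidates
        if "name" not in f or "denied_mask" not in f or "profile" not in f:
            continue  # not a file-access event (e.g. capability or network denial)
        paths = per_profile[f["profile"]]
        paths[f["name"]] = merge_masks(paths.get(f["name"], ""), f["denied_mask"])
    return dict(per_profile)


def render_rules(path_masks):
    """Turn {path: mask} into (rule_line, needs_review) pairs, sorted by path."""
    return [(f"{path} {mask},", path.startswith(REVIEW_PREFIXES))
            for path, mask in sorted(path_masks.items())]


if __name__ == "__main__":
    for profile, path_masks in suggest_rules(SAMPLE_AUDIT.splitlines()).items():
        print(f"# candidate rules for {profile}")
        for rule, review in render_rules(path_masks):
            print("  " + rule + ("   # REVIEW: device/kernel interface" if review else ""))
```

Run it on real input with something like `sudo grep DENIED /var/log/kern.log | python3 this_script.py` after swapping `SAMPLE_AUDIT.splitlines()` for `sys.stdin`; the flagged rules are the ones to decide on deliberately rather than paste into the local profile.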

Tags: apparmor
tlu (thomas-ludwig-gmx) wrote :

This issue is not yet fixed in the apparmor profile for FF 4.0 b13.

Brian Vaughan (bgvaughan) wrote :

I was getting alerts, via apparmor-notify, almost identical to the ones described here, although I am using Firefox 3.6.13, when I visited various websites, although I didn't notice any missing graphics. That may be because the graphics were web ads, which I am blocking via Adblocker Plus. This is a recent change -- I only started getting such alerts a few weeks ago.

I added to /etc/apparmor.d/local/usr.bin.firefox the following:
/dev/nvidiactl rw,
/dev/nvidia0 rw,
/proc/interrupts r,

and that seems to have stopped the alerts. As in the original description, I started with the first two, and only then got the /proc/interrupts error, so I added it as well.

Jamie Strandboge (jdstrand) wrote :

Brian's comment in #2 is the correct way to work around this bug if you want to give firefox read/write access to the nvidia devices. It makes me rather uncomfortable to add these devices to the default profile however.

Changed in apparmor (Ubuntu):
importance: Undecided → Wishlist
status: New → Triaged
summary: - Firefox-4.0: AppArmor errors on certain websites
+ Firefox-4.0: AppArmor blocks access to nvidia devices
tlu (thomas-ludwig-gmx) wrote :

Jamie, why don't you want to add these devices? I mean most Nvidia card users should be affected by this problem. But not all of them are able to debug AppArmor and to edit the related profile - they would probably choose to NOT use this FF profile at all. I'm not sure if that's really what we want. And adding these devices would not open a new security hole (compared to not using the profile) as anybody has read/write permission for these files anyhow.

So quite frankly I don't really understand your rationale.

tlu (thomas-ludwig-gmx) wrote :

Or, as a general question: why not add rules that don't "hurt" but improve the acceptance of AppArmor?

Jamie Strandboge (jdstrand) wrote :

I think the way to solve this is for either apparmor or firefox to ship /etc/apparmor.d/abstractions/ubuntu-browsers.d/nvidia with the 3 needed entries:
  /dev/nvidiactl rw,
  /dev/nvidia0 rw,
  /proc/interrupts r,

Then have the firefox.postinst.in have the following line when creating /etc/apparmor.d/abstractions/ubuntu-browsers.d/$APPNAME (this will have to be conditionally added if this include file is shipped in apparmor):
#include <abstractions/ubuntu-browsers.d/nvidia>

This will make it so that new installs will get the nvidia abstraction, but people can opt out of it using 'aa-update-browser'.

Changed in apparmor (Ubuntu):
assignee: nobody → Micah Gersten (micahg)
Sami Mäkinen (sami-makinen-helsinki) wrote :

This issue is not restricted to FF4, as also noted above.

The issue is still present on Ubuntu 11.04 and Firefox 7.

With AppArmor loaded and enabled, with default settings, I cannot view WebGL demos.

WebGL is a very exciting new technology, and Ubuntu should do all in its power to help this technology become commonplace and naturally "it should just work" with defaults.

I don't think this should be a wishlist item. This is a bug because the default configuration breaks features that the average user would like to have, and the average user will not be able to fix the problem.

tlu (thomas-ludwig-gmx) wrote :

@Sami Mäkinen: Fully ACK. It seems that AppArmor doesn't have a high priority for Ubuntu developers. It's time to think about moving to, e.g., Tomoyo.

tags: added: apparmor
Jamie Strandboge (jdstrand) wrote :

I think that people should step back and realize that WebGL does work in the default install of Ubuntu. The AppArmor profile is opt-in and there are instructions in this bug on how to adjust the policy for nvidia.

When developing policy, giving firefox access to a device such as a video card should not be done rashly. That said, we will probably do something like I said in comment #6 for 12.04.

In the meantime, to be perfectly clear on how to make this work, add to /etc/apparmor.d/local/usr.bin.firefox the following:
/dev/nvidiactl rw,
/dev/nvidia0 rw,
/proc/interrupts r,

Then run:
$ sudo apparmor_parser -r /etc/apparmor.d/usr.bin.firefox

Changed in apparmor (Ubuntu):
milestone: none → later
Changed in apparmor (Ubuntu):
assignee: Micah Gersten (micahg) → Jamie Strandboge (jdstrand)
status: Triaged → In Progress
Changed in apparmor (Ubuntu):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.7.0-0ubuntu1

---------------
apparmor (2.7.0-0ubuntu1) precise; urgency=low

  * New upstream release. Fixes the following:
    - LP: #794974
    - LP: #815883
    - LP: #840973
  * Drop the following patches, included upstream:
    - af_names-generation.patch
    - 0004-adjust-logprof-log-search-order.patch
    - 0005-lp826914.patch
    - 0006-lp838275.patch
    - 0007-fix-introspection-tests.patch
  * Rename 0003-add-debian-integration-to-lighttpd.patch to 0002
  * debian/patches/0003-commits-through-r1882.patch: several bug,
    documentation and performance fixes on our road to AppArmor 2.8
    (LP: #840734, LP: #905412)
  * debian/patches/0004-lp887992.patch: cups-client abstraction should allow
    owner read of @{HOME}/.cups/client.conf and @{HOME}/.cups/lpoptions
    (LP: #887992)
  * update debian/patches/0001-add-chromium-browser.patch for deeper
    directories of /sys/devices/pci (LP: #885833)
  * debian/patches/0005-lp884748.patch: allow kate as text editor in the
    browsers abstraction (LP: #884748)
  * debian/patches/0006-lp870992.patch: abstractions/fonts should allow access
    to ~/.fonts.conf.d (LP: #870992)
  * debian/patches/0007-lp860856.patch: allow read access to sitecustomize.py
    in the python abstraction, which is needed for apport hooks to work in
    python applications (LP: #860856)
  * debian/patches/0008-lp852062.patch: update binaries for transmission
    clients (LP: #852062)
  * debian/patches/0009-lp851977.patch: allow ixr access to exo-open for
    Xubuntu and friends (LP: #851977)
  * debian/patches/0010-lp890894.patch: allow access to Thunar as well as
    thunar in ubuntu-integration abstraction (LP: #890894)
  * debian/patches/0011-lp817956.patch: update usr.sbin.sshd example profile
    (LP: #817956)
  * debian/patches/0012-lp458922.patch: update dovecot deliver profile to
    access various .conf files for dovecot (LP: #458922)
  * debian/patches/0013-lp769148.patch: allow avahi to do dbus introspection
    (LP: #769148)
  * debian/patches/0014-lp904548.patch: fix typo for multiarch line for gconv
    (LP: #904548)
  * debian/patches/0015-lp712584.patch: Nvidia users need access to
    /dev/nvidia* files for various plugins to work right. Since these are all
    focused around multimedia, add the accesses to the multimedia abstraction.
    (LP: #712584)
  * debian/patches/0016-lp562831.patch: allow fireclam plugin to work
    (LP: #562831)
  * debian/patches/0017-lp662906.patch: allow software-center in the ubuntu
    integration browser abstraction (LP: #662906)
  * debian/patches/0018-deny-home-pki-so.patch: update private-files
    abstraction to deny write and link to ~/.pki/nssdb/*so files (LP: #911847)
  * debian/patches/0019-lp899963.patch: add audacity to the
    ubuntu-media-players abstraction (LP: #899963)
  * debian/patches/0020-lp912754a.patch,0021-lp912754b.patch: add p11-kit
    abstraction and add it to the authentication abstraction (LP: #912754)
  * debian/patches/0022-workaround-lp851986.patch: instead of using Ux
    in the ubuntu and launchpad abstractions, use a helper child profile.
    This will help work around the lack of en...


Changed in apparmor (Ubuntu):
status: Fix Committed → Fix Released