Hi Seth

First off: I'm sorry for such a long time without an answer, but I was doing
some tests, over and over again. I mean the WebGL issue and the AppArmor DENIED
messages for the "/home/user/.nv/" folder etc.

First things first: a few months ago, I decided to disable WebGL, in
order to reduce some attack surface and because of security issues
related to this new web standard* etc. It seems that one major risk
is that WebGL involves running code directly on the video card. Supposedly,
US-CERT recommends turning off WebGL in the browsers that do support it.

However, web browsers use some defenses against the security risks (i.e.
by blacklisting video cards with known security problems and so on). I used
the 'about:config' feature to set "webgl.disabled" to "true" and also set
"webgl.force-enabled" to "false".

Anyway, in both cases: with WebGL enabled (and "browsing to a website that
uses webgl", just as you've asked) and disabled, the first Firefox
start/open produces AppArmor entries in log files such as
'/var/log/kern.log' and '/var/log/syslog'. And it happens all the time.
Some of them:

__WebGL DISABLED__:

Jan 21 15:36:47 t4 kernel: [10807.619649] type=1400
audit(1485009407.842:52): apparmor="DENIED" operation="file_mmap"
parent=3260 profile="/usr/lib/firefox/firefox{,*[^s][^h]}"
name="/home/user1/.nv/gl9IYD2K" pid=3263 comm="firefox" requested_mask="m"
denied_mask="m" fsuid=1000 ouid=1000

__WebGL ENABLED__:

Jan 25 12:15:29 t4 kernel: [  668.442681] type=1400
audit(1485342929.669:51): apparmor="DENIED" operation="file_mmap"
parent=2823 profile="/usr/lib/firefox/firefox{,*[^s][^h]}"
name="/home/user1/.nv/gl5e8uFU" pid=2826 comm="firefox" requested_mask="m"
denied_mask="m" fsuid=1000 ouid=1000

Of course, there are many more such entries, after every Firefox first
start. As you have noticed: "the filename feels like a random name". Maybe
the new Firefox version, 51.0, will introduce some changes? Mozilla
released this version yesterday, on 24 Jan, but the update is not available
yet. This version adds support for FLAC playback and WebGL 2**.

In turn, the <abstractions/nvidia> file on my system looks this way
(completely different than yours):

# vim:syntax=apparmor
# nvidia access requirements

  # configuration queries
  capability ipc_lock,

  # device files
  /dev/nvidia0    rw,
  /dev/nvidiactl  rw,

  /proc/interrupts r,
  /proc/sys/vm/max_map_count r,

So, the question is: what should I do in such a situation? Add a new rule to
the Firefox profile or just use the <abstractions/nvidia> file? Here is some
information about my graphics card, driver version etc.:

nvidia-304:  304.134-0ubuntu0.12.04.1
lspci(8): VGA compatible controller: NVIDIA Corporation C73 [GeForce 7100 /
nForce 630i]

I hope that this message will be helpful.

Best regards.
_____________
* https://www.contextis.com/resources/blog/webgl-new-dimension-browser-exploitation/
** https://www.mozilla.org/en-US/firefox/51.0/releasenotes/
-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor
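An added example, not code from the poster or from the AppArmor project: a small Python parser that reads kernel audit lines of the shape quoted in the message, keeps only the DENIED events, and aggregates them into candidate profile rules per profile. The `owner @{HOME}/.nv/**` glob chosen for the random `.nv` file names, the `/home/user1` home prefix and the extra constructed log lines (one denial for `/proc/interrupts`, one non-denied event) are my assumptions, not something the thread proposed.

```python
import re

# Constructed sample log. The two file_mmap denials copy the shape of the lines
# quoted in the message; the /proc/interrupts denial and the ALLOWED open are
# made up here to show that other paths and non-denials are handled too.
SAMPLE_LOG = """\
Jan 21 15:36:47 t4 kernel: [10807.619649] type=1400 audit(1485009407.842:52): apparmor="DENIED" operation="file_mmap" parent=3260 profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/home/user1/.nv/gl9IYD2K" pid=3263 comm="firefox" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
Jan 25 12:15:29 t4 kernel: [  668.442681] type=1400 audit(1485342929.669:51): apparmor="DENIED" operation="file_mmap" parent=2823 profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/home/user1/.nv/gl5e8uFU" pid=2826 comm="firefox" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
Jan 25 12:15:30 t4 kernel: [  668.500000] type=1400 audit(1485342930.000:53): apparmor="DENIED" operation="open" parent=2823 profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/proc/interrupts" pid=2826 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jan 25 12:15:31 t4 kernel: [  668.600000] type=1400 audit(1485342931.000:54): apparmor="ALLOWED" operation="open" parent=2823 profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/etc/fstab" pid=2826 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

# key="quoted value" or key=bareword, as the kernel audit format prints them
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_apparmor_line(line):
    """Return the key/value fields of one audit line, or None if it is not an AppArmor event."""
    if 'apparmor=' not in line:
        return None
    return {k: (q if q != '' or u == '' else u) if q else u for k, q, u in KV_RE.findall(line)}

def generalize_path(path, home_prefix='/home/user1'):
    """Collapse the random per-start file under ~/.nv/ into one glob (assumed form);
    every other path is kept literal."""
    if path.startswith(home_prefix + '/.nv/'):
        return 'owner @{HOME}/.nv/**'
    return path

def suggest_rules(log_text):
    """Map each profile to candidate rules built from its DENIED events.
    Masks for the same (profile, path) are merged, e.g. 'm' for file_mmap."""
    masks = {}
    for line in log_text.splitlines():
        ev = parse_apparmor_line(line)
        if not ev or ev.get('apparmor') != 'DENIED' or 'name' not in ev:
            continue
        key = (ev['profile'], generalize_path(ev['name']))
        masks.setdefault(key, set()).update(ev['denied_mask'])
    rules = {}
    for (profile, path), m in sorted(masks.items()):
        rules.setdefault(profile, []).append(f"{path} {''.join(sorted(m))},")
    return rules

if __name__ == '__main__':
    for profile, rules in suggest_rules(SAMPLE_LOG).items():
        print(profile)
        for r in rules:
            print('  ' + r)
```

Review the output by hand before adding anything to a profile: a rule generated from a denial grants exactly what the denied process asked for, so it only belongs in the profile if that access is intended.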