Hi Seth,

First of all, I'm sorry for such a long time without an answer, but I was doing some tests, over and over again. I mean the WebGL issue and the AppArmor DENIED messages for the "/home/user/.nv/" folder etc.

First things first: a few months ago I decided to disable WebGL, in order to reduce some attack surface and because of security issues related to this new web standard* etc. It seems that one major risk is that WebGL involves running code directly on the video card. Supposedly, US-CERT recommends turning off WebGL in the browsers that do support it. However, web browsers use some defenses against the security risks (i.e. by blacklisting video cards with known security problems and so on). I used the 'about:config' feature to set "webgl.disabled" to "true" and also set "webgl.force-enabled" to "false".

Anyway, in both cases, with WebGL enabled (and "browsing to a website that uses webgl", just as you've asked) and disabled, the first Firefox start produces AppArmor entries in log files such as '/var/log/kern.log' and '/var/log/syslog'. And it happens all the time. Some of them:

__WebGL DISABLED__:

Jan 21 15:36:47 t4 kernel: [10807.619649] type=1400 audit(1485009407.842:52): apparmor="DENIED" operation="file_mmap" parent=3260 profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/home/user1/.nv/gl9IYD2K" pid=3263 comm="firefox" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000

__WebGL ENABLED__:

Jan 25 12:15:29 t4 kernel: [ 668.442681] type=1400 audit(1485342929.669:51): apparmor="DENIED" operation="file_mmap" parent=2823 profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/home/user1/.nv/gl5e8uFU" pid=2826 comm="firefox" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000

Of course, there are many more such entries, after every first Firefox start. As you have noticed: "the filename feels like a random name". Maybe the new Firefox version, 51.0, will introduce some changes? Mozilla released this version yesterday, on 24 Jan, but the update is not available yet. This version adds support for FLAC playback and WebGL 2.**

In turn, the <abstractions/nvidia> file on my system looks this way (completely different from yours):

# vim:syntax=apparmor
# nvidia access requirements

# configuration queries
capability ipc_lock,

# device files
/dev/nvidia0 rw,
/dev/nvidiactl rw,
/proc/interrupts r,
/proc/sys/vm/max_map_count r,

So, the question is: what should I do in such a situation? Add a new rule to the Firefox profile, or just use the <abstractions/nvidia> file?

Here is some information about my graphics card, driver version etc.:

nvidia-304: 304.134-0ubuntu0.12.04.1
lspci(8): VGA compatible controller: NVIDIA Corporation C73 [GeForce 7100 / nForce 630i]

I hope that this message will be helpful.

Best regards.

_____________
* https://www.contextis.com/resources/blog/webgl-new-dimension-browser-exploitation/
** https://www.mozilla.org/en-US/firefox/51.0/releasenotes/
--
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
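The two denial lines quoted in the message carry everything needed to decide what rule is missing: the confining profile, the denied path, the operation and the permission mask. The following script, an added example that is not part of the message or of the AppArmor project, parses such audit lines and derives the minimal file rule that would satisfy each one. The `@{HOME}` variable, the `owner` modifier and the `m` (mmap executable) permission are standard AppArmor profile syntax; the `RANDOM_NAME_DIRS` set is an assumption made here, based on the remark in the thread that the file name under `.nv/` looks random, so the rule covers the directory rather than one throwaway name.

```python
import re

# The two AppArmor "DENIED" lines quoted in the message above (the WebGL
# disabled and WebGL enabled cases), used here as the sample input.
SAMPLE_LOG = """\
Jan 21 15:36:47 t4 kernel: [10807.619649] type=1400 audit(1485009407.842:52): apparmor="DENIED" operation="file_mmap" parent=3260 profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/home/user1/.nv/gl9IYD2K" pid=3263 comm="firefox" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
Jan 25 12:15:29 t4 kernel: [ 668.442681] type=1400 audit(1485342929.669:51): apparmor="DENIED" operation="file_mmap" parent=2823 profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/home/user1/.nv/gl5e8uFU" pid=2826 comm="firefox" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
"""

# Audit fields are key=value pairs; the value is either double-quoted
# (and may contain spaces or glob characters) or a bare token.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Directories whose file names change on every run, so a rule has to match
# the directory, not one name. Assumption for this example: only ~/.nv.
RANDOM_NAME_DIRS = {"@{HOME}/.nv"}


def parse_apparmor_line(line):
    """Return the key/value fields of one AppArmor audit line, or None when
    the line carries no apparmor= field (unrelated kernel output)."""
    fields = {}
    for m in _KV_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields if "apparmor" in fields else None


def suggest_rule(event):
    """Build the AppArmor file rule that would allow one DENIED event.

    - /home/<user>/... becomes @{HOME}/..., so the rule is not tied to a login
    - a random file name in a known directory becomes a '*' glob
    - 'owner' is prefixed when the process uid equals the file's uid
      (fsuid == ouid), so the rule only covers the user's own files
    - the permission letters are exactly the ones the kernel denied
    """
    if event.get("apparmor") != "DENIED" or "name" not in event:
        return None
    path = event["name"]
    m = re.match(r"^/home/[^/]+(/.*)$", path)
    if m:
        path = "@{HOME}" + m.group(1)
    parent = path.rpartition("/")[0]
    if parent in RANDOM_NAME_DIRS:
        path = parent + "/*"
    perms = event.get("denied_mask") or event.get("requested_mask", "")
    owner = "owner " if event.get("fsuid") == event.get("ouid") else ""
    return f"{owner}{path} {perms},"


def rules_from_log(text):
    """Map each profile name to the sorted, de-duplicated rules that would
    satisfy all of its DENIED entries in the given log text."""
    rules = {}
    for line in text.splitlines():
        event = parse_apparmor_line(line)
        if event is None:
            continue
        rule = suggest_rule(event)
        if rule:
            rules.setdefault(event["profile"], set()).add(rule)
    return {profile: sorted(r) for profile, r in rules.items()}


if __name__ == "__main__":
    for profile, profile_rules in rules_from_log(SAMPLE_LOG).items():
        print(f"# rules for profile {profile}")
        for rule in profile_rules:
            print(f"  {rule}")
```

For the two lines in the message, both denials collapse to a single rule for the Firefox profile, `owner @{HOME}/.nv/* m,`: mmap-executable only, only on the user's own files, only in that one directory. The `<abstractions/nvidia>` file quoted in the message contains no entry for `~/.nv` at all, which is worth knowing when choosing between adding the rule to the Firefox profile and extending the abstraction: whichever place it goes, this is the rule, and keeping the permission to `m` and the path to one directory is what keeps the grant narrow.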