[Bug 712584] Re: Firefox-4.0: AppArmor blocks access to nvidia devices
This bug was fixed in the package apparmor - 2.7.0-0ubuntu1

---
apparmor (2.7.0-0ubuntu1) precise; urgency=low

  * New upstream release. Fixes the following:
    - LP: #794974
    - LP: #815883
    - LP: #840973
  * Drop the following patches, included upstream:
    - af_names-generation.patch
    - 0004-adjust-logprof-log-search-order.patch
    - 0005-lp826914.patch
    - 0006-lp838275.patch
    - 0007-fix-introspection-tests.patch
  * Rename 0003-add-debian-integration-to-lighttpd.patch to 0002
  * debian/patches/0003-commits-through-r1882.patch: several bug,
    documentation and performance fixes on our road to AppArmor 2.8
    (LP: #840734, LP: #905412)
  * debian/patches/0004-lp887992.patch: cups-client abstraction should
    allow owner read of @{HOME}/.cups/client.conf and
    @{HOME}/.cups/lpoptions (LP: #887992)
  * update debian/patches/0001-add-chromium-browser.patch for deeper
    directories of /sys/devices/pci (LP: #885833)
  * debian/patches/0005-lp884748.patch: allow kate as text editor in the
    browsers abstraction (LP: #884748)
  * debian/patches/0006-lp870992.patch: abstractions/fonts should allow
    access to ~/.fonts.conf.d (LP: #870992)
  * debian/patches/0007-lp860856.patch: allow read access to
    sitecustomize.py in the python abstraction, which is needed for apport
    hooks to work in python applications (LP: #860856)
  * debian/patches/0008-lp852062.patch: update binaries for transmission
    clients (LP: #852062)
  * debian/patches/0009-lp851977.patch: allow ixr access to exo-open for
    Xubuntu and friends (LP: #851977)
  * debian/patches/0010-lp890894.patch: allow access to Thunar as well as
    thunar in ubuntu-integration abstraction (LP: #890894)
  * debian/patches/0011-lp817956.patch: update usr.sbin.sshd example
    profile (LP: #817956)
  * debian/patches/0012-lp458922.patch: update dovecot deliver profile to
    access various .conf files for dovecot (LP: #458922)
  * debian/patches/0013-lp769148.patch: allow avahi to do dbus
    introspection (LP: #769148)
  * debian/patches/0014-lp904548.patch: fix typo for multiarch line for
    gconv (LP: #904548)
  * debian/patches/0015-lp712584.patch: Nvidia users need access to
    /dev/nvidia* files for various plugins to work right. Since these are
    all focused around multimedia, add the accesses to the multimedia
    abstraction. (LP: #712584)
  * debian/patches/0016-lp562831.patch: allow fireclam plugin to work
    (LP: #562831)
  * debian/patches/0017-lp662906.patch: allow software-center in the
    ubuntu integration browser abstraction (LP: #662906)
  * debian/patches/0018-deny-home-pki-so.patch: update private-files
    abstraction to deny write and link to ~/.pki/nssdb/*so files
    (LP: #911847)
  * debian/patches/0019-lp899963.patch: add audacity to the
    ubuntu-media-players abstraction (LP: #899963)
  * debian/patches/0020-lp912754a.patch,0021-lp912754b.patch: add p11-kit
    abstraction and add it to the authentication abstraction (LP: #912754)
  * debian/patches/0022-workaround-lp851986.patch: instead of using Ux in
    the ubuntu and launchpad abstractions, use a helper child profile.
    This will help work around the lack of environment filtering
    (LP: #851986)
  * debian/patches/0023-syslog-ng-needs-dac-read-search.patch: adjust
    syslog-ng profile for dac_read_search
  * debian/patches/0024-fix-python-and-ruby-autogeneration.patch: fix
    python and ruby autogeneration when using aa-autodep and aa-genprof
  * debian/patches/0025-lp914184.patch: allow the creation of enchant
    .config directory in the enchant abstraction (LP: #914184)
  * debian/patches/0026-lp914190.patch: block write access to ~/.kde/env
    because KDE automatically sources scripts in that folder on startup
    (LP: #914190)
  * debian/pathes/0027-lp914386.patch: add xdg-desktop abstraction and
    adjust gnome and kde abstractions to use it (LP: #914386)
  * debian/patches/0028-testsuite-fixes.patch: testsuite fixes in the
    kernel regression tests

 -- Jamie Strandboge  Thu, 12 Jan 2012 12:55:17 +0100

** Changed in: apparmor (Ubuntu)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/712584

Title:
  Firefox-4.0: AppArmor blocks access to nvidia devices

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/712584/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 712584] Re: Firefox-4.0: AppArmor blocks access to nvidia devices
** Changed in: apparmor (Ubuntu)
       Status: In Progress => Fix Committed
[Bug 712584] Re: Firefox-4.0: AppArmor blocks access to nvidia devices
** Changed in: apparmor (Ubuntu)
       Status: Triaged => In Progress

** Changed in: apparmor (Ubuntu)
     Assignee: Micah Gersten (micahg) => Jamie Strandboge (jdstrand)
[Bug 712584] Re: Firefox-4.0: AppArmor blocks access to nvidia devices
I think that people should step back and realize that WebGL does work in the default install of Ubuntu. The AppArmor profile is opt-in and there are instructions in this bug on how to adjust the policy for nvidia. When developing policy, giving firefox access to a device such as a video card should not be done rashly.

That said, we will probably do something like I said in comment #6 for 12.04. In the meantime, to be perfectly clear on how to make this work, add to /etc/apparmor.d/local/usr.bin.firefox the following:

  /dev/nvidiactl rw,
  /dev/nvidia0 rw,
  /proc/interrupts r,

Then run:

  $ sudo apparmor_parser -r /etc/apparmor.d/usr.bin.firefox

** Changed in: apparmor (Ubuntu)
    Milestone: None => later
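The three rules above correspond to the apparmor="DENIED" lines the kernel logs when the (enforcing) firefox profile rejects an access. The script below is an added example, not code from this bug thread or from the apparmor package: it parses such audit lines, merges the denied permission bits per path, and prints the candidate rules for a /etc/apparmor.d/local/ override file, so a user can see exactly what the profile blocked before deciding what to allow. The log lines, the profile name /usr/lib/firefox-4.0/firefox and the device paths are constructed sample input for the example, and the field layout follows the key="value" form AppArmor uses in audit/kernel logs.

```python
import re
from collections import defaultdict

# Constructed sample of kernel/audit log lines, in the key="value" layout
# AppArmor uses. The profile name and timestamps are made up for the example.
SAMPLE_LOG = """\
type=AVC msg=audit(1297027800.987:8): apparmor="DENIED" operation="open" parent=3121 profile="/usr/lib/firefox-4.0/firefox" name="/dev/nvidiactl" pid=3125 comm="firefox" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0
type=AVC msg=audit(1297027801.104:9): apparmor="DENIED" operation="open" parent=3121 profile="/usr/lib/firefox-4.0/firefox" name="/dev/nvidia0" pid=3125 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1297027801.221:10): apparmor="DENIED" operation="open" parent=3121 profile="/usr/lib/firefox-4.0/firefox" name="/proc/interrupts" pid=3125 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1297027801.300:11): apparmor="DENIED" operation="open" parent=3121 profile="/usr/lib/firefox-4.0/firefox" name="/dev/nvidia0" pid=3125 comm="firefox" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
type=AVC msg=audit(1297027802.000:12): apparmor="ALLOWED" operation="open" parent=3121 profile="/usr/lib/firefox-4.0/firefox" name="/etc/fonts/fonts.conf" pid=3125 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

# Matches every key="value" field on a log line (unquoted fields like pid=3125 are ignored).
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

# Order in which permission letters are printed in the generated rule.
MASK_ORDER = "rwlkmix"


def parse_denials(log_text):
    """Return {profile: {path: set(permission letters)}} for DENIED events only.

    ALLOWED events (complain mode) and lines without a file name are skipped.
    """
    denials = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        if fields.get("apparmor") != "DENIED" or "name" not in fields:
            continue
        # Prefer denied_mask; fall back to requested_mask on older log formats.
        mask = fields.get("denied_mask") or fields.get("requested_mask", "")
        letters = {c for c in mask if c in MASK_ORDER}  # drop separators like "::"
        denials[fields["profile"]][fields["name"]].update(letters)
    return denials


def to_rules(path_modes):
    """Render {path: set(letters)} as AppArmor file rules, sorted by path."""
    rules = []
    for path in sorted(path_modes):
        modes = "".join(c for c in MASK_ORDER if c in path_modes[path])
        rules.append(f"{path} {modes},")
    return rules


def suggest_local_overrides(log_text):
    """Map each profile seen in the log to the rules that would cover its denials."""
    return {profile: to_rules(paths) for profile, paths in parse_denials(log_text).items()}


if __name__ == "__main__":
    for profile, rules in suggest_local_overrides(SAMPLE_LOG).items():
        print(f"# candidate rules for the local override of profile {profile}")
        for rule in rules:
            print(f"  {rule}")
```

The output is a starting point for review, not something to paste blindly: the thread's point is that a rule granting a browser access to a device node deserves a deliberate decision, and the script only makes visible what was denied and with which modes. Repeated denials of the same path with different modes (here /dev/nvidia0 with "r" and then "w") are merged into one rule. After adding the chosen rules to the local override file, reload the profile with the apparmor_parser -r command from the comment above.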
[Bug 712584] Re: Firefox-4.0: AppArmor blocks access to nvidia devices
** Tags added: apparmor
[Bug 712584] Re: Firefox-4.0: AppArmor blocks access to nvidia devices
@Sami Mäkinen: Fully ACK. It seems that AppArmor doesn't have a high priority for Ubuntu developers. It's time to think about moving to, e.g., Tomoyo.
[Bug 712584] Re: Firefox-4.0: AppArmor blocks access to nvidia devices
This issue is not restricted to FF4, as also noted above. The issue is still present on Ubuntu 11.04 and Firefox 7. With AppArmor loaded and enabled, with default settings, I cannot view WebGL demos.

WebGL is a very exciting new technology, and Ubuntu should do all in its power to help this technology become commonplace and naturally "it should just work" with defaults. I don't think this should be a wishlist item. This is a bug because the default configuration breaks features that the average user would like to have, and the average user will not be able to fix the problem.
[Bug 712584] Re: Firefox-4.0: AppArmor blocks access to nvidia devices
I think the way to solve this is for either apparmor or firefox to ship /etc/apparmor.d/abstractions/ubuntu-browsers.d/nvidia with the 3 needed entries:

  /dev/nvidiactl rw,
  /dev/nvidia0 rw,
  /proc/interrupts r,

Then have the firefox.postinst.in have the following line when creating /etc/apparmor.d/abstractions/ubuntu-browsers.d/$APPNAME (this will have to be conditionally added if this include file is shipped in apparmor):

  #include

Micah Gersten (micahg)
[Bug 712584] Re: Firefox-4.0: AppArmor blocks access to nvidia devices
Or, as a general question: Why not add rules that don't "hurt" but improve the acceptance of AppArmor?
[Bug 712584] Re: Firefox-4.0: AppArmor blocks access to nvidia devices
Jamie, why don't you want to add these devices? I mean most Nvidia card users should be affected by this problem. But not all of them are able to debug AppArmor and to edit the related profile - they would probably choose to NOT use this FF profile at all. I'm not sure if that's really what we want. And adding these devices would not open a new security hole (compared to not using the profile) as anybody has read/write permission for these files anyhow. So quite frankly I don't really understand your rationale.