Firefox-4.0: AppArmor blocks access to nvidia devices

This issue is not yet fixed in the apparmor profile for FF 4.0 b13.

I was getting alerts, via apparmor-notify, almost identical to the ones described here, although I am using Firefox 3.6.13, when I visited various websites, although I didn't notice any missing graphics. That may be because the graphics were web ads, which I am blocking via Adblocker Plus. This is a recent change -- I only started getting such alerts a few weeks ago.

I added to /etc/apparmor.d/local/usr.bin.firefox the following:
/dev/nvidactl rw,
/dev/nvidia0 rw,
/proc/interrupts r,

and that seems to have stopped the alerts. As in the original description, I started with the first two, and only then got the /proc/interrupts error, so I added it as well.

Brian's comment in #2 is the correct way to workaround this bug if you want to give firefox read/write access to the nvidia devices. It makes me rather uncomfortable to add these devices to the default profile however.

Jamie, why don't you want to add these devices? I mean most Nvidia card users should be affected by this problem. But not all of them are able to debug AppArmor and to edit the related profile - they would probably chose to NOT use this FF profile at all. I'm not sure if that's really what we want. And adding these devices would not open a new security hole (compared to not using the profile) as anybody has read/write permission for these files anyhow.

So quite frankly I don't really understand your rationale.

Or, as a general question: Why don't add rules that don't "hurt" but improve the acceptance of AppArmor?

I think the way to solve this is for either apparmor or firefox to ship /etc/apparmor.d/abstractions/ubuntu-browsers.d/nvidia with the 3 needed entries:
  /dev/nvidactl rw,
  /dev/nvidia0 rw,
  /proc/interrupts r,

Then have the firefox.postinst.in have the following line when creating /etc/apparmor.d/abstractions/ubuntu-browsers.d/$APPNAME (this will have to be conditionally added if this include file is shipped in apparmor):
#include <abstractions/ubuntu-browsers.d/nvidia

This will make it so that new installs will get the nvidia abstraction, but people can opt out of it using 'aa-update-browser'.

This issue is not restricted to FF4, as also noted above.

The issue is still present on Ubuntu 11.04 and Firefox 7.

With AppArmor loaded and enabled, with default settings, I cannot view WebGL demos.

WebGL is a very exciting new technology, and Ubuntu should do all in its power to help this technology become commonplace and naturally "it should just work" with defaults.

I don't think this should be a wishlist item. This is a bug because the default configuration breaks features that the average user would like to have, and the average user will not be able to fix the problem.

@Sami Mäkinen: Fully ACK. It seems that AppArmor doesn't have a high priority for Ubuntu developers. It's time to think about moving to, e.g., Tomoyo.

I think that people should step back and realize that WebGL does work in the default install of Ubuntu. The AppArmor profile is opt-in and there are instructions in this bug on how to adjust the policy for nvidia.

When developing policy, giving firefox access to a device such as a video card should not be done rashly. That said, we will probably do something like I said in comment #6 for 12.04.

In the meantime, to be perfectly clear on how to make this work, add to /etc/apparmor.d/local/usr.bin.firefox the following:
/dev/nvidactl rw,
/dev/nvidia0 rw,
/proc/interrupts r,

Then run:
$ sudo apparmor_parser -r /etc/apparmor.d/usr.bin.firefox

This bug was fixed in the package apparmor - 2.7.0-0ubuntu1

---------------
apparmor (2.7.0-0ubuntu1) precise; urgency=low

  * New upstream release. Fixes the following:
    - LP: #794974
    - LP: #815883
    - LP: #840973
  * Drop the following patches, included upstream:
    - af_names-generation.patch
    - 0004-adjust-logprof-log-search-order.patch
    - 0005-lp826914.patch
    - 0006-lp838275.patch
    - 0007-fix-introspection-tests.patch
  * Rename 0003-add-debian-integration-to-lighttpd.patch to 0002
  * debian/patches/0003-commits-through-r1882.patch: several bug,
    documentation and performance fixes on our road to AppArmor 2.8
    (LP: #840734, LP: #905412)
  * debian/patches/0004-lp887992.patch: cups-client abstraction should allow
    owner read of @{HOME}/.cups/client.conf and @{HOME}/.cups/lpoptions
    (LP: #887992)
  * update debian/patches/0001-add-chromium-browser.patch for deeper
    directories of /sys/devices/pci (LP: #885833)
  * debian/patches/0005-lp884748.patch: allow kate as text editor in the
    browsers abstraction (LP: #884748)
  * debian/patches/0006-lp870992.patch: abstractions/fonts should allow access
    to ~/.fonts.conf.d (LP: #870992)
  * debian/patches/0007-lp860856.patch: allow read access to sitecustomize.py
    in the python abstraction, which is needed for apport hooks to work in
    python applications (LP: #860856)
  * debian/patches/0008-lp852062.patch: update binaries for transmission
    clients (LP: #852062)
  * debian/patches/0009-lp851977.patch: allow ixr access to exo-open for
    Xubuntu and friends (LP: #851977)
  * debian/patches/0010-lp890894.patch: allow access to Thunar as well as
    thunar in ubuntu-integration abstraction (LP: #890894)
  * debian/patches/0011-lp817956.patch: update usr.sbin.sshd example profile
    (LP: #817956)
  * debian/patches/0012-lp458922.patch: update dovecot deliver profile to
    access various .conf files for dovecot (LP: #458922)
  * debian/patches/0013-lp769148.patch: allow avahi to do dbus introspection
    (LP: #769148)
  * debian/patches/0014-lp904548.patch: fix typo for multiarch line for gconv
    (LP: #904548)
  * debian/patches/0015-lp712584.patch: Nvidia users need access to
    /dev/nvidia* files for various plugins to work right. Since these are all
    focused around multimedia, add the acceses to the multimedia abstraction.
    (LP: #712584)
  * debian/patches/0016-lp562831.patch: allow fireclam plugin to work
    (LP: #562831)
  * debian/patches/0017-lp662906.patch: allow software-center in the ubuntu
    integration browser abstraction (LP: #662906)
  * debian/patches/0018-deny-home-pki-so.patch: update private-files
    abstraction to deny write and link to ~/.pki/nssdb/*so files (LP: #911847)
  * debian/patches/0019-lp899963.patch: add audacity to the
    ubuntu-media-players abstraction (LP: #899963)
  * debian/patches/0020-lp912754a.patch,0021-lp912754b.patch: add p11-kit
    abstraction and add it to the authentication abstraction (LP: #912754)
  * debian/patches/0022-workaround-lp851986.patch: instead of using Ux
    in the ubuntu and launchpad abstractions, use a helper child profile.
    This will help work around the lack of en...