Accidentally replied rather than replying all.

On Fri, Oct 27, 2017 at 10:30 AM, Jason Wittlin-Cohen <jwittlinco...@gmail.com> wrote:

> Thanks for the quick reply!
>
> Adding #include <abstractions/nvidia> to /etc/apparmor.d/local/usr.bin.totem
> fixed the issue. I am now able to open Totem and play videos. I still see
> some apparmor DENY messages in the logs, but they seem unrelated.
>
> Oct 27 10:09:45 kernel: audit: type=1400 audit(1509113385.373:2948): apparmor="DENIED" operation="file_mmap" profile="/usr/bin/totem" name="/tmp/.glE98VL2" pid=6719 comm="totem" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
> Oct 27 10:09:45 kernel: audit: type=1400 audit(1509113385.373:2949): apparmor="DENIED" operation="file_mmap" profile="/usr/bin/totem" name="/tmp/.glE98VL2" pid=6719 comm="totem" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
> Oct 27 10:09:45 kernel: audit: type=1400 audit(1509113385.373:2950): apparmor="DENIED" operation="mkdir" profile="/usr/bin/totem" name="/home/jason.nv/" pid=6719 comm="totem" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
> Oct 27 10:09:45 kernel: audit: type=1400 audit(1509113385.377:2951): apparmor="DENIED" operation="file_mmap" profile="/usr/bin/totem" name="/tmp/.gldPWDHt" pid=6719 comm="totem" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
> Oct 27 10:09:45 kernel: audit: type=1400 audit(1509113385.377:2952): apparmor="DENIED" operation="file_mmap" profile="/usr/bin/totem" name="/tmp/.gldPWDHt" pid=6719 comm="totem" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
> Oct 27 10:09:45 kernel: audit: type=1400 audit(1509113385.377:2953): apparmor="DENIED" operation="mkdir" profile="/usr/bin/totem" name="/home/jason.nv/" pid=6719 comm="totem" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
> Oct 27 10:09:45 kernel: audit: type=1400 audit(1509113385.447:2954): apparmor="DENIED" operation="exec" profile="/usr/bin/totem" name="/bin/dash" pid=6778 comm="totem" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
> Oct 27 10:16:04 kernel: audit: type=1400 audit(1509113764.487:2956): apparmor="DENIED" operation="file_mmap" profile="/usr/bin/totem" name="/tmp/.glph14DP" pid=12243 comm="totem" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
> Oct 27 10:16:04 kernel: audit: type=1400 audit(1509113764.487:2957): apparmor="DENIED" operation="file_mmap" profile="/usr/bin/totem" name="/tmp/.glph14DP" pid=12243 comm="totem" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
> Oct 27 10:16:04 kernel: audit: type=1400 audit(1509113764.487:2958): apparmor="DENIED" operation="mkdir" profile="/usr/bin/totem" name="/home/jason.nv/" pid=12243 comm="totem" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
> Oct 27 10:16:04 kernel: audit: type=1400 audit(1509113764.492:2959): apparmor="DENIED" operation="file_mmap" profile="/usr/bin/totem" name="/tmp/.glnEQ3yX" pid=12243 comm="totem" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
> Oct 27 10:16:04 kernel: audit: type=1400 audit(1509113764.492:2960): apparmor="DENIED" operation="file_mmap" profile="/usr/bin/totem" name="/tmp/.glnEQ3yX" pid=12243 comm="totem" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
> Oct 27 10:16:04 kernel: audit: type=1400 audit(1509113764.492:2961): apparmor="DENIED" operation="mkdir" profile="/usr/bin/totem" name="/home/jason.nv/" pid=12243 comm="totem" requested_mask="c" denied_mask="c" fsuid=1000 ou
>
> ------------
>
> As an aside, I think I am hitting a similar issue when attempting to add
> apparmor integration to the google-chrome profile in Firejail (firejail
> ships with its own apparmor profile which allows for additional hardening
> that is not possible when running firejail alone). When I enable apparmor
> integration in the Chrome profile, GPU rendering and acceleration are
> disabled, resulting in horrid tearing. I see this message in the logs:
>
> Oct 27 10:06:45 kernel: audit: type=1400 audit(1509113205.516:2856): apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/modules" pid=1417 comm="nvidia-modprobe" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
>
> I tried adding #include <abstractions/nvidia> to
> /etc/apparmor.d/local/firejail-local
> but then firejail_parser complains "Found reference to variable HOME, but
> is never declared."
> I reported the issue here if you are curious:
> https://github.com/netblue30/firejail/issues/1615
>
> On Fri, Oct 27, 2017 at 4:01 AM, intrigeri <intrig...@debian.org> wrote:
>
>> Control: retitle -1 Totem segfaults with NVIDIA proprietary drivers when
>> AppArmor profile is enforced
>> Control: tag -1 + moreinfo
>>
>> Hi Jason!
>>
>> Jason Wittlin-Cohen:
>> > Totem suffers a segmentation fault upon startup when its respective
>> > apparmor profile is set to enforce mode. It starts fine when the
>> > apparmor profile is set to complain mode. I have not modified the
>> > /etc/apparmor.d/usr.bin.totem profile.
>>
>> > […]
>> > Oct 27 00:00:22 debian-testing kernel: [139101.193078] audit: type=1400 audit(1509076822.746:1331): apparmor="DENIED" operation="open" profile="/usr/bin/totem" name="/proc/modules" pid=29696 comm="totem" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
>> > Oct 27 00:00:22 debian-testing kernel: [139101.194061] audit: type=1400 audit(1509076822.747:1332): apparmor="DENIED" operation="exec" profile="/usr/bin/totem" name="/usr/bin/nvidia-modprobe" pid=29699 comm="totem" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
>>
>> Thanks for reporting this. This seems to be specific to using the
>> NVIDIA proprietary drivers. Unfortunately I have no NVIDIA hardware
>> available so I'll need help from you to fix this. This may require
>> more than one "please test this and report back" iteration.
>>
>> Could you please try adding to /etc/apparmor.d/local/usr.bin.totem
>>
>> #include <abstractions/nvidia>
>>
>> … then run "sudo apparmor_parser -r /etc/apparmor.d/usr.bin.totem"
>> and retry.
>>
>> If that's not enough, also add:
>>
>> /usr/bin/nvidia-modprobe Pix,
>>
>> … then run "sudo apparmor_parser -r /etc/apparmor.d/usr.bin.totem"
>> and retry.
>>
>> If both fail, I will need the corresponding AppArmor logs that you can
>> gather with:
>>
>> sudo journalctl -ka --no-hostname | grep -w 'apparmor="DENIED"'
>>
>> Or, if systemd-journald is not running:
>>
>> sudo grep -w 'apparmor="DENIED"' \
>>   /var/log/auditd/auditd.log \
>>   /var/log/syslog
>>
>> This could also be worth a try:
>>
>> /usr/bin/nvidia-modprobe PUx,
>>
>> (it's not good enough to be applied as-is in Debian but at least it
>> may help us diagnose the problem :)
>>
>> Thanks in advance!
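The thread above works through AppArmor denials by hand: read each apparmor="DENIED" line, decide which path and permission it is about, and draft a local profile addition. As an added example (not code from the thread, Debian, or AppArmor's own aa-logprof), here is a small Python triage helper that parses denial lines of the shape quoted above, collapses repeats, and drafts candidate rules; the sample lines, paths and pids are constructed, and the rule text is a starting point for review, not something to paste into a profile unseen.

```python
import re
from collections import OrderedDict

# Constructed sample in the shape of the kernel audit lines quoted in the thread.
SAMPLE_LOG = """\
Oct 27 10:09:45 kernel: audit: type=1400 audit(1509113385.373:2948): apparmor="DENIED" operation="file_mmap" profile="/usr/bin/totem" name="/tmp/.glE98VL2" pid=6719 comm="totem" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
Oct 27 10:09:45 kernel: audit: type=1400 audit(1509113385.373:2949): apparmor="DENIED" operation="file_mmap" profile="/usr/bin/totem" name="/tmp/.glE98VL2" pid=6719 comm="totem" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
Oct 27 10:09:45 kernel: audit: type=1400 audit(1509113385.373:2950): apparmor="DENIED" operation="mkdir" profile="/usr/bin/totem" name="/home/user/.nv/" pid=6719 comm="totem" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Oct 27 10:09:45 kernel: audit: type=1400 audit(1509113385.447:2954): apparmor="DENIED" operation="exec" profile="/usr/bin/totem" name="/bin/dash" pid=6778 comm="totem" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
"""

# key="quoted value" or key=bare_value
FIELD_RE = re.compile(r'(\w+)="([^"]*)"|(\w+)=(\S+)')
# The audit log reports create/delete as c/d; profile rules express both as w.
MASK_MAP = {"c": "w", "d": "w"}


def parse_denials(text):
    """Return one dict of key/value fields per apparmor="DENIED" line."""
    out = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        fields = {}
        for q_key, q_val, b_key, b_val in FIELD_RE.findall(line):
            fields[q_key or b_key] = q_val if q_key else b_val
        out.append(fields)
    return out


def suggest_rules(denials):
    """Collapse repeated denials per (profile, path) and draft one candidate rule each.
    exec denials are emitted as a comment: the x transition (ix/Pix/Cx...) is a
    trust decision a human must make, as the thread's Pix vs PUx discussion shows."""
    groups = OrderedDict()
    for d in denials:
        g = groups.setdefault((d["profile"], d["name"]),
                              {"mask": set(), "owner": True, "exec": False, "n": 0})
        g["mask"].update(MASK_MAP.get(c, c) for c in d["denied_mask"])
        g["owner"] &= d.get("fsuid") == d.get("ouid")   # owner-only when uids match
        g["exec"] |= d["operation"] == "exec"
        g["n"] += 1
    rules = []
    for (profile, path), g in groups.items():
        if g["exec"]:
            rules.append(f"# {profile}: exec of {path} denied {g['n']}x; "
                         "needs an explicit x transition, review before allowing")
        else:
            rules.append(f"{'owner ' if g['owner'] else ''}{path} {''.join(sorted(g['mask']))},")
    return rules
```

Feed it the output of the journalctl or grep command from the thread; the `owner` prefix is kept only when the denied file belongs to the process's own uid, which keeps the drafted rule as narrow as the log justifies.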