Ubuntu
chromium-browser package

[snap] chromium snap does not allow to read symlinks to /usr/share/javascript

Bug #2032992 reported by Vladimir Petko
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Mozilla Firefox
Fix Released
Unknown
chromium-browser (Ubuntu)
Fix Released
Undecided
Nathan Teodosio
firefox (Ubuntu)
Fix Released
Undecided
Nathan Teodosio

Bug Description

Steps to reproduce:

1) Install chromium snap
snap install chromium
2) Install openjdk-21 documentation
sudo apt install openjdk-21-doc
3) Browse API documentation
chromium /usr/share/doc/openjdk-21-doc/api/index.html

The search bar is inactive and dev console contains:
jquery-3.6.1.min.js:1 Failed to load resource: net::ERR_FILE_NOT_FOUND

$ls -l /usr/share/doc/openjdk-21-jre-headless/api/script-dir/jquery-3.6.1.min.js
lrwxrwxrwx 1 root root 43 Mar 17 13:31 /usr/share/doc/openjdk-21-jre-headless/api/script-dir/jquery-3.6.1.min.js -> ../../../../javascript/jquery/jquery.min.js

cat /usr/share/doc/openjdk-21-jre-headless/api/script-dir/jquery-3.6.1.min.js
prints the file contents

Downloaded version of chrome opens documentation with active search bar and no javascript errors
/tmp/chrome/chrome /usr/share/doc/openjdk-21-doc/api/index.html

Expected results:

Chromium snap should be able to follow symlink into /usr/share/javascript and correctly load OpenJDK API documentation.

Note: this probably should be a specific exclusion for Debian-based systems.

Tags: snap
Revision history for this message
In , Vladimir Petko (vpa1977) wrote :

Created attachment 9350104
firefox-snap-info.txt

Steps to reproduce:

1. Install firefox snap 116.0.3-2
snap install firefox
2. Install openjdk-21 documentation
sudo apt install openjdk-21-doc
3. Browse API documentation
firefox /usr/share/doc/openjdk-21-doc/api/index.html

Actual results:

The search bar is inactive
Console contains
Loading failed for the <script> with source “file:///usr/share/doc/openjdk-21-jre-headless/api/script-dir/jquery-3.6.1.min.js”.

$ls -l /usr/share/doc/openjdk-21-jre-headless/api/script-dir/jquery-3.6.1.min.js
lrwxrwxrwx 1 root root 43 Mar 17 13:31 /usr/share/doc/openjdk-21-jre-headless/api/script-dir/jquery-3.6.1.min.js -> ../../../../javascript/jquery/jquery.min.js

cat /usr/share/doc/openjdk-21-jre-headless/api/script-dir/jquery-3.6.1.min.js
prints the file contents

Downloaded version of firefox opens documentation with active search bar and no javascript errors
/tmp/firefox/firefox /usr/share/doc/openjdk-21-doc/api/index.html

Expected results:

Firefox snap should be able to follow symlink and correctly load OpenJDK API documentation.

Revision history for this message
Nathan Teodosio (nteodosio) wrote :

Hi Vladimir, thanks for the bug report.

In Ubuntu, Chromium is provided a snap. The snap confinement prevents the program from accessing system files under /usr/share, /usr/share/doc being an exception when the system-package-doc interface[1] is connected (which is the default).

Although the symlink is under /usr/share/doc, it points to a non-whitelisted location under /usr/share, and thus Chromium cannot load it.

I'm sorry for the inconvenience this generates in this case, but that limitation is inherent to the model.

[1] https://snapcraft.io/docs/the-system-package-doc-interface

Changed in chromium-browser (Ubuntu):
status: New → Won't Fix
Revision history for this message
Vladimir Petko (vpa1977) wrote :

I beg to reconsider this decision since due to the Debian policy[1] the documentation packages install related javascript libraries (namely JQuery) into /usr/share/javascript.

Limiting snap access to /usr/share/doc only results in broken documentation for our users.

[1] https://wiki.debian.org/Javascript/Policy

Revision history for this message
Nathan Teodosio (nteodosio) wrote :

I see, openjdk-21-doc depends on libjs-jquery.

I think it is unlikely that they would allow this, but one could raise the issue in forum.snapcraft.io.

Changed in firefox (Ubuntu):
status: New → Won't Fix
tags: added: snap
Revision history for this message
Nathan Teodosio (nteodosio) wrote (last edit ):

Opened a query with Snapd folks on https://forum.snapcraft.io/t/documentation-packages-attempt-to-access-usr-share-javascript-but-fail/36516. Feel free to chime in.

Revision history for this message
In , Snegritas (snegritas) wrote :

Hello! I have tried to reproduce the issue with firefox 118.0a1(2023-08-25) on Ubuntu 22.04, unfortunately I wasn't able to reproduce the issue on my end. Could you please answer the following questions in order to further investigate this issue.

1. Does this issue happen with a new profile? Here is a link on how to create one: https://support.mozilla.org/en-US/kb/profile-manager-create-remove-switch-firefox-profiles
2. Does this issue happen in the latest nightly? Here is a link from where you can download it: https://www.mozilla.org/en-US/firefox/channel/desktop/
3. Do you have any addons installed? If yes could you please list them?

Revision history for this message
In , Vladimir Petko (vpa1977) wrote :

Hi,

Latest version of firefox downloaded from the site works fine.

This bug relates to the snap version of firefox that does not have sufficient permissions to follow symlinks.
Please install firefox via `snap install firefox` (see steps to reproduce).

Best Regards,
 Vladimir.

Nathan Teodosio (nteodosio)
Changed in chromium-browser (Ubuntu):
status: Won't Fix → Triaged
Changed in firefox (Ubuntu):
status: Won't Fix → Triaged
assignee: nobody → Nathan Teodosio (nteodosio)
Changed in chromium-browser (Ubuntu):
assignee: nobody → Nathan Teodosio (nteodosio)
Revision history for this message
Nathan Teodosio (nteodosio) wrote :

I proposed https://github.com/snapcore/snapd/pull/13130.

Changed in chromium-browser (Ubuntu):
status: Triaged → In Progress
Changed in firefox (Ubuntu):
status: Triaged → In Progress
Revision history for this message
In , Release-mgmt-account-bot (release-mgmt-account-bot) wrote :

The [Bugbug](https://github.com/mozilla/bugbug/) bot thinks this bug should belong to the 'Firefox Build System::Third Party Packaging' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Revision history for this message
In , Snegritas (snegritas) wrote :

Hello Vladimir! I have installed firefox with snap install but on the second step I can't install the program. Could you please provide a video or a screen shot with the issue?

Thank you!

Revision history for this message
In , Vladimir Petko (vpa1977) wrote :

Created attachment 9355158
test.png

Revision history for this message
In , Vladimir Petko (vpa1977) wrote :

Please use `sudo apt install openjdk-17-doc` as the second step (see screenshot).

Revision history for this message
In , Release-mgmt-account-bot (release-mgmt-account-bot) wrote :

The severity field is not set for this bug.
:gerard-majax, could you have a look please?

For more information, please visit [BugBot documentation](https://wiki.mozilla.org/BugBot#workflow.2Fno_severity.py).

Revision history for this message
In , Lissyx+mozillians (lissyx+mozillians) wrote :

Vladimir, please refer to your colleagues.

Revision history for this message
In , Lissyx+mozillians (lissyx+mozillians) wrote :

This is just another case of directory being blocked by snap sandbox

Revision history for this message
In , Lissyx+mozillians (lissyx+mozillians) wrote :

Looks like this is another case https://bugzilla.mozilla.org/show_bug.cgi?id=1768303#c12

Revision history for this message
In , Sebastien Bacher (seb128) wrote :

Right, it seems another case of directory not available from within the sandbox, we should perhaps consider allowing read access to /usr/share/doc

Revision history for this message
In , Lissyx+mozillians (lissyx+mozillians) wrote :

*** This bug has been marked as a duplicate of bug 1768303 ***

Revision history for this message
In , Lissyx+mozillians (lissyx+mozillians) wrote :

(In reply to seb128 from comment #11)
> Right, it seems another case of directory not available from within the sandbox, we should perhaps consider allowing read access to /usr/share/doc

`/usr/share/doc` is already allowed: https://github.com/snapcore/snapd/blob/4dba256bd08383a966d414a75e8ffbd5e172b355/interfaces/builtin/system_packages_doc.go#L88-L92

Revision history for this message
In , Lissyx+mozillians (lissyx+mozillians) wrote :

Ok, the problem is that the symlink is outside what is allowed:
```
$ alex@portable-alex:~$ realpath /usr/share/doc/openjdk-21-jre-headless/api/script-dir/jquery-3.6.1.min.js
/usr/share/javascript/jquery/jquery.min.js
```
I'm not really sure what we can do there ...

Revision history for this message
In , Sebastien Bacher (seb128) wrote :

There isn't really a solution there until snapd or portal provide a framework to be able to access the content of random directories outide of the confinement space...

Revision history for this message
In , Nathan Teodosio (nteodosio) wrote :

There is a merge request for allowing /usr/share/javascript/jquery/, https://github.com/snapcore/snapd/pull/13130.

Nathan Teodosio (nteodosio)
no longer affects: chromium-browser
Bug Watch Updater (bug-watch-updater)
Changed in firefox:
status: Unknown → Confirmed
Revision history for this message
In , Lissyx+mozillians (lissyx+mozillians) wrote :

(In reply to Nathan Teodosio :nteodosio from comment #16)
> There is a merge request for allowing /usr/share/javascript/jquery/, https://github.com/snapcore/snapd/pull/13130.

it should now be merged soon

Revision history for this message
In , Lissyx+mozillians (lissyx+mozillians) wrote :

Merged and will get fixed when snapd 2.62 gets released: https://github.com/snapcore/snapd/pull/13130

Bug Watch Updater (bug-watch-updater)
Changed in firefox:
status: Confirmed → Fix Released
Revision history for this message
Nathan Teodosio (nteodosio) wrote :

The fix is in Snapd beta and should be in stable in the next month or so.

Changed in chromium-browser (Ubuntu):
status: In Progress → Fix Released
Changed in firefox (Ubuntu):
status: In Progress → Fix Released
Revision history for this message
Ernest Lotter (ernestl) wrote :

Test feedback on snapd 2.62 beta would be appreciated.

Revision history for this message
Vladimir Petko (vpa1977) wrote :
Download full text (3.9 KiB)

I have tested the updated snapd in a Noble VM.

I have installed:

firefox latest/stable:
installed: 124.0.1-1 (4033) 281MB -
chromium latest/stable:
installed: 123.0.6312.86 (2805) 168MB -

openjdk-21-doc/noble,noble,now 21.0.3~7ea-1 all [installed]
snapd/noble-proposed,now 2.62+24.04build1 amd64 [installed]

I have opened openjdk documentation with
----
$firefox /usr/share/doc/openjdk-21-doc/index.html
update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/local/share/doc /usr/local/share/doc none bind,ro 0 0): cannot open directory "/usr/local/share": permission denied
update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/gimp/2.0/help /usr/share/gimp/2.0/help none bind,ro 0 0): cannot open directory "/var/lib": permission denied
update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/javascript/sphinxdoc /usr/share/javascript/sphinxdoc none bind,ro 0 0): cannot open directory "/var/lib": permission denied
update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/sphinx_rtd_theme /usr/share/sphinx_rtd_theme none bind,ro 0 0): cannot open directory "/var/lib": permission denied
update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/xubuntu-docs /usr/share/xubuntu-docs none bind,ro 0 0): cannot open directory "/var/lib": permission denied
----
The snap output some errors, but the documentation opened correctly and the search bar was active.

chromium:
--
$ chromium /usr/share/doc/openjdk-21-doc/index.html
Gtk-Message: 10:59:34.732: Not loading module "atk-bridge": The functionality is provided by GTK natively. Please try to not load it.

(chrome:5433): Gtk-WARNING **: 10:59:34.780: GTK+ module /snap/chromium/2805/gnome-platform/usr/lib/gtk-2.0/modules/libcanberra-gtk-module.so cannot be loaded.
GTK+ 2.x symbols detected. Using GTK+ 2.x and GTK+ 3 in the same process is not supported.
Gtk-Message: 10:59:34.780: Failed to load module "canberra-gtk-module"

(chrome:5433): Gtk-WARNING **: 10:59:34.782: GTK+ module /snap/chromium/2805/gnome-platform/usr/lib/gtk-2.0/modules/libcanberra-gtk-module.so cannot be loaded.
GTK+ 2.x symbols detected. Using GTK+ 2.x and GTK+ 3 in the same process is not supported.
Gtk-Message: 10:59:34.782: Failed to load module "canberra-gtk-module"
[5433:5433:0402/105934.824524:ERROR:policy_logger.cc(157)] :components/enterprise/browser/controller/chrome_browser_cloud_management_controller.cc(161) Cloud management controller initialization aborted as CBCM is not enabled. Please use the `--enable-chrome-browser-cloud-management` command line flag to enable it if you are not using the official Google Chrome build.
libva error: /snap/chromium/2805/gnome-platform/usr/lib/x86_64-linux-gnu/dri/virtio_gpu_drv_video.so init failed
[5630:5630:0402/105934.916687:ERROR:viz_main_impl.cc(196)] Exiting GPU process due to errors during initialization
[5433:5433:0402/105935.190773:ERROR:object_proxy.cc(576)] Failed to call method: org.freedesktop.ScreenSaver.Get...

Read more...

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.