As of yesterday, launching GUI-enabled snaps reliably triggers AppArmor denials when they try to communicate with the NVIDIA drivers.
$ lsb_release -a
Distributor ID: Ubuntu
Description: Ubuntu Focal Fossa (development branch)
Release: 20.04
Codename: focal
$ snap version
snap 2.43.2
snapd 2.43.2
series 16
ubuntu 20.04
kernel 5.4.0-12-generic
The denials look like the following:
Feb 11 02:27:47 utumno audit[855860]: AVC apparmor="DENIED" operation="sendmsg" profile="snap.simplenote.simplenote" pid=855860 comm="simplenote" family="unix" sock_type="dgram" protocol=0 requested_mask="send" denied_mask="send" addr=none peer_addr="@7661722F72756E2F6E76696469612D786472697665722D66383137376439660000000000000000000000000000000000000000000000000000000000000000" peer="unconfined"
Feb 11 02:27:47 utumno audit[855860]: AVC apparmor="DENIED" operation="sendmsg" profile="snap.simplenote.simplenote" name="/run/nvidia-xdriver-f8177d9f" pid=855860 comm="simplenote" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
Feb 11 02:27:47 utumno kernel: audit: type=1400 audit(1581406067.880:2542): apparmor="DENIED" operation="sendmsg" profile="snap.simplenote.simplenote" pid=855860 comm="simplenote" family="unix" sock_type="dgram" protocol=0 requested_mask="send" denied_mask="send" addr=none peer_addr="@7661722F72756E2F6E76696469612D786472697665722D66383137376439660000000000000000000000000000000000000000000000000000000000000000" peer="unconfined"
Feb 11 02:27:47 utumno kernel: audit: type=1400 audit(1581406067.880:2543): apparmor="DENIED" operation="sendmsg" profile="snap.simplenote.simplenote" name="/run/nvidia-xdriver-f8177d9f" pid=855860 comm="simplenote" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
Feb 10 19:31:58 utumno audit[484729]: AVC apparmor="DENIED" operation="sendmsg" profile="snap.pomotroid.pomotroid" pid=484729 comm="pomotroid" family="unix" sock_type="dgram" protocol=0 requested_mask="send" denied_mask="send" addr=none peer_addr="@7661722F72756E2F6E76696469612D786472697665722D66383137376439660000000000000000000000000000000000000000000000000000000000000000" peer="unconfined"
Feb 10 19:31:58 utumno audit[484729]: AVC apparmor="DENIED" operation="sendmsg" profile="snap.pomotroid.pomotroid" name="/run/nvidia-xdriver-f8177d9f" pid=484729 comm="pomotroid" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
Feb 10 19:31:58 utumno kernel: audit: type=1400 audit(1581381118.124:340): apparmor="DENIED" operation="sendmsg" profile="snap.pomotroid.pomotroid" pid=484729 comm="pomotroid" family="unix" sock_type="dgram" protocol=0 requested_mask="send" denied_mask="send" addr=none peer_addr="@7661722F72756E2F6E76696469612D786472697665722D66383137376439660000000000000000000000000000000000000000000000000000000000000000" peer="unconfined"
Feb 10 19:31:58 utumno kernel: audit: type=1400 audit(1581381118.124:341): apparmor="DENIED" operation="sendmsg" profile="snap.pomotroid.pomotroid" name="/run/nvidia-xdriver-f8177d9f" pid=484729 comm="pomotroid" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
Feb 11 13:08:13 utumno audit[1447768]: AVC apparmor="DENIED" operation="sendmsg" profile="snap.pomotroid.pomotroid" pid=1447768 comm="pomotroid" family="unix" sock_type="dgram" protocol=0 requested_mask="send" denied_mask="send" addr=none peer_addr="@7661722F72756E2F6E76696469612D786472697665722D66383137376439660000000000000000000000000000000000000000000000000000000000000000" peer="unconfined"
Feb 11 13:08:13 utumno kernel: audit: type=1400 audit(1581444493.290:9448): apparmor="DENIED" operation="sendmsg" profile="snap.pomotroid.pomotroid" pid=1447768 comm="pomotroid" family="unix" sock_type="dgram" protocol=0 requested_mask="send" denied_mask="send" addr=none peer_addr="@7661722F72756E2F6E76696469612D786472697665722D66383137376439660000000000000000000000000000000000000000000000000000000000000000" peer="unconfined"
Feb 11 13:08:13 utumno kernel: audit: type=1400 audit(1581444493.290:9449): apparmor="DENIED" operation="sendmsg" profile="snap.pomotroid.pomotroid" name="/run/nvidia-xdriver-f8177d9f" pid=1447768 comm="pomotroid" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
Feb 11 13:08:13 utumno audit[1447768]: AVC apparmor="DENIED" operation="sendmsg" profile="snap.pomotroid.pomotroid" name="/run/nvidia-xdriver-f8177d9f" pid=1447768 comm="pomotroid" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
Feb 11 13:59:41 utumno audit[1505247]: AVC apparmor="DENIED" operation="sendmsg" profile="snap.pomotroid.pomotroid" pid=1505247 comm="pomotroid" family="unix" sock_type="dgram" protocol=0 requested_mask="send" denied_mask="send" addr=none peer_addr="@7661722F72756E2F6E76696469612D786472697665722D66383137376439660000000000000000000000000000000000000000000000000000000000000000" peer="unconfined"
Feb 11 13:59:41 utumno audit[1505247]: AVC apparmor="DENIED" operation="sendmsg" profile="snap.pomotroid.pomotroid" name="/run/nvidia-xdriver-f8177d9f" pid=1505247 comm="pomotroid" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
Feb 11 13:59:41 utumno kernel: audit: type=1400 audit(1581447581.792:10272): apparmor="DENIED" operation="sendmsg" profile="snap.pomotroid.pomotroid" pid=1505247 comm="pomotroid" family="unix" sock_type="dgram" protocol=0 requested_mask="send" denied_mask="send" addr=none peer_addr="@7661722F72756E2F6E76696469612D786472697665722D66383137376439660000000000000000000000000000000000000000000000000000000000000000" peer="unconfined"
Feb 11 13:59:41 utumno kernel: audit: type=1400 audit(1581447581.792:10273): apparmor="DENIED" operation="sendmsg" profile="snap.pomotroid.pomotroid" name="/run/nvidia-xdriver-f8177d9f" pid=1505247 comm="pomotroid" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
It looks like we need to adjust the policy to allow:
/run/nvidia-xdriver-* rw,
unix (send, receive) type=dgram peer=(addr="@var/run/nvidia-xdriver-*"),
I'm not sure if more is needed for the updated drivers.
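To make the link between the hex `peer_addr` in those denials and the abstract socket name the policy has to name, here is a small added Python helper (an example written for this page, not code from the report or from snapd). It parses the AVC key=value fields, decodes the abstract socket address, and emits the file and unix rules the observed denials ask for. Two assumptions are built in: AppArmor logs an abstract unix address as `@` followed by the hex bytes of the socket path, NUL-padded to the sun_path length, and replacing the per-driver hex suffix with `*` is the generalisation the report proposes rather than something the log itself establishes.

```python
import re

# Two AVC lines copied from the denials above: one socket denial, one file denial.
SAMPLE_LOG = """\
Feb 11 02:27:47 utumno audit[855860]: AVC apparmor="DENIED" operation="sendmsg" profile="snap.simplenote.simplenote" pid=855860 comm="simplenote" family="unix" sock_type="dgram" protocol=0 requested_mask="send" denied_mask="send" addr=none peer_addr="@7661722F72756E2F6E76696469612D786472697665722D66383137376439660000000000000000000000000000000000000000000000000000000000000000" peer="unconfined"
Feb 11 02:27:47 utumno audit[855860]: AVC apparmor="DENIED" operation="sendmsg" profile="snap.simplenote.simplenote" name="/run/nvidia-xdriver-f8177d9f" pid=855860 comm="simplenote" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
"""

# key="quoted value" or key=bareword, as audit lines are written
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_avc(line):
    """Turn one AppArmor audit line into a dict of its key=value fields."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def decode_peer_addr(peer_addr):
    """Decode an abstract unix address as AppArmor prints it.

    Assumption: '@' + hex bytes of sun_path with the leading NUL removed,
    then NUL padding. Non-abstract addresses are returned untouched.
    """
    if not peer_addr.startswith("@"):
        return peer_addr
    hexstr = peer_addr[1:]
    if len(hexstr) % 2:  # a lone trailing nibble can only be padding
        hexstr = hexstr[:-1]
    raw = bytes.fromhex(hexstr).rstrip(b"\x00")
    return "@" + raw.decode("ascii", errors="replace")


def suggest_rules(log_text, glob_suffix=True):
    """Derive the AppArmor rules that would satisfy each DENIED line.

    With glob_suffix=True the driver's hex suffix is replaced by '*',
    which is the shape of the rules sketched in the report (an assumption
    about how the suffix varies, not a fact read from the log).
    """
    rules = set()
    for line in log_text.splitlines():
        f = parse_avc(line)
        if f.get("apparmor") != "DENIED":
            continue
        if f.get("family") == "unix" and "peer_addr" in f:
            name = decode_peer_addr(f["peer_addr"])
            rules.add(f'unix ({f["denied_mask"]}) type={f["sock_type"]} '
                      f'peer=(addr="{name}"),')
        elif "name" in f:
            rules.add(f'{f["name"]} {f["denied_mask"]},')
    if glob_suffix:
        rules = {re.sub(r"nvidia-xdriver-[0-9a-f]+", "nvidia-xdriver-*", r)
                 for r in rules}
    return sorted(rules)


if __name__ == "__main__":
    print("decoded peer:", decode_peer_addr(
        parse_avc(SAMPLE_LOG.splitlines()[0])["peer_addr"]))
    for rule in suggest_rules(SAMPLE_LOG):
        print(rule)
```

The decoded address shows why a plain path rule is not enough: the socket peer is the abstract name `@var/run/nvidia-xdriver-f8177d9f`, so the profile needs a `unix` rule naming that peer alongside the write rule for `/run/nvidia-xdriver-*`.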