Ubuntu
snapd package

Snap chromium - apparmor pulseAudio (and other) error messages (20.04)

Bug #1865282 reported by Richard Baka on 2020-02-29

8

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	AppArmor Profiles	Invalid	Undecided	Unassigned
	snapd	Fix Released	High	Unassigned	snapd 2.44
	snapd (Ubuntu)	Fix Released	High	Unassigned

Bug Description

My chromium browser what was installed by snap is constantly causing this system error message:

[ 3754.402424] audit: type=1400 audit(1582978393.441:96): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/etc/pulse/client.conf.d/" pid=6082 comm="chrome" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

Comment: This is a fresh chromium installation and I've never manually modified the pulseaudio interface however my pulseaudio configuration is custom because of the bad default sound quality.

snap connections chromium
Interface Plug Slot Notes
audio-playback chromium:audio-playback :audio-playback -
audio-record chromium:audio-record - -
browser-support chromium:browser-sandbox :browser-support -
camera chromium:camera :camera -
content[gtk-3-themes] chromium:gtk-3-themes gtk-common-themes:gtk-3-themes -
content[icon-themes] chromium:icon-themes gtk-common-themes:icon-themes -
content[sound-themes] chromium:sound-themes gtk-common-themes:sound-themes -
cups-control chromium:cups-control :cups-control -
desktop chromium:desktop :desktop -
gsettings chromium:gsettings :gsettings -
home chromium:home :home manual
joystick chromium:joystick :joystick -
mount-observe chromium:mount-observe - -
mpris - chromium:mpris -
network chromium:network :network -
network-bind chromium:network-bind :network-bind -
network-manager chromium:network-manager - -
opengl chromium:opengl :opengl -
password-manager-service chromium:password-manager-service :password-manager-service manual
personal-files chromium:chromium-config - -
pulseaudio chromium:pulseaudio - -
raw-usb chromium:raw-usb - -
removable-media chromium:removable-media - -
screen-inhibit-control chromium:screen-inhibit-control :screen-inhibit-control -
u2f-devices chromium:u2f-devices :u2f-devices -
unity7 chromium:unity7 :unity7 -
upower-observe chromium:upower-observe :upower-observe -
x11 chromium:x11 :x11 -

See original description

Revision history for this message

Richard Baka (bakarichard91) wrote on 2020-02-29:

#1

apparmor_interfaces.png Edit (165.4 KiB, image/png)

affects:	linux (Ubuntu) → snapd (Ubuntu)
description:	updated

Revision history for this message

Richard Baka (bakarichard91) wrote on 2020-02-29:

#2

Messages I got after I had started browsing my computer to download the png attachment:

type=1400 audit(1582979599.967:146): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/run/mount/utab" pid=2504 comm="chrome" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

type=1400 audit(1582979590.211:134): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/home/myname/.node_repl_history" pid=2504 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

type=1400 audit(1582979590.211:133): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/home/myname/.viminfo" pid=2504 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

type=1400 audit(1582979590.211:132): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/home/myname/.xsession-errors" pid=2504 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

type=1400 audit(1582979590.211:131): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/home/myname/.gtkrc-2.0" pid=2504 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/home/myname/.dmrc" pid=2504 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

type=1400 audit(1582979590.211:129): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/home/myname/.face" pid=2504 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

type=1400 audit(1582979590.211:128): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/home/myname/.bashrc" pid=2504 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

type=1400 audit(1582979590.211:127): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/home/myname/.profile" pid=2504 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

type=1400 audit(1582979590.211:125): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/home/myname/.bash_logout" pid=2504 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

type=1400 audit(1582979562.723:124): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/home/myname/.xsession-errors" pid=2504 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

Messages I got after I had started browsing my computer to download the png attachment:

type=1400 audit(1582979599.967:146): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/run/mount/utab" pid=2504 comm="chrome" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

type=1400 audit(1582979590.211:134): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/home/myname/.node_repl_history" pid=2504 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

type=1400 audit(1582979590.211:133): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/home/myname/.viminfo" pid=2504 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

type=1400 audit(1582979590.211:132): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/home/myname/.xsession-errors" pid=2504 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

type=1400 audit(1582979590.211:131): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/home/myname/.gtkrc-2.0" pid=2504 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/home/myname/.dmrc" pid=2504 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

type=1400 audit(1582979590.211:129): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/home/myname/.face" pid=2504 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

type=1400 audit(1582979590.211:128): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/home/myname/.bashrc" pid=2504 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

type=1400 audit(1582979590.211:127): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/home/myname/.profile" pid=2504 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

type=1400 audit(1582979590.211:125): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/home/myname/.bash_logout" pid=2504 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

type=1400 audit(1582979562.723:124): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/home/myname/.xsession-errors" pid=2504 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

Revision history for this message

Richard Baka (bakarichard91) wrote on 2020-02-29:

#3

*upload

Jamie Strandboge (jdstrand) on 2020-02-29

Changed in snapd:
status:	New → Triaged
assignee:	nobody → Jamie Strandboge (jdstrand)

Revision history for this message

Jalon Funk (francescohickle15) wrote on 2020-02-29:

#4

IIRC for /etc/pulse/client.conf.d/ you need to connect pulseaudio interface

The spam of denials after you open file dialog is inevitable in snap, you may ignore it.

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2020-02-29:

#5

pulseaudio is deprecated now in favor of audio-playback, but audio-playback has:

/etc/pulse/* r,

and pulseaudio has:

/etc/pulse/** r,

We need to adjust the audio-playback interface to have '**'. I'll be doing this in my next batch of policy updates (likely next week).

Revision history for this message

Richard Baka (bakarichard91) wrote on 2020-02-29:

#6

Jalon Funk (francescohickle15) that is a correct temporary workaround.

Jamie Strandboge (jdstrand) thanks for your help. BTW please check the other error messages in my first comment too. Those are displayed if the file browsing dialog is opened from the web-browser (fe.: by a file upload).

summary:

- Snap chromium - apparmor pulseAudio error message (20.04)
+ Snap chromium - apparmor pulseAudio (and other) error messages (20.04)

Revision history for this message

Jalon Funk (francescohickle15) wrote on 2020-03-01:

#7

As I said file dialog denials are unsolvable unless snap adopts xdg-desktop-portal but afaik chromium doesn't support it anyway. When you open file dialog it will iterate over files in current dir and most of them shouldn't be allowed but they also can't be explicitly denied.

Revision history for this message

Richard Baka (bakarichard91) wrote on 2020-03-01:

#8

Jalon Funk (francescohickle15) sorry I haven't read well your second sentence. I understand it now.

Jamie Strandboge (jdstrand) on 2020-03-09

Changed in snapd:
assignee:	Jamie Strandboge (jdstrand) → nobody
status:	Triaged → Fix Committed
Changed in apparmor-profiles:
status:	New → Invalid

Samuele Pedroni (pedronis) on 2020-03-16

Changed in snapd:
importance:	Undecided → High
Changed in snapd (Ubuntu):
status:	New → Triaged
status:	Triaged → In Progress
importance:	Undecided → High

Revision history for this message

Zygmunt Krynicki (zyga) wrote on 2020-06-23:

#9

I didn't pinpoint the exact release but it seems to have been released to stable sometime in snapd 2.44.*. Marking as released.

Changed in snapd:
status:	Fix Committed → Fix Released
milestone:	none → 2.44

Maciej Borzecki (maciek-borzecki) on 2020-10-01

Changed in snapd (Ubuntu):
status:	In Progress → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Bug attachments

apparmor_interfaces.png Edit

Add attachment

Remote bug watches

Bug watches keep track of this bug in other bug trackers.