application can't open a window without network-manager connection
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
snapd (Ubuntu) |
Incomplete
|
Undecided
|
Unassigned |
Bug Description
I'm maintaining the snap package for some weeks now and I encountered a very weird aspect of snaps:
The application "manuskript" can be installed normally via snapcraft as snap and it can be launched but its window (using Python and Qt5) does not appear. However if you manually give the snap the permission to use the "network-manager" connection, the window appears during start as expected but it simply does not work without it... at least as long as I use Ubuntu 20.04 LTS or 21.04.
I've not tried other Ubuntu derivates but it is very weird since this behavior does not exist on Manjaro KDE even though I thought snaps should perform best on Ubuntu? ^^'
I double-checked by the way that Manjaro does not just open the connection "network-manager" automatically during installation or something. The snap just does not need it, like it should be.
Another thing about this, why I'm saying "a very weird aspect of snaps": It does appear in other snap applications using Qt5 as well. For example in the Qt version of GNU Jami. That's how I encountered the work-around with enabling the "network-manager" connection: https:/
So maybe someone can help with this because I don't like recommending users to set a permission which needs them signing in extra. Also the application really shouldn't get a permission it does not need to have anyway.
Maybe it's not even an issue with snapd but I don't know what could be the cause otherwise. So send me a link to track the solution for this issue please, if you have any more information.
Thanks.
Hi Tobias, thank you for getting in touch! I just tried installing the manuskript snap, and verified that indeed it does not start. After a few seconds it prints this line:
Qt: Session management error: Could not open network socket
I'm not sure where this error comes from; I suspected that it could be coming from the QSessionManager class, but a quick grep in manuskript source code did not find anything (though maybe it's being used by some of manuskript's dependencies?).
A useful tool to debug such cases is `snappy-debug`: you just start it with the -f flag, and then start the application you want to debug:
snappy-debug -f
This will start monitoring the system log for error messages, and print out some information that might be useful to fix the issue. In our case, it prints:
=================== "/snap/ core/11993/ usr/lib/ snapd/snap- confine" pid=16204 comm="snap-confine" capability=4 capname="fsetid"
= AppArmor =
Time: Dec 14 09:50:27
Log: apparmor="DENIED" operation="capable" profile=
Capability: fsetid
Suggestions:
* adjust program to not require 'CAP_FSETID' (see 'man 7 capabilities')
* add one of 'account-control' to 'plugs'
* do nothing if program otherwise works properly
= AppArmor = "snap.manuskrip t.manuskript" name="/ proc/16204/ mounts" pid=16204 comm="python3" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000 /@{pid} /mounts'
Time: Dec 14 09:50:56
Log: apparmor="DENIED" operation="open" profile=
File: /proc/16204/mounts (read)
Suggestions:
* adjust program to not access '@{PROC}
* add one of 'mount-observe, network-control' to 'plugs'
= Seccomp = manuskript/ 467/usr/ bin/python3. 6" sig=0 arch=c000003e 41(socket) compat=0 ip=0x7efe6992dd57 code=0x50000 KOBJECT_ UEVENT) {FIREWALL, IP6_FW, NETFILTER, NF_LOG, ROUTE}) {GENERIC, KOBJECT_ UEVENT} ) BRIDGE, INET,INET6, IPX,PACKET, PPPOX,SNA} , NETLINK_ {DNRTMSG, FIB_LOOKUP, GENERIC, INET_DIAG, ISCSI,KOBJECT_ UEVENT, RDMA,ROUTE, XFRM}) {GENERIC, INET_DIAG, KOBJECT_ UEVENT, ROUTE}) KOBJECT_ UEVENT) KOBJECT_ UEVENT) KOBJECT_ UEVENT) KOBJECT_ UEVENT)
Time: Dec 14 09:50:58
Log: auid=1000 uid=1000 gid=1000 ses=3 pid=16204 comm="python3" exe="/snap/
Syscall: socket
Suggestions:
* add account-control (if using NETLINK_AUDIT)
* add audio-playback (if using NETLINK_
* add bluetooth-control (if using AF_{ALG,BLUETOOTH})
* add firewall-control (if using NETLINK_
* add hardware-observe (if using NETLINK_
* add netlink-audit (if using NETLINK_AUDIT)
* add netlink-connector (if using NETLINK_CONNECTOR)
* add network (if using AF_INET{,6}, AF_CONN, NETLINK_ROUTE)
* add network-bind (if using AF_INET{,6}, NETLINK_ROUTE)
* add network-control (if using AF_{APPLETALK,
* add network-observe (if using SOCK_RAW, AF_INET{,6}), NETLINK_
* add raw-usb (if using NETLINK_
* add time-control (if using NETLINK_AUDIT)
* add unity7 (if using NETLINK_
* add upower-observe (if using NETLINK_
* add x11 (if using NETLINK_
= AppArmor = "dbus_method_ call" bus="system" path="/ org/freedesktop /NetworkManager " interface= "org.freedeskto p.DBus. Properties" member="GetAll" mask="send" name="org. freedesktop. NetworkManager" pid=16204 label=" snap.manuskript .manuskript" peer_pid=3317 peer_label= "unconfin. ..
Time: Dec 14 09:50:58
Log: apparmor="DENIED" operation=