application can't open a window without network-manager connection

Bug #1954711 reported by Tobias Frisch
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| snapd (Ubuntu) | Incomplete | Undecided | Unassigned | |

Bug Description

I've been maintaining the snap package for some weeks now and I encountered a very weird aspect of snaps:

The application "manuskript" can be installed normally via snapcraft as a snap and it can be launched, but its window (using Python and Qt5) does not appear. However, if you manually give the snap the permission to use the "network-manager" connection, the window appears during start as expected, but it simply does not work without it... at least as long as I use Ubuntu 20.04 LTS or 21.04.

I've not tried other Ubuntu derivatives, but it is very weird since this behavior does not exist on Manjaro KDE even though I thought snaps should perform best on Ubuntu? ^^'

I double-checked by the way that Manjaro does not just open the connection "network-manager" automatically during installation or something. The snap just does not need it, like it should be.

Another thing about this, why I'm saying "a very weird aspect of snaps": It does appear in other snap applications using Qt5 as well. For example in the Qt version of GNU Jami. That's how I encountered the work-around with enabling the "network-manager" connection: https://forum.snapcraft.io/t/request-for-auto-connection-of-jami-network-manager/22833/17

So maybe someone can help with this because I don't like recommending users to set a permission which needs them signing in extra. Also the application really shouldn't get a permission it does not need to have anyway.

Maybe it's not even an issue with snapd but I don't know what could be the cause otherwise. So send me a link to track the solution for this issue please, if you have any more information.
Thanks.

Alberto Mardegan (mardy) wrote:

Hi Tobias, thank you for getting in touch! I just tried installing the manuskript snap, and verified that indeed it does not start. After a few seconds it prints this line:

    Qt: Session management error: Could not open network socket

I'm not sure where this error comes from; I suspected that it could be coming from the QSessionManager class, but a quick grep in manuskript source code did not find anything (though maybe it's being used by some of manuskript's dependencies?).

A useful tool to debug such cases is `snappy-debug`: you just start it with the `-f` flag, and then start the application you want to debug:

    snappy-debug -f

This will start monitoring the system log for error messages, and print out some information that might be useful to fix the issue. In our case, it prints:

    ===================
    = AppArmor =
    Time: Dec 14 09:50:27
    Log: apparmor="DENIED" operation="capable" profile="/snap/core/11993/usr/lib/snapd/snap-confine" pid=16204 comm="snap-confine" capability=4 capname="fsetid"
    Capability: fsetid
    Suggestions:
    * adjust program to not require 'CAP_FSETID' (see 'man 7 capabilities')
    * add one of 'account-control' to 'plugs'
    * do nothing if program otherwise works properly

    = AppArmor =
    Time: Dec 14 09:50:56
    Log: apparmor="DENIED" operation="open" profile="snap.manuskript.manuskript" name="/proc/16204/mounts" pid=16204 comm="python3" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
    File: /proc/16204/mounts (read)
    Suggestions:
    * adjust program to not access '@{PROC}/@{pid}/mounts'
    * add one of 'mount-observe, network-control' to 'plugs'

    = Seccomp =
    Time: Dec 14 09:50:58
    Log: auid=1000 uid=1000 gid=1000 ses=3 pid=16204 comm="python3" exe="/snap/manuskript/467/usr/bin/python3.6" sig=0 arch=c000003e 41(socket) compat=0 ip=0x7efe6992dd57 code=0x50000
    Syscall: socket
    Suggestions:
    * add account-control (if using NETLINK_AUDIT)
    * add audio-playback (if using NETLINK_KOBJECT_UEVENT)
    * add bluetooth-control (if using AF_{ALG,BLUETOOTH})
    * add firewall-control (if using NETLINK_{FIREWALL,IP6_FW,NETFILTER,NF_LOG,ROUTE})
    * add hardware-observe (if using NETLINK_{GENERIC,KOBJECT_UEVENT})
    * add netlink-audit (if using NETLINK_AUDIT)
    * add netlink-connector (if using NETLINK_CONNECTOR)
    * add network (if using AF_INET{,6}, AF_CONN, NETLINK_ROUTE)
    * add network-bind (if using AF_INET{,6}, NETLINK_ROUTE)
    * add network-control (if using AF_{APPLETALK,BRIDGE,INET,INET6,IPX,PACKET,PPPOX,SNA}, NETLINK_{DNRTMSG,FIB_LOOKUP,GENERIC,INET_DIAG,ISCSI,KOBJECT_UEVENT,RDMA,ROUTE,XFRM})
    * add network-observe (if using SOCK_RAW, AF_INET{,6}), NETLINK_{GENERIC,INET_DIAG,KOBJECT_UEVENT,ROUTE})
    * add raw-usb (if using NETLINK_KOBJECT_UEVENT)
    * add time-control (if using NETLINK_AUDIT)
    * add unity7 (if using NETLINK_KOBJECT_UEVENT)
    * add upower-observe (if using NETLINK_KOBJECT_UEVENT)
    * add x11 (if using NETLINK_KOBJECT_UEVENT)

    = AppArmor =
    Time: Dec 14 09:50:58
    Log: apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/NetworkManager" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name="org.freedesktop.NetworkManager" pid=16204 label="snap.manuskript.manuskript" peer_pid=3317 peer_label="unconfin...


Changed in snapd (Ubuntu):
status: New → Incomplete
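
An added example, not part of the bug report or of snapd's tooling: a small Python parser for the AppArmor `Log:` lines in the `snappy-debug` output above, grouping the denials by the confined profile that triggered them. The function names are hypothetical; the sample lines are copied from the page, including the last one, which is cut off there and is flagged as truncated rather than completed.

```python
import re
from collections import defaultdict

# AppArmor "Log:" lines copied from the snappy-debug output on this page.
# The third line is cut off on the page and is kept cut off here.
SAMPLE_LINES = [
    'apparmor="DENIED" operation="capable" profile="/snap/core/11993/usr/lib/snapd/snap-confine" pid=16204 comm="snap-confine" capability=4 capname="fsetid"',
    'apparmor="DENIED" operation="open" profile="snap.manuskript.manuskript" name="/proc/16204/mounts" pid=16204 comm="python3" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000',
    'apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/NetworkManager" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name="org.freedesktop.NetworkManager" pid=16204 label="snap.manuskript.manuskript" peer_pid=3317 peer_label="unconfin...',
]

# key=value, where the value is either fully quoted or a run of non-spaces.
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_denial(line):
    """Return the key=value fields of one AppArmor audit line as a dict."""
    fields = {}
    for key, raw in FIELD.findall(line):
        if raw.startswith('"') and not (len(raw) > 1 and raw.endswith('"')):
            # Opening quote with no closing quote: the log line was cut off.
            fields[key] = raw[1:]
            fields.setdefault("_truncated", []).append(key)
        else:
            fields[key] = raw.strip('"')
    return fields

def summarize(lines):
    """Group DENIED events by the confined profile (or D-Bus label)."""
    by_profile = defaultdict(list)
    for line in lines:
        f = parse_denial(line)
        if f.get("apparmor") != "DENIED":
            continue
        # File and capability denials carry profile=; D-Bus denials carry label=.
        who = f.get("profile") or f.get("label", "?")
        op = f.get("operation", "")
        if op.startswith("dbus"):
            what = f"dbus {f.get('bus')} {f.get('name')} {f.get('interface')}.{f.get('member')}"
        elif op == "capable":
            what = f"capability {f.get('capname')}"
        else:
            what = f"{op} {f.get('name')} ({f.get('denied_mask')})"
        by_profile[who].append((what, bool(f.get("_truncated"))))
    return dict(by_profile)

if __name__ == "__main__":
    for profile, events in summarize(SAMPLE_LINES).items():
        print(profile)
        for what, truncated in events:
            print("   ", what, "(line truncated)" if truncated else "")
```

Grouping this way separates the `snap-confine` capability denial from the two denials raised under the application's own `snap.manuskript.manuskript` profile.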