Snap chromium - apparmor pulseAudio (and other) error messages (20.04)

Bug #1865282 reported by Richard Baka on 2020-02-29
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
AppArmor Profiles
Undecided
Unassigned
snapd
High
Unassigned
snapd (Ubuntu)
High
Unassigned

Bug Description

My chromium browser what was installed by snap is constantly causing this system error message:

[ 3754.402424] audit: type=1400 audit(1582978393.441:96): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/etc/pulse/client.conf.d/" pid=6082 comm="chrome" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

Comment: This is a fresh chromium installation and I've never manually modified the pulseaudio interface however my pulseaudio configuration is custom because of the bad default sound quality.

snap connections chromium
Interface Plug Slot Notes
audio-playback chromium:audio-playback :audio-playback -
audio-record chromium:audio-record - -
browser-support chromium:browser-sandbox :browser-support -
camera chromium:camera :camera -
content[gtk-3-themes] chromium:gtk-3-themes gtk-common-themes:gtk-3-themes -
content[icon-themes] chromium:icon-themes gtk-common-themes:icon-themes -
content[sound-themes] chromium:sound-themes gtk-common-themes:sound-themes -
cups-control chromium:cups-control :cups-control -
desktop chromium:desktop :desktop -
gsettings chromium:gsettings :gsettings -
home chromium:home :home manual
joystick chromium:joystick :joystick -
mount-observe chromium:mount-observe - -
mpris - chromium:mpris -
network chromium:network :network -
network-bind chromium:network-bind :network-bind -
network-manager chromium:network-manager - -
opengl chromium:opengl :opengl -
password-manager-service chromium:password-manager-service :password-manager-service manual
personal-files chromium:chromium-config - -
pulseaudio chromium:pulseaudio - -
raw-usb chromium:raw-usb - -
removable-media chromium:removable-media - -
screen-inhibit-control chromium:screen-inhibit-control :screen-inhibit-control -
u2f-devices chromium:u2f-devices :u2f-devices -
unity7 chromium:unity7 :unity7 -
upower-observe chromium:upower-observe :upower-observe -
x11 chromium:x11 :x11 -

Richard Baka (bakarichard91) wrote :
affects: linux (Ubuntu) → snapd (Ubuntu)
description: updated
Richard Baka (bakarichard91) wrote :

Messages I got after I had started browsing my computer to download the png attachment:

type=1400 audit(1582979599.967:146): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/run/mount/utab" pid=2504 comm="chrome" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

type=1400 audit(1582979590.211:134): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/home/myname/.node_repl_history" pid=2504 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

type=1400 audit(1582979590.211:133): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/home/myname/.viminfo" pid=2504 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

type=1400 audit(1582979590.211:132): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/home/myname/.xsession-errors" pid=2504 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

type=1400 audit(1582979590.211:131): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/home/myname/.gtkrc-2.0" pid=2504 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/home/myname/.dmrc" pid=2504 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

type=1400 audit(1582979590.211:129): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/home/myname/.face" pid=2504 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

type=1400 audit(1582979590.211:128): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/home/myname/.bashrc" pid=2504 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

type=1400 audit(1582979590.211:127): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/home/myname/.profile" pid=2504 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

type=1400 audit(1582979590.211:125): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/home/myname/.bash_logout" pid=2504 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

type=1400 audit(1582979562.723:124): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/home/myname/.xsession-errors" pid=2504 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

Richard Baka (bakarichard91) wrote :

*upload

Changed in snapd:
status: New → Triaged
assignee: nobody → Jamie Strandboge (jdstrand)
Jalon Funk (francescohickle15) wrote :

IIRC for /etc/pulse/client.conf.d/ you need to connect pulseaudio interface

The spam of denials after you open file dialog is inevitable in snap, you may ignore it.

Jamie Strandboge (jdstrand) wrote :

pulseaudio is deprecated now in favor of audio-playback, but audio-playback has:

  /etc/pulse/* r,

and pulseaudio has:

  /etc/pulse/** r,

We need to adjust the audio-playback interface to have '**'. I'll be doing this in my next batch of policy updates (likely next week).

Richard Baka (bakarichard91) wrote :

Jalon Funk (francescohickle15) that is a correct temporary workaround.

Jamie Strandboge (jdstrand) thanks for your help. BTW please check the other error messages in my first comment too. Those are displayed if the file browsing dialog is opened from the web-browser (fe.: by a file upload).

summary: - Snap chromium - apparmor pulseAudio error message (20.04)
+ Snap chromium - apparmor pulseAudio (and other) error messages (20.04)
Jalon Funk (francescohickle15) wrote :

As I said file dialog denials are unsolvable unless snap adopts xdg-desktop-portal but afaik chromium doesn't support it anyway. When you open file dialog it will iterate over files in current dir and most of them shouldn't be allowed but they also can't be explicitly denied.

Richard Baka (bakarichard91) wrote :

Jalon Funk (francescohickle15) sorry I haven't read well your second sentence. I understand it now.

Changed in snapd:
assignee: Jamie Strandboge (jdstrand) → nobody
status: Triaged → Fix Committed
Changed in apparmor-profiles:
status: New → Invalid
Changed in snapd:
importance: Undecided → High
Changed in snapd (Ubuntu):
status: New → Triaged
status: Triaged → In Progress
importance: Undecided → High
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers