All Snaps are denied the ability to use DBus for notifications and apptray indicators in KDE-based flavors

Screenshot

The thunderbird fallback notification bug is here, so this *might* be a dupe: https://bugs.launchpad.net/bugs/2056481

Status changed to 'Confirmed' because the bug affects multiple users.

the rejects here are all from the snap.element-desktop.element-desktop profile. We will need to dig into that profiles permissions. If its getting all the right paths correct then I suspect the peer_label match might be the issue.

> Log: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="ListActivatableNames" mask="send" name="org.freedesktop.DBus" pid=2950 label="snap.element-desktop.element-desktop" peer_label="unconfined"

This is provided by the system-observe interface in snapd - currently it looks like element-desktop does not plug this so the element-desktop snap needs to be updated to include this.

> Log: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/modules/kwalletd5" interface="org.kde.KWallet" member="isEnabled" mask="send" name="org.kde.kwalletd5" pid=2950 label="snap.element-desktop.element-desktop" peer_pid=1762 peer_label="unconfined"
> Log: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/modules/kwalletd5" interface="org.kde.KWallet" member="close" mask="send" name="org.kde.kwalletd5" pid=2950 label="snap.element-desktop.element-desktop" peer_pid=1762 peer_label="unconfined"

These are provided by the password-manager-service interface in snapd - again currently it looks like element-desktop does not plug this so the element-desktop snap needs to be updated to include this as well.

Finally, for the last two

> Log: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/StatusNotifierItem" interface="org.freedesktop.DBus.Properties" member="GetAll" name=":1.45" mask="receive" pid=2950 label="snap.element-desktop.element-desktop" peer_pid=2394 peer_label="plasmashell"
> Log: apparmor="DENIED" operation="dbus_signal" bus="session" path="/StatusNotifierItem" interface="org.kde.StatusNotifierItem" member="NewToolTip" mask="send" name="org.freedesktop.DBus" pid=2950 label="snap.element-desktop.element-desktop" peer_pid=2394 peer_label="plasmashell"

Yes this is due to the peer_label mismatch - previously plasmashell would run without an AppArmor profile and so was "unconfined" - the most recent apparmor release in Noble contains a new profile for plasmashell in /etc/apparmor.d/plasmashell with the label "plasmashell" - and so now the peer_label doesn't match.

This likely needs to be fixed on the snapd side (or we figure out a way in apparmor to not ship this profile).

the plasmashell profile is necessary for it to work under unprivileged user namespace restrictions.

So I installed kubuntu-desktop on an up-to-date noble VM and then after logging into the kubuntu session I was able to reproduce the issue for Notifications but I couldn't see anything owning the /StatusNotifierItem dbus path.

For notifications I submitted https://github.com/snapcore/snapd/pull/13737 to snapd which should resolve that but if anyone can help me reproduce the issue for the status notifier item that would be great. FWIW I have attached a screenshot of d-feet showing the various dbus paths owned by plasmashell and /StatusNotifierItem is not listed. Am I perhaps missing some other package that doesn't get pulled in by the standard kubuntu-desktop metapackage?

I assume you didn't install Kubuntu Noble on a VM due to a Calamares bug who's fix isn't managing to migrate out of -proposed. There's a fairly easy workaround for that issue (`vim /lib/x86_64-linux-gnu/calamares/modules/networkcfg/main.py`, search for "0o" via `/0o` and then change the `f` to `f.fileno()`, save and quit with `:wq` and then everything works), so you might try that. (It might also work to just install Calamares from noble-proposed while on the live ISO, then install.)

You can probably compare your list of installed packages with the list of packages in the latest Kubuntu Noble ISO's manifest (https://cdimage.ubuntu.com/kubuntu/daily-live/pending/noble-desktop-amd64.manifest) to see what you're missing, but if you have an additional DE installed alongside, a component of it could be interfering with reproducing the bug.

Yes I hit that exact issue in Calamares but after fixing it I then hit another similar crash in a different script in calamares - will see if I can reproduce and provide you with details.

The subsequent error is:

Main script file /usr/lib/x86_64-linux-gnu/calamares/modules/automirror/main.py for python job automirror raised an exception.

Is there any way I can debug this further?

Ah although it seems I can reboot the VM at this point and whilst Calamares appeared to run again again in the rebooted vm if I choose Install Calamares closes and I see the installed kubuntu environment - weird....

Anyway I think I will be able to use this to debug the original issue further - will continue and let you know what I find.

Ok whilst I still can't see the /StatusNotifierItem object listed via d-feet I can reproduce the denials when launching element-desktop so I have added some additional changes to the aforementioned PR which resolve these as well. With all the changes from that PR in place all of these mentioned denials are resolved.

Confirming that with snapd from edge (revision 21508), both the notifications and apptray denials are resolved for me.

I can also confirm that telegram and slack show up correctly in the system tray after updating snapd to revision 21508.

I can confirm that refresh snapd to edge channel resolved for me too rev 21649

Confirmed, switching to snapd in edge fixed the issue.

snapd from beta channel fixed the issue for me.