[snap] chromium generates a lot of Apparmor noise

Bug #1828275 reported by Simon Déziel
This bug affects 6 people
Affects: snapd (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Jamie Strandboge
Milestone: (none)

Bug Description

Running Chromium's snap results in a lot of AppArmor noise like this:

audit: type=1400 audit(0): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/run/mount/utab" pid=0 comm="chrome" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(0): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/run/udev/data/b230:0" pid=0 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

The above and the attached log were collected with:

journalctl -o cat -k | grep -F ' apparmor="DENIED" ' | grep -F snap.chromium.chromium | sed 's/ audit([0-9.:]\+): / audit(0): /; s/ pid=[0-9]\+ / pid=0 /' | sort

Additional information:

$ snap info chromium
name: chromium
summary: Chromium web browser, open-source version of Chrome
publisher: Canonical✓
contact: https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bugs?field.tag=snap
license: unset
description: |
  An open-source browser project that aims to build a safer, faster, and more stable way for all
  Internet users to experience the web.
commands:
  - chromium.chromedriver
  - chromium
snap-id: XKEcBqPM06H1Z7zGOdG5fbICuf8NWK5R
tracking: edge
refresh-date: 11 days ago, at 12:08 EDT
channels:
  stable: 74.0.3729.131 2019-05-02 (705) 162MB -
  candidate: 74.0.3729.131 2019-05-01 (705) 162MB -
  beta: 74.0.3729.61 2019-04-06 (688) 162MB -
  edge: 75.0.3770.9 2019-04-27 (703) 163MB -
installed: 75.0.3770.9 (703) 163MB -

$ snap interfaces chromium
Slot Plug
:browser-support chromium:browser-sandbox
:camera chromium
:desktop chromium
:gsettings chromium
:home chromium
:network chromium
:network-bind chromium
:opengl chromium
:personal-files chromium:chromium-config
:pulseaudio chromium
:screen-inhibit-control chromium
:u2f-devices chromium
:unity7 chromium
:upower-observe chromium
:x11 chromium
gtk-common-themes:gtk-3-themes chromium
gtk-common-themes:icon-themes chromium
gtk-common-themes:sound-themes chromium
- chromium:cups-control
- chromium:mount-observe
- chromium:network-manager
- chromium:password-manager-service
- chromium:removable-media

$ apt-cache policy snapd
snapd:
  Installed: 2.38+18.04
  Candidate: 2.38+18.04
  Version table:
 *** 2.38+18.04 500
        500 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     2.37.4+18.04.1 500
        500 http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages
     2.32.5+18.04 500
        500 http://archive.ubuntu.com/ubuntu bionic/main amd64 Packages

$ lsb_release -rd
Description: Ubuntu 18.04.2 LTS
Release: 18.04

Simon Déziel (sdeziel) wrote :

Jamie Strandboge (jdstrand) wrote :

You can 'sudo snap connect chromium:mount-observe' for /etc/fstab. /run/mount/utab is more complicated and you can read about it here: https://forum.snapcraft.io/t/namespace-awareness-of-run-mount-utab-and-libmount/5987

For the /run/udev/data accesses, can you paste the output of:

$ cat /run/udev/data/b230\:*

affects: chromium-browser (Ubuntu) → snapd (Ubuntu)
Changed in snapd (Ubuntu):
status: New → Incomplete
Simon Déziel (sdeziel) wrote :

Jamie Strandboge (jdstrand) wrote :

Thanks! FYI, for the udev accesses: https://github.com/snapcore/snapd/pull/7019

Changed in snapd (Ubuntu):
status: Incomplete → In Progress
assignee: nobody → Jamie Strandboge (jdstrand)
Simon Déziel (sdeziel) wrote :

Marking as fix-released as this went in snapd 2.40 according to https://github.com/snapcore/snapd/commit/1832205560164f725d7400ba0c09b40aa1ba365f

Thanks!

Changed in snapd (Ubuntu):
status: In Progress → Fix Released
dan the person (dantheperson) wrote :

Still happens to me on Ubuntu 20.04, snapd 2.44+20.04.

dan the person (dantheperson) wrote :

e.g.
[110737.448098] audit: type=1400 audit(1585797347.453:11057): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name=2F686F6D652F64616E69656C2F736E61702F6368726F6D69756D2F313035362F2E636F6E6669672F6368726F6D69756D2F44656661756C742F53796E6320446174612F53796E63446174612E73716C697465332D6A6F75726E616C pid=42006 comm="Chrome_SyncThre" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000

Hassan El Jacifi (waver) wrote :

Bug still present.

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 19.10
Release: 19.10
Codename: eoan

$ snap info chromium
name: chromium
summary: Chromium web browser, open-source version of Chrome
publisher: Canonical✓
store-url: https://snapcraft.io/chromium
contact: https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bugs?field.tag=snap
license: unset
description: |
  An open-source browser project that aims to build a safer, faster, and more stable way for all
  Internet users to experience the web.
commands:
  - chromium.chromedriver
  - chromium
snap-id: XKEcBqPM06H1Z7zGOdG5fbICuf8NWK5R
tracking: latest/stable
refresh-date: today at 04:17 CEST
channels:
  latest/stable: 80.0.3987.163 2020-04-05 (1077) 160MB -
  latest/candidate: 80.0.3987.163 2020-04-03 (1077) 160MB -
  latest/beta: 81.0.4044.83 2020-03-27 (1065) 161MB -
  latest/edge: 83.0.4100.3 2020-04-02 (1075) 163MB -
installed: 80.0.3987.163 (1077) 160MB -

$ journalctl -o cat -k | grep -F ' apparmor="DENIED" ' | grep -F snap.chromium.chromium | sed 's/ audit([0-9.:]\+): / audit(0): /; s/ pid=[0-9]\+ / pid=0 /' | sort | wc -l

59374

audit: type=1400 audit(0): apparmor="DENIED" operation="truncate" profile="snap.chromium.chromium" name="/home/user/snap/chromium/1071/.config/chromium/Default/History-journal" pid=0 comm="Chrome_HistoryT" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
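
Added example (not part of any comment in this report, and not snapd or Chromium code): a small triage script for denial logs like the ones quoted above. It decodes an unquoted, hex-encoded name= field of the kind seen in an earlier comment, and collapses records that differ only by snap revision or PID so that tens of thousands of lines reduce to a short list of distinct denials. The function names and the sample records are constructed for illustration.

```python
import re
from collections import Counter

# key=value pairs; a value is either "quoted" or a bare token.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX = re.compile(r'(?:[0-9A-Fa-f]{2})+')
# Path components that change per snap revision or per process.
VOLATILE = [(re.compile(r'(/snap/[^/]+/)\d+(?=/)'), r'\1REV'),
            (re.compile(r'^/proc/\d+(?=/)'), '/proc/PID')]

def parse_denial(line):
    # Returns the record's fields as a dict, or None if it is not a denial.
    if 'apparmor="DENIED"' not in line:
        return None
    fields = {}
    for key, quoted, bare in FIELD.findall(line):
        # The kernel audit code logs a string unquoted and hex-encoded when it
        # contains a space, a double quote, or a control or non-ASCII byte.
        if bare and key in ("name", "comm") and HEX.fullmatch(bare):
            bare = bytes.fromhex(bare).decode("utf-8", "replace")
        fields[key] = bare or quoted
    return fields

def normalize(path):
    for pattern, repl in VOLATILE:
        path = pattern.sub(repl, path)
    return path

def summarize(lines):
    # Count denials per (profile, operation, normalized path, denied_mask).
    counts = Counter()
    for f in filter(None, map(parse_denial, lines)):
        counts[(f.get("profile"), f.get("operation"),
                normalize(f.get("name", "")), f.get("denied_mask"))] += 1
    return counts

def sample_line(name, op="open", mask="r", profile="snap.chromium.chromium"):
    # Constructed record in the format quoted in this report.
    return (f'audit: type=1400 audit(0): apparmor="DENIED" operation="{op}" '
            f'profile="{profile}" name={name} pid=0 comm="chrome" '
            f'requested_mask="{mask}" denied_mask="{mask}" fsuid=1000 ouid=1000')

HISTORY = '"/home/user/snap/chromium/{}/.config/chromium/Default/History-journal"'
SAMPLE = [sample_line('"/run/mount/utab"'),
          sample_line(HISTORY.format(1071), "truncate", "w"),
          sample_line(HISTORY.format(1077), "truncate", "w"),
          sample_line("/home/user/Sync Data/x.db".encode().hex().upper(), mask="wc"),
          sample_line('"/proc/39286/mem"', profile="snap.chromium.chromedriver")]

if __name__ == "__main__":
    print(*summarize(SAMPLE).most_common(), sep="\n")
```

To run it over a real log, pass the lines of `journalctl -o cat -k` output to `summarize()` instead of `SAMPLE`.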

Carlos Fuentealba (carlosfuentealba) wrote :

Hello, I'm running Ubuntu on my Raspberry Pi 4 and the bug is still present.

root@ubuntu:~# cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=20.04
DISTRIB_CODENAME=focal
DISTRIB_DESCRIPTION="Ubuntu 20.04.2 LTS"
root@ubuntu:~# uname -a
Linux ubuntu 5.4.0-1035-raspi #38-Ubuntu SMP PREEMPT Tue Apr 20 21:37:03 UTC 2021 aarch64 aarch64 aarch64 GNU/Linux
root@ubuntu:~#

root@ubuntu:~# dpkg -l|grep snap
ii chromium-browser 1:85.0.4183.83-0ubuntu0.20.04.2 arm64 Transitional package - chromium-browser -> chromium snap
ii chromium-chromedriver 1:85.0.4183.83-0ubuntu0.20.04.2 arm64 Transitional package - chromium-chromedriver -> chromium snap
ii snapd 2.48.3+20.04 arm64 Daemon and tooling that enable snap packages

(rebooted recently)
root@ubuntu:~# journalctl -o cat -k | grep -F ' apparmor="DENIED" ' | grep -F snap.chromium.chromedriver | sed 's/ audit([0-9.:]\+): / audit(0): /; s/ pid=[0-9]\+ / pid=0 /' | sort | wc -l
179

[11580.833735] audit: type=1400 audit(1621450928.946:8103): apparmor="DENIED" operation="open" profile="snap.chromium.chromedriver" name="/proc/39286/mem" pid=39286 comm="5ac236c247044dc" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

Martin Büchler (mbm0811) wrote :

Ok, I am done with it, I'll have some work to do.... switching to google-chrome, bye.

vetler (vetler) wrote :

Experiencing this on
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 20.04.3 LTS
Release: 20.04
Codename: focal

Any fixes available?

vetler (vetler) wrote :

$ snap info chromium
name: chromium
summary: Chromium web browser, open-source version of Chrome
publisher: Canonical✓
store-url: https://snapcraft.io/chromium
contact: https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bugs?field.tag=snap
license: unset
description: |
  An open-source browser project that aims to build a safer, faster, and more
  stable way for all Internet users to experience the web.
commands:
  - chromium.chromedriver
  - chromium
snap-id: XKEcBqPM06H1Z7zGOdG5fbICuf8NWK5R
tracking: latest/stable
refresh-date: 22 days ago, at 22:36 CET
channels:
  latest/stable: 96.0.4664.110 2021-12-15 (1854) 155MB -
  latest/candidate: 96.0.4664.110 2021-12-14 (1854) 155MB -
  latest/beta: 97.0.4692.56 2021-12-16 (1856) 154MB -
  latest/edge: 98.0.4758.9 2021-12-17 (1860) 154MB -
installed: 96.0.4664.110 (1854) 155MB -
