[snap] apparmor denials on /sys/devices/virtual/dmi/id/sys_vendor and product_name

Bug #1862262 reported by Simon Déziel
This bug affects 1 person
Affects: chromium-browser (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

When starting chromium's snap, those messages are logged:

Feb 6 12:34:17 foo kernel: [106190.836260] audit: type=1400 audit(1581010457.097:1372): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/sys/devices/virtual/dmi/id/sys_vendor" pid=20044 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Feb 6 12:34:17 foo kernel: [106190.836401] audit: type=1400 audit(1581010457.097:1373): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/sys/devices/virtual/dmi/id/product_name" pid=20044 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Feb 6 12:34:17 foo chromium_chromium.desktop[20044]: [20191:20191:0206/123417.177438:ERROR:sandbox_linux.cc(374)] InitializeSandbox() called with multiple threads in process gpu-process.

Chromium seemingly behaves OK but possibly with reduced sandboxing?

Additional info:

$ snap info chromium
name: chromium
summary: Chromium web browser, open-source version of Chrome
publisher: Canonical✓
contact: https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bugs?field.tag=snap
license: unset
description: |
  An open-source browser project that aims to build a safer, faster, and more stable way for all
  Internet users to experience the web.
commands:
  - chromium.chromedriver
  - chromium
snap-id: XKEcBqPM06H1Z7zGOdG5fbICuf8NWK5R
tracking: stable
refresh-date: yesterday at 17:45 EST
channels:
  stable: 80.0.3987.87 2020-02-05 (1016) 160MB -
  candidate: 80.0.3987.87 2020-02-05 (1016) 160MB -
  beta: 80.0.3987.85 2020-02-04 (1014) 160MB -
  edge: 81.0.4040.5 2020-02-06 (1018) 161MB -
installed: 80.0.3987.87 (1016) 160MB -

$ uname -a
Linux simon-lemur 5.3.0-28-generic #30~18.04.1-Ubuntu SMP Fri Jan 17 06:14:09 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
$ lsb_release -rd
Description: Ubuntu 18.04.4 LTS
Release: 18.04

Tags: log-noise snap
walterav (walterav) wrote :

Also affected here, with a lot more messages from audit: type=1400 apparmor="DENIED" operation="mknod / open / unlink / truncate / dbus_method_call etc..."

[ 7817.510475] audit: type=1400 audit(1582191723.992:6264): apparmor="DENIED" operation="truncate" profile="snap.chromium.chromium" name="/home/username/snap/chromium/1026/.config/chromium/Default/Favicons-journal" pid=4639 comm="Chrome_HistoryT" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
[ 7825.615310] audit: type=1400 audit(1582191732.100:6278): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name=2F686F6D652F756174702F736E61702F6368726F6D69756D2F313032362F2E636F6E6669672F6368726F6D69756D2F44656661756C742F43757272656E742053657373696F6E pid=4639 comm="ThreadPoolForeg" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
[ 7827.273968] audit: type=1400 audit(1582191733.756:6281): apparmor="DENIED" operation="mknod" profile="snap.chromium.chromium" name="/home/username/snap/chromium/1026/.config/chromium/.org.chromium.Chromium.mrO80f" pid=4639 comm="ThreadPoolForeg" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
[ 8365.423097] audit: type=1400 audit(1582192271.910:7069): apparmor="DENIED" operation="unlink" profile="snap.chromium.chromium" name="/home/username/snap/chromium/1026/.config/chromium/SingletonLock" pid=4639 comm="chrome" requested_mask="d" denied_mask="d" fsuid=1000 ouid=1000
[ 8417.535810] audit: type=1107 audit(1582192324.023:7286): pid=1299 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/" interface="org.freedesktop.DBus.ObjectManager" member="GetManagedObjects" mask="send" name="org.bluez" pid=11273 label="snap.chromium.chromium"

$ snap list
Name Version Rev Tracking Publisher Notes
chromium 80.0.3987.116 1036 stable canonical✓ -

$ uname -a
Linux lacol 5.3.0-40-generic #32-Ubuntu SMP Fri Jan 31 20:24:34 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

$ lsb_release -rd
Description: Ubuntu 19.10
Release: 19.10
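
Added example, not part of the original report or of any commenter's post: a small parser that groups AppArmor denials like the ones above by profile, operation, path and mask, and decodes the hex-encoded `name=` form that audit uses when a path contains a space. The sample records are constructed for illustration; the `/home/user/...` path, PIDs and serial numbers are assumptions.

```python
import re
from collections import Counter

FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')   # key="value" or key=value
HEX = re.compile(r'(?:[0-9A-Fa-f]{2})+')

def parse_denial(line):
    """Return the fields of an AppArmor DENIED audit record, or None."""
    if 'apparmor="DENIED"' not in line:
        return None
    # type=1107 (userspace, e.g. D-Bus) records wrap their fields in msg='...'
    line = line.replace("msg='", "")
    fields = {}
    for key, raw, quoted in FIELD.findall(line):
        if raw.startswith('"'):
            fields[key] = quoted
        elif key == "name" and HEX.fullmatch(raw):
            # An unquoted name is hex: audit encodes strings containing
            # spaces, quotes or control bytes so the record stays parseable.
            fields[key] = bytes.fromhex(raw).decode("utf-8", "replace")
        else:
            fields[key] = raw
    return fields

def summarize(lines):
    """Count denials per (profile/label, operation, name, denied mask)."""
    counts = Counter()
    for d in filter(None, map(parse_denial, lines)):
        subject = d.get("profile") or d.get("label", "?")
        mask = d.get("denied_mask") or d.get("mask", "?")
        counts[(subject, d.get("operation"), d.get("name"), mask)] += 1
    return counts

# Constructed sample records, modelled on the log lines in this report.
SPACE_PATH = "/home/user/snap/chromium/1/.config/chromium/Default/Current Session"
K = 'kernel: audit: type=1400 audit(1581010457.097:1): apparmor="DENIED" profile="snap.chromium.chromium" '
SAMPLE = [
    K + 'operation="open" name="/sys/devices/virtual/dmi/id/sys_vendor" pid=100 denied_mask="r"',
    K + 'operation="open" name="/sys/devices/virtual/dmi/id/sys_vendor" pid=101 denied_mask="r"',
    K + 'operation="open" name=' + SPACE_PATH.encode().hex().upper() + ' pid=100 denied_mask="wc"',
    "audit: type=1107 audit(1582192324.023:2): pid=1 uid=103 msg='apparmor=\"DENIED\" "
    'operation="dbus_method_call" bus="system" mask="send" name="org.bluez" pid=100 '
    "label=\"snap.chromium.chromium\"'",
    "ERROR:sandbox_linux.cc(374)] InitializeSandbox() called with multiple threads",
]

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).most_common():
        print(n, *key)
```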

Simon Déziel (sdeziel)
tags: added: snap
Jalon Funk (francescohickle15) wrote :

The "denials on /sys/devices/virtual/dmi/id/sys_vendor and product_name" will be fixed in the next snapd release (2.43.4?): https://github.com/snapcore/snapd/commit/3ad3e7fbba13721eeaab8dd85a5640316b1c1606

The "ERROR:sandbox_linux.cc(374)] InitializeSandbox() called with multiple threads in process gpu-process." is a known chromium bug which results in a disabled gpu sandbox: https://bugs.chromium.org/p/chromium/issues/detail?id=264818

This isn't related to snap and the only fix for now is to set the MESA_GLSL_CACHE_DISABLE=true environment variable.

@walterav your issues seem unrelated to those. Please open a separate report.

Simon Déziel (sdeziel) wrote :

So this bug will be fixed when snapd's 2.43 SRU goes through. I appreciate the pointer for the gpu-process sandboxing problem and its workaround! Many thanks Jalon!

Simon Déziel (sdeziel) wrote :

I can confirm the denials on /sys/devices/virtual/dmi/id/sys_vendor and product_name are gone now, thanks!

$ snap list snapd
Name Version Rev Tracking Publisher Notes
snapd 2.57.4 17336 latest/stable canonical✓ snapd

Changed in chromium-browser (Ubuntu):
status: New → Fix Released
tags: added: log-noise