[snap] latest/candidate/hwacc channel causes lots of AppArmor noise

Bug #2000175 reported by Simon Déziel
Affects: chromium-browser (Ubuntu) | Status: Confirmed | Importance: Low | Assigned to: Unassigned | Milestone: none

Bug Description

# Issue description

After installing chromium with hwacc (snap refresh chromium --channel latest/candidate/hwacc) I notice a lot of these new messages in dmesg:

Dec 20 13:38:13 sdeziel-lemur kernel: audit: type=1400 audit(1671561493.126:3297): apparmor="DENIED" operation="mknod" profile="snap.chromium.chromium" name="/etc/igfx_user_feature.txt" pid=515408 comm="chrome" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Dec 20 13:38:13 sdeziel-lemur kernel: audit: type=1400 audit(1671561493.126:3298): apparmor="DENIED" operation="mknod" profile="snap.chromium.chromium" name="/etc/igfx_user_feature_next.txt" pid=515408 comm="chrome" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

Those 2 files do not exist in the host's filesystem:

$ ls /etc/igfx_user_feature.txt /etc/igfx_user_feature_next.txt
ls: cannot access '/etc/igfx_user_feature.txt': No such file or directory
ls: cannot access '/etc/igfx_user_feature_next.txt': No such file or directory

# Additional information
$ uname -a
Linux sdeziel-lemur 5.15.0-56-generic #62-Ubuntu SMP Tue Nov 22 19:54:14 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

$ lsb_release -rd
Description: Ubuntu 22.04.1 LTS
Release: 22.04

$ snap list chromium core20 snapd
Name Version Rev Tracking Publisher Notes
chromium 107.0.5304.121-hwacc 2224 latest/candidate/… canonical✓ -
core20 20221123 1738 latest/stable canonical✓ base
snapd 2.57.6 17883 latest/stable canonical✓ snapd
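
The denials quoted above are easiest to triage when the audit lines are parsed into fields and aggregated by profile, operation and path, so repeated mknod attempts on the same file collapse into one count and a "create/write under a system directory" case stands out from harmless read denials. The following parser is an added example, not part of this bug report or of the chromium snap; the first two sample lines are the reporter's lines from above, the remaining two are constructed (one repeat, one ALLOWED record as AppArmor emits in complain mode) to exercise the aggregation.

```python
import re
from collections import Counter
from typing import Dict, Optional

# Sample kernel log. Lines 1-2 are copied from the bug report above; lines 3-4
# are constructed here (a repeat of the first denial, and an ALLOWED record of
# the kind AppArmor logs for a profile in complain mode) to exercise the code.
SAMPLE_LOG = """\
Dec 20 13:38:13 sdeziel-lemur kernel: audit: type=1400 audit(1671561493.126:3297): apparmor="DENIED" operation="mknod" profile="snap.chromium.chromium" name="/etc/igfx_user_feature.txt" pid=515408 comm="chrome" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Dec 20 13:38:13 sdeziel-lemur kernel: audit: type=1400 audit(1671561493.126:3298): apparmor="DENIED" operation="mknod" profile="snap.chromium.chromium" name="/etc/igfx_user_feature_next.txt" pid=515408 comm="chrome" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Dec 20 13:38:14 sdeziel-lemur kernel: audit: type=1400 audit(1671561494.001:3299): apparmor="DENIED" operation="mknod" profile="snap.chromium.chromium" name="/etc/igfx_user_feature.txt" pid=515408 comm="chrome" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Dec 20 13:38:20 sdeziel-lemur kernel: audit: type=1400 audit(1671561500.500:3300): apparmor="ALLOWED" operation="open" profile="snap.chromium.chromium" name="/home/user/snap/chromium/common/x" pid=515408 comm="chrome" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
"""

# key=value pairs; values are either double-quoted or a bare token.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# AppArmor file-permission letters that imply modification of the target.
WRITE_MASK_CHARS = set("wacdk")

# Directories where a confined snap app creating files is worth attention.
SYSTEM_PREFIXES = ("/etc/", "/usr/", "/bin/", "/sbin/", "/lib/", "/boot/")


def parse_apparmor_line(line: str) -> Optional[Dict[str, str]]:
    """Return the key=value fields of an AppArmor audit line, or None if the
    line is not an AppArmor record."""
    if "apparmor=" not in line:
        return None
    fields: Dict[str, str] = {}
    for m in FIELD_RE.finditer(line):
        key, quoted, bare = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else bare
    return fields


def writes_to_system_path(ev: Dict[str, str]) -> bool:
    """True when the denied mask includes a write/create permission and the
    target path lies under a system directory (e.g. mknod with mask "c" on
    /etc/igfx_user_feature.txt as in this report)."""
    mask = set(ev.get("denied_mask", ""))
    name = ev.get("name", "")
    return bool(mask & WRITE_MASK_CHARS) and name.startswith(SYSTEM_PREFIXES)


def summarize_denials(log_text: str) -> Counter:
    """Count DENIED records keyed by (profile, operation, path, denied_mask).
    ALLOWED records (complain mode) are skipped so they do not inflate counts."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        ev = parse_apparmor_line(line)
        if not ev or ev.get("apparmor") != "DENIED":
            continue
        key = (ev.get("profile"), ev.get("operation"),
               ev.get("name"), ev.get("denied_mask"))
        counts[key] += 1
    return counts


def render_report(log_text: str) -> str:
    """Human-readable summary, one line per distinct denial, flagged when the
    denial is a write/create under a system directory."""
    lines = []
    for (profile, op, name, mask), n in sorted(summarize_denials(log_text).items()):
        flag = " [create/write in system dir]" if writes_to_system_path(
            {"denied_mask": mask or "", "name": name or ""}) else ""
        lines.append(f"{n:4d}  {profile}  {op}  {name}  mask={mask}{flag}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Typical use: journalctl -k | python3 this_script.py  (read stdin instead
    # of SAMPLE_LOG); here the embedded sample is summarized.
    print(render_report(SAMPLE_LOG))
```

The mask letter "c" is AppArmor's create permission, which matches the comments below: the driver calls mknod() to create a regular file rather than a device node, and the snap's profile has no rule granting creation under /etc/. Grouping by path also makes clear that the noise is only two distinct denials repeated, not a broader confinement problem.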

Nathan Teodosio (nteodosio) wrote :

Thanks for the report.

For the record, I also don't have those igfx files, but I cannot reproduce the bug.

% uname -a
Linux canonical 5.19.0-18-generic #18-Ubuntu SMP PREEMPT_DYNAMIC Wed Sep 21 15:44:03 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

% snap list chromium_hwcand core20 snapd
Name Version Rev Tracking Publisher Notes
chromium_hwcand 108.0.5359.124 2254 latest/candidate/… canonical✓ -
core20 20221212 1778 latest/stable canonical✓ base
snapd 2.58 17950 latest/beta canonical✓ snapd

Changed in chromium-browser (Ubuntu):
importance: Undecided → Low
Bram Stolk (b-stolk) wrote (last edit):

I confirm that I see the same.

I will try a non-hwacc build to see if this is specific to hwacc.

NOTE: It wants to create that file.
It uses mknod() but to create a normal file, not a special file.

On systems that have this file, it wants to open it for reading.

We should find out what is going on here.

RELATED: https://github.com/intel/media-driver/issues/185

Nathan Teodosio (nteodosio) wrote :

Setting to confirmed as per Bram's confirmation.

Changed in chromium-browser (Ubuntu):
status: New → Confirmed
tags: added: hwacc snap
tags: added: kivu
removed: hwacc
Bram Stolk (b-stolk) wrote :

I've traced it down to the Intel Media Driver's profiling:

https://github.com/intel/media-driver/tree/master/Tools/MediaDriverTools/UMDPerfProfiler

UMD Performance Profiler

(I am pretty sure that here, UMD stands for User Mode Driver.)

I will try to find a way to disable the profiling altogether, or at the very least make sure the media driver does not try to create these files in the `/etc/` directory.

It could possibly be a build flag we should toggle.

Bram Stolk (b-stolk) wrote :

Just logging this here: I tried solving this with the `GFX_FEATURE_FILE` environment variable:

`GFX_FEATURE_FILE=$SNAP_USER_COMMON/igfx_user_feature.txt`

But unfortunately that did not prevent the media driver from using `/etc/`.

I think the file name override gets taken out by the precompiler.

Changed in chromium-browser (Ubuntu):
status: Confirmed → In Progress
assignee: nobody → Bram Stolk (b-stolk)
Bram Stolk (b-stolk) wrote :

I have made a Pull Request for upstream.

https://github.com/intel/media-driver/pull/1588

Once this is merged and released, we should pick this up in our snap build.
By setting GFX_FEATURE_FILE and GFX_FEATURE_FILE_NEXT we can then prevent access to the /etc/ directory.

Changed in chromium-browser (Ubuntu):
status: In Progress → Confirmed
tags: added: log-noise
Changed in chromium-browser (Ubuntu):
assignee: Bram Stolk (b-stolk) → nobody