chromium snap: apparmor messages

Bug #2028547 reported by Andreas Hasenack
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
chromium-browser (Ubuntu)
New
Undecided
Unassigned

Bug Description

chromium 116.0.5845.32-hwacc 2551 latest/edge/… canonical**

I'm getting a few apparmor DENIED messages with this snap on my lunar system:

a) about /var/lib
[68468.147326] audit: type=1400 audit(1690201352.140:586): apparmor="DENIED" operation="open" class="file" profile="snap-update-ns.chromium" name="/var/lib/" pid=38424 comm="5" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

b) about /etc/gnutls/config (which is a valid gnutls configuration file, just not shipped with the package, but users can create it, see [1]). I listed several messages because it's a different command in each

[68468.312147] audit: type=1400 audit(1690201352.304:589): apparmor="DENIED" operation="open" class="file" profile="snap.chromium.chromium" name="/etc/gnutls/config" pid=38507 comm="gio-querymodule" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[68468.312863] audit: type=1400 audit(1690201352.304:590): apparmor="DENIED" operation="open" class="file" profile="snap.chromium.chromium" name="/etc/gnutls/config" pid=38506 comm="gdk-pixbuf-quer" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[68468.487025] audit: type=1400 audit(1690201352.480:591): apparmor="DENIED" operation="open" class="file" profile="snap.chromium.chromium" name="/etc/gnutls/config" pid=38397 comm="chrome" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[68476.836329] audit: type=1400 audit(1690201360.828:608): apparmor="DENIED" operation="open" class="file" profile="snap.chromium.chromium" name="/etc/gnutls/config" pid=38801 comm="exe" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

c) /etc/vulkan/implicit_layer.d
[68469.077529] audit: type=1400 audit(1690201353.068:595): apparmor="DENIED" operation="open" class="file" profile="snap.chromium.chromium" name="/etc/vulkan/implicit_layer.d/" pid=38625 comm="chrome" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

1. https://ubuntu.com/server/docs/gnutls

Revision history for this message
Nathan Teodosio (nteodosio) wrote (last edit ):

Thanks for the report, Andreas.

Other than the error messages, is there any observable misbehavior? I suppose one of them would be not respecting the Gnutls global configuration.

You are using latest/edge/hwacc, correct?

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

> Other than the error messages, is there any observable misbehavior?

There is always something odd with browsers nowadays, specially with hardware acceleration. One day it works, the next one not so well, and life moves on :) Today it was behaving very weirdly with youtube, and I had to restart it a few times. I can't tell if these apparmor DENIED messages have anything to do with it, specially the "vulkan" one. I have no idea if I'm using that or not.

> I suppose one of them would be not respecting the Gnutls global configuration.

I'm not sure what chromium uses gnutls for. As far as I know, chromium uses an embedded libnss3, or maybe even wolfssl. I was surprised to see it reaching out to a system-wide gnutls config file. But whatever it uses gnutls for, the apparmor profile is preventing it from reading the system-wide configuration settings for it.

> You are using latest/edge/hwacc, correct?

Yes, I'm tracking latest/edge/hwacc.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.