Chromium Snap & KDE Plasma 6: AppArmor Profile Update Needed

Bug #2058840 reported by Gunter Ohrner
Affects: chromium-browser (Ubuntu)
Status: Fix Committed
Importance: Medium
Assigned to: Nathan Teodosio

Bug Description

Ubuntu 22.04 LTS Jammy x64

I hope this is the correct package to assign this request to:

In KDE Plasma 6, the Chromium snap can no longer access KDE Wallet to decrypt its password store.

This makes all stored passwords unavailable as soon as the system is upgraded from Plasma 5 to Plasma 6.

Chromium writes the following error messages to the console:

-----------------------------------------------------------------------------
[5362:5362:0324/103716.837413:ERROR:object_proxy.cc(576)] Failed to call method: org.kde.KWallet.isEnabled: object_path= /modules/kwalletd6: org.freedesktop.DBus.Error.AccessDenied: An AppArmor policy prevents this sender from sending this message to this recipient; type="method_call", sender=":1.113" (uid=1000 pid=5362 comm="/snap/chromium/2786/usr/lib/chromium-browser/chrom" label="snap.chromium.chromium (enforce)") interface="org.kde.KWallet" member="isEnabled" error name="(unset)" requested_reply="0" destination="org.kde.kwalletd6" (uid=1000 pid=2523 comm="/usr/bin/kwalletd6 --pam-login 13 14 " label="unconfined")
[5362:5362:0324/103716.837451:ERROR:kwallet_dbus.cc(112)] Error contacting kwalletd6 (isEnabled)
[5362:5362:0324/103716.838022:ERROR:object_proxy.cc(576)] Failed to call method: org.kde.KLauncher.start_service_by_desktop_name: object_path= /KLauncher: org.freedesktop.DBus.Error.ServiceUnknown: The name org.kde.klauncher was not provided by any .service files
[5362:5362:0324/103716.838042:ERROR:kwallet_dbus.cc(81)] Error contacting klauncher to start kwalletd6
[5362:5362:0324/103716.838264:ERROR:object_proxy.cc(576)] Failed to call method: org.kde.KWallet.close: object_path= /modules/kwalletd6: org.freedesktop.DBus.Error.AccessDenied: An AppArmor policy prevents this sender from sending this message to this recipient; type="method_call", sender=":1.113" (uid=1000 pid=5362 comm="/snap/chromium/2786/usr/lib/chromium-browser/chrom" label="snap.chromium.chromium (enforce)") interface="org.kde.KWallet" member="close" error name="(unset)" requested_reply="0" destination="org.kde.kwalletd6" (uid=1000 pid=2523 comm="/usr/bin/kwalletd6 --pam-login 13 14 " label="unconfined")
[5362:5362:0324/103716.838295:ERROR:kwallet_dbus.cc(503)] Error contacting kwalletd6 (close)
-----------------------------------------------------------------------------

Followed by hundreds of messages like the following:

-----------------------------------------------------------------------------
ERROR:login_database.cc(1046) Password decryption failed, encryption_result is 2
-----------------------------------------------------------------------------

It appears to work to "just" whitelist the new kwalletd module name in

/var/lib/snapd/apparmor/profiles/snap.chromium.chromium (and maybe /var/lib/snapd/apparmor/profiles/snap.chromium.chromedriver ?)

followed by

$ systemctl restart apparmor
$ systemctl restart snapd.apparmor
$ systemctl restart apparmor

(Not sure if both of these are necessary, and if so, in what order.)

and completely restart Chromium.

The new KWallet section looks as follows - I only added the ",6" to the patterns:

-----------------------------------------------------------------------------

# KWallet's client API is still in use in KDE/Plasma. It's DBus API relies upon
# member data for access to its 'folders' and 'entries' and it therefore does
# not allow for application isolation via AppArmor. For details, see:
# - https://cgit.kde.org/kdelibs.git/tree/kdeui/util/kwallet.h?h=v4.14.33
#
dbus (receive, send)
    bus=session
    path=/modules/kwalletd{,5,6}
    interface=org.freedesktop.DBus.*
    peer=(label=unconfined),

dbus (receive, send)
    bus=session
    path=/modules/kwalletd{,5,6}
    interface=org.kde.KWallet
    peer=(label=unconfined),

-----------------------------------------------------------------------------

I hope that at least this report may be found by other people running into the same trouble I just did...

Tags: jammy
Gunter Ohrner (gohrner)
description: updated
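
An added example (not part of the original report, and not snapd or Chromium code): it parses the D-Bus denial format quoted in the description and checks it against the `path=` alternation before and after the reporter's ",6" change. The function names and the trimmed sample line are constructed for illustration, and only non-nested brace alternations are handled.

```python
import re
from fnmatch import fnmatchcase
from itertools import product

# Constructed sample: one denial in the format quoted in the report, log prefix trimmed.
SAMPLE = (
    'Failed to call method: org.kde.KWallet.isEnabled: object_path= /modules/kwalletd6: '
    'org.freedesktop.DBus.Error.AccessDenied: An AppArmor policy prevents this sender '
    'from sending this message to this recipient; type="method_call", sender=":1.113" '
    '(uid=1000 pid=5362 comm="/snap/chromium/2786/usr/lib/chromium-browser/chrom" '
    'label="snap.chromium.chromium (enforce)") interface="org.kde.KWallet" '
    'member="isEnabled" error name="(unset)" requested_reply="0" '
    'destination="org.kde.kwalletd6" (uid=1000 pid=2523 '
    'comm="/usr/bin/kwalletd6 --pam-login 13 14 " label="unconfined")'
)

def parse_denial(line):
    """Return the fields of an AppArmor D-Bus denial, or None for any other line."""
    if "org.freedesktop.DBus.Error.AccessDenied" not in line:
        return None
    path = re.search(r"object_path=\s*(\S+?):", line)
    fields = dict(re.findall(r'\b(interface|member|destination)="([^"]*)"', line))
    labels = re.findall(r'\blabel="([^"]*)"', line)  # sender first, then peer
    if not path or len(labels) != 2 or "interface" not in fields:
        return None
    fields.update(path=path.group(1), sender_label=labels[0], peer_label=labels[1])
    return fields

def expand_braces(pattern):
    """Expand non-nested AppArmor alternations such as kwalletd{,5,6}."""
    parts = re.split(r"\{([^{}]*)\}", pattern)
    # Odd indexes hold alternation bodies, even indexes hold literal text.
    choices = [p.split(",") if i % 2 else [p] for i, p in enumerate(parts)]
    return {"".join(c) for c in product(*choices)}

def rule_allows(rule_path, rule_interface, denial):
    """Evaluate one 'dbus ... peer=(label=unconfined)' rule against a parsed denial.
    fnmatchcase stands in for AppArmor globbing, which is enough for interface names."""
    return (denial["path"] in expand_braces(rule_path)
            and fnmatchcase(denial["interface"], rule_interface)
            and denial["peer_label"] == "unconfined")

if __name__ == "__main__":
    d = parse_denial(SAMPLE)
    for rule_path in ("/modules/kwalletd{,5}", "/modules/kwalletd{,5,6}"):
        print(rule_path, "->", rule_allows(rule_path, "org.kde.KWallet", d))
```
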
Nathan Teodosio (nteodosio) wrote :

Hi Gunter, thanks for the report. From what I understand Plasma 6 is not (and will not be) available in Ubuntu 24.04, did you get it in by building it from source or by using some PPA? I ask because it would be nice to reproduce your observations before incorporating a fix.

Many thanks for raising this way before Plasma 6 is released to Ubuntu, this way we can assure this bug is gone by the time Plasma 6 becomes officially supported in Ubuntu.

Gunter Ohrner (gohrner) wrote :

> Many thanks for raising this way before Plasma 6 is released to Ubuntu, this way we can assure this bug is gone by the time Plasma 6 becomes officially supported in Ubuntu.

This was my intent. :)

I'm using KDE neon, which is an extension of Ubuntu 22.04 providing the most recent KDE applications.

* https://neon.kde.org/

Obviously, this comes with some breakage from time to time which I normally report against neon itself, but this time it looked more sensible to report it here against the Chromium snap.

A fix will already help all KDE neon users who use Chromium and use KDE wallet to store Chromium Password wallet's master password.

Changed in chromium-browser (Ubuntu):
importance: Undecided → Medium
status: New → Triaged
assignee: nobody → Nathan Teodosio (nteodosio)
Nathan Teodosio (nteodosio) wrote :

Opened merge request for Snapd: https://github.com/snapcore/snapd/pull/13757.

Ernest Lotter (ernestl) wrote :

Nathan, thanks for the snapd contribution, it is merged and will be available in snapd 2.63 that will be available in beta by Monday 15 April.

Changed in chromium-browser (Ubuntu):
status: Triaged → Fix Committed