| 2024-03-24 11:19:23 |
Gunter Ohrner |
description |
I hope this is the correct package to assign this request to:
In KDE Plasma 6, the Chromium snap cannot longer access KDE Wallet to decrypt its password store.
This makes all stored passwords unavailable as soon as the system is upgraded from Plasma 5 to Plasma 6.
Chromium writes the following error messages to the console:
-----------------------------------------------------------------------------
[5362:5362:0324/103716.837413:ERROR:object_proxy.cc(576)] Failed to call method: org.kde.KWallet.isEnabled: object_path= /modules/kwalletd6: org.freedesktop.DBus.Error.AccessDenied: An AppArmor policy prevents this sender from sending this message to this recipient; type="method_call", sender=":1.113" (uid=1000 pid=5362 comm="/snap/chromium/2786/usr/lib/chromium-browser/chrom" label="snap.chromium.chromium (enforce)") interface="org.kde.KWallet" member="isEnabled" error name="(unset)" requested_reply="0" destination="org.kde.kwalletd6" (uid=1000 pid=2523 comm="/usr/bin/kwalletd6 --pam-login 13 14 " label="unconfined")
[5362:5362:0324/103716.837451:ERROR:kwallet_dbus.cc(112)] Error contacting kwalletd6 (isEnabled)
[5362:5362:0324/103716.838022:ERROR:object_proxy.cc(576)] Failed to call method: org.kde.KLauncher.start_service_by_desktop_name: object_path= /KLauncher: org.freedesktop.DBus.Error.ServiceUnknown: The name org.kde.klauncher was not provided by any .service files
[5362:5362:0324/103716.838042:ERROR:kwallet_dbus.cc(81)] Error contacting klauncher to start kwalletd6
[5362:5362:0324/103716.838264:ERROR:object_proxy.cc(576)] Failed to call method: org.kde.KWallet.close: object_path= /modules/kwalletd6: org.freedesktop.DBus.Error.AccessDenied: An AppArmor policy prevents this sender from sending this message to this recipient; type="method_call", sender=":1.113" (uid=1000 pid=5362 comm="/snap/chromium/2786/usr/lib/chromium-browser/chrom" label="snap.chromium.chromium (enforce)") interface="org.kde.KWallet" member="close" error name="(unset)" requested_reply="0" destination="org.kde.kwalletd6" (uid=1000 pid=2523 comm="/usr/bin/kwalletd6 --pam-login 13 14 " label="unconfined")
[5362:5362:0324/103716.838295:ERROR:kwallet_dbus.cc(503)] Error contacting kwalletd6 (close)
-----------------------------------------------------------------------------
Followed by hundreds of messages as the following:
-----------------------------------------------------------------------------
ERROR:login_database.cc(1046) Password decryption failed, encryption_result is 2
-----------------------------------------------------------------------------
It appears to work to "just" whitelist the new kwalletd module name in
/var/lib/snapd/apparmor/profiles/snap.chromium.chromium (and maybe /var/lib/snapd/apparmor/profiles/snap.chromium.chromedriver ?)
followed by
$ systemctl restart apparmor
$ systemctl restart snapd.apparmor
$ systemctl restart apparmor
(Not sure if both of these are necessary, and if so, in what order.)
and completely restart Chromium.
The new KWallet section looks as follows - I only added the ",6" to the patterns:
-----------------------------------------------------------------------------
# KWallet's client API is still in use in KDE/Plasma. It's DBus API relies upon
# member data for access to its 'folders' and 'entries' and it therefore does
# not allow for application isolation via AppArmor. For details, see:
# - https://cgit.kde.org/kdelibs.git/tree/kdeui/util/kwallet.h?h=v4.14.33
#
dbus (receive, send)
bus=session
path=/modules/kwalletd{,5,6}
interface=org.freedesktop.DBus.*
peer=(label=unconfined),
dbus (receive, send)
bus=session
path=/modules/kwalletd{,5,6}
interface=org.kde.KWallet
peer=(label=unconfined),
-----------------------------------------------------------------------------
I hope that at least this report may be found by other people running into the same trouble I just did... |
Ubuntu 22.04 LTS Jammy x64
I hope this is the correct package to assign this request to:
In KDE Plasma 6, the Chromium snap cannot longer access KDE Wallet to decrypt its password store.
This makes all stored passwords unavailable as soon as the system is upgraded from Plasma 5 to Plasma 6.
Chromium writes the following error messages to the console:
-----------------------------------------------------------------------------
[5362:5362:0324/103716.837413:ERROR:object_proxy.cc(576)] Failed to call method: org.kde.KWallet.isEnabled: object_path= /modules/kwalletd6: org.freedesktop.DBus.Error.AccessDenied: An AppArmor policy prevents this sender from sending this message to this recipient; type="method_call", sender=":1.113" (uid=1000 pid=5362 comm="/snap/chromium/2786/usr/lib/chromium-browser/chrom" label="snap.chromium.chromium (enforce)") interface="org.kde.KWallet" member="isEnabled" error name="(unset)" requested_reply="0" destination="org.kde.kwalletd6" (uid=1000 pid=2523 comm="/usr/bin/kwalletd6 --pam-login 13 14 " label="unconfined")
[5362:5362:0324/103716.837451:ERROR:kwallet_dbus.cc(112)] Error contacting kwalletd6 (isEnabled)
[5362:5362:0324/103716.838022:ERROR:object_proxy.cc(576)] Failed to call method: org.kde.KLauncher.start_service_by_desktop_name: object_path= /KLauncher: org.freedesktop.DBus.Error.ServiceUnknown: The name org.kde.klauncher was not provided by any .service files
[5362:5362:0324/103716.838042:ERROR:kwallet_dbus.cc(81)] Error contacting klauncher to start kwalletd6
[5362:5362:0324/103716.838264:ERROR:object_proxy.cc(576)] Failed to call method: org.kde.KWallet.close: object_path= /modules/kwalletd6: org.freedesktop.DBus.Error.AccessDenied: An AppArmor policy prevents this sender from sending this message to this recipient; type="method_call", sender=":1.113" (uid=1000 pid=5362 comm="/snap/chromium/2786/usr/lib/chromium-browser/chrom" label="snap.chromium.chromium (enforce)") interface="org.kde.KWallet" member="close" error name="(unset)" requested_reply="0" destination="org.kde.kwalletd6" (uid=1000 pid=2523 comm="/usr/bin/kwalletd6 --pam-login 13 14 " label="unconfined")
[5362:5362:0324/103716.838295:ERROR:kwallet_dbus.cc(503)] Error contacting kwalletd6 (close)
-----------------------------------------------------------------------------
Followed by hundreds of messages as the following:
-----------------------------------------------------------------------------
ERROR:login_database.cc(1046) Password decryption failed, encryption_result is 2
-----------------------------------------------------------------------------
It appears to work to "just" whitelist the new kwalletd module name in
/var/lib/snapd/apparmor/profiles/snap.chromium.chromium (and maybe /var/lib/snapd/apparmor/profiles/snap.chromium.chromedriver ?)
followed by
$ systemctl restart apparmor
$ systemctl restart snapd.apparmor
$ systemctl restart apparmor
(Not sure if both of these are necessary, and if so, in what order.)
and completely restart Chromium.
The new KWallet section looks as follows - I only added the ",6" to the patterns:
-----------------------------------------------------------------------------
# KWallet's client API is still in use in KDE/Plasma. It's DBus API relies upon
# member data for access to its 'folders' and 'entries' and it therefore does
# not allow for application isolation via AppArmor. For details, see:
# - https://cgit.kde.org/kdelibs.git/tree/kdeui/util/kwallet.h?h=v4.14.33
#
dbus (receive, send)
bus=session
path=/modules/kwalletd{,5,6}
interface=org.freedesktop.DBus.*
peer=(label=unconfined),
dbus (receive, send)
bus=session
path=/modules/kwalletd{,5,6}
interface=org.kde.KWallet
peer=(label=unconfined),
-----------------------------------------------------------------------------
I hope that at least this report may be found by other people running into the same trouble I just did... |
|
