Apparmor Permission Denied (apparmor="DENIED")

Bug #1778332 reported by Clement Yuan
This bug affects 2 people
Affects: gnome-system-monitor (Ubuntu)
Status: Expired
Importance: Low
Assigned to: Unassigned
Milestone: (none)

Bug Description

I try to launch the system monitor but nothing shows up.

journalctl -f
Result:
Jun 23 19:04:24 laptop-hostname audit[8109]: AVC apparmor="DENIED" operation="capable" profile="snap-update-ns.gnome-system-monitor" pid=8109 comm="3" capability=6 capname="setgid"
Jun 23 19:04:24 laptop-hostname kernel: audit: type=1400 audit(1529751864.744:47): apparmor="DENIED" operation="capable" profile="snap-update-ns.gnome-system-monitor" pid=8109 comm="3" capability=6 capname="setgid"
Jun 23 19:04:24 laptop-hostname gnome-system-monitor_gnome-system-monitor.desktop[8097]: cannot update snap namespace: cannot drop supplementary groups: operation not permitted
Jun 23 19:04:24 laptop-hostname gnome-system-monitor_gnome-system-monitor.desktop[8097]: snap-update-ns failed with code 1: File exists
Jun 23 19:04:28 laptop-hostname pkexec[8128]: pam_unix(polkit-1:session): session opened for user root by (uid=1000)

/var/log/syslog
Result:
Jun 23 19:03:17 laptop-hostname kernel: [ 433.266715] audit: type=1400 audit(1529751797.796:42): apparmor="DENIED" operation="mount" info="failed srcname match" error=-13 profile="snap-update-ns.gnome-system-monitor" name="/snap/gnome-system-monitor/45/gnome-platform/" pid=7471 comm="3" srcname="/snap/gnome-3-26-1604/64/" flags="rw, bind"
Jun 23 19:03:17 laptop-hostname gnome-system-monitor_gnome-system-monitor.desktop[7456]: 2018/06/23 19:03:17.799121 main.go:192: cannot change mount namespace of snap "gnome-system-monitor" according to change mount (/snap/gnome-3-26-1604/64 /snap/gnome-system-monitor/45/gnome-platform none bind,ro 0 0): permission denied
Jun 23 19:03:17 laptop-hostname gnome-system-monitor_gnome-system-monitor.desktop[7456]: 2018/06/23 19:03:17.833637 main.go:192: cannot change mount namespace of snap "gnome-system-monitor" according to change mount (/var/lib/snapd/hostfs/usr/local/share/fonts /usr/local/share/fonts none bind,ro 0 0): permission denied
Jun 23 19:03:17 laptop-hostname kernel: [ 433.301209] audit: type=1400 audit(1529751797.828:43): apparmor="DENIED" operation="mount" info="failed srcname match" error=-13 profile="snap-update-ns.gnome-system-monitor" name="/usr/local/share/fonts/" pid=7471 comm="3" flags="ro, remount, bind"
Jun 23 19:03:17 laptop-hostname gnome-system-monitor_gnome-system-monitor.desktop[7456]: 2018/06/23 19:03:17.835300 main.go:192: cannot change mount namespace of snap "gnome-system-monitor" according to change mount (/var/lib/snapd/hostfs/usr/share/fonts /usr/share/fonts none bind,ro 0 0): permission denied
Jun 23 19:03:17 laptop-hostname gnome-system-monitor_gnome-system-monitor.desktop[7456]: 2018/06/23 19:03:17.838094 main.go:192: cannot change mount namespace of snap "gnome-system-monitor" according to change mount (/var/lib/snapd/hostfs/var/cache/fontconfig /var/cache/fontconfig none bind,ro 0 0): permission denied
Jun 23 19:03:17 laptop-hostname kernel: [ 433.302850] audit: type=1400 audit(1529751797.832:44): apparmor="DENIED" operation="mount" info="failed srcname match" error=-13 profile="snap-update-ns.gnome-system-monitor" name="/usr/share/fonts/" pid=7471 comm="3" flags="ro, remount, bind"
Jun 23 19:03:17 laptop-hostname kernel: [ 433.305652] audit: type=1400 audit(1529751797.832:45): apparmor="DENIED" operation="mount" info="failed srcname match" error=-13 profile="snap-update-ns.gnome-system-monitor" name="/var/cache/fontconfig/" pid=7471 comm="3" flags="ro, remount, bind"
Jun 23 19:03:17 laptop-hostname kernel: [ 433.336540] audit: type=1400 audit(1529751797.864:46): apparmor="DENIED" operation="capable" profile="snap-update-ns.gnome-system-monitor" pid=7478 comm="3" capability=6 capname="setgid"
Jun 23 19:03:17 laptop-hostname gnome-system-monitor_gnome-system-monitor.desktop[7456]: cannot update snap namespace: cannot drop supplementary groups: operation not permitted
Jun 23 19:03:17 laptop-hostname gnome-system-monitor_gnome-system-monitor.desktop[7456]: snap-update-ns failed with code 1
Jun 23 19:03:18 laptop-hostname PackageKit: resolve transaction /260_bebcecdc from uid 1000 finished with success after 610ms

Tags: snap
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in gnome-system-monitor (Ubuntu):
status: New → Confirmed
Sebastien Bacher (seb128) wrote :

Thank you for your bug report, do you still get that issue? What Ubuntu version do you use? What actions do you do exactly to trigger the errors?

Changed in gnome-system-monitor (Ubuntu):
importance: Undecided → Low
status: Confirmed → Incomplete
tags: added: snap
Launchpad Janitor (janitor) wrote :

[Expired for gnome-system-monitor (Ubuntu) because there has been no activity for 60 days.]

Changed in gnome-system-monitor (Ubuntu):
status: Incomplete → Expired
Charles A Sharp (cas-nixster) wrote :

My System 76 Oryx Pro laptop is currently experiencing a severe battery drain.

While looking for the cause, I noticed /var/log/syslog is being hit with thousands of messages similar to this, for example:

Nov 11 09:47:56 <hostname> kernel: audit: type=1400 audit(1573487276.018:797080): apparmor="DENIED" operation="open" profile="snap.gnome-system-monitor.gnome-system-monitor" name="/run/systemd/sessions/c1" pid=8733 comm="gnome-system-mo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

I'm currently running Ubuntu 19.10.

/proc/version shows:
Linux version 5.3.0-20-generic (buildd@lgw01-amd64-029) (gcc version 9.2.1 20191008 (Ubuntu 9.2.1-9ubuntu2)) #21+system76~1572304854~19.10~8caa3e6~dev-Ubuntu SMP Tue Oct 29

Thanks

Jamie Strandboge (jdstrand) wrote :

Nov 11 09:47:56 <hostname> kernel: audit: type=1400 audit(1573487276.018:797080): apparmor="DENIED" operation="open" profile="snap.gnome-system-monitor.gnome-system-monitor" name="/run/systemd/sessions/c1" pid=8733 comm="gnome-system-mo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

I'm able to reproduce this on 19.10 under X11 (but not Wayland) in the default install. I'll update snap for this denial. That fix should be in snapd 2.43.

Jamie Strandboge (jdstrand) wrote :

Clement, your issue is different than Charles'. More information is required from you to triage your issue.
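
Added example (not part of the original report, and not snapd or AppArmor code): a small Python triage script that groups kernel AppArmor denials like those quoted in this thread by profile, operation and target, which separates a repeating flood (the "open" denial on /run/systemd/sessions/c1) from the one-off snap-update-ns denials. The function names are illustrative; the sample lines are adapted from the logs above, and the last one is constructed to show a repeat.

```python
import re
from collections import Counter

# Sample lines adapted from the logs in this report; the final line is
# constructed (same denial, next audit serial) to show a repeated event.
SAMPLE_LOG = '''\
Jun 23 19:04:24 laptop-hostname audit[8109]: AVC apparmor="DENIED" operation="capable" profile="snap-update-ns.gnome-system-monitor" pid=8109 comm="3" capability=6 capname="setgid"
Jun 23 19:04:24 laptop-hostname kernel: audit: type=1400 audit(1529751864.744:47): apparmor="DENIED" operation="capable" profile="snap-update-ns.gnome-system-monitor" pid=8109 comm="3" capability=6 capname="setgid"
Jun 23 19:03:17 laptop-hostname kernel: [ 433.301209] audit: type=1400 audit(1529751797.828:43): apparmor="DENIED" operation="mount" info="failed srcname match" error=-13 profile="snap-update-ns.gnome-system-monitor" name="/usr/local/share/fonts/" pid=7471 comm="3" flags="ro, remount, bind"
Nov 11 09:47:56 <hostname> kernel: audit: type=1400 audit(1573487276.018:797080): apparmor="DENIED" operation="open" profile="snap.gnome-system-monitor.gnome-system-monitor" name="/run/systemd/sessions/c1" pid=8733 comm="gnome-system-mo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Nov 11 09:47:57 <hostname> kernel: audit: type=1400 audit(1573487277.020:797081): apparmor="DENIED" operation="open" profile="snap.gnome-system-monitor.gnome-system-monitor" name="/run/systemd/sessions/c1" pid=8733 comm="gnome-system-mo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
'''

AUDIT_ID = re.compile(r'audit\((\d+\.\d+):(\d+)\)')   # audit(timestamp:serial)
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')      # key="quoted value" or key=bare

def parse_denial(line):
    """Return (event_id, fields) for a kernel AppArmor denial, else None.

    Lines without an audit(timestamp:serial) id, such as the journald
    "audit[pid]: AVC" copy of an event, are skipped so that the same
    denial is not counted twice.
    """
    m = AUDIT_ID.search(line)
    if not m or 'apparmor="DENIED"' not in line:
        return None
    fields = {k: (u or q) for k, q, u in FIELD.findall(line[m.end():])}
    return m.group(0), fields

def summarize(log_text):
    """Count unique denial events per (profile, operation, target)."""
    seen, counts = set(), Counter()
    for line in log_text.splitlines():
        parsed = parse_denial(line)
        if parsed is None or parsed[0] in seen:
            continue
        seen.add(parsed[0])
        f = parsed[1]
        # File and mount denials carry name=; capability denials carry capname=.
        target = f.get("name") or f.get("capname") or "?"
        counts[(f.get("profile"), f.get("operation"), target)] += 1
    return counts

if __name__ == "__main__":
    for (profile, op, target), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:6d}  {profile}  {op}  {target}")
```

Feed it the contents of /var/log/syslog or saved `journalctl -k` output in place of SAMPLE_LOG; the highest counts point at the profile rule that is missing or being hit in a loop.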
