Launching URLs in snapped applications no longer works in 18.04

Bug #1742687 reported by Martin Wimpress 
This bug affects 9 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| AppArmor | Invalid | Undecided | Unassigned | |
| D-Bus | New | Undecided | Unassigned | |
| snapd (Ubuntu) | Fix Released | High | Unassigned | |

Bug Description

I've observed a regression in snapd on 18.04 daily where launching URLs from confined snapped applications no longer works.

## Expected behaviour

Clicking a menu entry or button that links to a URL should open the link in my default browser.

## Actual behaviour

No link is opened.

## Steps to reproduce the behaviour

  * Install Ubuntu 18.04 (daily) or Ubuntu MATE 18.04 (daily)
  * snap install gimp
  * snap run gimp
  * Mouse to Help -> GIMP Online -> Developer Website
  * The link doesn't open and an error like the following is sent to stdout:

Error org.freedesktop.DBus.Error.AccessDenied: An AppArmor policy prevents this sender from sending this message to this recipient; type="method_call", sender=":1.4364" (uid=1000 pid=21669 comm="dbus-send --print-reply --session --dest=io.snapcr" label="snap.gimp.gimp (enforce)") interface="io.snapcraft.Launcher" member="OpenURL" error name="(unset)" requested_reply="0" destination="io.snapcraft.Launcher" (bus)
Error org.freedesktop.DBus.Error.ServiceUnknown: The name com.canonical.SafeLauncher was not provided by any .service files

## Ubuntu version

Ubuntu 18.04 (daily) and Ubuntu MATE 18.04 (daily)

## Snapd version

snap 2.30
snapd 2.30
series 16
ubuntu 18.04
kernel 4.13.0-17-generic

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in snapd (Ubuntu):
status: New → Confirmed
Carlos Gomes (gocarlos) wrote :
Michael Vogt (mvo)
Changed in snapd (Ubuntu):
importance: Undecided → High
status: Confirmed → Triaged
Zygmunt Krynicki (zyga) wrote :

Doing some testing it looks like an activation issue.

One curious (perhaps the bug itself) aspect is that in the denial we don’t have the peer= definition. For instance in the case of using gimp to open online documentation:

sty 15 15:34:45 kaedwen dbus-daemon[1242]: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/io/snapcraft/Launcher" interface="io.snapcraft.Launcher" member="OpenURL" mask="send" name="io.snapcraft.Launcher" pid=5773 label="snap.gimp.gimp"

I’ll investigate dbus daemon next.

Jamie Strandboge (jdstrand) wrote :

Adding apparmor since this may be related to libapparmor. zyga will provide more details, but essentially, when userd is not running (ie, dbus activation is used) and a snap tries to use userd to open a url, there is this denial:

sty 15 15:34:45 kaedwen dbus-daemon[1242]: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/io/snapcraft/Launcher" interface="io.snapcraft.Launcher" member="OpenURL" mask="send" name="io.snapcraft.Launcher" pid=5773 label="snap.gimp.gimp"

even though we have this in the policy:
dbus (send)
    bus=session
    path=/io/snapcraft/Launcher
    interface=io.snapcraft.Launcher
    member=OpenURL
    peer=(label=unconfined),

Curiously, the above denial lacks a 'peer_label' (on artful, removing the above rule(s), the denial has 'peer_label=unconfined'). This does not happen on artful and the above rule is sufficient for dbus activation or not. On bionic, once userd is running, there is no denial and the browser is launched. If we remove 'peer=(label=unconfined)' from the dbus rule, things work (according to zyga).

It isn't clear if this is a bug in libapparmor or dbus-daemon, so adding the apparmor task.

Steps to reproduce:
1. snap install gimp
2. ps auxww|grep userd # if 'snap userd' is running, kill it
3. /snap/bin/gimp
4. Help/Gimp Online/Developer Web Site

Note if adjusting the profile in /var/lib/snapd/apparmor/profiles/snap.gimp.gimp, there are several rules for com.canonical.SafeLauncher (the old service) and io.snapcraft.Launcher (the new service).
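
Added example, not part of the comment above or of snapd: a small triage script that parses dbus-daemon AppArmor denials and flags send denials that carry no `peer_label`, the symptom described in this thread. The first sample line is the denial quoted above; the other two are constructed, and the `peer_pid`/`peer_label` field layout in the second is an assumption.

```python
import re

# key=value or key="quoted value" pairs, as in AppArmor audit records
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

SAMPLE = [
    # Denial quoted in this thread (userd not running, D-Bus activation)
    'sty 15 15:34:45 kaedwen dbus-daemon[1242]: apparmor="DENIED" '
    'operation="dbus_method_call" bus="session" path="/io/snapcraft/Launcher" '
    'interface="io.snapcraft.Launcher" member="OpenURL" mask="send" '
    'name="io.snapcraft.Launcher" pid=5773 label="snap.gimp.gimp"',
    # Constructed: same call denied while the peer is known (layout assumed)
    'sty 15 15:40:02 kaedwen dbus-daemon[1242]: apparmor="DENIED" '
    'operation="dbus_method_call" bus="session" path="/io/snapcraft/Launcher" '
    'interface="io.snapcraft.Launcher" member="OpenURL" mask="send" '
    'name="io.snapcraft.Launcher" pid=5773 label="snap.gimp.gimp" '
    'peer_pid=6001 peer_label="unconfined"',
    # Constructed: unrelated log line, must be ignored
    'sty 15 15:40:03 kaedwen systemd[1]: Started Session 4 of user demo.',
]

def parse_denial(line):
    """Return the fields of an AppArmor D-Bus denial, or None for other lines."""
    fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
    if fields.get("apparmor") != "DENIED":
        return None
    if not fields.get("operation", "").startswith("dbus_"):
        return None
    return fields

def classify(fields):
    """Say whether dbus-daemon recorded the label of the receiving peer."""
    if fields.get("mask") != "send":
        return "not-a-send"
    # In this thread, denials without peer_label appeared when the service was
    # not running and the policy rule carried peer=(label=unconfined).
    return "peer-known" if "peer_label" in fields else "peer-unknown"

def triage(lines):
    """Return (label, destination name, member, classification) per denial."""
    rows = []
    for line in lines:
        fields = parse_denial(line)
        if fields:
            rows.append((fields.get("label"), fields.get("name"),
                         fields.get("member"), classify(fields)))
    return rows

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(*row)
```

A `peer-unknown` row for a destination that is D-Bus activatable points at the situation discussed here rather than at a missing send rule.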

Michael Vogt (mvo) wrote :
Jamie Strandboge (jdstrand) wrote :

Marking AppArmor task as invalid. DBus now implements DBus activation mediation and so the mediated service needs to be updated when specifying peer_label with an activated service.

Changed in apparmor:
status: New → Invalid
Changed in apparmor:
status: Invalid → New
Michael Vogt (mvo) wrote :
Changed in snapd (Ubuntu):
status: Triaged → In Progress
Carlos Gomes (gocarlos) wrote :

could we close this one?

Jamie Strandboge (jdstrand) wrote :

This has been fixed for some time in snapd.

Changed in snapd (Ubuntu):
status: In Progress → Fix Released
Changed in apparmor:
status: New → Invalid