chromium fails to start with non-standard home directory

Not a duplicate
It's specific to the latest chromium snap update: it worked fine last week. (using chromium only for specific sites. The firefox-esr PPA is my daily driver).

Other snaps don't have this problem. They're still working as they did last week.

And I'm not the only one, See also:
https://forum.snapcraft.io/t/chromium-cannot-update-snap-namespace-cannot-expand-mount-entry-none-home-local-share-none-x-snapd-kind-ensure-dir-x-snapd-must-exist-dir-home-0-0-cannot-use-invalid-home-directory/39764

As far as I can tell, snap and apparmor home directories are set correctly:

user_name@computer:~$ sudo snap get system homedirs
[sudo] password for user_name:
/home/department/

user_name@computer:/home$ sudo grep -R department /etc/apparmor.d/
[sudo] password for user_name:
/etc/apparmor.d/tunables/home:@{HOMEDIRS}=/home/ /home/department/
/etc/apparmor.d/tunables/home.d/snapd:@{HOMEDIRS}+="/home/department/"
/etc/apparmor.d/tunables/home.d/ubuntu:@{HOMEDIRS}+=/home/department/

Thanks, I'll look into the issue, for now you can use `snap revert chromium` to use the previous version.

What is 'snap connections chromium | grep personal-files'? If you disconnect the dot-local-share ones, does Chromium start?

I saw in another discussion that what we (people having this issue) could have in common is an encrypted home directory. Mine is encrypted and I have the issue.
Btw, I tried 'snap revert chromium' but it reverted to a version that also doesn't start.

$ snap connections chromium | grep personal-files
personal-files chromium:chromium-config :personal-files -
personal-files chromium:dot-local-share-applications :personal-files -
personal-files chromium:dot-local-share-icons :personal-files -

How do we "disconnect the dot-local-share ones" ?

user_name@computer:~$ snap connections chromium | grep personal-files
personal-files chromium:chromium-config :personal-files -
personal-files chromium:dot-local-share-applications :personal-files -
personal-files chromium:dot-local-share-icons :personal-files -

disconnecting "chromium:dot-local-share-applications" and "chromium:dot-local-share-icons"
seems to fix the problem.

Thanks!

W;-)

PS: Can't revert as I uninstalled and reinstalled chromium yesterday when I first encountered the problem.

user_name@computer:~$ sudo snap revert chromium
error: cannot revert "chromium": no revision to revert to

$ snap disconnect chromium:dot-local-share-applications
$ snap disconnect chromium:dot-local-share-icons
also helped in my case to be able to start chromium :) But for how long ...?

Status changed to 'Confirmed' because the bug affects multiple users.

Thank you for the additional information.

enaira05, you can disconnect them with

  snap disconnect chromium:dot-local-share-applications
  snap disconnect chromium:dot-local-share-icons

wouterd, glad to hear that solves your problem.

The interface has been present for a long time. The Chromium update I released yesterday was just a new upstream release and as such introduces nothing that would trigger such an error.

On my side I can see in 'snap changes'

  1618 Done today at 12:40 CEST today at 12:43 CEST Auto-refresh snap "snapd"

So I'm placing my bets on that change.

Are you able to 'snap revert snapd' for a test? If yes, please remember to reconnect the interfaces for the test.

$ snap connect chromium:dot-local-share-applications
$ snap connect chromium:dot-local-share-icons
$ snap revert snapd
2024-04-17T14:16:18+02:00 INFO Waiting for automatic snapd restart...
snapd revenu à 2.61.2
$ chromium &

also works, so snapd update seems to be the cause :)

I don't have an encrypted home directory (though it is on a ZFS filesystem, but that one is also NOT encrypted).

W.

Thank you very much for testing that, having the input of the directly affected user is always highly valuable for debugging.

Reverting snapd fixes it for me too on multiple computers.

Thanks!

As a note for self, I diffed snapd 2.61.2 and 2.62 and found in cmd/snap-update-ns/user.go:

--->
+func isPlausibleHome(path string) error {
+ if path == "" {
+ return fmt.Errorf("cannot allow empty path")
+ }
+ if path != filepath.Clean(path) {
+ return fmt.Errorf("cannot allow unclean path")
+ }
+ if !filepath.IsAbs(path) {
+ return fmt.Errorf("cannot allow relative path")
+ }
+ const openFlags = syscall.O_NOFOLLOW | syscall.O_CLOEXEC | syscall.O_DIRECTORY
+ fd, err := sysOpen(path, openFlags, 0)
+ if err != nil {
+ return err
+ }
+ sysClose(fd)
+ return nil
+}
<---

--->
+ if err := isPlausibleHome(realHome); err != nil {
+ realHomeError = fmt.Errorf("cannot use invalid home directory %q: %v", realHome, err)
<---

It remains to be ascertained whether this lack of permission always existed but didn't cause the launch of the snap to fail.

As Nathan correctly suggest, this behaviour relates to a snapd 2.62 new ability introduced for the personal files interface, to create missing parent directories of write paths/files indicated in the plug declaration. Release notes: https://forum.snapcraft.io/t/the-snapd-roadmap/1973

isPlausibleHome() is an early check (does not result in termination itself) to determine if the calling user have access to its supposed home directory, as a basic way to verify that unintended user cannot exploit the mechanism.

In the reported case the personal-files interface connection results in a special type of mount entry
that instructs creation of missing parent directories between $HOME and $HOME/.local/share.

none $HOME/.local/share none x-snapd.kind=ensure-dir,x-snapd.must-exist-dir=$HOME 0 0

Because this entry exists (when the interface is connected), the result from isPlausibleHome() informs if directory creation within $HOME should be allowed or not. This is way disconnecting the interface would solve the problem.

(1) Please `stat /home/department/user_name`
(2) Does the "permission denied" result in any AppArmor denials?

I will do some tests myself for non-standard home directory.

1)
user_name@computer:~$ stat /home/department/user_name/
  File: /home/department/user_name/
  Size: 267 Blocks: 289 IO Block: 16384 directory
Device: 27h/39d Inode: 9542 Links: 146
Access: (0755/drwxr-xr-x) Uid: (XXXXXXXXX/user_name) Gid: (YYYYYYYY/default_group)
Access: 2024-03-20 14:50:40.921533172 +0100
Modify: 2024-04-17 18:20:30.872510781 +0200
Change: 2024-04-17 18:20:30.872510781 +0200
 Birth: 2019-06-03 16:14:43.032386913 +0200

2) as far as I know, no apparmor specific denials.
The non-standard home directory is added to the apparmor ${HOMEDIRS} paramater
(see https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bug/2061981/comments/3)

The only error message I get is:

user_name@computer:~$ chromium
cannot update snap namespace: cannot expand mount entry (none $HOME/.local/share none x-snapd.kind=ensure-dir,x-snapd.must-exist-dir=$HOME 0 0): cannot use invalid home directory "/home/department/user_name": permission denied
snap-update-ns failed with code 1

We've debugged this issue and the problem is caused by apparmor re-execution and configuration files being loaded from read-only snapd squashfs, thus making HOMEDIRS customization invisible.

We are still debugging it, it's not this. It's related to HOMEDIRS tunable and variable expansion, somehow.

This bug is now well-understood and a fix is proposed in: https://github.com/snapcore/snapd/pull/13853

Root cause was identified:

In the case of non-deb install (re-exec), Apparmor tunables from host /etc/apparmor.d/tunables/home.d/...
was not included in the profile for snap-update-ns. The a snapd 2.60 PR that aimed to fix home directories outside of /home/. missed adding it for the case of snap-update-ns template.

(1) fixed
https://github.com/snapcore/snapd/pull/13853

(2) and similar issue prevented in the future
https://github.com/snapcore/snapd/pull/13854

Please re-test on snapd edge tomorrow (after the nightly build that will include the fix).
It will be available in 2.63 which we are building today and releasing in approx 3 weeks.