webbrowser-app crashes on startup on fresh zesty Unity8: No suitable EGL configs found

Bug #1590561 reported by Ilija Ćosić on 2016-06-08
This bug affects 10 people
Affects Status Importance Assigned to Milestone
AppArmor
High
Olivier Tilloy
Canonical System Image
Critical
David Barth
Oxide
Critical
Santosh
apparmor (Ubuntu)
Critical
Olivier Tilloy
unity8 (Ubuntu)
Critical
Unassigned
webbrowser-app (Ubuntu)
Critical
Olivier Tilloy

Bug Description

When trying to start webbrowser-app an unresponsive window appears and after a few moments it crashes.

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: webbrowser-app 0.23+16.04.20160413-0ubuntu1
ProcVersionSignature: Ubuntu 4.4.0-22.40-generic 4.4.8
Uname: Linux 4.4.0-22-generic x86_64
NonfreeKernelModules: nvidia_uvm nvidia_modeset nvidia
ApportVersion: 2.20.1-0ubuntu2
Architecture: amd64
CurrentDesktop: Unity
Date: Wed Jun 8 22:56:35 2016
InstallationDate: Installed on 2016-04-28 (41 days ago)
InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1)
SourcePackage: webbrowser-app
UpgradeStatus: No upgrade log present (probably fresh install)

Ilija Ćosić (cosic-ilija) wrote :
tags: added: webbrowser-app
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in webbrowser-app (Ubuntu):
status: New → Confirmed
Changed in webbrowser-app (Ubuntu):
importance: Undecided → High
Changed in webbrowser-app (Ubuntu):
importance: High → Critical
Daniel van Vugt (vanvugt) wrote :

Confirmed, still crashing reliably on zesty in Unity8.

It seems this may be related to AA denials

summary: - webbrowser-app crashes on startup
+ webbrowser-app crashes on startup on fresh zesty
Changed in canonical-devices-system-image:
importance: Undecided → Critical
assignee: nobody → David Barth (dbarth)
kevin gunn (kgunn72) wrote :

see logs attached

kevin gunn (kgunn72) wrote :
Changed in canonical-devices-system-image:
status: New → Confirmed
tags: added: unity8-desktop
summary: - webbrowser-app crashes on startup on fresh zesty
+ webbrowser-app crashes on startup on fresh zesty Unity8

One would think that with thousands of crash reports from webbrowser-app, one of them should be this bug...?

https://errors.ubuntu.com/?package=webbrowser-app&period=month

Daniel van Vugt (vanvugt) wrote :

application-legacy-webbrowser-app-.log:

Loading module: 'libubuntu_application_api_desktop_mirclient.so.3.0.0'
MESA-LOADER: failed to retrieve device information
QEGLPlatformContext: Failed to create context: 3009
QEGLPlatformContext: Failed to create context: 3009
could not open containers config file "/home/dan/.local/share/libertine/ContainersConfig.json"
[0127/102127:ERROR:oxide_qt_gl_context_dependent.cc(82)] Unable to create adopted GL context for platform: ubuntumirclient - unexpected result from QPlatformNativeInterface::nativeResourceForContext
[0127/102127:ERROR:gl_surface_egl.cc(378)] No suitable EGL configs found.
[0127/102127:ERROR:gl_context_egl.cc(50)] eglGetConfigAttrib failed with error EGL_BAD_CONFIG
Loading module: 'libubuntu_application_api_desktop_mirclient.so.3.0.0'
MESA-LOADER: failed to retrieve device information
QEGLPlatformContext: Failed to create context: 3009
QEGLPlatformContext: Failed to create context: 3009
could not open containers config file "/home/dan/.local/share/libertine/ContainersConfig.json"
[0127/104815:ERROR:oxide_qt_gl_context_dependent.cc(82)] Unable to create adopted GL context for platform: ubuntumirclient - unexpected result from QPlatformNativeInterface::nativeResourceForContext
[0127/104815:ERROR:gl_surface_egl.cc(378)] No suitable EGL configs found.
[0127/104815:ERROR:gl_context_egl.cc(50)] eglGetConfigAttrib failed with error EGL_BAD_CONFIG

Daniel van Vugt (vanvugt) wrote :

This seems to be a common problem with some different flavors. Oxide fails to launch because it can't find a satisfying GL configuration.

See also:
  bug 1500117 (reported 40187 times so far on errors.ubuntu.com)
  bug 1573762

Changed in oxide-qt (Ubuntu):
importance: Undecided → Critical
status: New → Confirmed
Olivier Tilloy (osomon) on 2017-01-27
summary: - webbrowser-app crashes on startup on fresh zesty Unity8
+ webbrowser-app crashes on startup on fresh zesty Unity8: No suitable EGL
+ configs found
affects: oxide-qt (Ubuntu) → oxide
Changed in webbrowser-app (Ubuntu):
status: Confirmed → Invalid
David Barth (dbarth) wrote :

Is there something in syslog ? like apparmor not authorizing access to certain interfaces?

Chris Coulson (chrisccoulson) wrote :

Oxide failing to create a GL context isn't your only issue here, as Qt also fails to create one (which happens completely independently of Oxide)

Pat McGowan (pat-mcgowan) wrote :

On unity7
Browser (from deb) it crashes.
I installed the webbrowser-app snap and it runs perfectly along with the platform snap.

Unity8
from the scope or drawer the browser just creates a black xmir window. From the command line it complains it cannot connect to mir.
From the scope or drawers the snap browser just opens a window with the startup screen and spins.
From the command line the snap works

Other apps (settings, terminal) run fine

David Barth (dbarth) on 2017-01-31
Changed in oxide:
assignee: nobody → Santosh (santoshbit2007)
Changed in webbrowser-app (Ubuntu):
assignee: nobody → Santosh (santoshbit2007)
Santosh (santoshbit2007) wrote :

unity8/zesty:

In the case where the browser shows the startup screen and spins, it works and loads the page after disabling the apparmor service.

Gerry Boland (gerboland) wrote :

I've a bunch of questions. Any time you see EGL complaints, it is often down to the graphics driver.

1. is this complaint for an NVidia-based system only? The log indicates it has the proprietary nvidia driver installed, which Mir does not support (and so Unity8 does not run). How are you testing?

I've tested recent Zesty on my AMD machine, and it didn't crash like this! (It was getting graphics distortion though)

2. can you export QSG_INFO=1, run the browser and pastebin the output please?

3. was there a recent webbrowser release or something that showed this problem, or has it been around for a while?

kevin gunn (kgunn72) wrote :

re: Gerry's questions

At least for me
1) this is an Intel GPU; also I see AA denials in syslog upon attempting to launch this. I just ran it and confirmed that again (and previous syslog excerpt attached by me above)
2) see attached file
3) this bug has been around a long time, but it's sounding like some people experience AA denials and others experience failing EGL setup - so possibly more than 1 bug

Daniel van Vugt (vanvugt) wrote :

Gerry,

We have somewhat commandeered this bug. It's being experienced on Intel graphics by most people, despite the description mentioning nvidia up top. There is a separate bug (which I can't find right now) for nvidia driver failures, but given Mir doesn't actually support the Nvidia driver yet I find that part confusing too.

Olivier Tilloy (osomon) wrote :

I don’t have a machine running zesty atm but according to comment #13 from Santosh, disabling apparmor confinement for webbrowser-app allows the app to launch. Which would confirm that the problem is caused by an apparmor denial that prevents Qt (and oxide) from finding a suitable EGL config.

From Kevin’s logs in comment #5, the following denial stands out as possibly related:

Jan 26 11:46:48 kg-Studio-1737 kernel: [11478.602886] audit: type=1400 audit(1485452808.772:62): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/dev/dri/" pid=3487 comm="webbrowser-app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

Santosh (santoshbit2007) wrote :

Just to clarify actually I didn't see any crash in my test(unity8/zesty/radeon gpu), App gets launched but keeps spinning, same result as Pat mentioned above.

After disabling apparmor service webbrowser-app works fine.

@santosh: can you detail the apparmor denial, if any, that you experience
when the app hangs?
Also, when that happens, what are the function calls made by Oxide that
trigger that ?
Knowing which calls are made would probably help people on this thread to
know where this breaks. (or hangs).

On Wed, Feb 8, 2017 at 11:02 AM, Santosh <email address hidden>
wrote:

> Just to clarify actually I didn't see any crash in my
> test(unity8/zesty/radeon gpu), App gets launched but keeps spinning,
> same result as Pat mentioned above.
>
> After disabling apparmor service webbrowser-app works fine.

Santosh (santoshbit2007) wrote :

Environment: zesty/unity8/radeongpu

I can see the EGL crash in my radeon gpu from command line
$ webbrowser-app --desktop_file_hint=/usr/share/applications/webbrowser-app.desktop

The Crash doesn't happen if I unload the webbrowser apparmor profile.

Looking further into the apparmor denials, I see a few messages with apparmor=DENIED.
I tried overriding that in the webbrowser-app profile to find out the actual missing privilege,
and adding these to the webbrowser-app profile fixes the issue:

/sys/devices/pci[0-9]*/**/config r,

This also solves webbrowser spinning problem when launched from scopes

David Barth (dbarth) wrote :

Interesting, and thanks for proposing a fix.

I guess some further information will still be needed to understand whether
to open the apparmor profile to access those, or if that is wrong from a
confinement perspective.

Can you find which Qt function and/or Oxide calls are made that trigger the
access to this? is the app / lib specifically scanning the hardware to know
about devices ? or is it due to the EGL driver (either userland or kernel) ?

On Wed, Feb 8, 2017 at 3:39 PM, Santosh <email address hidden> wrote:

> Environment: zesty/unity8/radeongpu
>
> I can see the EGL crash in my radeon gpu from command line
> $ webbrowser-app --desktop_file_hint=/usr/share/applications/webbrowser-
> app.desktop
>
> The Crash doesn't happen if I unload the webbrowser apparmor profile.
>
> Looking further on apparmor denial I see few number of message with
> apparmor=DENIED.
> I tried overriding that in webbrowser-app profile to find out actual
> missing privilege.
> and adding these in webbrowser-app profile fixes the issue:
>
> /sys/devices/pci[0-9]*/**/config r,
>
> This also solves webbrowser spinning problem when launched from scopes

Santosh (santoshbit2007) wrote :

The crash is triggered when webbrowser-app tries to create an OpenGLContext, and it happens with the creation of the qml window. This context is shared with oxide, so oxide shows an error while using the context.

I could get the same egl error log[1] by triggering this call:
QOpenGLContext ctx;
ctx.create();

So In theory it should trigger crash for all Qt5 app (if window is created and they have apparmor profile). I couldn't find any app in current desktop to test it.

[1]
QEGLPlatformContext: Failed to create context: 3009
QEGLPlatformContext: Failed to create context: 3009

Ilija Ćosić (cosic-ilija) wrote :

@Gerry Boland (gerboland)
@Daniel van Vugt (vanvugt)

I just want to clarify the confusion you have with nVidia drivers.
When I reported the bug I encountered it on Xenial (without Mir) and the title changes covering Zesty (Unity8/Mir) were made by Daniel along the way (comment #3). Thus my graphics drivers mentioned in the bug description should not be of any importance for Mir.

Running webbrowser-app on the original machine (Ubuntu 16.04 with newest updates) now creates and destroys the window almost immediately.

Output:

(webbrowser-app:24453): dconf-CRITICAL **: unable to create file '/run/user/1000/dconf/user': Permission denied. dconf will not work properly.

(webbrowser-app:24453): dconf-CRITICAL **: unable to create file '/run/user/1000/dconf/user': Permission denied. dconf will not work properly.

(webbrowser-app:24453): dconf-CRITICAL **: unable to create file '/run/user/1000/dconf/user': Permission denied. dconf will not work properly.
unity::action::ActionManager::ActionManager(QObject*):
 Could not determine application identifier. HUD will not work properly.
 Provide your application identifier in $APP_ID environment variable.
UCUriHandler: Empty "APP_ID" environment variable, ignoring.
file:///usr/share/webbrowser-app/webbrowser/ContentPickerDialog.qml:22:1: module "Ubuntu.Content" is not installed
file:///usr/share/webbrowser-app/webbrowser/ContentDownloadDialog.qml:22:1: module "Ubuntu.Content" is not installed
file:///usr/share/webbrowser-app/ContentHandler.qml:20:1: module "Ubuntu.Content" is not installed
file:///usr/share/webbrowser-app/webbrowser/DownloadHandler.qml:20:1: module "Ubuntu.DownloadManager" is not installed
(webbrowser-app:24453): IBUS-WARNING **: Unable to connect to ibus: Could not connect: Permission denied
[0213/183605.596565:ERROR:oxide_qt_gl_context_dependent.cc(82)] Unable to create adopted GL context for platform: xcb - unexpected result from QPlatformNativeInterface::nativeResourceForContext
shm_open() failed: Permission denied

(webbrowser-app:24453): dconf-CRITICAL **: unable to create file '/run/user/1000/dconf/user': Permission denied. dconf will not work properly.

(webbrowser-app:24453): dconf-CRITICAL **: unable to create file '/run/user/1000/dconf/user': Permission denied. dconf will not work properly.
[0213/183607.805040:ERROR:gl_context_glx.cc(196)] Failed to create GL context with glXCreateContextAttribsARB.
[0213/183607.805071:ERROR:gpu_info_collector.cc(50)] gl::init::CreateGLContext failed
[0213/183607.805081:ERROR:gpu_info_collector.cc(118)] Could not create context for info collection.
[0213/183607.805099:ERROR:oxide_browser_main_parts.cc(326)] gpu::CollectContextGraphicsInfo failed

(webbrowser-app:24453): dconf-CRITICAL **: unable to create file '/run/user/1000/dconf/user': Permission denied. dconf will not work properly.

(webbrowser-app:24453): dconf-CRITICAL **: unable to create file '/run/user/1000/dconf/user': Permission denied. dconf will not work properly.

(webbrowser-app:24453): dconf-CRITICAL **: unable to create file '/run/user/1000/dconf/user': Permission denied. dconf will not work properly.

(webbrowser-app:24453): dconf-CRITICAL **: unable to create fi...


Daniel van Vugt (vanvugt) wrote :

Thanks. Those errors agree with what most of us are seeing; permission denied (in various places).

Assuming the process hasn't changed userid, then it's a confinement/apparmor bug. More people need to verify comment #20 maybe...

David Barth (dbarth) wrote :

Just to add that the dconf errors are harmless, as confirmed by oSoMon.

David Barth (dbarth) wrote :

@jdstrand : apparently this issue would need the policy to be relaxed to allow for EGL context creation (see comment #20).

Now, I am not sure if that requires more checks as to whether this is a legit access request, or if drivers and or the stack need changes to make this a safe operation. WDYT?

Ilija Ćosić (cosic-ilija) wrote :

Following comment #20 nothing really changed for me on Xenial, the only difference is with the second part the window takes again a longer time to be destroyed.

$ webbrowser-app --desktop_file_hint=/usr/share/applications/webbrowser-app.desktop

Output:
(webbrowser-app:20815): dconf-CRITICAL **: unable to create file '/run/user/1000/dconf/user': Permission denied. dconf will not work properly.

(webbrowser-app:20815): dconf-CRITICAL **: unable to create file '/run/user/1000/dconf/user': Permission denied. dconf will not work properly.

(webbrowser-app:20815): dconf-CRITICAL **: unable to create file '/run/user/1000/dconf/user': Permission denied. dconf will not work properly.
unity::action::ActionManager::ActionManager(QObject*):
 Could not determine application identifier. HUD will not work properly.
 Provide your application identifier in $APP_ID environment variable.
UCUriHandler: Empty "APP_ID" environment variable, ignoring.
file:///usr/share/webbrowser-app/webbrowser/ContentPickerDialog.qml:22:1: module "Ubuntu.Content" is not installed
file:///usr/share/webbrowser-app/webbrowser/ContentDownloadDialog.qml:22:1: module "Ubuntu.Content" is not installed
file:///usr/share/webbrowser-app/ContentHandler.qml:20:1: module "Ubuntu.Content" is not installed
file:///usr/share/webbrowser-app/webbrowser/DownloadHandler.qml:20:1: module "Ubuntu.DownloadManager" is not installed

(webbrowser-app:20815): IBUS-WARNING **: Unable to connect to ibus: Could not connect: Permission denied
Failed to create OpenGL context for format QSurfaceFormat(version 2.0, options QFlags(), depthBufferSize 24, redBufferSize -1, greenBufferSize -1, blueBufferSize -1, alphaBufferSize -1, stencilBufferSize 8, samples -1, swapBehavior 2, swapInterval 1, profile 0)
Aborted (core dumped)

-----------------------------

Adding "/sys/devices/pci[0-9]*/**/config r," to webbrowser apparmor profile.

Output:

unity::action::ActionManager::ActionManager(QObject*):
 Could not determine application identifier. HUD will not work properly.
 Provide your application identifier in $APP_ID environment variable.
UCUriHandler: Empty "APP_ID" environment variable, ignoring.
file:///usr/share/webbrowser-app/webbrowser/ContentPickerDialog.qml:22:1: module "Ubuntu.Content" is not installed
file:///usr/share/webbrowser-app/webbrowser/ContentDownloadDialog.qml:22:1: module "Ubuntu.Content" is not installed
file:///usr/share/webbrowser-app/ContentHandler.qml:20:1: module "Ubuntu.Content" is not installed
file:///usr/share/webbrowser-app/webbrowser/DownloadHandler.qml:20:1: module "Ubuntu.DownloadManager" is not installed
(webbrowser-app:20702): IBUS-WARNING **: Unable to connect to ibus: Could not connect: Permission denied
[0214/235344.331855:ERROR:oxide_qt_gl_context_dependent.cc(82)] Unable to create adopted GL context for platform: xcb - unexpected result from QPlatformNativeInterface::nativeResourceForContext
shm_open() failed: Permission denied

[0214/235346.452672:ERROR:gl_context_glx.cc(196)] Failed to create GL context with glXCreateContextAttribsARB.
[0214/235346.452702:ERROR:gpu_info_collector.cc(50)] gl::init::CreateGLContext failed
[0214/235346.452711:ERROR:gpu_info_collector....


Santosh (santoshbit2007) wrote :

@ Ilija

I tried on unity7/16.04/nvidia with the nouveau driver and didn't see any crash as such.
But webbrowser-app crashes on 17.04/unity7, which is related to https://bugs.launchpad.net/bugs/1649262; here the nvidia drivers are not getting loaded by mesa.

Well, unity8/17.04 is an apparmor issue but this (16.04/unity7) seems to be related to drivers. May I know which nvidia driver you are using?

Ilija Ćosić (cosic-ilija) wrote :

Sure, driver is nvidia-367.57-0ubuntu0.16.04.1

I never had any graphics problems with any other browser, game or video player. What's so special about webbrowser-app?

Santosh (santoshbit2007) wrote :

@Ilija

Could you try running after disabling the apparmor profile for webbrowser-app
sudo apparmor_parser -R /etc/apparmor.d/usr.bin.webbrowser-app

and let me know the result

Ilija Ćosić (cosic-ilija) wrote :

@Santosh

Now it works!

Output:

unity::action::ActionManager::ActionManager(QObject*):
 Could not determine application identifier. HUD will not work properly.
 Provide your application identifier in $APP_ID environment variable.
UCUriHandler: Empty "APP_ID" environment variable, ignoring.
file:///usr/share/webbrowser-app/webbrowser/ContentPickerDialog.qml:22:1: module "Ubuntu.Content" is not installed
file:///usr/share/webbrowser-app/webbrowser/ContentDownloadDialog.qml:22:1: module "Ubuntu.Content" is not installed
file:///usr/share/webbrowser-app/ContentHandler.qml:20:1: module "Ubuntu.Content" is not installed
file:///usr/share/webbrowser-app/webbrowser/DownloadHandler.qml:20:1: module "Ubuntu.DownloadManager" is not installed

qml: Loaded 8 UA override(s) from file:///usr/lib/x86_64-linux-gnu/qt5/qml/Ubuntu/Web/ua-overrides-desktop.js
OxideQQuickWebView: canGoForward is deprecated. Please use the API provided by OxideQQuickNavigationHistory instead
OxideQQuickWebView: canGoBack is deprecated. Please use the API provided by OxideQQuickNavigationHistory instead
TouchSelectionController::active is deprecated, use TouchSelectionController::status instead
file:///usr/share/webbrowser-app/Downloader.qml:22:1: module "Ubuntu.DownloadManager" is not installed
file:///usr/share/webbrowser-app/Downloader.qml:23:1: module "Ubuntu.Content" is not installed
file:///usr/share/webbrowser-app/Downloader.qml:22:1: module "Ubuntu.DownloadManager" is not installed
file:///usr/share/webbrowser-app/Downloader.qml:23:1: module "Ubuntu.Content" is not installed
qml: System low on memory, but unable to pick a tab to unload
[PERFORMANCE]: Last frame took 545 ms to render.
[0217/181627.074883:ERROR:layer_tree_host_impl.cc(2174)] Forcing zero-copy tile initialization as worker context is missing

** (webbrowser-app:11243): WARNING **: Unable to register app: GDBus.Error:org.freedesktop.DBus.Error.InvalidArgs: Invalid application ID
qml: System low on memory, but unable to pick a tab to unload

Daniel van Vugt (vanvugt) wrote :

If /etc/apparmor.d/usr.bin.webbrowser-app is related to the problem/solution then the correct package is 'webbrowser-app'. Re-confirmed.

Changed in webbrowser-app (Ubuntu):
status: Invalid → Confirmed
Santosh (santoshbit2007) wrote :

@ Ilija

Then this also seems to be an issue with apparmor access, so could you give me the full /var/log/syslog.

Ilija Ćosić (cosic-ilija) wrote :

@Santosh

After boot
1. $ webbrowser-app -> crash

2. $ sudo apparmor_parser -R /etc/apparmor.d/usr.bin.webbrowser-app

3. $ webbrowser-app -> works

Attached: /var/log/syslog

Santosh (santoshbit2007) wrote :

@ ilija

Thanks for syslog,

I checked the log; there is an apparmor denial for /dev/nvidiactl
Feb 20 16:28:07 Silver kernel: [ 117.797833] audit: type=1400 audit(1487604487.352:57): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/dev/nvidiactl" pid=3124 comm="webbrowser-app" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=0

Since I could not reproduce the issue on my PC, I tried the reverse way, denying apparmor access to /dev/nvidiactl, and I could see the exact same crash.

So to validate that I need your help.
Add the path to the profile:
$ sudo vim /etc/apparmor.d/usr.bin.webbrowser-app
      add /dev/nvidiactl --> [/dev/nvidiactl rw,]

Reload the profile
$ sudo apparmor_parser -r /etc/apparmor.d/usr.bin.webbrowser-app
$ webbrowser-app // should work.

I am still wondering why the crash is not happening on any other machine (including mine)

Ilija Ćosić (cosic-ilija) wrote :

@Santosh

Still crashing.

The apparmor denial for /dev/nvidiactl is gone but now running webbrowser-app raises either ibus warning or broker_posix error.

(webbrowser-app:9751): IBUS-WARNING **: Unable to connect to ibus: Could not connect: Permission denied

or

[0100/000000.144346:ERROR:broker_posix.cc(41)] Invalid node channel message

In syslog denials remain for:

/usr/share/nvidia-367/nvidia-application-profiles-367.57-rc -> requested_mask="r" denied_mask="r"
/proc/modules -> requested_mask="r" denied_mask="r"
/proc/driver/nvidia/params -> requested_mask="r" denied_mask="r"
/dev/nvidia-modeset -> requested_mask="wr" denied_mask="wr"

This denial doesn't show when apparmor profile is disabled:

Feb 20 20:29:33 Silver kernel: [14603.902240] audit: type=1400 audit(1487618973.243:140): apparmor="DENIED" operation="connect" profile="webbrowser-app" pid=9498 comm="webbrowser-app" family="unix" sock_type="stream" protocol=0 requested_mask="send receive connect" denied_mask="send connect" addr=none peer_addr="@/tmp/ibus/dbus-RC4AOnvw" peer="unconfined"

Attached: last part of /var/log/syslog

Seth Arnold (seth-arnold) wrote :

If webbrowser-app needs access to nvidia hardware (does it?) using the <abstractions/nvidia> file is probably easier than figuring out each access one at a time.

Thanks

David Barth (dbarth) wrote :

webbrowser-app and all other Qt apps trying to get an EGL handle, via Mir
then.

This means : should the policy be updated to have all Qt apps get this
access level ? or should that stay as a per-app decision ?

On Tue, Feb 21, 2017 at 8:44 PM, Seth Arnold <email address hidden>
wrote:

> If webbrowser-app needs access to nvidia hardware (does it?) using the
> <abstractions/nvidia> file is probably easier than figuring out each
> access one at a time.
>
> Thanks

Jamie Strandboge (jdstrand) wrote :

For the ibus denial you need:
  #include <abstractions/ibus>

For nvidia, you need:
  #include <abstractions/nvidia>
  @{PROC}/driver/nvidia/params r,
  /dev/nvidia* rw,
  unix (send, receive) type=dgram peer=(addr="@nvidia[0-9a-f]*"),

(the apparmor abstraction needs to be updated for newer nvidia).

What happens if you add the above to the profile (and reload the profile with 'sudo apparmor_parser -r /path/to/profile')?

Ilija Ćosić (cosic-ilija) wrote :

@Jamie

It works.

The application raises a warning:

** (webbrowser-app:4229): WARNING **: Unable to register app: GDBus.Error:org.freedesktop.DBus.Error.InvalidArgs: Invalid application ID

The syslog has the following denials:

/usr/share/nvidia-367/nvidia-application-profiles-367.57-rc
/org/gtk/vfs/mounttracker
and denials with custom theme (it's not happening with Ambiance) and all cursors

From /var/log/syslog:

Feb 22 18:57:33 Silver kernel: [64292.311025] audit: type=1400 audit(1487786253.024:119): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/usr/share/nvidia-367/nvidia-application-profiles-367.57-rc" pid=4085 comm="webbrowser-app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

Feb 22 18:57:33 Silver dbus[2250]: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/gtk/vfs/mounttracker" interface="org.gtk.vfs.MountTracker" member="ListMountableInfo" mask="send" name=":1.5" pid=4085 label="webbrowser-app" peer_pid=2318 peer_label="unconfined"

Feb 22 18:57:32 Silver kernel: [64292.280109] audit: type=1400 audit(1487786252.992:118): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/home/silver/.themes/CTheme/gtk-2.0/gtkrc" pid=4085 comm="webbrowser-app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

Feb 22 18:57:33 Silver kernel: [64292.448034] audit: type=1400 audit(1487786253.160:121): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/home/silver/.icons/Eclipse/cursors/ibeam" pid=4085 comm="webbrowser-app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

Santosh (santoshbit2007) wrote :

Summarising the apparmor fixes for the issue.

Issue 1: WebBrowser-app crash on zesty/unity8/[intel, radeon]
   Fix: Adding apparmor access to
         "/sys/devices/pci[0-9]*/**/config r,"

Issue 2: WebBrowser-app crash on xenial/unity7/nvidia
   Fix: Adding apparmor access to

  For the ibus denial you need:
   #include <abstractions/ibus>

  For nvidia, you need:
  #include <abstractions/nvidia>
  @{PROC}/driver/nvidia/params r,
  /dev/nvidia* rw,
  unix (send, receive) type=dgram peer=(addr="@nvidia[0-9a-f]*"),

I plan to raise a bug to add these to the webbrowser-app profile.

Daniel van Vugt (vanvugt) wrote :

"/sys/devices/pci[0-9]*/**/config r,"
Doesn't that give the browser access to all PCI devices? :)

It's just a graphics device issue so the right device should be:
/dev/dri/*

In theory Unity8 should be automatically assigning these rights to all GUI apps automatically. Not sure if it does. Certainly Mir won't do this for you. You may even find yourself sometimes in a situation where graphics appears to work, but because of missing access to /dev/dri/* Mesa will fall back to software rendering of OpenGL apps (which works well enough many people never realise it has happened).

Santosh (santoshbit2007) wrote :

The issue is happening with egl context creation and I could see the bug(error logs) with
QOpenGLContext ctx;
ctx.create().

So I am also unsure if [1] practically works. Is there any way to validate that?

[1]
In theory Unity8 should be automatically assigning these rights to all GUI apps automatically.

kevin gunn (kgunn72) on 2017-03-02
Changed in unity8 (Ubuntu):
importance: Undecided → Critical
status: New → Confirmed
Olivier Tilloy (osomon) wrote :

There are several separate issues here, and it doesn’t help that they are being tracked in the same place.

IIUC, the issue with the webbrowser-app snap on unity8 needs to be addressed in unity8 by relaxing the confinement that will allow apps to create a QOpenGLContext ("/dev/dri/*"?). It’s unclear to me whether the changes need to happen in unity8 itself, or in the "mir"/"unity8" interface definitions in snapd.

Regarding the other issue, the apparmor profile for webbrowser-app needs to be updated to use the ibus and nvidia abstractions. The profile is generated from a manifest, see https://bazaar.launchpad.net/~phablet-team/webbrowser-app/trunk/view/head:/debian/webbrowser-app-apparmor.manifest. IIUC, this won’t be sufficient to fix the issue, as the nvidia abstraction also needs to be updated. /etc/apparmor.d/abstractions/nvidia belongs to the apparmor package.

Changed in apparmor (Ubuntu):
assignee: nobody → Santosh (santoshbit2007)
Changed in oxide:
status: Confirmed → Invalid
kevin gunn (kgunn72) wrote :

@osomon
actually - i am witnessing this & using this bug specifically for webbrowser as a deb based install on the rootfs failing on zesty unity8 on top of an Intel built in gpu.
I'll be happy to collect any logs.
Fwiw, i see the same AA denials (even tho it's not a snap)
Unsure if that affects your last post (#44)

Daniel van Vugt (vanvugt) wrote :

/dev/dri/* is a special case that the shell (or lightdm, whichever runs as root) needs to handle. Same goes for other desktop devices like audio, webcams etc.

This makes me think it has already been done by virtue of logging in by lightdm. So yeah, this would just be an over-confinement problem to be fixed per app. Although each app having to know the details of every device that every graphics driver might ever need doesn't seem like a great architectural choice...

Santosh (santoshbit2007) wrote :

@Daniel

/dev/dri/* is not the cause of any issue here, and I guess access is already provided.
AFAIR adding /dev/dri/* doesn't fix the issue on unity8.

The question is whether "/sys/devices/pci[0-9]*/**/config r," is being provided by unity8 to all apps or not, if not then adding that in each app will be only option

kevin gunn (kgunn72) on 2017-03-06
Changed in canonical-devices-system-image:
milestone: none → u8c-1
Jamie Strandboge (jdstrand) wrote :

Considering the current implementation constraints that applications have to access various device files for GL (eg, /dev/dri/card0) instead of having something trusted like mir do the direct access (see bug #1197133 for background), I don't think we can avoid this access:

  /sys/devices/pci[0-9]*/**/config r,

While https://www.kernel.org/doc/Documentation/filesystems/sysfs-pci.txt tells us it is rw, AppArmor can at least enforce readonly.

It is fine for webbrowser-app to access /sys/devices/pci[0-9]*/**/config, but before we add it for all applications, can you give the complete denial messages? Perhaps there is something more fine-grained we can use....

Olivier Tilloy (osomon) wrote :

I just upgraded my laptop to zesty and tested webbrowser-app in the unity8 session.
Santosh’s comment (#47) is incorrect. The first denial that I’m getting is /dev/dri/, and I’ve had to add it to the webbrowser-app profile to proceed to get further denials for PCI devices config:

type=AVC msg=audit(1488885677.369:1080): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/dev/dri/" pid=8151 comm="webbrowser-app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

After authorizing read access to /dev/dri/, I’m getting the following denials:

type=AVC msg=audit(1488885802.466:1091): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/sys/devices/pci0000:00/0000:00:02.0/revision" pid=8237 comm="webbrowser-app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

type=AVC msg=audit(1488885802.466:1092): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/sys/devices/pci0000:00/0000:00:02.0/config" pid=8237 comm="webbrowser-app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

type=AVC msg=audit(1488885802.466:1093): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/sys/devices/pci0000:00/0000:00:02.0/revision" pid=8237 comm="webbrowser-app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

type=AVC msg=audit(1488885802.466:1094): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/sys/devices/pci0000:00/0000:00:02.0/config" pid=8237 comm="webbrowser-app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

Which go away when allowing read access to the config files. And thus the application executes fine.

To summarize, here are the rules I’ve had to add to the webbrowser-app profile for the app to run under unity8:

  /dev/dri/ r,
  /sys/devices/pci[0-9]*/**/config r,
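
Added example, not part of the comment above or of the AppArmor tooling: a small checker that parses the denial lines quoted in that comment and reports which logged paths the two proposed rules match. The function names and the glob translation (a simplified reading of AppArmor path globs, without `{a,b}` alternation) are assumptions made for illustration.

```python
import re

# Denial lines copied from the comment above (duplicate PCI lines omitted).
AUDIT_LOG = """\
type=AVC msg=audit(1488885677.369:1080): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/dev/dri/" pid=8151 comm="webbrowser-app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1488885802.466:1091): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/sys/devices/pci0000:00/0000:00:02.0/revision" pid=8237 comm="webbrowser-app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1488885802.466:1092): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/sys/devices/pci0000:00/0000:00:02.0/config" pid=8237 comm="webbrowser-app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""
# The two rules the comment adds to the webbrowser-app profile.
RULES = ["/dev/dri/ r,", "/sys/devices/pci[0-9]*/**/config r,"]

def glob_to_regex(glob):
    """Translate an AppArmor path glob (*, **, ?, [...]) into an anchored regex."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):      # ** crosses directory separators
            out.append(".*"); i += 2
        elif glob[i] == "*":              # * stays within one path component
            out.append("[^/]*"); i += 1
        elif glob[i] == "?":
            out.append("[^/]"); i += 1
        elif glob[i] == "[":              # character class is copied through
            j = glob.index("]", i)
            out.append(glob[i:j + 1]); i = j + 1
        else:
            out.append(re.escape(glob[i])); i += 1
    return re.compile("".join(out) + r"\Z")

def parse_denials(log):
    """Yield (profile, path, denied_mask) for every AppArmor DENIED record."""
    for line in log.splitlines():
        fields = dict(re.findall(r'(\w+)="([^"]*)"', line))
        if fields.get("apparmor") == "DENIED":
            yield fields["profile"], fields["name"], fields["denied_mask"]

def covered(path, mask, rules):
    """True if some rule matches the path and grants every denied permission."""
    for rule in rules:
        rule_path, perms = rule.rstrip(",").split()
        if glob_to_regex(rule_path).match(path) and set(mask) <= set(perms):
            return True
    return False

def uncovered(log, rules):
    """Sorted list of denied paths that none of the rules would allow."""
    return sorted({p for _, p, m in parse_denials(log) if not covered(p, m, rules)})

if __name__ == "__main__":
    print(uncovered(AUDIT_LOG, RULES))
```

The trailing slash in `/dev/dri/ r,` matches only the directory itself, and the `r` permission on the `config` rule does not cover a write request, so the checker reports both of those cases as not covered.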

Olivier Tilloy (osomon) on 2017-03-07
Changed in webbrowser-app (Ubuntu):
assignee: Santosh (santoshbit2007) → Olivier Tilloy (osomon)
status: Confirmed → In Progress
Changed in apparmor (Ubuntu):
assignee: Santosh (santoshbit2007) → Olivier Tilloy (osomon)
status: New → In Progress
Changed in apparmor (Ubuntu):
importance: Undecided → Critical
Santosh (santoshbit2007) wrote :

@Olivier, yes I rechecked and found /dev/dri already added there, which I missed somehow.
So I confirm two apparmor access to be added.
/dev/dri/ r,
/sys/devices/pci[0-9]*/**/config r,

Changed in canonical-devices-system-image:
status: Confirmed → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package webbrowser-app - 0.23+17.04.20170310-0ubuntu1

---------------
webbrowser-app (0.23+17.04.20170310-0ubuntu1) zesty; urgency=medium

  [ Alexandre Abreu ]
  * Explicitely define Ctrl+R as the refresh shortcut for the browser
    (LP: #1593877)

  [ Andrew Hayzen ]
  * Use the new TabsBar component from Ubuntu.Components.Extras

  [ Florian Boucault ]
  * Add Peekier to available search engines (LP: #1649673)
  * Bookmarks and history: increased font size one level
  * Make new tabs opened in the background to be placed next to the tab
    requesting them instead of at the end of the list of tabs (LP: #1499780)
  * Enable predictive text in address bar (LP: #1378750)
  * Fix issue with new tab page sometimes never being unloaded (LP: #1659435)
  * Snap: embed ubuntu-ui-extras by building it from source
  * Improved UX for <select> dropdowns in web content
  * Store and restore on startup the size of each window (LP: #1312892)
  * Do not go fullscreen if already fullscreen (LP: #1665727)
  * Do not rely on qmake as webbrowser is CMake based

  [ Jeremy Bicha ]
  * Drop "Open a " prefix from .desktop Actions (LP: #1668699)

  [ Matthieu James ]
  * Updated browser icon (LP: #1358050)

  [ Michael Terry ]
  * Properly set the APP_ID variable for the snappy world

  [ Olivier Tilloy ]
  * Use the no-system-libraries build attribute instead of specifying extra
    stage packages
  * Move snapcraft.yaml to snap directory (new in snapcraft 2.26)
  * Add a desktop UA override for dailymotion.com (LP: #1662826)
  * Log oxide and chromium versions at app startup
  * Add UA overrides for google photos (desktop and mobile) (LP: #1665926)
  * Explicitly plug to the "mir" interface (LP: #1662145)
  * Add "ibus" and "nvidia" apparmor abstractions to webbrowser-app apparmor
    profile
  * Additional holes in generated apparmor profile to allow webbrowser-app
    to run under unity8 in zesty (LP: #1590561)

 -- Olivier Tilloy <email address hidden> Fri, 10 Mar 2017 15:35:28 +0000

Changed in webbrowser-app (Ubuntu):
status: In Progress → Fix Released
Tyler Hicks (tyhicks) wrote :
Changed in apparmor:
assignee: nobody → Olivier Tilloy (osomon)
importance: Undecided → High
status: New → Fix Committed
Tyler Hicks (tyhicks) on 2017-03-16
Changed in apparmor:
milestone: none → 2.12
David Barth (dbarth) wrote :

Thanks Tyler!

On Thu, Mar 16, 2017 at 4:16 AM, Tyler Hicks <email address hidden> wrote:

> ** Changed in: apparmor
> Milestone: None => 2.12
>
> --
> You received this bug notification because you are a bug assignee.
> https://bugs.launchpad.net/bugs/1590561
>
> Title:
> webbrowser-app crashes on startup on fresh zesty Unity8: No suitable
> EGL configs found
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/apparmor/+bug/1590561/+subscriptions
>

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.11.0-2ubuntu3

---------------
apparmor (2.11.0-2ubuntu3) zesty; urgency=medium

  * SECURITY UPDATE: Don't unload unknown profiles during package
    configuration or when restarting the apparmor init script, upstart job, or
    systemd unit as this could leave processes unconfined (LP: #1668892)
    - debian/apparmor.postinst, debian/apparmor.init, debian/apparmor.upstart:
      Remove calls to unload_obsolete_profiles()
    - debian/patches/utils-add-aa-remove-unknown.patch,
      debian/apparmor.install debian/apparmor.manpages: Include a new utility,
      aa-remove-unknown, which can be used to unload unknown profiles. Based
      on an upstream patch but adjusted to source the /lib/apparmor/functions
      shipped in Debian/Ubuntu.
    - CVE-2017-6507
  * debian/patches/r3645-profiles-update-nvidia-abstraction.patch: Update
    nvidia abstraction for newer nvidia drivers (LP: #1590561)

 -- Tyler Hicks <email address hidden> Fri, 24 Mar 2017 05:26:28 +0000

Changed in apparmor (Ubuntu):
status: In Progress → Fix Released
Changed in canonical-devices-system-image:
status: In Progress → Fix Released
Changed in unity8 (Ubuntu):
status: Confirmed → Invalid
Christian Boltz (cboltz) on 2018-04-22
Changed in apparmor:
status: Fix Committed → Fix Released