[Desktop-packages] [Bug 1859609] [NEW] [snap] lots of apparmor denials after snap update

Tue, 14 Jan 2020 03:16:35 -0800 

Public bug reported:

After the chromium snap auto updated:

$ snap changes chromium
ID   Status  Spawn                   Ready                   Summary
310  Done    yesterday at 14:34 CET  yesterday at 14:36 CET  Auto-refresh snap 
"chromium"

I get a lot of apparmor denial error messages on /var/log/kernel.log:

Jan 13 14:36:11 falcon kernel: [15453.080547] audit: type=1400 
audit(1578922571.568:111): apparmor="STATUS" operation="profile_replace" 
profile="unconfined" name="snap.chromium.chromium" pid=22548 
comm="apparmor_parser"
Jan 13 14:36:24 falcon kernel: [15465.911905] audit: type=1400 
audit(1578922584.400:116): apparmor="DENIED" operation="mknod" 
profile="snap.chromium.chromium" 
name=2F686F6D652F6B6C656265722F736E61702F6368726F6D69756D2F3937312F2E636F6E6669672F6368726F6D69756D2F50726F66696C6520312F2E6F72672E6368726F6D69756D2E4368726F6D69756D2E52365548686F
 pid=8163 comm="ThreadPoolForeg" requested_mask="c" denied_mask="c" fsuid=1000 
ouid=1000
Jan 13 14:36:44 falcon kernel: [15485.517324] audit: type=1400 
audit(1578922604.009:117): apparmor="DENIED" operation="open" 
profile="snap.chromium.chromium" 
name=2F686F6D652F6B6C656265722F736E61702F6368726F6D69756D2F3937312F2E636F6E6669672F6368726F6D69756D2F50726F66696C6520312F436F6F6B6965732D6A6F75726E616C
 pid=8163 comm="ThreadPoolForeg" requested_mask="wc" denied_mask="wc" 
fsuid=1000 ouid=1000

And the list goes on and on. Less than 24h later there is about 18801
apparmor denial error messages on the log.

This is probably obvious and expected, but just some additional info
about the running processes:

$ ps aux | grep  chromium | tail -n1
kleber   23283  0.0  0.6 1479568 104872 ?      Sl   10:10   0:06 
/snap/chromium/971/usr/lib/chromium-browser/chrome --type=renderer 
--disable-webrtc-apm-in-audio-service --force-color-profile=srgb 
--field-trial-handle=8276679174007623735,3874660843479004072,131072 
--lang=en-US --disable-oor-cors --enable-auto-reload --num-raster-threads=2 
--enable-main-frame-before-activation 
--service-request-channel-token=16818215954149295646 --renderer-client-id=443 
--no-v8-untrusted-code-mitigations 
--shared-files=v8_context_snapshot_data:100,v8_natives_data:101

Chromium is still running revision 971, but the 'current' version is set
to the newest version:

$ ls -la /snap/chromium/
total 8
drwxr-xr-x  4 root root 4096 Jan 13 14:36 .
drwxr-xr-x 20 root root 4096 Nov 20 14:01 ..
drwxr-xr-x 11 root root  257 Dec 11 00:29 971
drwxr-xr-x 11 root root  257 Jan  9 00:59 986
lrwxrwxrwx  1 root root    3 Jan 13 14:36 current -> 986


I have filtered my kernel.log with only the chromium related messages after the 
update and tried to get some more info about the denials:

$ grep -Po "comm=\".*?\"" /tmp/snap_log | sort | uniq
comm="Chrome_HistoryT"
comm="Chrome_SyncThre"
comm="ThreadPoolForeg"
comm="ThreadPoolSingl"
comm="apparmor_parser"

$ grep -Po "operation=\".*?\"" /tmp/snap_log | sort | uniq
operation="dbus_method_call"
operation="mkdir"
operation="mknod"
operation="open"
operation="profile_replace"
operation="rename_src"
operation="truncate"
operation="unlink"

The practical outcome of these errors is that some of the icons on the
bookmark bar gets replaced by a default icon and my browser history and
open tabs don't get updated, so the history is empty and when I exit the
browser it gets restored with the history and open tabs as they were
before the update.

System info:
$ snap version 
snap    2.42.5
snapd   2.42.5
series  16
ubuntu  19.10
kernel  5.4.0-8-generic

** Affects: chromium-browser (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: snap

** Tags added: snap

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to chromium-browser in Ubuntu.
https://bugs.launchpad.net/bugs/1859609

Title:
  [snap] lots of apparmor denials after snap update

Status in chromium-browser package in Ubuntu:
  New

Bug description:
  After the chromium snap auto updated:

  $ snap changes chromium
  ID   Status  Spawn                   Ready                   Summary
  310  Done    yesterday at 14:34 CET  yesterday at 14:36 CET  Auto-refresh 
snap "chromium"

  I get a lot of apparmor denial error messages on /var/log/kernel.log:

  Jan 13 14:36:11 falcon kernel: [15453.080547] audit: type=1400 
audit(1578922571.568:111): apparmor="STATUS" operation="profile_replace" 
profile="unconfined" name="snap.chromium.chromium" pid=22548 
comm="apparmor_parser"
  Jan 13 14:36:24 falcon kernel: [15465.911905] audit: type=1400 
audit(1578922584.400:116): apparmor="DENIED" operation="mknod" 
profile="snap.chromium.chromium" 
name=2F686F6D652F6B6C656265722F736E61702F6368726F6D69756D2F3937312F2E636F6E6669672F6368726F6D69756D2F50726F66696C6520312F2E6F72672E6368726F6D69756D2E4368726F6D69756D2E52365548686F
 pid=8163 comm="ThreadPoolForeg" requested_mask="c" denied_mask="c" fsuid=1000 
ouid=1000
  Jan 13 14:36:44 falcon kernel: [15485.517324] audit: type=1400 
audit(1578922604.009:117): apparmor="DENIED" operation="open" 
profile="snap.chromium.chromium" 
name=2F686F6D652F6B6C656265722F736E61702F6368726F6D69756D2F3937312F2E636F6E6669672F6368726F6D69756D2F50726F66696C6520312F436F6F6B6965732D6A6F75726E616C
 pid=8163 comm="ThreadPoolForeg" requested_mask="wc" denied_mask="wc" 
fsuid=1000 ouid=1000

  And the list goes on and on. Less than 24h later there is about 18801
  apparmor denial error messages on the log.

  This is probably obvious and expected, but just some additional info
  about the running processes:

  $ ps aux | grep  chromium | tail -n1
  kleber   23283  0.0  0.6 1479568 104872 ?      Sl   10:10   0:06 
/snap/chromium/971/usr/lib/chromium-browser/chrome --type=renderer 
--disable-webrtc-apm-in-audio-service --force-color-profile=srgb 
--field-trial-handle=8276679174007623735,3874660843479004072,131072 
--lang=en-US --disable-oor-cors --enable-auto-reload --num-raster-threads=2 
--enable-main-frame-before-activation 
--service-request-channel-token=16818215954149295646 --renderer-client-id=443 
--no-v8-untrusted-code-mitigations 
--shared-files=v8_context_snapshot_data:100,v8_natives_data:101

  Chromium is still running revision 971, but the 'current' version is
  set to the newest version:

  $ ls -la /snap/chromium/
  total 8
  drwxr-xr-x  4 root root 4096 Jan 13 14:36 .
  drwxr-xr-x 20 root root 4096 Nov 20 14:01 ..
  drwxr-xr-x 11 root root  257 Dec 11 00:29 971
  drwxr-xr-x 11 root root  257 Jan  9 00:59 986
  lrwxrwxrwx  1 root root    3 Jan 13 14:36 current -> 986

  
  I have filtered my kernel.log with only the chromium related messages after 
the update and tried to get some more info about the denials:

  $ grep -Po "comm=\".*?\"" /tmp/snap_log | sort | uniq
  comm="Chrome_HistoryT"
  comm="Chrome_SyncThre"
  comm="ThreadPoolForeg"
  comm="ThreadPoolSingl"
  comm="apparmor_parser"

  $ grep -Po "operation=\".*?\"" /tmp/snap_log | sort | uniq
  operation="dbus_method_call"
  operation="mkdir"
  operation="mknod"
  operation="open"
  operation="profile_replace"
  operation="rename_src"
  operation="truncate"
  operation="unlink"

  The practical outcome of these errors is that some of the icons on the
  bookmark bar gets replaced by a default icon and my browser history
  and open tabs don't get updated, so the history is empty and when I
  exit the browser it gets restored with the history and open tabs as
  they were before the update.

  System info:
  $ snap version 
  snap    2.42.5
  snapd   2.42.5
  series  16
  ubuntu  19.10
  kernel  5.4.0-8-generic

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bug/1859609/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to     : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

Reply via email to