[Desktop-packages] [Bug 1848919] Re: [snap] Permission denied on Private encrypted folder
This bug was fixed in the package apparmor - 2.13.3-7ubuntu4 --- apparmor (2.13.3-7ubuntu4) focal; urgency=medium * debian/apparmor.service: add /var/lib/snapd/apparmor/profiles to RequiresMountsFor since Ubuntu's rc.apparmor.functions looks for it (LP: #1871148) * libnss-systemd.patch: allow accessing the libnss-systemd VarLink sockets and DBus APIs. Patch partially based on work by Simon Deziel. (LP: #1796911, LP: #1869024) * upstream-mr-424-kerberos-dot-dirs.patch: abstractions/kerberosclient: allow reading /etc/krb5.conf.d/ * upstream-mr-442-gnome-user-themes.patch: gnome abstraction: allow reading per-user themes from $XDG_DATA_HOME (Closes: #930031) * upstream-mr-443-ecryptfs-dirs.patch: abstractions/base: allow read access to top-level ecryptfs directories (LP: #1848919) * upstream-mr-445-uuidd-request.patch: abstractions/base: allow read access to /run/uuidd/request * upstream-mr-464-Mesa_i915_perf_interface.patch: let Mesa check if the kernel supports the i915 perf interface. Patch from Debian -- Jamie Strandboge Mon, 06 Apr 2020 17:47:20 + ** Changed in: apparmor (Ubuntu) Status: In Progress => Fix Released -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to chromium-browser in Ubuntu. https://bugs.launchpad.net/bugs/1848919 Title: [snap] Permission denied on Private encrypted folder Status in AppArmor: Fix Released Status in snapd: Fix Released Status in apparmor package in Ubuntu: Fix Released Status in chromium-browser package in Ubuntu: Invalid Status in snapd package in Ubuntu: Fix Released Bug description: When accessing the Private (/home/username/Private, Encrypted Directory) folder (e.g. via "Link save as...") it shows "Could not read contents of Private, Error opening directory ...: Permission denied" Package: chromium-browser Version: 77.0.3865.120-0ubuntu1~snap1 To manage notifications about this bug go to: https://bugs.launchpad.net/apparmor/+bug/1848919/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1848919] Re: [snap] Permission denied on Private encrypted folder
** Changed in: snapd Status: In Progress => Fix Released ** Changed in: snapd (Ubuntu) Status: Triaged => Fix Released -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to chromium-browser in Ubuntu. https://bugs.launchpad.net/bugs/1848919 Title: [snap] Permission denied on Private encrypted folder Status in AppArmor: Fix Released Status in snapd: Fix Released Status in apparmor package in Ubuntu: In Progress Status in chromium-browser package in Ubuntu: Invalid Status in snapd package in Ubuntu: Fix Released Bug description: When accessing the Private (/home/username/Private, Encrypted Directory) folder (e.g. via "Link save as...") it shows "Could not read contents of Private, Error opening directory ...: Permission denied" Package: chromium-browser Version: 77.0.3865.120-0ubuntu1~snap1 To manage notifications about this bug go to: https://bugs.launchpad.net/apparmor/+bug/1848919/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1848919] Re: [snap] Permission denied on Private encrypted folder
** Changed in: apparmor Status: In Progress => Fix Released ** Also affects: apparmor (Ubuntu) Importance: Undecided Status: New ** Changed in: apparmor (Ubuntu) Importance: Undecided => Medium ** Changed in: apparmor (Ubuntu) Status: New => In Progress ** Changed in: apparmor (Ubuntu) Assignee: (unassigned) => Jamie Strandboge (jdstrand) -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to chromium-browser in Ubuntu. https://bugs.launchpad.net/bugs/1848919 Title: [snap] Permission denied on Private encrypted folder Status in AppArmor: Fix Released Status in snapd: In Progress Status in apparmor package in Ubuntu: In Progress Status in chromium-browser package in Ubuntu: Invalid Status in snapd package in Ubuntu: Triaged Bug description: When accessing the Private (/home/username/Private, Encrypted Directory) folder (e.g. via "Link save as...") it shows "Could not read contents of Private, Error opening directory ...: Permission denied" Package: chromium-browser Version: 77.0.3865.120-0ubuntu1~snap1 To manage notifications about this bug go to: https://bugs.launchpad.net/apparmor/+bug/1848919/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1848919] Re: [snap] Permission denied on Private encrypted folder
** Changed in: apparmor Status: Triaged => In Progress -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to chromium-browser in Ubuntu. https://bugs.launchpad.net/bugs/1848919 Title: [snap] Permission denied on Private encrypted folder Status in AppArmor: In Progress Status in snapd: In Progress Status in chromium-browser package in Ubuntu: Invalid Status in snapd package in Ubuntu: Triaged Bug description: When accessing the Private (/home/username/Private, Encrypted Directory) folder (e.g. via "Link save as...") it shows "Could not read contents of Private, Error opening directory ...: Permission denied" Package: chromium-browser Version: 77.0.3865.120-0ubuntu1~snap1 To manage notifications about this bug go to: https://bugs.launchpad.net/apparmor/+bug/1848919/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1848919] Re: [snap] Permission denied on Private encrypted folder
https://github.com/snapcore/snapd/pull/7779 ** Also affects: snapd Importance: Undecided Status: New ** Changed in: snapd (Ubuntu) Assignee: Jamie Strandboge (jdstrand) => (unassigned) ** Changed in: snapd Importance: Undecided => Low ** Changed in: snapd Assignee: (unassigned) => Jamie Strandboge (jdstrand) ** Changed in: snapd Milestone: None => 2.42.3 ** Changed in: snapd (Ubuntu) Status: In Progress => Triaged ** Changed in: snapd Status: New => In Progress -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to chromium-browser in Ubuntu. https://bugs.launchpad.net/bugs/1848919 Title: [snap] Permission denied on Private encrypted folder Status in AppArmor: Triaged Status in snapd: In Progress Status in chromium-browser package in Ubuntu: Invalid Status in snapd package in Ubuntu: Triaged Bug description: When accessing the Private (/home/username/Private, Encrypted Directory) folder (e.g. via "Link save as...") it shows "Could not read contents of Private, Error opening directory ...: Permission denied" Package: chromium-browser Version: 77.0.3865.120-0ubuntu1~snap1 To manage notifications about this bug go to: https://bugs.launchpad.net/apparmor/+bug/1848919/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1848919] Re: [snap] Permission denied on Private encrypted folder
** Changed in: snapd (Ubuntu) Status: Triaged => In Progress ** Also affects: apparmor Importance: Undecided Status: New ** Changed in: apparmor Status: New => Triaged ** Changed in: apparmor Importance: Undecided => Low ** Changed in: apparmor Assignee: (unassigned) => Jamie Strandboge (jdstrand) -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to chromium-browser in Ubuntu. https://bugs.launchpad.net/bugs/1848919 Title: [snap] Permission denied on Private encrypted folder Status in AppArmor: Triaged Status in chromium-browser package in Ubuntu: Invalid Status in snapd package in Ubuntu: In Progress Bug description: When accessing the Private (/home/username/Private, Encrypted Directory) folder (e.g. via "Link save as...") it shows "Could not read contents of Private, Error opening directory ...: Permission denied" Package: chromium-browser Version: 77.0.3865.120-0ubuntu1~snap1 To manage notifications about this bug go to: https://bugs.launchpad.net/apparmor/+bug/1848919/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1848919] Re: [snap] Permission denied on Private encrypted folder
Thanks Jamie. I'll mark the bug invalid for chromium. Even though chromium is visibly affected, the root cause has been identified and is going to be fixed soon. ** Changed in: chromium-browser (Ubuntu) Status: Confirmed => Invalid -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to chromium-browser in Ubuntu. https://bugs.launchpad.net/bugs/1848919 Title: [snap] Permission denied on Private encrypted folder Status in chromium-browser package in Ubuntu: Invalid Status in snapd package in Ubuntu: Triaged Bug description: When accessing the Private (/home/username/Private, Encrypted Directory) folder (e.g. via "Link save as...") it shows "Could not read contents of Private, Error opening directory ...: Permission denied" Package: chromium-browser Version: 77.0.3865.120-0ubuntu1~snap1 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bug/1848919/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1848919] Re: [snap] Permission denied on Private encrypted folder
Ok, I'll fix this in the next batch of policy updates for snapd. ** Changed in: snapd (Ubuntu) Importance: Undecided => Low ** Changed in: snapd (Ubuntu) Status: New => Triaged ** Changed in: snapd (Ubuntu) Assignee: (unassigned) => Jamie Strandboge (jdstrand) -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to chromium-browser in Ubuntu. https://bugs.launchpad.net/bugs/1848919 Title: [snap] Permission denied on Private encrypted folder Status in chromium-browser package in Ubuntu: Confirmed Status in snapd package in Ubuntu: Triaged Bug description: When accessing the Private (/home/username/Private, Encrypted Directory) folder (e.g. via "Link save as...") it shows "Could not read contents of Private, Error opening directory ...: Permission denied" Package: chromium-browser Version: 77.0.3865.120-0ubuntu1~snap1 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bug/1848919/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1848919] Re: [snap] Permission denied on Private encrypted folder
Yes, it is mounted: ubuntu@bionicvm:~$ mount | grep Private /home/ubuntu/.Private on /home/ubuntu/Private type ecryptfs (rw,nosuid,nodev,relatime,ecryptfs_fnek_sig=11d8701311f9dc77,ecryptfs_sig=4ca5cd476d88b7cd,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs) -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to chromium-browser in Ubuntu. https://bugs.launchpad.net/bugs/1848919 Title: [snap] Permission denied on Private encrypted folder Status in chromium-browser package in Ubuntu: Confirmed Status in snapd package in Ubuntu: New Bug description: When accessing the Private (/home/username/Private, Encrypted Directory) folder (e.g. via "Link save as...") it shows "Could not read contents of Private, Error opening directory ...: Permission denied" Package: chromium-browser Version: 77.0.3865.120-0ubuntu1~snap1 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bug/1848919/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1848919] Re: [snap] Permission denied on Private encrypted folder
Ok, that is a read on /home/ubuntu/.Private/. Is the encrypted home mounted at the time of the denial? -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to chromium-browser in Ubuntu. https://bugs.launchpad.net/bugs/1848919 Title: [snap] Permission denied on Private encrypted folder Status in chromium-browser package in Ubuntu: Confirmed Status in snapd package in Ubuntu: New Bug description: When accessing the Private (/home/username/Private, Encrypted Directory) folder (e.g. via "Link save as...") it shows "Could not read contents of Private, Error opening directory ...: Permission denied" Package: chromium-browser Version: 77.0.3865.120-0ubuntu1~snap1 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bug/1848919/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1848919] Re: [snap] Permission denied on Private encrypted folder
Indeed I can see the rules you mention in /etc/apparmor.d/abstractions/base, which is included by /var/lib/snapd/apparmor/profiles/snap.chromium.chromium. However I can reliably reproduce the issue, and I'm seeing the following denial: AVC apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/home/ubuntu/.Private/" pid=11167 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000 -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to chromium-browser in Ubuntu. https://bugs.launchpad.net/bugs/1848919 Title: [snap] Permission denied on Private encrypted folder Status in chromium-browser package in Ubuntu: Confirmed Status in snapd package in Ubuntu: New Bug description: When accessing the Private (/home/username/Private, Encrypted Directory) folder (e.g. via "Link save as...") it shows "Could not read contents of Private, Error opening directory ...: Permission denied" Package: chromium-browser Version: 77.0.3865.120-0ubuntu1~snap1 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bug/1848919/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1848919] Re: [snap] Permission denied on Private encrypted folder
Encrypted home is typically setup as ~/.Private, not ~/Private and the policy already allows: owner @{HOME}/.Private/** mrixwlk, owner @{HOMEDIRS}/.ecryptfs/*/.Private/** mrixwlk, The home interface should already allow ~/Private. What is the denial you see in the logs? -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to chromium-browser in Ubuntu. https://bugs.launchpad.net/bugs/1848919 Title: [snap] Permission denied on Private encrypted folder Status in chromium-browser package in Ubuntu: Confirmed Status in snapd package in Ubuntu: New Bug description: When accessing the Private (/home/username/Private, Encrypted Directory) folder (e.g. via "Link save as...") it shows "Could not read contents of Private, Error opening directory ...: Permission denied" Package: chromium-browser Version: 77.0.3865.120-0ubuntu1~snap1 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bug/1848919/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp