AMD OSS graphics drivers missing access to amdgpu.ids file

The open-source AMD graphics drivers, via libdrm, look for a file called /usr/share/libdrm/amdgpu.ids, which is provided by the deb package libdrm-common. By default this path is not readable by snaps, and so we get messages about denied attempts to access it both in the application’s output and in the AppArmor denials log locations. I’m unsure how important this file is, but it seems to be queried by, and denied for, most snaps that access the graphics subsystem via libdrm or maybe more specifically only via libGL.

/usr/share/libdrm is not part of the snap’s runtime environment. The snap can choose to stage it and use a layout to access it. I’m surprised you are seeing apparmor denials since there is nothing to deny…

cc @zyga

It depends on the base; I think the godot runtime puts stuff in /usr/share so that that file can be accessed.
Unfortunately there’s no easy way to redirect the driver to any other location, and lack of access results in a non-functioning GL stack.

Having said that, @jdstrand is right. @Daniel can you explain how you got the denial?

I can’t find where I saw the logs, although I can reproduce applications complaining about it with, e.g. gitter (an electron app), and openra (a mono game), both of which output on STDOUT that they can’t find the file.

Right, this is expected because /usr/share/libdrm from the host isn’t exposed to the runtime environment of the snap (which is different from a security policy violation).

So we’re left with the question of “should it be added to snapland?”…

Is there any progress on this? :slight_smile:

I’m unable to start Chromium because of this :frowning:

Can you be more specific? What do you see when you try to launch chromium, and do you see any denials in the system journal?

dan@dan-desktop:~$ chromium
Gtk-Message: 16:40:17.621: Failed to load module "canberra-gtk-module"
Gtk-Message: 16:40:17.628: Failed to load module "canberra-gtk-module"
Trace/breakpoint trap (core dumped)
dan@dan-desktop:~$ /usr/share/libdrm/amdgpu.ids: No such file or directory
[60559:60559:0100/] InitializeSandbox() called with multiple threads in process gpu-process.

It would appear I do see some AppArmor denials:

[49486.139309] audit: type=1400 audit(1595518953.891:234749): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/snap/core/9665/usr/share/locale/en_GB/LC_MESSAGES/" pid=60705 comm="snap-exec" requested_mask="r" denied_mask="r" fsuid=1001 ouid=0
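
The distinction drawn in this thread, a file absent from the snap's mount namespace versus an AppArmor policy denial, can be checked mechanically against the output quoted above. This is an added example, not code from any poster or from snapd; the function names `parse_denial` and `classify` are hypothetical.

```python
import re

# Lines copied from the posts above: the kernel audit record and the libdrm error.
SAMPLE = [
    '[49486.139309] audit: type=1400 audit(1595518953.891:234749): apparmor="DENIED" '
    'operation="open" profile="snap.chromium.chromium" '
    'name="/snap/core/9665/usr/share/locale/en_GB/LC_MESSAGES/" pid=60705 '
    'comm="snap-exec" requested_mask="r" denied_mask="r" fsuid=1001 ouid=0',
    '/usr/share/libdrm/amdgpu.ids: No such file or directory',
]

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX = re.compile(r'(?:[0-9A-Fa-f]{2})+')

def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED record, or None."""
    if 'apparmor="DENIED"' not in line:
        return None
    rec = {}
    for m in KV.finditer(line):
        key, quoted, bare = m.groups()
        if quoted is None and key in ("name", "comm") and HEX.fullmatch(bare):
            # The audit subsystem hex-encodes values containing spaces or
            # control characters and writes them without quotes.
            bare = bytes.fromhex(bare).decode("utf-8", "replace")
        rec[key] = bare if quoted is None else quoted
    return rec

def classify(path, profile, lines):
    """'denied': AppArmor blocked path for profile; 'absent': only ENOENT seen."""
    enoent = False
    for line in lines:
        rec = parse_denial(line)
        # endswith() tolerates a base-snap prefix such as /snap/core/<rev>.
        if rec and rec.get("profile") == profile and rec.get("name", "").endswith(path):
            return "denied"
        if rec is None and path in line and "No such file or directory" in line:
            enoent = True
    return "absent" if enoent else "unknown"

if __name__ == "__main__":
    for p in ("/usr/share/libdrm/amdgpu.ids", "/usr/share/locale/en_GB/LC_MESSAGES/"):
        print(p, "->", classify(p, "snap.chromium.chromium", SAMPLE))
```

On the quoted output, amdgpu.ids classifies as absent (no policy record mentions it), while the only denial concerns the locale directory.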

Are you certain that the lack of that file is what is causing the core dump?

Also I would suggest if you have not done so already to file a bug at so @oSoMoN can triage and help, as I can’t immediately say that not having the AMD graphics library in the snap’s mount namespace is the cause of your problem.