AppArmor denial for /dev/nvidiactl

I am running Ubuntu 18.04 daily with a snap of Cumulonimbus installed which has the opengl interface defined.

I have raised a bug on Launchpad for this issue:

I see the following AppArmor denial in syslog when starting the Cumulonimbus snap.

Dec 18 17:30:16 skull kernel: [11774.344461] audit: type=1400 audit(1513618216.704:914): apparmor="DENIED" operation="file_mmap" profile="snap.cumulonimbus.cumulonimbus" name="/dev/nvidiactl" pid=23037 comm="cumulonimbus" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0

snap version outputs:

snap    2.29.4.2
snapd   2.29.4.2
series  16
ubuntu  18.04
kernel  4.13.0-17-generic

The snapcraft.yaml for Cumulonimbus is available here:

Looks similar to:

What version of nvidia drivers do you use (nvidia libraries and kernel modules)?

I have the following installed:

Package: nvidia-384
Version: 384.90-0ubuntu6

Looks like this issue was discussed here and fixed with this which is scheduled for snapd 2.30.

No, this isn’t fixed in snapd. The denial is an ‘mmap’ denial:

audit: type=1400 audit(1513618216.704:914): apparmor="DENIED" operation="file_mmap" profile="snap.cumulonimbus.cumulonimbus" name="/dev/nvidiactl" pid=23037 comm="cumulonimbus" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0

It seems the application has an executable stack. Please see Snap and executable stacks.

It seems like electron builds occasionally have binaries with executable stacks, but not all of them. It would be great if snapcraft as a matter of course detected this, gave a warning (ideally pointing to the aforementioned forum topic) and then stripped it automatically. @sergiusens or @kyrofa - is this something you could add to your roadmap?


It certainly is, a bug would help here. This seems like a task we can perform during prime as we now do with patchelf.

@sergiusens - https://bugs.launchpad.net/snapcraft/+bug/1739066


A workaround to Electron having executable stacks and electron-builder not clearing them is to run
watch -n 0.1 execstack -c ./dist/linux-unpacked/cumulonimbus
in the background. Add libgl1-mesa-glx to stagePackages, and Electron WebGL should work in your Cumulonimbus Snap on Nvidia cards. That’s what jdstrand and I came up with when I was packaging Polarr at least, and it worked there.
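The two points above, the mmap denial being a symptom of an executable stack and the execstack -c workaround, can be checked without running the binary: the stack permission lives in the PT_GNU_STACK program header, and with PF_X set (or the header missing) the x86 kernels of that era applied READ_IMPLIES_EXEC, so every mmap, including the one of /dev/nvidiactl, requested "m" and tripped the profile. The script below is an added example, not code from this thread, the Cumulonimbus snap, snapcraft or execstack; it reads and clears that flag in ELF32/ELF64 files, and the ELF image it builds in build_sample_elf64() is a constructed header-only fixture so the checks run offline. The file name execstack_check.py in the usage comment is hypothetical.

```python
"""Check an ELF binary for an executable stack and clear the flag.

Added example (not code from the thread, the Cumulonimbus snap or snapcraft):
it reads the PT_GNU_STACK program header, which is what `execstack -c`
rewrites, so a packager can detect the condition before the snap is built.
The sample ELF in build_sample_elf64() is constructed here as a fixture."""
import struct
import sys

PT_GNU_STACK = 0x6474E551  # program header carrying the stack permission bits
PF_X = 0x1                 # segment flag: executable


def _elf_endian(data):
    """Return the struct byte-order prefix for this ELF image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    return {1: "<", 2: ">"}[data[5]]


def _iter_phdrs(data):
    """Yield (p_type, file offset of p_flags, p_flags) for each program header."""
    endian = _elf_endian(data)
    ei_class = data[4]
    if ei_class == 2:    # ELF64: p_flags immediately follows p_type
        (e_phoff,) = struct.unpack_from(endian + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 0x36)
        flags_rel = 4
    elif ei_class == 1:  # ELF32: p_flags is the seventh field
        (e_phoff,) = struct.unpack_from(endian + "I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 0x2A)
        flags_rel = 24
    else:
        raise ValueError("unknown ELF class %d" % ei_class)
    for i in range(e_phnum):
        base = e_phoff + i * e_phentsize
        (p_type,) = struct.unpack_from(endian + "I", data, base)
        (p_flags,) = struct.unpack_from(endian + "I", data, base + flags_rel)
        yield p_type, base + flags_rel, p_flags


def stack_flags(data):
    """p_flags of PT_GNU_STACK, or None when the header is absent."""
    for p_type, _off, p_flags in _iter_phdrs(data):
        if p_type == PT_GNU_STACK:
            return p_flags
    return None


def has_exec_stack(data):
    """True when the loader will give this binary an executable stack:
    PF_X set, or no PT_GNU_STACK header at all (the historical default)."""
    flags = stack_flags(data)
    return flags is None or bool(flags & PF_X)


def clear_exec_stack(data):
    """Return a copy with PF_X cleared on PT_GNU_STACK, like `execstack -c`."""
    buf = bytearray(data)
    endian = _elf_endian(data)
    for p_type, off, p_flags in _iter_phdrs(data):
        if p_type == PT_GNU_STACK:
            struct.pack_into(endian + "I", buf, off, p_flags & ~PF_X)
            return bytes(buf)
    raise ValueError("no PT_GNU_STACK header to rewrite")


def build_sample_elf64(exec_stack):
    """Constructed fixture: ELF64 LE header plus one PT_GNU_STACK entry.
    It is header-only and not loadable; it exists so the checks run offline."""
    ehdr_size, phdr_size = 64, 56
    flags = 0x6 | (PF_X if exec_stack else 0)               # RW, optionally RWX
    ehdr = bytearray(ehdr_size)
    ehdr[:4] = b"\x7fELF"
    ehdr[4], ehdr[5], ehdr[6] = 2, 1, 1                     # ELFCLASS64, LE, EV_CURRENT
    struct.pack_into("<HHI", ehdr, 0x10, 2, 0x3E, 1)        # ET_EXEC, EM_X86_64, version
    struct.pack_into("<QQQ", ehdr, 0x18, 0, ehdr_size, 0)   # e_entry, e_phoff, e_shoff
    struct.pack_into("<IHHHHHH", ehdr, 0x30, 0, ehdr_size, phdr_size, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, flags, 0, 0, 0, 0, 0, 0x10)
    return bytes(ehdr) + phdr


if __name__ == "__main__":
    # Usage: python3 execstack_check.py path/to/binary   (hypothetical file name)
    path = sys.argv[1] if len(sys.argv) > 1 else None
    image = open(path, "rb").read() if path else build_sample_elf64(True)
    print("executable stack" if has_exec_stack(image) else "stack is non-executable")
```

Running it against the unpacked Electron binary during the prime step gives the same answer as `execstack -q`, and clear_exec_stack() is a one-shot equivalent of the `watch ... execstack -c` loop: once PF_X is cleared the process no longer gets READ_IMPLIES_EXEC, its mmaps stop asking for "m", and the /dev/nvidiactl denial disappears without widening the AppArmor profile.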

The Cumulonimbus snap was updated some days ago to clear the execstack. I am running it on nvidia right now :)

I noticed that you included bluez in the list of plugs. When I don’t have bluez in the list of plugs, I get an AppArmor deny on bluez, but it doesn’t seem to negatively affect the application. I asked mborzecki about it and he said not to add bluez to the list of plugs.

Not a problem, I just thought I’d mention it since I was looking at Cumulonimbus to see if I missed anything in my Snap.