AppArmor denial for /dev/nvidiactl


#1

I am running Ubuntu 18.04 daily with a snap of Cumulonimbus installed which has the opengl interface defined.

I have raised a bug on Launchpad for this issue:

I see the following AppArmor denial in syslog when starting the Cumulonimbus snap.

Dec 18 17:30:16 skull kernel: [11774.344461] audit: type=1400 audit(1513618216.704:914): apparmor="DENIED" operation="file_mmap" profile="snap.cumulonimbus.cumulonimbus" name="/dev/nvidiactl" pid=23037 comm="cumulonimbus" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0

snap version outputs:

snap    2.29.4.2
snapd   2.29.4.2
series  16
ubuntu  18.04
kernel  4.13.0-17-generic

The snapcraft.yaml for Cumulonimbus is available here:


#2

Looks similar to:

What version of nvidia drivers do you use (nvidia libraries and kernel modules)?


#3

I have the following installed:

Package: nvidia-384
Version: 384.90-0ubuntu6

Looks like this issue was discussed here and fixed with this, which is scheduled for snapd 2.30.


#4

No, this isn’t fixed in snapd. The denial is an ‘mmap’ denial:

audit: type=1400 audit(1513618216.704:914): apparmor="DENIED" operation="file_mmap" profile="snap.cumulonimbus.cumulonimbus" name="/dev/nvidiactl" pid=23037 comm="cumulonimbus" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0

It seems the application has an executable stack. Please see Snap and executable stacks.


#5

It seems like electron builds occasionally have binaries with executable stacks, but not all of them. It would be great if snapcraft as a matter of course detected this, gave a warning (ideally pointing to the aforementioned forum topic) and then stripped it automatically. @sergiusens or @kyrofa - is this something you could add to your roadmap?


#6

It certainly is, a bug would help here. This seems like a task we can perform during prime as we now do with patchelf.


#7

@sergiusens - https://bugs.launchpad.net/snapcraft/+bug/1739066


#8

A workaround to Electron having executable stacks and electron-builder not clearing them is to run
watch -n 0.1 execstack -c ./dist/linux-unpacked/cumulonimbus
in the background. Add libgl1-mesa-glx to stagePackages, and Electron WebGL should work in your Cumulonimbus Snap on Nvidia cards. That’s what jdstrand and I came up with when I was packaging Polarr at least, and it worked there.
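A build-time check for the executable stack that #5 and #6 want snapcraft to detect and that this post clears with execstack, as an added example that is not snapcraft's, electron-builder's or the Cumulonimbus snap's own code: it reads the ELF PT_GNU_STACK program header directly (an executable stack makes the kernel set READ_IMPLIES_EXEC, so every file mmap carries the 'm' request that AppArmor denies) and clears PF_X the way `execstack -c` does. sample_elf64 is a constructed test input, not a real binary.

```python
import struct

PT_GNU_STACK = 0x6474E551  # program header recording the stack permissions
PF_X = 0x1                 # execute bit in p_flags

def _layout(data):
    """(endian, e_phoff, e_phentsize, e_phnum, offset of p_flags within a phdr)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    e = "<" if data[5] == 1 else ">"   # EI_DATA: 1 = little endian, 2 = big endian
    if data[4] == 2:                   # EI_CLASS 2 = ELF64
        return (e, struct.unpack_from(e + "Q", data, 32)[0], *struct.unpack_from(e + "HH", data, 54), 4)
    return (e, struct.unpack_from(e + "I", data, 28)[0], *struct.unpack_from(e + "HH", data, 42), 24)

def _flags_pos(data):
    """(endian, byte offset of PT_GNU_STACK.p_flags), or (endian, None) if the header is absent."""
    e, phoff, phentsize, phnum, flags_off = _layout(data)
    for i in range(phnum):
        base = phoff + i * phentsize
        if struct.unpack_from(e + "I", data, base)[0] == PT_GNU_STACK:
            return e, base + flags_off
    return e, None

def stack_state(data):
    """'executable', 'non-executable' or 'missing' (no PT_GNU_STACK at all, which the
    kernel treats as executable on x86, so a build check should reject it too)."""
    e, pos = _flags_pos(data)
    if pos is None:
        return "missing"
    return "executable" if struct.unpack_from(e + "I", data, pos)[0] & PF_X else "non-executable"

def clear_execstack(data):
    """Copy of data with PF_X cleared on PT_GNU_STACK: the same edit `execstack -c` makes."""
    e, pos = _flags_pos(data)
    if pos is None:
        raise ValueError("no PT_GNU_STACK header to patch")
    out = bytearray(data)
    struct.pack_into(e + "I", out, pos, struct.unpack_from(e + "I", out, pos)[0] & ~PF_X)
    return bytes(out)

def sample_elf64(execstack):
    """Constructed minimal little-endian x86-64 ELF with one PT_GNU_STACK header (test input)."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    flags = 0x6 | (PF_X if execstack else 0)  # PF_R | PF_W, plus PF_X for the bad case
    return ehdr + struct.pack("<IIQQQQQQ", PT_GNU_STACK, flags, 0, 0, 0, 0, 0, 16)
```

Run stack_state over the primed binary (here ./dist/linux-unpacked/cumulonimbus) from a snapcraft prime step and fail the build on anything but 'non-executable'; clear_execstack or execstack -c then fixes the file in place before it is packed.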


#9

The Cumulonimbus snap was updated some days ago to clear the execstack. I am running it on nvidia right now :slight_smile:


#10

I noticed that you included bluez in the list of plugs. When I don’t have bluez in the list of plugs, I get an AppArmor deny on bluez, but it doesn’t seem to negatively affect the application. I asked mborzecki about it and he said not to add bluez to the list of plugs.

Not a problem, I just thought I’d mention it since I was looking at Cumulonimbus to see if I missed anything in my Snap.