AppArmor denial for /dev/nvidiactl

Wimpress · December 18, 2017, 5:53pm

I am running Ubuntu 18.04 daily with a snap of Cumulonimbus installed with has the opengl interface defined.

I have raised a bug on Launchpad for this issue:

https://bugs.launchpad.net/snapd/+bug/1738846

I see the following AppArmor denial in syslog when starting the Cumulonimbus snap.

Dec 18 17:30:16 skull kernel: [11774.344461] audit: type=1400 audit(1513618216.704:914): apparmor="DENIED" operation="file_mmap" profile="snap.cumulonimbus.cumulonimbus" name="/dev/nvidiactl" pid=23037 comm="cumulonimbus" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0

snap version outputs:

snap    2.29.4.2
snapd   2.29.4.2
series  16
ubuntu  18.04
kernel  4.13.0-17-generic

The snapcraft.yaml for Cumulonimbus is available here:

https://github.com/snapcrafters/cumulonimbus/blob/master/snap/snapcraft.yaml

mborzecki · December 18, 2017, 6:11pm

Looks similar to:

What version of nvidia drivers do you use (nvidia libraries and kernel modules)?

Wimpress · December 18, 2017, 6:15pm

I have the following installed:

Package: nvidia-384
Version: 384.90-0ubuntu6

Looks like this issue was discussed here and fixed with this which is scheduled for snapd 2.30.

jdstrand · December 18, 2017, 10:35pm

No, this isn’t fixed in snapd. The denial is an ‘mmap’ denial:

audit: type=1400 audit(1513618216.704:914): apparmor="DENIED" operation="file_mmap" profile="snap.cumulonimbus.cumulonimbus" name="/dev/nvidiactl" pid=23037 comm="cumulonimbus" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0

It seems the application has an executable stack. Please see Snap and executable stacks.

jdstrand · December 18, 2017, 10:39pm

It seems like electron builds occasionally have binaries with executable stacks, but not all of them. It would be great if snapcraft as a matter of course detected this, gave a warning (ideally pointing to the aforementioned forum topic) and then stripped it automatically. @sergiusens or @kyrofa - is this something you could add to your roadmap?

sergiusens · December 19, 2017, 12:37pm

It certainly is, a bug would help here. This seems like a task we can perform during prime as we now do with patchelf.

jdstrand · December 19, 2017, 3:03pm

@sergiusens - https://bugs.launchpad.net/snapcraft/+bug/1739066

dmiller309 · December 22, 2017, 2:47am

A workaround to Electron having executable stacks and electron-builder not clearing them is to run
watch -n 0.1 execstack -c ./dist/linux-unpacked/cumulonimbus
in the background. Add libgl1-mesa-glx to stagePackages, and Electron WebGL should work in your Cumulonimbus Snap on Nvidia cards. That’s what jdstrand and I came up with when I was packaging Polarr at least, and it worked there.

Wimpress · December 22, 2017, 11:50am

The Cumulonimbus snap was updated some days ago to clear the execstack. I am running it on nvidia right now

dmiller309 · December 25, 2017, 7:07am

I noticed that you included bluez in the list of plugs. When I don’t have bluez in the list of plugs, I get an AppArmor deny on bluez, but it doesn’t seem to negatively affect the application. I asked mborzecki about it and he said not to add bluez to the list of plugs.

Not a problem, I just thought I’d mention it since I was looking at Cumulonimbus to see if I missed anything in my Snap.