Various AppArmor denials for Wire snap

Hi all,

Some issues were found in the Wire snap which I’ve been investigating. One issue we’ve noticed is that using the camera interface and manually connecting it still results in this AppArmor denial.

Oct  6 15:33:05 skull kernel: [365699.920713] audit: type=1400 audit(1507300385.976:3654): apparmor="DENIED" operation="file_mmap" profile="snap.wire.wire" name="/dev/video0" pid=14696 comm="V4L2CaptureThre" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0
1 Like

@jdstrand Should we include mmap on the camera interface?

Wire suffers from https://forum.snapcraft.io/t/snap-and-executable-stacks/1812:

$ snap-review ./wire_1.snap 
Warnings
--------
 - functional-snap-v2:execstack
	Found files with executable stack. This adds PROT_EXEC to mmap(2) during mediation which may cause security denials. Either adjust your program to not require an executable stack, strip it with 'execstack --clear-execstack ...' or remove the affected file from your snap. Affected files: opt/wire-desktop/wire-desktop
	https://forum.snapcraft.io/t/snap-and-executable-stacks/1812

./wire_1.snap: FAIL

If you clear the execstack bit, it should start working.

2 Likes

Hmm, I thought I’d used the review tool on Wire. I’ll clear the execstack and re-test. Thanks. @sergiusens We discussed snapcraft doing this by default at the rally, is that still on the roadmap?

I confirm that the camera is working now that execstack is cleared. However, you can’t be heard when initiating a call and this AppArmor denial is logged:

Oct  9 11:36:54 skull kernel: [610725.227947] audit: type=1326 audit(1507545414.618:33407): auid=1000 uid=1000 gid=1000 ses=1 pid=3799 comm="Chrome_libJingl" exe="/snap/wire/x3/opt/wire-desktop/wire-desktop" sig=31 arch=c000003e syscall=41 compat=0 ip=0x7f25297a0567 code=0x0

I tried enabling the browser sandbox but that denial is logged regardless. Any idea what it might be related to?
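An added triage helper, not code from this thread or from snapd: it parses the two kinds of audit lines quoted above (type=1400 AppArmor file denials and type=1326 seccomp denials), decodes syscall 41 on arch c000003e as socket and signal 31 as SIGSYS, and collapses repeated lines into counts. The arch, syscall and signal tables are assumptions trimmed to what these lines need.

```python
import re
from collections import Counter

# Sample input: the audit lines quoted in this thread (kernel prefixes kept as posted).
SAMPLE_LOG = """\
Oct  6 15:33:05 skull kernel: [365699.920713] audit: type=1400 audit(1507300385.976:3654): apparmor="DENIED" operation="file_mmap" profile="snap.wire.wire" name="/dev/video0" pid=14696 comm="V4L2CaptureThre" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0
Oct  9 11:36:54 skull kernel: [610725.227947] audit: type=1326 audit(1507545414.618:33407): auid=1000 uid=1000 gid=1000 ses=1 pid=3799 comm="Chrome_libJingl" exe="/snap/wire/x3/opt/wire-desktop/wire-desktop" sig=31 arch=c000003e syscall=41 compat=0 ip=0x7f25297a0567 code=0x0
Oct  9 11:57:23 skull kernel: [611954.501122] audit: type=1400 audit(1507546643.907:33522): apparmor="DENIED" operation="open" profile="snap.wire.wire" name="/sys/devices/pci0000:00/0000:00:02.0/revision" pid=28267 comm="wire-desktop" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct  9 11:57:23 skull kernel: [611954.501160] audit: type=1400 audit(1507546643.907:33523): apparmor="DENIED" operation="open" profile="snap.wire.wire" name="/sys/devices/pci0000:00/0000:00:02.0/revision" pid=28267 comm="wire-desktop" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

# Assumption: only the x86_64 entries needed for the lines above are listed.
AUDIT_ARCH = {"c000003e": "x86_64"}
X86_64_SYSCALLS = {41: "socket"}
SIGNALS = {31: "SIGSYS"}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_line(line):
    """Return the audit record as a dict (type as int, quotes stripped), or None."""
    m = re.search(r"audit: type=(\d+)", line)
    if not m:
        return None
    rec = {"type": int(m.group(1))}
    for key, val in KV_RE.findall(line[m.end():]):
        rec[key] = val.strip('"')
    return rec


def classify(rec):
    """Map a record to a (kind, subject, detail) tuple that groups identical denials."""
    if rec["type"] == 1400 and rec.get("apparmor") == "DENIED":
        # AppArmor file mediation: which profile, which operation, which path, which bits.
        return ("apparmor", rec["profile"],
                f'{rec["operation"]} {rec["name"]} denied_mask={rec["denied_mask"]}')
    if rec["type"] == 1326:
        # seccomp: decode the syscall number for the reported arch and the delivered signal.
        arch = AUDIT_ARCH.get(rec.get("arch"), rec.get("arch"))
        nr = int(rec["syscall"])
        name = X86_64_SYSCALLS.get(nr, f"syscall#{nr}") if arch == "x86_64" else f"syscall#{nr}"
        sig = SIGNALS.get(int(rec["sig"]), rec["sig"])
        return ("seccomp", rec["comm"], f"{name} ({arch}) -> {sig}")
    return None


def summarize_denials(text):
    """Count distinct denials so the repeated /sys revision lines collapse into one row."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_audit_line(line)
        key = classify(rec) if rec else None
        if key:
            counts[key] += 1
    return counts
```

Running `summarize_denials(SAMPLE_LOG)` yields one mmap denial on /dev/video0, one seccomp SIGSYS on socket, and the revision line counted twice.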

We have discovered that the opengl interface is also required by Wire and since enabling that the following denials are now logged:

Oct  9 11:57:23 skull kernel: [611954.501122] audit: type=1400 audit(1507546643.907:33522): apparmor="DENIED" operation="open" profile="snap.wire.wire" name="/sys/devices/pci0000:00/0000:00:02.0/revision" pid=28267 comm="wire-desktop" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct  9 11:57:23 skull kernel: [611954.501160] audit: type=1400 audit(1507546643.907:33523): apparmor="DENIED" operation="open" profile="snap.wire.wire" name="/sys/devices/pci0000:00/0000:00:02.0/revision" pid=28267 comm="wire-desktop" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct  9 11:57:23 skull kernel: [611954.501229] audit: type=1400 audit(1507546643.907:33524): apparmor="DENIED" operation="open" profile="snap.wire.wire" name="/sys/devices/pci0000:00/0000:00:02.0/revision" pid=28267 comm="wire-desktop" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct  9 11:57:23 skull kernel: [611954.501257] audit: type=1400 audit(1507546643.908:33525): apparmor="DENIED" operation="open" profile="snap.wire.wire" name="/sys/devices/pci0000:00/0000:00:02.0/revision" pid=28267 comm="wire-desktop" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct  9 11:57:23 skull kernel: [611954.501301] audit: type=1400 audit(1507546643.908:33526): apparmor="DENIED" operation="open" profile="snap.wire.wire" name="/sys/devices/pci0000:00/0000:00:02.0/revision" pid=28267 comm="wire-desktop" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct  9 11:57:23 skull kernel: [611954.501329] audit: type=1400 audit(1507546643.908:33527): apparmor="DENIED" operation="open" profile="snap.wire.wire" name="/sys/devices/pci0000:00/0000:00:02.0/revision" pid=28267 comm="wire-desktop" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

Wire crashes on some devices when a call is disconnected. We will unpublish this snap as there are several blockers.

This is fixed in 2.28, which is now in stable. 2.28 has other fixes that may help. Can you try again and report back if there are any issues (and security denials)?

@jdstrand I confirm that the /sys/devices/pci0000:00/0000:00:02.0/revision are gone with snapd 2.28. Thanks.
