I’m running the Spotify snap (version 1.1.46.916.g416cacf1, snapd 2.48+20.04 on Ubuntu 20.04), and noticed repeated apparmor audit messages for stuff that was denied. I understand that snapd generates this policy based on the snap metadata, so I’m wondering where these should be fixed (by silently denying them, or allowing them)? Iow, should I report a bug with Spotify and if so, what should I tell them?
The errors are:

```
[960286.727553] audit: type=1400 audit(1607100224.709:35211): apparmor="DENIED" operation="open" profile="snap.spotify.spotify" name="/home/matthijs/.config/xdg-templates/" pid=3220240 comm="head" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[960291.908537] audit: type=1400 audit(1607100229.889:35212): apparmor="DENIED" operation="open" profile="snap.spotify.spotify" name="/home/matthijs/.local/share/glib-2.0/schemas/gschemas.compiled" pid=3220144 comm="spotify" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[960293.920460] audit: type=1107 audit(1607100231.901:35213): pid=1513 uid=105 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/NetworkManager" interface="org.freedesktop.NetworkManager" member="state" mask="send" name=":1.6549" pid=3220144 label="snap.spotify.spotify" peer_pid=1173777 peer_label="unconfined" exe="/usr/bin/dbus-daemon" sauid=105 hostname=? addr=? terminal=?'
[961133.425258] audit: type=1107 audit(1607101071.403:35231): pid=1513 uid=105 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_signal" bus="system" path="/org/freedesktop/NetworkManager" interface="org.freedesktop.NetworkManager" member="CheckPermissions" name=":1.6549" mask="receive" pid=3220144 label="snap.spotify.spotify" peer_pid=1173777 peer_label="unconfined" exe="/usr/bin/dbus-daemon" sauid=105 hostname=? addr=? terminal=?'
```
The error for `/home/matthijs/.config/xdg-templates/` sounds like it would be fixed by including `abstractions/xdg-desktop`, which I thought contains a blanket allow for `~/.config` and `~/.local`, so would fix the `/home/matthijs/.local/share/glib-2.0/schemas/gschemas.compiled` error as well. But it doesn't work here, so maybe the allow in that file is just for listing those directories, rather than accessing things under them, and explicit rules should be added? These error messages only happen once when starting spotify, so they're not too annoying (and Spotify probably doesn't really need either of these files, so no harm done).
Note that I think both of these files are not common; I suspect most people will not have either of them, so most people probably won't see these.

As for the `NetworkManager` dbus calls, it seems Spotify calls to dbus to get network information, which is not allowed. Is that something that must be explicitly enabled in the snap? Or should this be added to the default profile in snapd maybe? These seem to happen more often (seems they happen when devices are added or removed, i.e. USB devices), so are annoying in the log, and having access to the network state might actually be useful to Spotify as well.
I’ve now fixed this locally by adding these rules to ``, but that will of course be overwritten on an update, so I’d rather get this fixed properly.
```
dbus (send, receive)
    bus=system
    path="/org/freedesktop/NetworkManager"
    interface="org.freedesktop.NetworkManager"
    member="{CheckPermissions,state}",
owner @{HOME}/.config/xdg-templates/ r,
owner @{HOME}/.local/share/glib-2.0/schemas/gschemas.compiled r,
```
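A small triage script, added here as an illustration and not part of the original post or of snapd: it parses denial records like the ones above (one record per line, as dmesg prints them; the sample is constructed from the post's own entries), unwraps the `msg='...'` envelope of type=1107 D-Bus records, and prints the candidate rule a reviewer would then decide to grant through a snap interface, add to the snap, or leave denied.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the denials quoted above, one audit record per line.
SAMPLE_LOG = """\
[960286.727553] audit: type=1400 audit(1607100224.709:35211): apparmor="DENIED" operation="open" profile="snap.spotify.spotify" name="/home/matthijs/.config/xdg-templates/" pid=3220240 comm="head" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[960293.920460] audit: type=1107 audit(1607100231.901:35213): pid=1513 uid=105 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/NetworkManager" interface="org.freedesktop.NetworkManager" member="state" mask="send" name=":1.6549" pid=3220144 label="snap.spotify.spotify" peer_pid=1173777 peer_label="unconfined" exe="/usr/bin/dbus-daemon" sauid=105 hostname=? addr=? terminal=?'
[961133.425258] audit: type=1107 audit(1607101071.403:35231): pid=1513 uid=105 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_signal" bus="system" path="/org/freedesktop/NetworkManager" interface="org.freedesktop.NetworkManager" member="CheckPermissions" name=":1.6549" mask="receive" pid=3220144 label="snap.spotify.spotify" peer_pid=1173777 peer_label="unconfined" exe="/usr/bin/dbus-daemon" sauid=105 hostname=? addr=? terminal=?'
"""

# key=value pairs; a value is either double-quoted or a bare token (pid=1513, hostname=?)
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line: str) -> Dict[str, str]:
    """Flatten one audit record into a dict. type=1107 records wrap the AppArmor fields in
    msg='...'; that wrapper is stripped. A repeated key (pid= in D-Bus records) keeps its last value."""
    line = line.replace("msg='", "").rstrip().rstrip("'")
    return {k: v.strip('"') for k, v in KV.findall(line)}

def suggest_rule(rec: Dict[str, str]) -> Optional[str]:
    """Turn a parsed denial into a candidate AppArmor rule for human review (not auto-applied)."""
    if rec.get("operation", "").startswith("dbus_"):
        # mask is "send" for a method call the snap made, "receive" for a signal delivered to it
        return (f'dbus ({rec["mask"]}) bus={rec["bus"]} path="{rec["path"]}" '
                f'interface="{rec["interface"]}" member="{rec["member"]}",')
    if "name" in rec and "denied_mask" in rec:
        # File access: generalise /home/<user>/ to @{HOME} and keep the rule owner-restricted
        # when the process uid (fsuid) matched the file owner (ouid), as in the post's rules.
        path = re.sub(r"^/home/[^/]+/", "@{HOME}/", rec["name"])
        owner = "owner " if rec.get("fsuid") == rec.get("ouid") else ""
        return f"{owner}{path} {rec['denied_mask']},"
    return None

def triage(log_text: str) -> List[Tuple[str, str]]:
    """Unique (profile, candidate rule) pairs in first-seen order; non-denials are skipped."""
    seen, out = set(), []
    for line in log_text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        rec = parse_record(line)
        profile = rec.get("profile") or rec.get("label", "?")  # 1400 uses profile=, 1107 uses label=
        rule = suggest_rule(rec)
        if rule and (profile, rule) not in seen:
            seen.add((profile, rule))
            out.append((profile, rule))
    return out

if __name__ == "__main__":
    for profile, rule in triage(SAMPLE_LOG):
        print(f"{profile}: {rule}")
```

The suggestions are deliberately narrow (one member, one path); for a snap they are input for a bug report or an interface plug, since hand edits to the generated profile are lost on the next refresh, as the post notes.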