Auto connections for zoom-client

Zoom is a proprietary Qt based video conferencing software.

The application hangs hard if the audio-record interface is not connected and a user enters a meeting … along with this, users do not easily grok that they have to connect the camera interface to actually use the camera.

At startup Zoom tries to query network manager via dbus to get info about the connection status.
For this the network-manager-observe interface needs to be connected (admittedly the application seems to function without it connected but spams the logs)

Zoom features a “Virtual background” which essentially allows you to put any picture as background into your video (kind of a green-screen technology). For finding out if the system is capable to render green-screen video at all, the app calls a builtin lscpu binary which in turn requires the hardware-observe interface to be connected.

The application also runs qtdiag to find out other system information which needs the system-observe interface connected, while it seems to have no negative effect on the application to have it disconnected, the journal gets massively spammed with denials on application startup.

So based on the above i’m requesting auto connection for:

camera
audio-record
network-manager-observe
hardware-observe
system-observe

With the first two being critical for the app to work and the latter three being a convenience for the user …

Note that the zoom-client snap seems to be very popular (12000 active installs since initial publication last week) so it would be nice to at least get the first two approved very soon.

2 Likes

@ogra network-manager provides privileged access to configure networking etc - can zoom-client use network-manager-observe instead?

I’ll try, will report back before EOD

Yes, network-manager-observe works fine, i changed the source to use it (building in edge right now)

+1 from me for all of camera audio-record network-manager-observe hardware-observe and system-observe for zoom-client - these all seem quite reasonable for this application’s use-cases.

3 Likes

Any other @reviewers ? (zoom is nearing 30000 active installs but gets a lot of bad reviews from people not connecting the interfaces)

+1 from me on camera audio-record network-manager-observe hardware-observe and system-observe. The first two are the most sensitive ones, if we’re granting those it’s sort of inconsistent to hold back on the others, and it does enhance the convenience.

I was on the fence given recent news coverage of Zoom and security/privacy but from a technical standpoint, the requested interfaces are clear and consistent with the application’s purpose and usage. It’s fair to assume anyone installing this is well aware of any implications which OTOH are not for us to police. So indeed +1 :slight_smile:

  • Daniel
1 Like

It is clear why camera and audio-record are needed. It is also clear that network-manager-observe is needed to detect online status. +1 to auto-connect these. I’ll just tally the votes now for these. 3 votes for, 0 against. Granting. This is now live.

You mentioned that hardware-observe and system-observe are ‘a convenience for the user’ but don’t mention what it is trying to access. I realize it is a proprietary app, but can you provide more detail? At least the sandbox denials? I’d like to better understand this before casting my vote.

Lastly for anyone who comes across this since I’ve seen it come up a couple of times as justification for voting: a snap probably shouldn’t yet be in the stable channel if its auto-connections for core functionality haven’t been voted on yet.

1 Like

with hardware-observe disconnected:

[78896.897249] audit: type=1400 audit(1586954703.385:1039): apparmor="DENIED" operation="open" profile="snap.zoom-client.zoom-client" name="/proc/bus/pci/devices" pid=17315 comm="lscpu" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

as i mentioned above this lscpu check is used to determine if the hardware is capable of rendering a green-screen “virtual background” (it also pops up a warning on first start of the app that the HW capabilities can not be determined (but works nonetheless and even provides the virtual bg))

with system-observe disconnected:

[79133.652994] audit: type=1400 audit(1586954940.141:1061): apparmor="DENIED" operation="open" profile="snap.zoom-client.zoom-client" name="/proc/1/cmdline" pid=18107 comm="pidof" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[79133.653069] audit: type=1400 audit(1586954940.141:1062): apparmor="DENIED" operation="open" profile="snap.zoom-client.zoom-client" name="/proc/2/cmdline" pid=18107 comm="pidof" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[79133.653071] audit: type=1400 audit(1586954940.141:1063): apparmor="DENIED" operation="open" profile="snap.zoom-client.zoom-client" name="/proc/4/cmdline" pid=18107 comm="pidof" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[79133.653073] audit: type=1400 audit(1586954940.141:1064): apparmor="DENIED" operation="open" profile="snap.zoom-client.zoom-client" name="/proc/6/cmdline" pid=18107 comm="pidof" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[79133.653075] audit: type=1400 audit(1586954940.141:1065): apparmor="DENIED" operation="open" profile="snap.zoom-client.zoom-client" name="/proc/7/cmdline" pid=18107 comm="pidof" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[79133.653077] audit: type=1400 audit(1586954940.141:1066): apparmor="DENIED" operation="open" profile="snap.zoom-client.zoom-client" name="/proc/8/cmdline" pid=18107 comm="pidof" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[79133.653102] audit: type=1400 audit(1586954940.141:1067): apparmor="DENIED" operation="open" profile="snap.zoom-client.zoom-client" name="/proc/9/cmdline" pid=18107 comm="pidof" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[79133.653124] audit: type=1400 audit(1586954940.141:1068): apparmor="DENIED" operation="open" profile="snap.zoom-client.zoom-client" name="/proc/10/cmdline" pid=18107 comm="pidof" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[79133.653141] audit: type=1400 audit(1586954940.141:1069): apparmor="DENIED" operation="open" profile="snap.zoom-client.zoom-client" name="/proc/11/cmdline" pid=18107 comm="pidof" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[79133.653159] audit: type=1400 audit(1586954940.141:1070): apparmor="DENIED" operation="open" profile="snap.zoom-client.zoom-client" name="/proc/12/cmdline" pid=18107 comm="pidof" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

here it seems to iterate over the first 12 processes in the process list, i assume to simply get the invocation options for systemd (init) … i have not seen any issues when having system-observe disconnected apart from the log noise (but i like to have my snaps run as clean as possible so i thought i’d ask for autoconnect here too)

heh, being a burned child now i’ll surely take that into account in the future, I have been playing with the snap since pre-corona times already and it had at most 200 users during that time, giving feedback and helping testing (and being capable of understanding to manually connect interfaces), the massive spike in installations kind of hit me by surprise :slight_smile:
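One way to triage denials like the ones posted above, added here as an example and not code from snapd or from any poster in this thread: it parses AppArmor audit records, collapses per-PID `/proc` paths so repeated noise counts as one entry, and tallies denials per command. The `THREAD_HINTS` mapping is an assumption that covers only the two paths this thread ties to hardware-observe and system-observe, and the last sample line is constructed.

```python
import re
from collections import Counter

# key="value" or key=value pairs inside one audit record
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
PID_DIR = re.compile(r'^/proc/\d+/')

# Path -> interface hints taken only from what this thread reports
# (assumption: not snapd's policy, just the two cases discussed here).
THREAD_HINTS = [
    (re.compile(r'^/proc/bus/pci/devices$'), "hardware-observe"),
    (re.compile(r'^/proc/\d+/cmdline$'), "system-observe"),
]

# First three records are copied from the thread; the last one is constructed.
SAMPLE = [
    '[78896.897249] audit: type=1400 audit(1586954703.385:1039): apparmor="DENIED" operation="open" profile="snap.zoom-client.zoom-client" name="/proc/bus/pci/devices" pid=17315 comm="lscpu" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    '[79133.652994] audit: type=1400 audit(1586954940.141:1061): apparmor="DENIED" operation="open" profile="snap.zoom-client.zoom-client" name="/proc/1/cmdline" pid=18107 comm="pidof" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    '[79133.653069] audit: type=1400 audit(1586954940.141:1062): apparmor="DENIED" operation="open" profile="snap.zoom-client.zoom-client" name="/proc/2/cmdline" pid=18107 comm="pidof" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    '[79133.700000] audit: type=1400 audit(1586954940.200:1071): apparmor="ALLOWED" operation="open" profile="snap.example.app" name="/proc/1/cmdline" pid=1 comm="example" requested_mask="r" denied_mask="r"',
]

def parse_denial(line):
    """Return the fields of one AppArmor DENIED record, or None for any other line."""
    fields = {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}
    return fields if fields.get("apparmor") == "DENIED" else None

def hint_for(path):
    """Interface this thread associates with the denied path, or None if unknown."""
    for pattern, interface in THREAD_HINTS:
        if pattern.match(path):
            return interface
    return None

def summarize(lines):
    """Count denials per (profile, comm, path with PIDs collapsed, mask, hint)."""
    counts = Counter()
    for line in lines:
        denial = parse_denial(line)
        if denial is None:
            continue
        path = denial.get("name", "")
        counts[(denial.get("profile"), denial.get("comm"),
                PID_DIR.sub("/proc/<pid>/", path),
                denial.get("denied_mask"), hint_for(path))] += 1
    return counts

if __name__ == "__main__":
    for key, count in summarize(SAMPLE).most_common():
        print(count, *key)
```
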

Thanks for the added info. +1 for hardware-observe. I’m abstaining for system-observe since it isn’t clear why the snap would need the access.

3 votes for auto-connecting hardware-observe, 0 against.
2 votes for auto-connecting system-observe, 0 against, 1 abstained.

Granting auto-connect to hardware-observe and system-observe. This is now live.

1 Like