Call for testing: chromium snap


#1

A first version of the chromium snap was published yesterday in the snap store (candidate and beta channels).

The version in the candidate channel is 60.0.3112.101, which corresponds to the latest stable upstream release:

snap install --candidate chromium

The version in the beta channel is 61.0.3163.39, which corresponds to the latest beta upstream release:

snap install --beta chromium

Note that the snap can coexist with the official Ubuntu packages. If you want to remove those packages and use exclusively the snap, do the following:

sudo apt remove chromium-browser
sudo apt autoremove

Also note that the snap is currently published under my personal account, but we will soon transition to a shared account for the Ubuntu desktop team, meaning that the snap will receive official support.

Please test and report any issues you find with the snap. To report a bug, please use the tag “snap” and paste the output of the following commands:

lsb_release -a
snap info --verbose chromium core

Thanks in advance for all the feedback!


#2

Heyup lad. So on Solus it locks up (very likely a Solus integration issue):

Aug 16 14:54:56 ironhide chromium-browse[13362]: <audit-1400> apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/proc/vmstat" pid=13362 comm="chromium-browse" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug 16 14:54:56 ironhide kernel: audit: type=1400 audit(1502891696.983:2901): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/proc/vmstat" pid=13362 comm="chromium-browse" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug 16 14:54:58 ironhide TaskSchedulerFo[13362]: <audit-1400> apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/run/udev/data/c202:5" pid=13362 comm="TaskSchedulerFo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug 16 14:54:58 ironhide TaskSchedulerFo[13362]: <audit-1400> apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/run/udev/data/c202:3" pid=13362 comm="TaskSchedulerFo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug 16 14:54:58 ironhide TaskSchedulerFo[13362]: <audit-1400> apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/run/udev/data/c202:1" pid=13362 comm="TaskSchedulerFo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug 16 14:54:58 ironhide TaskSchedulerFo[13362]: <audit-1400> apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/run/udev/data/c202:6" pid=13362 comm="TaskSchedulerFo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug 16 14:54:58 ironhide TaskSchedulerFo[13362]: <audit-1400> apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/run/udev/data/c202:4" pid=13362 comm="TaskSchedulerFo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug 16 14:54:58 ironhide TaskSchedulerFo[13362]: <audit-1400> apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/run/udev/data/c202:2" pid=13362 comm="TaskSchedulerFo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug 16 14:54:58 ironhide TaskSchedulerFo[13362]: <audit-1400> apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/run/udev/data/c202:0" pid=13362 comm="TaskSchedulerFo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug 16 14:54:58 ironhide TaskSchedulerFo[13362]: <audit-1400> apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/run/udev/data/c202:7" pid=13362 comm="TaskSchedulerFo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug 16 14:54:58 ironhide TaskSchedulerFo[13362]: <audit-1400> apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/run/udev/data/c252:0" pid=13362 comm="TaskSchedulerFo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

Anywho the denials are happening in/around udev, and my Chromium window is just black. I’ll check if the Solus patches for apparmor accommodate /run/udev but I’m sure that’s the default …


#3

FYI, the udev denials here are almost always non-fatal. The vmstat one is interesting. Can you add this to /var/lib/snapd/apparmor/profiles/snap.chromium.chromium:

@{PROC}/vmstat r,

Then run: sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap.chromium.chromium.

If it still doesn’t work, you can add this apparmor rule to confirm the udev denials aren’t causing an issue:

/run/udev/** r,

#4

Thx for the package. I encountered CJK fonts not displaying properly.


#5
Aug 16 15:23:10 ironhide kernel: audit: type=1400 audit(1502893390.799:3993): apparmor="DENIED" operation="capable" profile="snap.chromium.chromium" pid=19368 comm="desktop-launch" capability=2  capname="dac_read_search"
Aug 16 15:23:10 ironhide kernel: audit: type=1400 audit(1502893390.799:3993): apparmor="DENIED" operation="capable" profile="snap.chromium.chromium" pid=19368 comm="desktop-launch" capability=1  capname="dac_override"
Aug 16 15:23:10 ironhide kernel: audit: type=1300 audit(1502893390.799:3993): arch=c000003e syscall=2 success=no exit=-13 a0=7ffed0024d00 a1=80000 a2=7f05e6a50168 a3=7f05e6a50480 items=0 ppid=19366 pid=19368 auid=4294967295 uid=0 gid=0 eui
Aug 16 15:23:10 ironhide kernel: audit: type=1327 audit(1502893390.799:3993): proctitle=2F62696E2F62617368002F736E61702F6368726F6D69756D2F312F62696E2F6465736B746F702D6C61756E6368006368726F6D69756D2D62726F777365722E6C61756E63686572
Aug 16 15:23:10 ironhide kernel: audit: type=1400 audit(1502893390.799:3994): apparmor="DENIED" operation="capable" profile="snap.chromium.chromium" pid=19368 comm="desktop-launch" capability=2  capname="dac_read_search"
Aug 16 15:23:10 ironhide kernel: audit: type=1400 audit(1502893390.799:3994): apparmor="DENIED" operation="capable" profile="snap.chromium.chromium" pid=19368 comm="desktop-launch" capability=1  capname="dac_override"
Aug 16 15:23:10 ironhide kernel: audit: type=1300 audit(1502893390.799:3994): arch=c000003e syscall=4 success=no exit=-13 a0=7ffed0024d00 a1=7ffed0024de0 a2=7ffed0024de0 a3=7f05e6a50480 items=0 ppid=19366 pid=19368 auid=4294967295 uid=0 gi
Aug 16 15:23:10 ironhide kernel: audit: type=1327 audit(1502893390.799:3994): proctitle=2F62696E2F62617368002F736E61702F6368726F6D69756D2F312F62696E2F6465736B746F702D6C61756E6368006368726F6D69756D2D62726F777365722E6C61756E63686572
Aug 16 15:23:10 ironhide desktop-launch[19368]: <audit-1400> apparmor="DENIED" operation="capable" profile="snap.chromium.chromium" pid=19368 comm="desktop-launch" capability=2  capname="dac_read_search"
Aug 16 15:23:10 ironhide desktop-launch[19368]: <audit-1400> apparmor="DENIED" operation="capable" profile="snap.chromium.chromium" pid=19368 comm="desktop-launch" capability=1  capname="dac_override"
Aug 16 15:23:10 ironhide unknown: <audit-1327> proctitle=2F62696E2F62617368002F736E61702F6368726F6D69756D2F312F62696E2F6465736B746F702D6C61756E6368006368726F6D69756D2D62726F777365722E6C61756E63686572
Aug 16 15:23:10 ironhide kernel: audit: type=1400 audit(1502893390.801:3995): apparmor="DENIED" operation="capable" profile="snap.chromium.chromium" pid=19368 comm="desktop-launch" capability=2  capname="dac_read_search"
Aug 16 15:23:10 ironhide kernel: audit: type=1400 audit(1502893390.801:3995): apparmor="DENIED" operation="capable" profile="snap.chromium.chromium" pid=19368 comm="desktop-launch" capability=1  capname="dac_override"
Aug 16 15:23:10 ironhide mkdir[19379]: <audit-1400> apparmor="DENIED" operation="mkdir" profile="snap.chromium.chromium" name="/run/user/0/" pid=19379 comm="mkdir" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
Aug 16 15:23:10 ironhide mkdir[19379]: <audit-1300> arch=c000003e syscall=83 success=no exit=-13 a0=7fff6cceb077 a1=1ff a2=7fff6cce9040 a3=376 items=0 ppid=19368 pid=19379 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsg
Aug 16 15:23:10 ironhide unknown: <audit-1327> proctitle=6D6B646972002D70002F72756E2F757365722F3000736E61702E6368726F6D69756D002D6D00373030
Aug 16 15:23:10 ironhide rm[19380]: <audit-1400> apparmor="DENIED" operation="capable" profile="snap.chromium.chromium" pid=19380 comm="rm" capability=2  capname="dac_read_search"
Aug 16 15:23:10 ironhide rm[19380]: <audit-1400> apparmor="DENIED" operation="capable" profile="snap.chromium.chromium" pid=19380 comm="rm" capability=1  capname="dac_override"
Aug 16 15:23:10 ironhide rm[19380]: <audit-1300> arch=c000003e syscall=2 success=no exit=-13 a0=7ffc1c23df70 a1=80000 a2=7fa9435a1168 a3=7fa9435a1480 items=0 ppid=19368 pid=19380 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgi
Aug 16 15:23:10 ironhide unknown: <audit-1327> proctitle=726D002D7266002F726F6F742F736E61702F6368726F6D69756D2F312F2E6C6F63616C2F73686172652F666F6E74636F6E666967002F726F6F742F736E61702F6368726F6D69756D2F312F2E6C6F63616C2F73686172652F666F6E
Aug 16 15:23:17 ironhide gio-querymodule[19390]: <audit-1400> apparmor="DENIED" operation="capable" profile="snap.chromium.chromium" pid=19390 comm="gio-querymodule" capability=2  capname="dac_read_search"
Aug 16 15:23:17 ironhide gio-querymodule[19390]: <audit-1400> apparmor="DENIED" operation="capable" profile="snap.chromium.chromium" pid=19390 comm="gio-querymodule" capability=1  capname="dac_override"
Aug 16 15:23:17 ironhide gio-querymodule[19390]: <audit-1300> arch=c000003e syscall=2 success=no exit=-13 a0=7fff4cc3b7e0 a1=80000 a2=7fa371333168 a3=7fa371333480 items=0 ppid=19368 pid=19390 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid
Aug 16 15:23:17 ironhide kernel: kauditd_printk_skb: 9 callbacks suppressed
Aug 16 15:23:17 ironhide kernel: audit: type=1400 audit(1502893397.659:3998): apparmor="DENIED" operation="capable" profile="snap.chromium.chromium" pid=19390 comm="gio-querymodule" capability=2  capname="dac_read_search"
Aug 16 15:23:17 ironhide kernel: audit: type=1400 audit(1502893397.659:3998): apparmor="DENIED" operation="capable" profile="snap.chromium.chromium" pid=19390 comm="gio-querymodule" capability=1  capname="dac_override"
Aug 16 15:23:17 ironhide kernel: audit: type=1300 audit(1502893397.659:3998): arch=c000003e syscall=2 success=no exit=-13 a0=7fff4cc3b7e0 a1=80000 a2=7fa371333168 a3=7fa371333480 items=0 ppid=19368 pid=19390 auid=4294967295 uid=0 gid=0 eui
Aug 16 15:23:17 ironhide kernel: audit: type=1327 audit(1502893397.659:3998): proctitle=2F736E61702F6368726F6D69756D2F312F7573722F6C69622F7838365F36342D6C696E75782D676E752F676C69622D322E302F67696F2D71756572796D6F64756C6573002F726F6F742F736
Aug 16 15:23:17 ironhide mkdir[19436]: <audit-1400> apparmor="DENIED" operation="capable" profile="snap.chromium.chromium" pid=19436 comm="mkdir" capability=2  capname="dac_read_search"
Aug 16 15:23:17 ironhide mkdir[19436]: <audit-1400> apparmor="DENIED" operation="capable" profile="snap.chromium.chromium" pid=19436 comm="mkdir" capability=1  capname="dac_override"
Aug 16 15:23:17 ironhide mkdir[19436]: <audit-1300> arch=c000003e syscall=2 success=no exit=-13 a0=7fffb2d1f490 a1=80000 a2=7f137b758168 a3=7f137b758480 items=0 ppid=19368 pid=19436 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 
Aug 16 15:23:17 ironhide kernel: audit: type=1400 audit(1502893397.898:3999): apparmor="DENIED" operation="capable" profile="snap.chromium.chromium" pid=19436 comm="mkdir" capability=2  capname="dac_read_search"
Aug 16 15:23:17 ironhide kernel: audit: type=1400 audit(1502893397.898:3999): apparmor="DENIED" operation="capable" profile="snap.chromium.chromium" pid=19436 comm="mkdir" capability=1  capname="dac_override"
Aug 16 15:23:17 ironhide kernel: audit: type=1300 audit(1502893397.898:3999): arch=c000003e syscall=2 success=no exit=-13 a0=7fffb2d1f490 a1=80000 a2=7f137b758168 a3=7f137b758480 items=0 ppid=19368 pid=19436 auid=4294967295 uid=0 gid=0 eui
Aug 16 15:23:17 ironhide kernel: audit: type=1327 audit(1502893397.898:3999): proctitle=6D6B646972002D70002F726F6F742F736E61702F6368726F6D69756D2F312F2E6C6F63616C2F73686172652F69636F6E732F64656661756C74
Aug 16 15:23:18 ironhide chromium-browse[19368]: <audit-1400> apparmor="DENIED" operation="capable" profile="snap.chromium.chromium" pid=19368 comm="chromium-browse" capability=23  capname="sys_nice"
Aug 16 15:23:18 ironhide chromium-browse[19368]: <audit-1300> arch=c000003e syscall=141 success=no exit=-13 a0=0 a1=0 a2=fffffff8 a3=60b3c0c180 items=0 ppid=19366 pid=19368 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fs
Aug 16 15:23:18 ironhide unknown: <audit-1327> proctitle=2F62696E2F62617368002F736E61702F6368726F6D69756D2F312F62696E2F6465736B746F702D6C61756E6368006368726F6D69756D2D62726F777365722E6C61756E63686572
Aug 16 15:23:18 ironhide kernel: audit: type=1400 audit(1502893398.267:4000): apparmor="DENIED" operation="capable" profile="snap.chromium.chromium" pid=19368 comm="chromium-browse" capability=23  capname="sys_nice"
Aug 16 15:23:18 ironhide kernel: audit: type=1300 audit(1502893398.267:4000): arch=c000003e syscall=141 success=no exit=-13 a0=0 a1=0 a2=fffffff8 a3=60b3c0c180 items=0 ppid=19366 pid=19368 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 
Aug 16 15:23:18 ironhide sudo[19365]: pam_unix(sudo:session): session closed for user root
Aug 16 15:23:34 ironhide chrome[13288]: <audit-1326> auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=13288 comm="chrome" exe="/opt/google/chrome/chrome" sig=0 arch=c000003e syscall=273 compat=0 ip=0x7ff485ff5777 code=0x50000
Aug 16 15:23:34 ironhide kernel: kauditd_printk_skb: 1 callbacks suppressed
Aug 16 15:23:34 ironhide kernel: audit: type=1326 audit(1502893414.012:4001): auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=13288 comm="chrome" exe="/opt/google/chrome/chrome" sig=0 arch=c000003e syscall=273 compat=0 ip=0x7ff485ff57
Aug 16 15:23:34 ironhide kernel: audit: type=1326 audit(1502893414.402:4002): auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=13045 comm="chrome" exe="/opt/google/chrome/chrome" sig=0 arch=c000003e syscall=273 compat=0 ip=0x7ff485ff57
Aug 16 15:23:34 ironhide chrome[13045]: <audit-1326> auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=13045 comm="chrome" exe="/opt/google/chrome/chrome" sig=0 arch=c000003e syscall=273 compat=0 ip=0x7ff485ff5777 code=0x50000
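The denials in #2 and #5 can be triaged mechanically. The following is an added example, not something from the snap or from anyone in this thread: it parses six of the lines quoted above (both the journald `<audit-1400>` form and the kernel `audit: type=1400` form), sets aside the /run/udev/ denials that #3 calls non-fatal, writes the rest as AppArmor rules in the form #3 uses, and lists the commands that were denied while running with fsuid=0, which is the question #10 raises below.

```python
import re
from collections import OrderedDict

# Six denial lines quoted from #2 and #5 above; both the journald "<audit-1400>"
# form and the kernel "audit: type=1400 audit(...)" form are represented.
SAMPLE_LOG = """\
Aug 16 14:54:56 ironhide chromium-browse[13362]: <audit-1400> apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/proc/vmstat" pid=13362 comm="chromium-browse" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug 16 14:54:56 ironhide kernel: audit: type=1400 audit(1502891696.983:2901): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/proc/vmstat" pid=13362 comm="chromium-browse" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug 16 14:54:58 ironhide TaskSchedulerFo[13362]: <audit-1400> apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/run/udev/data/c202:5" pid=13362 comm="TaskSchedulerFo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug 16 14:54:58 ironhide TaskSchedulerFo[13362]: <audit-1400> apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/run/udev/data/c252:0" pid=13362 comm="TaskSchedulerFo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug 16 15:23:10 ironhide kernel: audit: type=1400 audit(1502893390.799:3993): apparmor="DENIED" operation="capable" profile="snap.chromium.chromium" pid=19368 comm="desktop-launch" capability=1  capname="dac_override"
Aug 16 15:23:10 ironhide mkdir[19379]: <audit-1400> apparmor="DENIED" operation="mkdir" profile="snap.chromium.chromium" name="/run/user/0/" pid=19379 comm="mkdir" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
"""

# key=value or key="value"; group 2 holds a quoted value, group 3 a bare one.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Denials under these prefixes are the "almost always non-fatal" class from #3.
NOISE_PREFIXES = ("/run/udev/",)


def parse_denials(text):
    """One dict of audit fields per line carrying apparmor="DENIED"."""
    denials = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        denials.append({k: quoted or bare for k, quoted, bare in _KV.findall(line)})
    return denials


def is_noise(denial):
    return denial.get("name", "").startswith(NOISE_PREFIXES)


def suggest_rules(denials):
    """The AppArmor rule that would permit each non-noise denial, written the
    way #3 writes it: @{PROC} for /proc paths, the denied mask as the mode."""
    rules = OrderedDict()  # keeps first-seen order, drops duplicates
    for d in denials:
        if is_noise(d):
            continue
        if d["operation"] == "capable":
            rules["capability %s," % d["capname"]] = None
        else:
            path = d["name"]
            if path.startswith("/proc/"):
                path = "@{PROC}/" + path[len("/proc/"):]
            rules["%s %s," % (path, d["denied_mask"])] = None
    return list(rules)


def root_processes(denials):
    """Commands denied while running with fsuid=0: the clue #10 points at
    when asking how chromium was started."""
    return sorted({d["comm"] for d in denials if d.get("fsuid") == "0"})


if __name__ == "__main__":
    found = parse_denials(SAMPLE_LOG)
    print("rules to try:", *suggest_rules(found), sep="\n  ")
    print("denied as root:", root_processes(found))
```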

#6

Snap should be allowed to use system fonts.


#7

Thanks for the package! On Arch Linux here. Running snap run chromium I get:

[18856:18856:0816/124016.136482:FATAL:setuid_sandbox_host.cc(157)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /var/lib/snapd/snap/chromium/5/usr/lib/chromium-browser/chrome-sandbox is owned by root and has mode 4755.
#0 0x7f4a673433f7 base::debug::StackTrace::StackTrace()
#1 0x7f4a673647ad logging::LogMessage::~LogMessage()
#2 0x7f4a4ac65322 sandbox::SetuidSandboxHost::PrependWrapper()
#3 0x7f4a618dcd58 content::ZygoteHostImpl::LaunchZygote()
#4 0x7f4a618dbc1f content::ZygoteCommunication::Init()
#5 0x7f4a618dc19d content::CreateGenericZygote()
#6 0x7f4a6151acc7 content::BrowserMainLoop::EarlyInitialization()
#7 0x7f4a615211b5 <unknown>
#8 0x7f4a6151a3f2 content::BrowserMain()
#9 0x7f4a61c67c8f <unknown>
#10 0x7f4a678a019d service_manager::Main()
#11 0x7f4a61c66a62 content::ContentMain()
#12 0x00c678da6bac <unknown>
#13 0x7f4a4dbd4830 __libc_start_main
#14 0x00c678da6a09 <unknown>

Received signal 6
#0 0x7f4a673433f7 base::debug::StackTrace::StackTrace()
#1 0x7f4a67342f6f <unknown>
#2 0x7f4a67ae6390 <unknown>
#3 0x7f4a4dbe9428 gsignal
#4 0x7f4a4dbeb02a abort
#5 0x7f4a67341622 base::debug::BreakDebugger()
#6 0x7f4a67364b28 logging::LogMessage::~LogMessage()
#7 0x7f4a4ac65322 sandbox::SetuidSandboxHost::PrependWrapper()
#8 0x7f4a618dcd58 content::ZygoteHostImpl::LaunchZygote()
#9 0x7f4a618dbc1f content::ZygoteCommunication::Init()
#10 0x7f4a618dc19d content::CreateGenericZygote()
#11 0x7f4a6151acc7 content::BrowserMainLoop::EarlyInitialization()
#12 0x7f4a615211b5 <unknown>
#13 0x7f4a6151a3f2 content::BrowserMain()
#14 0x7f4a61c67c8f <unknown>
#15 0x7f4a678a019d service_manager::Main()
#16 0x7f4a61c66a62 content::ContentMain()
#17 0x00c678da6bac <unknown>
#18 0x7f4a4dbd4830 __libc_start_main
#19 0x00c678da6a09 <unknown>
  r8: 00007ffc02780970  r9: 00007f4a67de7a80 r10: 0000000000000008 r11: 0000000000000202
 r12: 00007f4a4e6071c0 r13: 00007ffc02780e70 r14: 0000000000000148 r15: 00007ffc02780e68
  di: 00000000000049a8  si: 00000000000049a8  bp: 00007ffc02781328  bx: 00007ffc02780970
  dx: 0000000000000006  ax: 0000000000000000  cx: 00007f4a4dbe9428  sp: 00007ffc027807e8
  ip: 00007f4a4dbe9428 efl: 0000000000000202 cgf: 002b000000000033 erf: 0000000000000000
 trp: 0000000000000000 msk: 0000000000000000 cr2: 0000000000000000
[end of stack trace]
Calling _exit(1). Core file will not be generated.

I tried to change the permissions of chrome-sandbox from

-r-xr-xr-x 1 root root    14112 Aug 15 10:16 chrome-sandbox

but the file system is read-only.

snap info:

snap    unknown
snapd   unknown
series  16
arch    unknown
kernel  4.12.3-1-ARCH

Pacman reports snapd is version 2.26.1-1.


#8

Hey, thanks for the package!
I’m on Ubuntu GNOME 17.04 and unfortunately it looks like I ran into a problem similar to Ikey’s:

Aug 16 18:55:46 ub01 kernel: [ 1435.576734] audit: type=1400 audit(1502902546.066:105): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/proc/vmstat" pid=8461 comm="chromium-browse" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug 16 18:55:47 ub01 kernel: [ 1436.622543] audit: type=1326 audit(1502902547.110:107): auid=1000 uid=1000 gid=1000 ses=4 pid=8519 comm="SGI_video_sync" exe="/snap/chromium/5/usr/lib/chromium-browser/chromium-browser" sig=31 arch=c000003e syscall=133 compat=0 ip=0x7f5621e31cad code=0x0

The Chromium window that shows up is just black.


#9

The vmstat is being discussed above. The syscall denial is mknod; this should be fixed in snapd 2.27.


#10

How are you starting chromium? This seems to indicate it is being started as root…


#11

FYI, does not start here on Ubuntu 17.10, gnome-shell, wayland, amd64. No security denials.

$ /snap/bin/chromium 
[1]
$ snap --version
snap    2.26.14
snapd   2.26.14
series  16
ubuntu  17.10
kernel  4.11.0-11-generic

#12

Oh, I bet you need to build with a newer desktop part to get the recent changes that were committed for wayland, then ‘plugs: [wayland]’ (new in 2.28).


#13

Actually, now that I say that, it should’ve used Xwayland, so, my original comment stands.


#14

It won’t go any which way it’s started (preferring snap run chromium). snapd 2.27 if it makes any difference.


#15

@ikey - If, as a normal user, after adding the vmstat and udev rules, you run /snap/bin/chromium, do you see any other apparmor denials?


#16

@osomon - if you are wanting to use the setuid sandbox, note that snapcraft (correctly) strips the setuid bits. What you need to do is:

  1. use snapcraft to build the snap
  2. unsquash the snap
  3. chown root:root …/chrome-sandbox
  4. chmod 4755 …/chrome-sandbox
  5. snapcraft snap ./squashfs-root

At this point, you’ve corrected the contents of the snap and can upload to the store. This will trigger a manual review.

If you want the setuid sandbox, let me know and I can update the review tools.

Note: it is expected that official Chrome and Chromium snaps would use ‘allow-sandbox: true’ in browser-support and use the setuid sandbox, so we have a mechanism in the review tools for allowing this.
Note 2: chromium content api snaps like electron do not need to do this because they use ‘allow-sandbox: false’ for browser-support and disable the sandbox on invocation. This explains why we’ve not seen this issue until now (this snap is the first official Chromium/Chrome snap).
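A check for steps 2 to 4 above, added here as an example and not part of the snap, snapcraft or the review tools: it applies the owner and mode test that the FATAL message in #7 describes to chrome-sandbox at the in-snap path that message shows, and lists every setuid/setgid file in the unsquashed tree so you can confirm the helper is the only one carrying the bit before repacking. The sample tree it builds for itself is constructed; point it at ./squashfs-root instead.

```python
import os
import stat
import sys
import tempfile

# What the FATAL message in #7 demands of chrome-sandbox: root-owned, mode 4755.
REQUIRED_MODE = 0o4755
REQUIRED_UID = 0
# Path of the helper inside the snap, as shown in that message.
HELPER_REL = "usr/lib/chromium-browser/chrome-sandbox"


def check_sandbox_helper(path):
    """Return (ok, problems) for the helper at `path`, applying the owner and
    mode test from #7 without having to start Chromium to find out."""
    problems = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return False, ["missing: %s" % path]
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    mode = stat.S_IMODE(st.st_mode)
    if mode != REQUIRED_MODE:
        problems.append("mode is %04o, need %04o" % (mode, REQUIRED_MODE))
    if st.st_uid != REQUIRED_UID:
        problems.append("owner uid is %d, need %d (root)" % (st.st_uid, REQUIRED_UID))
    return not problems, problems


def setuid_files(root):
    """Every setuid/setgid regular file under an unsquashed tree (step 2 in #16)
    as (relative path, mode); after steps 3 and 4 only the helper should show."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found.append((os.path.relpath(full, root), stat.S_IMODE(st.st_mode)))
    return sorted(found)


def make_sample_tree():
    """Constructed stand-in for ./squashfs-root: the helper with the right bits
    and one ordinary executable, so the checks above have something to inspect."""
    root = tempfile.mkdtemp(prefix="squashfs-root-")
    for rel, mode in ((HELPER_REL, 0o4755), ("bin/desktop-launch", 0o755)):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    tree = sys.argv[1] if len(sys.argv) > 1 else make_sample_tree()
    for rel, mode in setuid_files(tree):
        print("%04o %s" % (mode, rel))
    ok, problems = check_sandbox_helper(os.path.join(tree, HELPER_REL))
    print("chrome-sandbox ok" if ok else "chrome-sandbox: " + "; ".join(problems))
```

Run as root after the chown, or the owner check will still flag the helper even though the mode is right.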


#17

The sandbox issue is on archlinux, does the browser-support interface even fully work there?
Also, the snap version output looks pretty broken, not sure if that isn’t actually a more systemic issue there.


#18

No more denials - still got black screen though and it’s hard locked


#19

Thank you very much for supporting 32-bit! I expected it to give me a ‘not found’ error, as 64-bit apps do in the snap install tool on a 32-bit distribution.

UPD: Working very well, no font glitches or something else for me.


#20

TBH, I was surprised that the sandbox was not setuid based on my work with chrome and chromium test snaps. The fact that Arch needs it and others don’t may indicate it is needed everywhere or that it needs a fix to work on Arch (this is why I asked if @oSoMoN intended to have it on or not).