Classic confinement for dbeaver-ce

Hi @emitorino. If you have any questions or need additional information, do not hesitate to write.

1 Like

Hi @emitorino. Merry Christmas and Happy new year! Any news about Classic confinement for dbeaver-ce?

Hey @skydiveroid, Happy new year! Apologies for the delay.

Sorry, but it is not yet clear to me what the technical reasons are for which dbeaver-ce needs classic confinement. I understand that the use of classic on dbeaverapp suited your goals, but that could be related to the broad access classic provides (it basically runs without restrictions). I see dbeaverapp was granted classic since it fitted into the supported IDE category (as it was described as an IDE), but that is not the case for dbeaver-ce.

Can you please share the denials you see while running dbeaver-ce under strict confinement?

Thanks!

Hello! @emitorino

We changed the snapcraft.yaml config for the dbeaver-ce snap package. Now it is the same as for dbeaverapp. We really need classic confinement to access various directories from the snap package, as well as to work with third-party applications, for example, an office or access to a web browser, to open maps.

Hi @emitorino, Have we provided all the required information? thx

Hey @skydiveroid! Apologies that this request is taking so long, but on the other hand we are not getting enough of the details required to grant classic confinement. Let me remind you again that a classic snap runs without restrictions, so granting this is a very sensitive operation. The fact that this was granted in the past for a related snap does not mean it will be granted again to another similar/related snap.

Can you please list those directories? There are various interfaces that can give you access to specific locations, such as home, personal-files, system-files and removable-media.

Regarding opening up app applications, I shared a suggestion earlier. Could you try it?

In any case, please share here the denials and issues you are experiencing with those accesses and we will be happy to help you work through them. If you are not familiar with it, snappy-debug will definitely help you find missing interfaces.

Thanks!

Can you please provide the information requested by @emitorino above so we can try and progress this request? Thanks.

@skydiveroid ping, can you please provide the requested information?

@skydiveroid, @riednyko, @mayer: since we’ve not heard back from you, we are removing this request from our review queue. When you have more time to respond, simply do so here and we can add the request back to the queue. Thanks

@emitorino Thanks for the clarification.

We have fixed almost all the problems with access restrictions in dbeaver-ce snap package, but one main problem remains.

Problem with snap and Eclipse SWT Webkit.

When running the dbeaver-ce package, there is an error in the log:

SWT SessionManagerDBus: Failed to RegisterClient: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: An AppArmor policy prevents this sender from sending this message to this recipient; type="method_call", sender=":1.517" (uid=1000 pid=195667 comm="/snap/dbeaver-ce/175/usr/share/dbeaver-ce/jre/bin/" label="snap.dbeaver-ce.dbeaver-ce (enforce)") interface="org.gnome.SessionManager" member="RegisterClient" error name="(unset)" requested_reply="0" destination=":1.35" (uid=1000 pid=3416 comm="/usr/libexec/gnome-session-binary --systemd-servic" label="unconfined")

When trying to use a web browser (GIS maps in the database or just opening the web browser settings), the application instantly crashes with an error:

SWT WebKitGDBus: error creating DBus server Error binding to address (GUnixSocketAddress): Permission denied
SWT WebKit: error initializing DBus server, dBusServer == 0

(DBeaver:103782): GLib-GIO-CRITICAL **: 17:24:53.929: g_dbus_server_get_client_address: assertion 'G_IS_DBUS_SERVER (server)' failed
#
# A fatal error has been detected by the Java Runtime Environment:
#
#  SIGSEGV (0xb) at pc=0x00007f463fa33d16, pid=103782, tid=103783
#
# JRE version: OpenJDK Runtime Environment Temurin-11.0.12+7 (11.0.12+7) (build 11.0.12+7)
# Java VM: OpenJDK 64-Bit Server VM Temurin-11.0.12+7 (11.0.12+7, mixed mode, tiered, compressed oops, g1 gc, linux-amd64)
# Problematic frame:
# C  [libswt-gtk-4948r9.so+0x3ed16]  Java_org_eclipse_swt_internal_C_strlen+0xf
#
# Core dump will be written. Default location: core.103782 (may not exist)

The problem is very similar to this: Request for classic confinement: wireframesketcher

This problem was fixed only with classic confinement in the dbeaverapp snap package. If there is a way to fix this in strict confinement, please help.

3 Likes

Hello! Just want to raise the topic

2 Likes

So I think there are 2 issues here:

  1. The snap is not allowed to call the RegisterSession method on org.gnome.SessionManager via DBus - I suspect this is not a critical error and is not what is actually causing it to fail to launch
  2. The snap is not allowed to bind to its own DBus name: error creating DBus server Error binding to address - this I think is the real issue but your logs are not showing what name the snap is trying to use

For this second issue, can you please have a look at dmesg output and see if there is any AppArmor DENIAL messages related to this as they should show what name the snap is trying to bind to. Then you can add a dbus slot to your snap yaml to declare access to this name and it should then work - see https://snapcraft.io/docs/dbus-interface for more details, in particular the “Providing snap (slot)” section.

1 Like

Thanks for the answer! We will try it

Can you please review dbeaver-ce snap with added dbus slot?

The Store automatic review failed. A human will soon review your snap, but if you can’t wait please write in the snapcraft forum asking for the manual review explicitly. If you need to disable confinement, please consider using devmode, but note that devmode revision will only be allowed to be released in edge and beta channels. Please check the errors and some hints below:

  • human review required due to ‘deny-connection’ constraint (interface attributes)

@riednyko,

I have granted the dbus well-known name to the latest dbeaver-ce snap revisions and I can see them successfully published. Could you please check and let us know?

Thanks!

Unfortunately, the problem was not solved with the connected dbus slot, if everything was done correctly.

AppArmor DENIAL messages:

 [42704.467274] audit: type=1400 audit(1653476133.389:3260): apparmor="DENIED" operation="open" profile="snap.dbeaver-ce.dbeaver-ce" name="/sys/fs/cgroup/memory/user.slice/user-1000.slice/user@1000.service/memory.limit_in_bytes" pid=143936 comm=433120436F6D70696C657254687265 requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    [42704.507530] audit: type=1400 audit(1653476133.429:3261): apparmor="DENIED" operation="open" profile="snap.dbeaver-ce.dbeaver-ce" name="/sys/devices/virtual/dmi/id/chassis_type" pid=143936 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    [42704.507546] audit: type=1400 audit(1653476133.429:3262): apparmor="DENIED" operation="open" profile="snap.dbeaver-ce.dbeaver-ce" name="/sys/firmware/acpi/pm_profile" pid=143936 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    [42704.573491] audit: type=1400 audit(1653476133.497:3263): apparmor="DENIED" operation="open" profile="snap.dbeaver-ce.dbeaver-ce" name="/sys/fs/cgroup/memory/user.slice/user-1000.slice/user@1000.service/memory.limit_in_bytes" pid=143936 comm=433120436F6D70696C657254687265 requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    [42704.624713] audit: type=1107 audit(1653476133.549:3264): pid=1066 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/NetworkManager" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name=":1.11" pid=144302 label="snap.dbeaver-ce.dbeaver-ce" peer_pid=1068 peer_label="unconfined"
                    exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
    [42704.628545] audit: type=1400 audit(1653476133.553:3265): apparmor="DENIED" operation="open" profile="snap.dbeaver-ce.dbeaver-ce" name="/proc/sys/kernel/core_pattern" pid=143936 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    [42704.628853] audit: type=1400 audit(1653476133.553:3266): apparmor="DENIED" operation="open" profile="snap.dbeaver-ce.dbeaver-ce" name="/sys/fs/cgroup/memory/user.slice/user-1000.slice/user@1000.service/memory.limit_in_bytes" pid=143936 comm=433120436F6D70696C657254687265 requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    [42704.669600] audit: type=1400 audit(1653476133.593:3267): apparmor="DENIED" operation="open" profile="snap.dbeaver-ce.dbeaver-ce" name="/sys/fs/cgroup/memory/user.slice/user-1000.slice/user@1000.service/memory.limit_in_bytes" pid=143936 comm=433220436F6D70696C657254687265 requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    [42704.750131] audit: type=1400 audit(1653476133.673:3268): apparmor="DENIED" operation="open" profile="snap.dbeaver-ce.dbeaver-ce" name="/proc/sys/kernel/threads-max" pid=143936 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    [42704.750134] audit: type=1400 audit(1653476133.673:3269): apparmor="DENIED" operation="open" profile="snap.dbeaver-ce.dbeaver-ce" name="/proc/sys/vm/max_map_count" pid=143936 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

@alexmurray, it turned out that all apparmor=denied messages could be resolved manually by editing the profile. The AppArmor message that was left when the application crashed:

apparmor="DENIED" operation="bind" profile="snap.dbeaver-ce.dbeaver-ce" pid=34106 comm="java" family="unix" sock_type="stream" protocol=0 requested_mask="bind" denied_mask="bind" addr="@/tmp/SWT-GDBusServer/dbus-yEecNl65"

The log when the application crashes is the same as it was:

SWT WebKitGDBus: error creating DBus server Error binding to address (GUnixSocketAddress): Permission denied
SWT WebKit: error initializing DBus server, dBusServer == 0

(DBeaver:103782): GLib-GIO-CRITICAL **: 17:24:53.929: g_dbus_server_get_client_address: assertion 'G_IS_DBUS_SERVER (server)' failed
#
# A fatal error has been detected by the Java Runtime Environment:
#
#  SIGSEGV (0xb) at pc=0x00007f463fa33d16, pid=103782, tid=103783
#
# JRE version: OpenJDK Runtime Environment Temurin-11.0.12+7 (11.0.12+7) (build 11.0.12+7)
# Java VM: OpenJDK 64-Bit Server VM Temurin-11.0.12+7 (11.0.12+7, mixed mode, tiered, compressed oops, g1 gc, linux-amd64)
# Problematic frame:
# C  [libswt-gtk-4948r9.so+0x3ed16]  Java_org_eclipse_swt_internal_C_strlen+0xf
#
# Core dump will be written. Default location: core.103782 (may not exist)

1 Like
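
The denials quoted in the posts above, grouped by kind, as an added example that is not part of the original thread. It parses the audit records, decodes the hex-encoded `comm` field, and keeps the `family="unix"` bind on an `@` (abstract-namespace) address separate from the `dbus_method_call` record; the function names are illustrative.

```python
import re
from collections import Counter

# Records copied from the posts above (leading whitespace removed).
SAMPLE_LOG = """\
[42704.467274] audit: type=1400 audit(1653476133.389:3260): apparmor="DENIED" operation="open" profile="snap.dbeaver-ce.dbeaver-ce" name="/sys/fs/cgroup/memory/user.slice/user-1000.slice/user@1000.service/memory.limit_in_bytes" pid=143936 comm=433120436F6D70696C657254687265 requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[42704.507530] audit: type=1400 audit(1653476133.429:3261): apparmor="DENIED" operation="open" profile="snap.dbeaver-ce.dbeaver-ce" name="/sys/devices/virtual/dmi/id/chassis_type" pid=143936 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[42704.573491] audit: type=1400 audit(1653476133.497:3263): apparmor="DENIED" operation="open" profile="snap.dbeaver-ce.dbeaver-ce" name="/sys/fs/cgroup/memory/user.slice/user-1000.slice/user@1000.service/memory.limit_in_bytes" pid=143936 comm=433120436F6D70696C657254687265 requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[42704.624713] audit: type=1107 audit(1653476133.549:3264): pid=1066 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/NetworkManager" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name=":1.11" pid=144302 label="snap.dbeaver-ce.dbeaver-ce" peer_pid=1068 peer_label="unconfined"
apparmor="DENIED" operation="bind" profile="snap.dbeaver-ce.dbeaver-ce" pid=34106 comm="java" family="unix" sock_type="stream" protocol=0 requested_mask="bind" denied_mask="bind" addr="@/tmp/SWT-GDBusServer/dbus-yEecNl65"
"""

# key="quoted value" or key=bare; the single quote after msg= never matches.
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s\'"]+))')

def parse_denial(line):
    """Return the fields of one AppArmor DENIED record as a dict, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields = {}
    for key, quoted, bare in PAIR.findall(line):
        value = bare or quoted
        if key == "comm" and bare:
            try:  # audit hex-encodes comm values that contain spaces
                value = bytes.fromhex(bare).decode("utf-8", "replace")
            except ValueError:
                pass
        fields[key] = value  # later keys win: the inner pid of a type=1107 record
    return fields

def classify(d):
    """Map a parsed denial to (category, target) for grouping."""
    op = d.get("operation", "")
    if op.startswith("dbus"):
        return "dbus", f'{d.get("bus")} {d.get("path")} {d.get("interface")}.{d.get("member")}'
    if d.get("family") == "unix":
        addr = d.get("addr", "")
        kind = "abstract" if addr.startswith("@") else "path"
        return "unix-socket", f"{op} {kind} {addr}"
    return "file", f'{op} {d.get("name")} ({d.get("denied_mask")})'

def summarize(log):
    """Count denials per (category, target) over a multi-line log."""
    parsed = (parse_denial(line) for line in log.splitlines())
    return Counter(classify(d) for d in parsed if d)

if __name__ == "__main__":
    for (category, target), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:2d}  {category:12s} {target}")
```
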

Can you please try adding the network-bind interface to your snap’s plugs and that should resolve this issue?

Apologies, I see your snap already plugs network-bind - however I see another user has also come across this problem before and managed to work around it - Java SWT + Webkit + DBus - are you able to try that suggestion?

@alexmurray,

Unfortunately, this workaround has already been tried and the result is the same :pensive: