Classic confinement for dbeaver-ce

Hi @emitorino, have we provided all the required information? Thanks.

Hey @skydiveroid! Apologies that this request is taking so long, but on the other side we are not getting enough of the details required to grant classic confinement. Let me remind you again that a classic snap runs without restrictions, so granting this is a very sensitive operation. The fact that this was granted in the past for a related snap does not mean it will be granted again to another similar/related snap.

Can you please list those directories? There are various interfaces that can provide you accesses to specific locations such as home, personal-files, system-files and removable-media.

Regarding opening up applications, I shared a suggestion earlier. Could you try it?

In any case, please share here the denials and issues you are experiencing with those accesses and we will be happy to help you work through them. If you are not familiar with it, snappy-debug will definitely help you find missing interfaces.

Thanks!

Can you please provide the information requested by @emitorino above so we can try and progress this request? Thanks.

@skydiveroid ping, can you please provide the requested information?

@skydiveroid, @riednyko, @mayer: since we’ve not heard back from you, we are removing this request from our review queue. When you have more time to respond, simply do so here and we can add the request back to the queue. Thanks

@emitorino Thanks for the clarification.

We have fixed almost all the problems with access restrictions in dbeaver-ce snap package, but one main problem remains.

Problem with snap and Eclipse SWT Webkit.

When running the dbeaver-ce package, there is an error in the log:

SWT SessionManagerDBus: Failed to RegisterClient: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: An AppArmor policy prevents this sender from sending this message to this recipient; type="method_call", sender=":1.517" (uid=1000 pid=195667 comm="/snap/dbeaver-ce/175/usr/share/dbeaver-ce/jre/bin/" label="snap.dbeaver-ce.dbeaver-ce (enforce)") interface="org.gnome.SessionManager" member="RegisterClient" error name="(unset)" requested_reply="0" destination=":1.35" (uid=1000 pid=3416 comm="/usr/libexec/gnome-session-binary --systemd-servic" label="unconfined")

When trying to use the web browser (GIS maps in the database, or just opening the web browser settings), the application instantly crashes with an error:

SWT WebKitGDBus: error creating DBus server Error binding to address (GUnixSocketAddress): Permission denied
SWT WebKit: error initializing DBus server, dBusServer == 0

(DBeaver:103782): GLib-GIO-CRITICAL **: 17:24:53.929: g_dbus_server_get_client_address: assertion 'G_IS_DBUS_SERVER (server)' failed
#
# A fatal error has been detected by the Java Runtime Environment:
#
#  SIGSEGV (0xb) at pc=0x00007f463fa33d16, pid=103782, tid=103783
#
# JRE version: OpenJDK Runtime Environment Temurin-11.0.12+7 (11.0.12+7) (build 11.0.12+7)
# Java VM: OpenJDK 64-Bit Server VM Temurin-11.0.12+7 (11.0.12+7, mixed mode, tiered, compressed oops, g1 gc, linux-amd64)
# Problematic frame:
# C  [libswt-gtk-4948r9.so+0x3ed16]  Java_org_eclipse_swt_internal_C_strlen+0xf
#
# Core dump will be written. Default location: core.103782 (may not exist)

The problem is very similar to this: Request for classic confinement: wireframesketcher

This problem was fixed only with classic confinement in the dbeaverapp snap package. If there is a way to fix this in strict confinement, please help.


Hello! Just want to raise the topic


So I think there are 2 issues here:

  1. The snap is not allowed to call the RegisterSession method on org.gnome.SessionManager via DBus - I suspect this is not a critical error and is not what is actually causing it to fail to launch
  2. The snap is not allowed to bind to its own DBus name: error creating DBus server Error binding to address - this I think is the real issue but your logs are not showing what name the snap is trying to use

For this second issue, can you please have a look at dmesg output and see if there is any AppArmor DENIAL messages related to this as they should show what name the snap is trying to bind to. Then you can add a dbus slot to your snap yaml to declare access to this name and it should then work - see https://snapcraft.io/docs/dbus-interface for more details, in particular the “Providing snap (slot)” section.


Thanks for the answer! We will try it

Can you please review dbeaver-ce snap with added dbus slot?

The Store automatic review failed. A human will soon review your snap, but if you can’t wait please write in the snapcraft forum asking for the manual review explicitly. If you need to disable confinement, please consider using devmode, but note that devmode revision will only be allowed to be released in edge and beta channels. Please check the errors and some hints below:

  • human review required due to ‘deny-connection’ constraint (interface attributes)

@riednyko,

I have granted the dbus well-known name to the latest dbeaver-ce snap revisions and I can see them successfully published. Could you please check and let us know?

Thanks!

Unfortunately, the problem was not solved with the connected dbus slot, if everything was done correctly.

AppArmor DENIAL messages:

[42704.467274] audit: type=1400 audit(1653476133.389:3260): apparmor="DENIED" operation="open" profile="snap.dbeaver-ce.dbeaver-ce" name="/sys/fs/cgroup/memory/user.slice/user-1000.slice/user@1000.service/memory.limit_in_bytes" pid=143936 comm=433120436F6D70696C657254687265 requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[42704.507530] audit: type=1400 audit(1653476133.429:3261): apparmor="DENIED" operation="open" profile="snap.dbeaver-ce.dbeaver-ce" name="/sys/devices/virtual/dmi/id/chassis_type" pid=143936 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[42704.507546] audit: type=1400 audit(1653476133.429:3262): apparmor="DENIED" operation="open" profile="snap.dbeaver-ce.dbeaver-ce" name="/sys/firmware/acpi/pm_profile" pid=143936 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[42704.573491] audit: type=1400 audit(1653476133.497:3263): apparmor="DENIED" operation="open" profile="snap.dbeaver-ce.dbeaver-ce" name="/sys/fs/cgroup/memory/user.slice/user-1000.slice/user@1000.service/memory.limit_in_bytes" pid=143936 comm=433120436F6D70696C657254687265 requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[42704.624713] audit: type=1107 audit(1653476133.549:3264): pid=1066 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/NetworkManager" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name=":1.11" pid=144302 label="snap.dbeaver-ce.dbeaver-ce" peer_pid=1068 peer_label="unconfined" exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
[42704.628545] audit: type=1400 audit(1653476133.553:3265): apparmor="DENIED" operation="open" profile="snap.dbeaver-ce.dbeaver-ce" name="/proc/sys/kernel/core_pattern" pid=143936 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[42704.628853] audit: type=1400 audit(1653476133.553:3266): apparmor="DENIED" operation="open" profile="snap.dbeaver-ce.dbeaver-ce" name="/sys/fs/cgroup/memory/user.slice/user-1000.slice/user@1000.service/memory.limit_in_bytes" pid=143936 comm=433120436F6D70696C657254687265 requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[42704.669600] audit: type=1400 audit(1653476133.593:3267): apparmor="DENIED" operation="open" profile="snap.dbeaver-ce.dbeaver-ce" name="/sys/fs/cgroup/memory/user.slice/user-1000.slice/user@1000.service/memory.limit_in_bytes" pid=143936 comm=433220436F6D70696C657254687265 requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[42704.750131] audit: type=1400 audit(1653476133.673:3268): apparmor="DENIED" operation="open" profile="snap.dbeaver-ce.dbeaver-ce" name="/proc/sys/kernel/threads-max" pid=143936 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[42704.750134] audit: type=1400 audit(1653476133.673:3269): apparmor="DENIED" operation="open" profile="snap.dbeaver-ce.dbeaver-ce" name="/proc/sys/vm/max_map_count" pid=143936 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

@alexmurray, it turned out we could resolve all the apparmor=denied messages manually by editing the profile. The AppArmor message that was left when the application crashed:

apparmor="DENIED" operation="bind" profile="snap.dbeaver-ce.dbeaver-ce" pid=34106 comm="java" family="unix" sock_type="stream" protocol=0 requested_mask="bind" denied_mask="bind" addr="@/tmp/SWT-GDBusServer/dbus-yEecNl65"

The log when the application crashes is the same as it was:

SWT WebKitGDBus: error creating DBus server Error binding to address (GUnixSocketAddress): Permission denied
SWT WebKit: error initializing DBus server, dBusServer == 0

(DBeaver:103782): GLib-GIO-CRITICAL **: 17:24:53.929: g_dbus_server_get_client_address: assertion 'G_IS_DBUS_SERVER (server)' failed
#
# A fatal error has been detected by the Java Runtime Environment:
#
#  SIGSEGV (0xb) at pc=0x00007f463fa33d16, pid=103782, tid=103783
#
# JRE version: OpenJDK Runtime Environment Temurin-11.0.12+7 (11.0.12+7) (build 11.0.12+7)
# Java VM: OpenJDK 64-Bit Server VM Temurin-11.0.12+7 (11.0.12+7, mixed mode, tiered, compressed oops, g1 gc, linux-amd64)
# Problematic frame:
# C  [libswt-gtk-4948r9.so+0x3ed16]  Java_org_eclipse_swt_internal_C_strlen+0xf
#
# Core dump will be written. Default location: core.103782 (may not exist)
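
As an added example (not code from this thread, from snappy-debug or from DBeaver), here is a small C program that pulls the decisive fields out of DENIED audit lines like the ones pasted above: the hex-encoded comm that audit emits when the thread name contains a space, the file name of an open denial, the D-Bus interface/member of a dbus_method_call denial, and the abstract socket addr of the bind denial. It also checks an abstract socket name against the unix bind rule snapd's base template grants, `@snap.<instance>.**`, assuming `**` matches the whole remainder of the name so only the prefix decides. The three sample lines are constructed copies of denials from this thread.

```c
/* apparmor_denial_triage.c: pull the decisive fields out of AppArmor DENIED
 * lines like the ones above and check an abstract socket name against the
 * unix bind rule snapd's base template grants.
 * Build and run: gcc -Wall -o triage apparmor_denial_triage.c && ./triage */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: three denial lines copied from this thread
 * (a file open, a D-Bus method call, and the abstract unix socket bind). */
const char *const SAMPLE_DENIALS[3] = {
    "audit: type=1400 audit(1653476133.389:3260): apparmor=\"DENIED\" operation=\"open\" profile=\"snap.dbeaver-ce.dbeaver-ce\" name=\"/sys/fs/cgroup/memory/user.slice/user-1000.slice/user@1000.service/memory.limit_in_bytes\" pid=143936 comm=433120436F6D70696C657254687265 requested_mask=\"r\" denied_mask=\"r\" fsuid=1000 ouid=0",
    "audit: type=1107 audit(1653476133.549:3264): pid=1066 uid=103 auid=4294967295 ses=4294967295 msg='apparmor=\"DENIED\" operation=\"dbus_method_call\"  bus=\"system\" path=\"/org/freedesktop/NetworkManager\" interface=\"org.freedesktop.DBus.Properties\" member=\"GetAll\" mask=\"send\" name=\":1.11\" pid=144302 label=\"snap.dbeaver-ce.dbeaver-ce\" peer_pid=1068 peer_label=\"unconfined\" exe=\"/usr/bin/dbus-daemon\" sauid=103 hostname=? addr=? terminal=?'",
    "apparmor=\"DENIED\" operation=\"bind\" profile=\"snap.dbeaver-ce.dbeaver-ce\" pid=34106 comm=\"java\" family=\"unix\" sock_type=\"stream\" protocol=0 requested_mask=\"bind\" denied_mask=\"bind\" addr=\"@/tmp/SWT-GDBusServer/dbus-yEecNl65\"",
};

/* Copy the value of key=value or key="value" into out. Returns 1 when the
 * value was quoted, 0 when bare (audit hex-encodes bare values that contain
 * spaces, e.g. comm=4331...), -1 when the key is absent. A key only counts at
 * a field boundary, so "name" does not match inside "hostname" and "label"
 * does not match inside "peer_label". */
int audit_field(const char *line, const char *key, char *out, size_t outlen)
{
    size_t klen = strlen(key);
    const char *p = line;
    while ((p = strstr(p, key)) != NULL) {
        int at_boundary = (p == line || p[-1] == ' ' || p[-1] == '\'');
        if (at_boundary && p[klen] == '=') {
            const char *v = p + klen + 1;
            int quoted = (*v == '"');
            if (quoted) v++;
            const char *e = v;
            while (*e && *e != (quoted ? '"' : ' ') && *e != '\'') e++;
            size_t n = (size_t)(e - v);
            if (n >= outlen) n = outlen - 1;
            memcpy(out, v, n);
            out[n] = '\0';
            return quoted;
        }
        p += klen;
    }
    return -1;
}

/* Decode a hex-encoded bare comm field; quoted or non-hex values are copied
 * verbatim. Returns the decoded length or -1 if out is too small. */
int decode_audit_comm(const char *raw, int quoted, char *out, size_t outlen)
{
    size_t n = strlen(raw), i;
    int is_hex = (!quoted && n > 0 && n % 2 == 0);
    for (i = 0; is_hex && i < n; i++)
        if (!isxdigit((unsigned char)raw[i])) is_hex = 0;
    if (!is_hex) {
        snprintf(out, outlen, "%s", raw);
        return (int)strlen(out);
    }
    if (n / 2 >= outlen) return -1;
    for (i = 0; i < n; i += 2) {
        unsigned v = 0;
        sscanf(raw + i, "%2x", &v);
        out[i / 2] = (char)v;
    }
    out[n / 2] = '\0';
    return (int)(n / 2);
}

/* The base template grants unix (bind, listen) addr="@snap.@{SNAP_INSTANCE_NAME}.**".
 * Assumption: "**" matches the whole remainder, so only the prefix decides. */
int bind_allowed_by_template(const char *addr, const char *instance)
{
    char want[128];
    int n = snprintf(want, sizeof want, "@snap.%s.", instance);
    if (n < 0 || (size_t)n >= sizeof want) return 0;
    return strncmp(addr, want, (size_t)n) == 0;
}

int main(void)
{
    char op[32], v[256], comm[64];
    for (int i = 0; i < 3; i++) {
        const char *l = SAMPLE_DENIALS[i];
        if (audit_field(l, "operation", op, sizeof op) < 0) continue;
        if (strcmp(op, "bind") == 0 && audit_field(l, "addr", v, sizeof v) >= 0) {
            printf("bind to %s: %s by the base template\n", v,
                   bind_allowed_by_template(v, "dbeaver-ce") ? "allowed" : "not allowed");
        } else if (strcmp(op, "dbus_method_call") == 0) {
            char member[64];
            audit_field(l, "interface", v, sizeof v);
            audit_field(l, "member", member, sizeof member);
            printf("dbus call %s.%s denied\n", v, member);
        } else if (audit_field(l, "name", v, sizeof v) >= 0) {
            char dec[64] = "?";
            int q = audit_field(l, "comm", comm, sizeof comm);
            if (q >= 0) decode_audit_comm(comm, q, dec, sizeof dec);
            printf("%s %s denied for thread \"%s\"\n", op, v, dec);
        }
    }
    return 0;
}
```

The hex comm in the first line decodes to "C1 CompilerThre", i.e. a JIT compiler thread probing cgroup limits, which is the usual way to tell JVM start-up noise apart from the denial that actually matters (the bind to @/tmp/SWT-GDBusServer/..., which fails the prefix check).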

Can you please try adding the network-bind interface to your snap’s plugs and that should resolve this issue?

Apologies I see your snap already plugs network-bind - however I see another user has also come across this problem before and managed to work around it - Java SWT + Webkit + DBus - are you able to try that suggestion?

@alexmurray,

Unfortunately, this work around has already been tried and the result is the same :pensive:

@alexmurray,

Everything worked without problems only on the dbeaverapp snap package (our private sandbox) when the classic confinement was added. It is very necessary to solve this problem in our main snap package dbeaver-ce.

@ogra do you have any hint on how this error can be fixed for dbeaverapp (multi-platform database tool)?

Hi @emitorino! Would you please push someone who will be able to resolve our issue?

@eugene.mironov so the problem is that EclipseSWT always hardcodes the private DBus socket path (and hence an anonymous unix socket address) as @/tmp/SWT-GDBusServer/xxx, whereas the snap policy only allows the name @snap.$SNAP_NAME.* to be used, as seen via the following rules in the base template:

  # Allow apps from the same package to communicate with each other via an
  # abstract or anonymous socket
  unix (bind, listen) addr="@snap.@{SNAP_INSTANCE_NAME}.**",
  unix peer=(label=snap.@{SNAP_INSTANCE_NAME}.*),

From what I can see the SWT code hard-codes this at https://git.eclipse.org/c/platform/eclipse.platform.swt.git/tree/bundles/org.eclipse.swt/Eclipse%20SWT%20WebKit/gtk/library/webkitgtk_extension.c?id=da12286c883e0b0df6716797fe93cd5886db5a14#n543 and https://git.eclipse.org/c/platform/eclipse.platform.swt.git/tree/bundles/org.eclipse.swt/Eclipse%20SWT%20WebKit/gtk/org/eclipse/swt/browser/WebkitGDBus.java?id=19153b908d6d4cedcbd59824686717502cfde4f7#n233 - so one crazy idea might be to try and LD_PRELOAD a small shared object file which redefines the construct_server_address() function to use a different path (as this function doesn’t appear to be static it may be possible to redefine it but I am not certain of this since I am not sure how this would interact with the Java code mentioned there as well), OR you could build Eclipse-SWT-WebKit from source as a separate part and patch the source code in the process to define this to use a different path for the socket address. Finally, I see the most recent code for EclipseSWT has removed this functionality entirely, so perhaps just using a newer version of EclipseSWT may be sufficient too.

Other than that I am out of ideas (apologies, Java is not my area of expertise).
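
A concrete form of the LD_PRELOAD idea above, added here as an example and not code from this thread, from Eclipse SWT or from DBeaver. Instead of redefining construct_server_address(), it interposes bind(2) and connect(2) and renames any abstract AF_UNIX address under the hard-coded prefix /tmp/SWT-GDBusServer/ into the @snap.<instance>.** namespace quoted from the base template, which the existing unix (bind, listen) rule already allows. Assumptions: snapd exports SNAP_INSTANCE_NAME (a hypothetical fallback of "dbeaver-ce" is used when it is unset, e.g. in tests); the real syscalls are reached through syscall(2) with SYS_bind/SYS_connect, which exist on x86_64 and aarch64, so no libdl is needed; and the WebKit web-extension process that connects back to the server inherits LD_PRELOAD and runs under the same snap label, so the unix peer=(label=snap.@{SNAP_INSTANCE_NAME}.*) rule covers its connect.

```c
/* swt_abstract_shim.c: LD_PRELOAD shim that moves SWT's hard-coded abstract
 * socket "@/tmp/SWT-GDBusServer/..." into the "@snap.<instance>.**" namespace
 * the snapd base template already permits. Added example, not SWT/DBeaver code.
 * Build: gcc -shared -fPIC -O2 -Wall -o libswtshim.so swt_abstract_shim.c */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/un.h>
#include <unistd.h>

#define SWT_PREFIX "/tmp/SWT-GDBusServer/"   /* name after the leading NUL byte */

/* Helper for callers and tests: build an abstract AF_UNIX address for `name`,
 * optionally zero-padded to the full struct as GLib may do for abstract sockets. */
socklen_t make_abstract_addr(struct sockaddr_un *a, const char *name, int padded)
{
    size_t n = strlen(name);
    memset(a, 0, sizeof *a);
    a->sun_family = AF_UNIX;
    if (n > sizeof(a->sun_path) - 1) n = sizeof(a->sun_path) - 1;
    memcpy(a->sun_path + 1, name, n);
    return padded ? (socklen_t)sizeof *a
                  : (socklen_t)(offsetof(struct sockaddr_un, sun_path) + 1 + n);
}

/* If `in` is an abstract AF_UNIX address under SWT_PREFIX, write the renamed,
 * unpadded address to `out`/`out_len` and return 1. Return 0 to leave the
 * address untouched (not AF_UNIX, filesystem path, other prefix) and -1 if
 * the new name would not fit in sun_path. */
int rewrite_swt_abstract_addr(const struct sockaddr *in, socklen_t in_len,
                              const char *instance,
                              struct sockaddr_un *out, socklen_t *out_len)
{
    const size_t hdr = offsetof(struct sockaddr_un, sun_path);
    const struct sockaddr_un *un = (const struct sockaddr_un *)in;
    if (!in || in->sa_family != AF_UNIX || (size_t)in_len <= hdr + 1) return 0;
    if (un->sun_path[0] != '\0') return 0;   /* filesystem path, not abstract */

    /* Abstract names are binary and may be zero-padded; take the name up to
     * the first NUL so bind() and connect() agree on the rewritten name. */
    size_t avail = (size_t)in_len - hdr - 1;
    if (avail > sizeof(un->sun_path) - 1) avail = sizeof(un->sun_path) - 1;
    const char *z = memchr(un->sun_path + 1, '\0', avail);
    size_t name_len = z ? (size_t)(z - (un->sun_path + 1)) : avail;
    const size_t plen = strlen(SWT_PREFIX);
    if (name_len < plen || memcmp(un->sun_path + 1, SWT_PREFIX, plen) != 0) return 0;

    char pfx[96];
    int pl = snprintf(pfx, sizeof pfx, "snap.%s.SWT-GDBusServer/", instance);
    if (pl < 0 || (size_t)pl >= sizeof pfx) return -1;
    size_t rest = name_len - plen;
    if ((size_t)pl + rest > sizeof(out->sun_path) - 1) return -1;

    memset(out, 0, sizeof *out);
    out->sun_family = AF_UNIX;
    memcpy(out->sun_path + 1, pfx, (size_t)pl);
    memcpy(out->sun_path + 1 + pl, un->sun_path + 1 + plen, rest);
    *out_len = (socklen_t)(hdr + 1 + (size_t)pl + rest);
    return 1;
}

static const char *instance_name(void)
{
    const char *n = getenv("SNAP_INSTANCE_NAME");   /* exported by snapd at run time */
    return (n && *n) ? n : "dbeaver-ce";             /* assumed fallback for testing */
}

/* Enter the real syscall via syscall(2) so the shim has no dlsym/libdl
 * dependency (SYS_bind/SYS_connect exist on x86_64 and aarch64). */
static int pass_through(long nr, int fd, const struct sockaddr *addr, socklen_t len)
{
    struct sockaddr_un rew;
    socklen_t rlen = 0;
    int r = rewrite_swt_abstract_addr(addr, len, instance_name(), &rew, &rlen);
    if (r < 0) { errno = ENAMETOOLONG; return -1; }
    if (r == 1) return (int)syscall(nr, fd, (const struct sockaddr *)&rew, rlen);
    return (int)syscall(nr, fd, addr, len);
}

int bind(int fd, const struct sockaddr *addr, socklen_t len)
{
    return pass_through(SYS_bind, fd, addr, len);
}

int connect(int fd, const struct sockaddr *addr, socklen_t len)
{
    return pass_through(SYS_connect, fd, addr, len);
}
```

To try it, ship the .so inside the snap and set LD_PRELOAD to its $SNAP path in the app's environment, then re-check dmesg: the bind denial should either disappear or now show an @snap.dbeaver-ce.SWT-GDBusServer/... address, which tells you whether the rename was applied in both the Java process and the WebKit extension process.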