@emitorino Thanks for the clarification.
We have fixed almost all the problems with access restrictions in dbeaver-ce snap package, but one main problem remains.
Problem with snap and Eclipse SWT Webkit.
When running the dbeaver-ce package, there is an error in the log:
SWT SessionManagerDBus: Failed to RegisterClient: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: An AppArmor policy prevents this sender from sending this message to this recipient; type="method_call", sender=":1.517" (uid=1000 pid=195667 comm="/snap/dbeaver-ce/175/usr/share/dbeaver-ce/jre/bin/" label="snap.dbeaver-ce.dbeaver-ce (enforce)") interface="org.gnome.SessionManager" member="RegisterClient" error name="(unset)" requested_reply="0" destination=":1.35" (uid=1000 pid=3416 comm="/usr/libexec/gnome-session-binary --systemd-servic" label="unconfined")
When trying to use a web browser (gis maps in the database or just open the web browser settings), the application instantly crashes with an error:
SWT WebKitGDBus: error creating DBus server Error binding to address (GUnixSocketAddress): Permission denied
SWT WebKit: error initializing DBus server, dBusServer == 0
(DBeaver:103782): GLib-GIO-CRITICAL **: 17:24:53.929: g_dbus_server_get_client_address: assertion 'G_IS_DBUS_SERVER (server)' failed
#
# A fatal error has been detected by the Java Runtime Environment:
#
# SIGSEGV (0xb) at pc=0x00007f463fa33d16, pid=103782, tid=103783
#
# JRE version: OpenJDK Runtime Environment Temurin-11.0.12+7 (11.0.12+7) (build 11.0.12+7)
# Java VM: OpenJDK 64-Bit Server VM Temurin-11.0.12+7 (11.0.12+7, mixed mode, tiered, compressed oops, g1 gc, linux-amd64)
# Problematic frame:
# C [libswt-gtk-4948r9.so+0x3ed16] Java_org_eclipse_swt_internal_C_strlen+0xf
#
# Core dump will be written. Default location: core.103782 (may not exist)
The problem is very similar to this: Request for classic confinement: wireframesketcher
This problem was fixed only with classic confinement in dbeaverapp snap package.
If there is a way to fix this in strict confinement, please help
3 Likes
Hello! Just want to raise the topic
2 Likes
So I think there are 2 issues here:
- The snap is not allowed to call the RegisterSession method on org.gnome.SessionManager via DBus - I suspect this is not a critical error and is not what is actually causing it to fail to launch
- The snap is not allowed to bind to its own DBus name: error creating DBus server Error binding to address - this I think is the real issue but your logs are not showing what name the snap is trying to use
For this second issue, can you please have a look at dmesg output and see if there is any AppArmor DENIAL messages related to this as they should show what name the snap is trying to bind to. Then you can add a dbus slot to your snap yaml to declare access to this name and it should then work - see https://snapcraft.io/docs/dbus-interface for more details, in particular the "Providing snap (slot)" section.
1 Like
Thanks for the answer! We will try it
Can you please review dbeaver-ce snap with added dbus slot?
The Store automatic review failed.
A human will soon review your snap, but if you can't wait please write in the snapcraft forum asking for the manual review explicitly.
If you need to disable confinement, please consider using devmode, but note that devmode revision will only be allowed to be released in edge and beta channels.
Please check the errors and some hints below:
- human review required due to 'deny-connection' constraint (interface attributes)
@riednyko,
I have granted the dbus well-known name to the latest dbeaver-ce snap revisions and I can see them successfully published. Could you please check and let us know?
Thanks!
Unfortunately, the problem was not solved with the connected dbus slot. If everything was done correctly.
AppArmor DENIAL messages:
[42704.467274] audit: type=1400 audit(1653476133.389:3260): apparmor="DENIED" operation="open" profile="snap.dbeaver-ce.dbeaver-ce" name="/sys/fs/cgroup/memory/user.slice/user-1000.slice/user@1000.service/memory.limit_in_bytes" pid=143936 comm=433120436F6D70696C657254687265 requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[42704.507530] audit: type=1400 audit(1653476133.429:3261): apparmor="DENIED" operation="open" profile="snap.dbeaver-ce.dbeaver-ce" name="/sys/devices/virtual/dmi/id/chassis_type" pid=143936 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[42704.507546] audit: type=1400 audit(1653476133.429:3262): apparmor="DENIED" operation="open" profile="snap.dbeaver-ce.dbeaver-ce" name="/sys/firmware/acpi/pm_profile" pid=143936 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[42704.573491] audit: type=1400 audit(1653476133.497:3263): apparmor="DENIED" operation="open" profile="snap.dbeaver-ce.dbeaver-ce" name="/sys/fs/cgroup/memory/user.slice/user-1000.slice/user@1000.service/memory.limit_in_bytes" pid=143936 comm=433120436F6D70696C657254687265 requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[42704.624713] audit: type=1107 audit(1653476133.549:3264): pid=1066 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/NetworkManager" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name=":1.11" pid=144302 label="snap.dbeaver-ce.dbeaver-ce" peer_pid=1068 peer_label="unconfined"
exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
[42704.628545] audit: type=1400 audit(1653476133.553:3265): apparmor="DENIED" operation="open" profile="snap.dbeaver-ce.dbeaver-ce" name="/proc/sys/kernel/core_pattern" pid=143936 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[42704.628853] audit: type=1400 audit(1653476133.553:3266): apparmor="DENIED" operation="open" profile="snap.dbeaver-ce.dbeaver-ce" name="/sys/fs/cgroup/memory/user.slice/user-1000.slice/user@1000.service/memory.limit_in_bytes" pid=143936 comm=433120436F6D70696C657254687265 requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[42704.669600] audit: type=1400 audit(1653476133.593:3267): apparmor="DENIED" operation="open" profile="snap.dbeaver-ce.dbeaver-ce" name="/sys/fs/cgroup/memory/user.slice/user-1000.slice/user@1000.service/memory.limit_in_bytes" pid=143936 comm=433220436F6D70696C657254687265 requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[42704.750131] audit: type=1400 audit(1653476133.673:3268): apparmor="DENIED" operation="open" profile="snap.dbeaver-ce.dbeaver-ce" name="/proc/sys/kernel/threads-max" pid=143936 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[42704.750134] audit: type=1400 audit(1653476133.673:3269): apparmor="DENIED" operation="open" profile="snap.dbeaver-ce.dbeaver-ce" name="/proc/sys/vm/max_map_count" pid=143936 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
@alexmurray ,
It turned out to resolve all apparmor=denied manually by editing the profile. Apparmor message that was left when the application crashed:
apparmor="DENIED" operation="bind" profile="snap.dbeaver-ce.dbeaver-ce" pid=34106 comm="java" family="unix" sock_type="stream" protocol=0 requested_mask="bind" denied_mask="bind" addr="@/tmp/SWT-GDBusServer/dbus-yEecNl65"
The log when the application crashes is the same as it was:
SWT WebKitGDBus: error creating DBus server Error binding to address (GUnixSocketAddress): Permission denied
SWT WebKit: error initializing DBus server, dBusServer == 0
(DBeaver:103782): GLib-GIO-CRITICAL **: 17:24:53.929: g_dbus_server_get_client_address: assertion 'G_IS_DBUS_SERVER (server)' failed
#
# A fatal error has been detected by the Java Runtime Environment:
#
# SIGSEGV (0xb) at pc=0x00007f463fa33d16, pid=103782, tid=103783
#
# JRE version: OpenJDK Runtime Environment Temurin-11.0.12+7 (11.0.12+7) (build 11.0.12+7)
# Java VM: OpenJDK 64-Bit Server VM Temurin-11.0.12+7 (11.0.12+7, mixed mode, tiered, compressed oops, g1 gc, linux-amd64)
# Problematic frame:
# C [libswt-gtk-4948r9.so+0x3ed16] Java_org_eclipse_swt_internal_C_strlen+0xf
#
# Core dump will be written. Default location: core.103782 (may not exist)
1 Like
Can you please try adding the network-bind interface to your snap's plugs and that should resolve this issue?
Apologies I see your snap already plugs network-bind - however I see another user has also come across this problem before and managed to work around it - Java SWT + Webkit + DBus - are you able to try that suggestion?
@alexmurray,
Unfortunately, this workaround has already been tried and the result is the same.
@alexmurray,
Everything worked without problems only on the dbeaverapp snap package (our private sandbox) when the classic confinement was added. It is very necessary to solve this problem in our main snap package dbeaver-ce.
@ogra do you have any hint on how this error can be fixed for dbeaverapp (multi-platform database tool)?
Hi @emitorino!
Would you please push someone who will be able to resolve our issue?
@eugene.mironov so the problem is that EclipseSWT always hardcodes the private DBus socket path (and hence an anonymous unix socket address) as @/tmp/SWT-GDBusServer/xxx whereas the snap policy only allows to use the name @snap.$SNAP_NAME.* as seen via the following rules in the base template:
# Allow apps from the same package to communicate with each other via an
# abstract or anonymous socket
unix (bind, listen) addr="@snap.@{SNAP_INSTANCE_NAME}.**",
unix peer=(label=snap.@{SNAP_INSTANCE_NAME}.*),
From what I can see the SWT code hard-codes this at https://git.eclipse.org/c/platform/eclipse.platform.swt.git/tree/bundles/org.eclipse.swt/Eclipse%20SWT%20WebKit/gtk/library/webkitgtk_extension.c?id=da12286c883e0b0df6716797fe93cd5886db5a14#n543 and https://git.eclipse.org/c/platform/eclipse.platform.swt.git/tree/bundles/org.eclipse.swt/Eclipse%20SWT%20WebKit/gtk/org/eclipse/swt/browser/WebkitGDBus.java?id=19153b908d6d4cedcbd59824686717502cfde4f7#n233 - so one crazy idea might be to try and LD_PRELOAD a small shared object file which redefines the construct_server_address() function to use a different path (as this function doesn't appear to be static it may be possible to redefine it but I am not certain of this since I am not sure how this would interact with the Java code mentioned there as well), OR you could build Eclipse-SWT-WebKit from source as a separate part and patch the source code in the process to define this to use a different path for the socket address. Finally, I see the most recent code for EclipseSWT has removed this functionality entirely, so perhaps just using a newer version of EclipseSWT may be sufficient too.
Other than that I am out of ideas (apologies, Java is not my area of expertise).
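Added example, not part of the original posts and not snapd or DBeaver code: a small Python triage of the denials quoted in this thread. It decodes audit's hex-encoded comm values and checks a denied abstract-socket bind address against the base-template rule quoted above. The sample records are abridged from the thread's logs; the function names and the prefix match that approximates the `**` glob are assumptions of this example.

```python
import re

# key=value pairs of an audit record; a value is quoted or a bare token
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX = re.compile(r'(?:[0-9A-Fa-f]{2})+')

# Sample records, abridged from the denials quoted in this thread.
SAMPLE = """
audit: type=1400 audit(1653476133.389:3260): apparmor="DENIED" operation="open" profile="snap.dbeaver-ce.dbeaver-ce" name="/sys/fs/cgroup/memory/user.slice/user-1000.slice/user@1000.service/memory.limit_in_bytes" pid=143936 comm=433120436F6D70696C657254687265 requested_mask="r" denied_mask="r"
audit: type=1107 audit(1653476133.549:3264): pid=1066 uid=103 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/NetworkManager" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name=":1.11" pid=144302 label="snap.dbeaver-ce.dbeaver-ce" peer_pid=1068 peer_label="unconfined"'
apparmor="DENIED" operation="bind" profile="snap.dbeaver-ce.dbeaver-ce" pid=34106 comm="java" family="unix" sock_type="stream" protocol=0 requested_mask="bind" denied_mask="bind" addr="@/tmp/SWT-GDBusServer/dbus-yEecNl65"
""".strip().splitlines()

def parse_denial(line):
    """Parse one AppArmor DENIED record (kernel type=1400 or D-Bus type=1107)."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields = {}
    for key, quoted, bare in KV.findall(line):
        # audit hex-encodes a comm that contains spaces and leaves it unquoted
        if key == "comm" and bare and HEX.fullmatch(bare):
            bare = bytes.fromhex(bare).decode(errors="replace")
        fields[key] = quoted or bare  # last key wins: in 1107 that is the sender pid
    fields["profile"] = fields.get("profile") or fields.get("label", "")
    return fields

def bind_allowed(profile, addr):
    """Prefix approximation of: unix (bind, listen) addr="@snap.<instance>.**"."""
    parts = profile.split(".")
    return len(parts) >= 3 and parts[0] == "snap" and addr.startswith("@snap.%s." % parts[1])

def triage(lines):
    """Return (comm, operation, target, category) for each denial."""
    rows = []
    for d in filter(None, map(parse_denial, lines)):
        op = d.get("operation", "")
        if op == "bind" and d.get("family") == "unix":
            target = d.get("addr", "")
            category = "unix-bind-allowed" if bind_allowed(d["profile"], target) else "unix-bind-outside-snap-namespace"
        elif op.startswith("dbus_"):
            target = "%s %s.%s" % (d.get("bus"), d.get("interface"), d.get("member"))
            category = "dbus"
        else:
            target, category = d.get("name", ""), "file"
        rows.append((d.get("comm"), op, target, category))
    return rows

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

On the thread's logs this separates the file and D-Bus denials from the one bind denial whose address lies outside the `@snap.<instance>.` namespace.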
Thanks for the answer! We will try to upgrade to the latest version of eclipse as soon as it is released.
@alexmurray
Unfortunately, with the latest Eclipse 2022-06, the problem remained. And yet, please tell me why it is not possible to provide a classic confinement for the package?
After the next update, the problem seemed to be solved.
I think the thread can be closed. Thanks!
Excellent - thanks - please feel free to open a new thread if needed in the future.