Dbus related AppArmor denials

Hello,

my application uses the Fyne Go library to create a systray under GNOME. The snap and the systray work correctly when running in --devmode, but in strict mode certain DBus access signals/calls are denied (please see the log messages below). The systray menu itself gets created, but subsequent DBus calls to add menu items to it fail due to these denials.

I’ve been searching extensively for the correct way to specify the plugs interface configuration but am not entirely sure I got the relevant sections right. Is this configuration supposed to work?

plugs:
  dbus-svc:
    bus: system
    interface: dbus
    name: org.freedesktop.portal

  dbus-dbusmenu:
    bus: session
    interface: dbus
    name: org.freedesktop.DBus.Properties
...

myapp:
  extensions: [gnome]
  environment:
    GTK_USE_PORTAL: "1"
  plugs:
    ...
    - desktop
    - desktop-legacy
    - unity7
    - dbus-svc
    - dbus-dbusmenu

What I wonder is that at present the dbus-dbusmenu plug is not connected (I understand this is not auto connected) but I can’t seem to connect manually either:

$ sudo snap connect myapp:dbus-dbusmenu :dbus
error: snap "snapd" has no slot named "dbus"

I would appreciate any hints, tips or ideas on potential solutions.

Many thanks!

Peter

Log: apparmor="DENIED" operation="dbus_signal"  bus="session" path="/StatusNotifierItem" interface="org.freedesktop.DBus.Properties" member="PropertiesChanged" mask="send" name="org.freedesktop.DBus"  
Log: apparmor="DENIED" operation="dbus_signal"  bus="session" path="/StatusNotifierItem" interface="org.freedesktop.DBus.Properties" member="PropertiesChanged" mask="send" name="org.freedesktop.DBus"
Log: apparmor="DENIED" operation="dbus_method_call"  bus="session" path="/StatusNotifierMenu" interface="org.freedesktop.DBus.Properties" member="GetAll"  mask="receive"  
Log: apparmor="DENIED" operation="dbus_method_call"  bus="session" path="/StatusNotifierMenu" interface="com.canonical.dbusmenu" member="AboutToShow"  mask="receive"  
Log: apparmor="DENIED" operation="dbus_method_call"  bus="session" path="/StatusNotifierMenu" interface="com.canonical.dbusmenu" member="GetLayout"  mask="receive"  
Log: apparmor="DENIED" operation="dbus_signal"  bus="session" path="/StatusNotifierMenu" interface="org.freedesktop.DBus.Properties" member="PropertiesChanged" mask="send" name="org.freedesktop.DBus"  
Log: apparmor="DENIED" operation="dbus_signal"  bus="session" path="/StatusNotifierMenu" interface="com.canonical.dbusmenu" member="LayoutUpdated" mask="send" name="org.freedesktop.DBus"  
Log: apparmor="DENIED" operation="dbus_signal"  bus="session" path="/StatusNotifierMenu" interface="org.freedesktop.DBus.Properties" member="PropertiesChanged" mask="send" name="org.freedesktop.DBus"  
Log: apparmor="DENIED" operation="dbus_signal"  bus="session" path="/StatusNotifierMenu" interface="com.canonical.dbusmenu" member="LayoutUpdated" mask="send" name="org.freedesktop.DBus"  

In general a snap should not be binding to these dbus names - instead these should already be available via the desktop-legacy and desktop plug - and so you should remove these other two plugs from the snap.

The desktop-legacy plug should be connected automatically as well.

Can you confirm if this is the case? snap connections $SNAP_NAME | grep desktop-legacy

Thanks for your reply Alex. Both desktop and desktop-legacy are connected:

desktop                 dexc:desktop                 :desktop                        -
desktop-legacy          dexc:desktop-legacy          :desktop-legacy                 -

I have now removed the DBus plugs and tested the snap again, it behaves the same way. Some new observations:

  • the systray works correctly when the snap is run on KDE (Fedora 38).
  • on GNOME, with gnome-shell-extension-appindicator installed/running, the tray icon does appear but menu items don’t, the icon doesn’t respond to mouse click and the above DENIED messages are logged.
  • with gnome-shell-extension-appindicator removed, the application gives this error: systray error: failed to register our icon with the notifier watcher (maybe no tray is running?): The name org.kde.StatusNotifierWatcher was not provided by any .service files.

Thanks again for looking into this.

Peter

Hi @peterzen!

As @alexmurray mentioned, desktop-legacy and desktop should provide the functionality your app is requiring.

Is the source code for this snap available for us to take a look and do further troubleshooting?

Thanks!

Hi @emitorino, yes, please see the test case in this repository:

https://github.com/peterzen/systray-example-snap

Thank you!

Hey @peterzen,

Apologies for the long delay. Are you still working on/troubleshooting this issue?

Hey @emitorino, yes I am, haven’t found a solution yet.

Hey @peterzen,

I just tried to take a closer look at this request. When running your snap from here I got a subset of dbus denials different than yours. Could you please confirm that you still get the same denials when running your example snap?

Thanks

Hi @jslarraz, thank you for looking into this.

The log output in the OP had a few extra log messages, I have since narrowed it down to the denials that you’re probably seeing in the test case (to confirm, the ones I’m getting below).

Have you been able to reproduce/see the problem?

= AppArmor =
Time: Jan 26 20:25:56
Log: apparmor="DENIED" operation="dbus_method_call"  bus="session" path="/StatusNotifierMenu" interface="org.freedesktop.DBus.Properties" member="GetAll" name=":1.27" mask="receive" pid=16160 label="snap.example.example" peer_pid=699 peer_label="unconfined"
DBus access

= AppArmor =
Time: Jan 26 20:25:56
Log: apparmor="DENIED" operation="dbus_method_call"  bus="session" path="/StatusNotifierMenu" interface="com.canonical.dbusmenu" member="AboutToShow" name=":1.27" mask="receive" pid=16160 label="snap.example.example" peer_pid=699 peer_label="unconfined"
DBus access
Suggestion:
* try adding 'unity7' to 'plugs'

= AppArmor =
Time: Jan 26 20:25:56
Log: apparmor="DENIED" operation="dbus_method_call"  bus="session" path="/StatusNotifierMenu" interface="com.canonical.dbusmenu" member="GetLayout" name=":1.27" mask="receive" pid=16160 label="snap.example.example" peer_pid=699 peer_label="unconfined"
DBus access
Suggestion:
* try adding 'unity7' to 'plugs'

Have you tried to follow the suggestion and add the unity7 interface plug?

I have, it has no effect - the same error message is logged when it’s added.

@peterzen

Yes, I could observe this issue (I didn’t see the first denial you have there, but I have the other two among others).

I needed the following extra dbus rules to make the example application work.

dbus (receive)
    bus=session
    path=/StatusNotifierMenu
    interface=com.canonical.dbusmenu
    member={GetLayout,GetGroupProperties,AboutToShow,Event}
    peer=(label=unconfined),

dbus (send)
    bus=session
    path=/StatusNotifierMenu
    interface=com.canonical.dbusmenu
    member=LayoutUpdated
    peer=(label=unconfined),

@alexmurray Are those rules something we are missing in some interface (maybe desktop-legacy), or do you think there is a reason not to include them?

After a deeper check, it seems that the menu path used by fyne, /StatusNotifierMenu, does not match with the menu path allowed by the desktop-legacy interface, /StatusNotifierItem/menu.

I created a fork of the fyne/systray repo and updated the menu path to match the one expected by the desktop-legacy interface. Updating your example to use my updated fork seems to work perfectly out of the box.

...
    source-type: git
    source: https://github.com/jslarraz/systray
    source-branch: jslarraz-as-dependency
    source-subdir: example

If /StatusNotifierItem/menu is the preferred dbus path to locate this menu item you may want to ask fyne upstream to change it (maybe @jamesh can say something here). Otherwise, a better alternative would be to ask fyne upstream to expose this to be configurable by the application developers.
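
An added example (not written by any poster in this thread, and not snapd or Fyne code): a small Python helper that parses AppArmor DBus denial lines like those quoted above, groups them into candidate dbus rules in the same form as the rules posted earlier, and flags dbusmenu denials whose object path differs from /StatusNotifierItem/menu, the path this thread reports desktop-legacy as allowing. The sample log lines are constructed, and all function and constant names are hypothetical.

```python
import re
from collections import defaultdict

# Menu object path that, per the thread, the desktop-legacy interface allows.
ALLOWED_MENU_PATH = "/StatusNotifierItem/menu"
MENU_IFACE = "com.canonical.dbusmenu"
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare
REQUIRED = ("mask", "bus", "path", "interface", "member")

# Constructed sample lines, modelled on the denials quoted in the thread.
_TAIL = ('name=":1.27" mask="receive" pid=16160 '
         'label="snap.example.example" peer_pid=699 peer_label="unconfined"')
SAMPLE = [
    f'apparmor="DENIED" operation="dbus_method_call" bus="session" '
    f'path="/StatusNotifierMenu" interface="{MENU_IFACE}" member="{m}" {_TAIL}'
    for m in ("GetLayout", "AboutToShow", "GetLayout")
] + ['apparmor="ALLOWED" operation="open" name="/etc/hosts" pid=1']

def parse_denial(line):
    """Return the key=value fields of an AppArmor DBus denial, else None."""
    f = {k: q or u for k, q, u in FIELD.findall(line)}
    if f.get("apparmor") != "DENIED" or not f.get("operation", "").startswith("dbus_"):
        return None
    return f if all(k in f for k in REQUIRED) else None

def suggest_rules(lines):
    """Group denials by everything except member; render one rule per group."""
    groups = defaultdict(set)
    for d in filter(None, map(parse_denial, lines)):
        key = (d["mask"], d["bus"], d["path"], d["interface"], d.get("peer_label", ""))
        groups[key].add(d["member"])
    rules = []
    for (mask, bus, path, iface, peer), members in sorted(groups.items()):
        names = sorted(members)
        member = names[0] if len(names) == 1 else "{" + ",".join(names) + "}"
        parts = [f"dbus ({mask})", f"bus={bus}", f"path={path}",
                 f"interface={iface}", f"member={member}"]
        if peer:  # peer_label is absent from some denial lines
            parts.append(f"peer=(label={peer})")
        rules.append("\n    ".join(parts) + ",")
    return rules

def off_path_menu_denials(lines):
    """Denied dbusmenu object paths that differ from ALLOWED_MENU_PATH."""
    return {d["path"] for d in filter(None, map(parse_denial, lines))
            if d["interface"] == MENU_IFACE and d["path"] != ALLOWED_MENU_PATH}

if __name__ == "__main__":
    print("\n\n".join(suggest_rules(SAMPLE)), off_path_menu_denials(SAMPLE), sep="\n")
```

The rendered rules are a diagnostic aid for comparing what the application requests against what a connected interface grants; a non-empty result from off_path_menu_denials points at the path mismatch described above.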

Many thanks for tracking this down @jslarraz, I have posted your solution to the relevant issue open in the Systray repo.

https://github.com/fyne-io/systray/issues/64