Desktop environments and apparmor


#1

Hello,

I have a snap that has base core18, confinement strict, using the glib-only desktop helper.
The app has the following plugs enabled:

  • desktop
  • desktop-legacy
  • x11
  • opengl
  • network

Until some days ago, the snap was running with no issues. However, now it is unable to start and I see the following errors in the journal:

Aug 09 11:28:05 aston-Xubuntu audit[22858]: AVC apparmor="DENIED" operation="open" profile="snap.rust-keylock-ui.rust-keylock-ui" name="/home/aston/Documents/" pid=22858 comm="head" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Aug 09 11:28:05 aston-Xubuntu kernel: audit: type=1400 audit(1565339285.491:182): apparmor="DENIED" operation="open" profile="snap.rust-keylock-ui.rust-keylock-ui" name="/home/aston/Documents/" pid=22858 comm="head" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Aug 09 11:28:05 aston-Xubuntu audit[22768]: AVC apparmor="DENIED" operation="open" profile="snap.rust-keylock-ui.rust-keylock-ui" name="/proc/22768/mountinfo" pid=22768 comm="rust-keylock-ui" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Aug 09 11:28:05 aston-Xubuntu audit[22768]: AVC apparmor="DENIED" operation="open" profile="snap.rust-keylock-ui.rust-keylock-ui" name="/proc/22768/coredump_filter" pid=22768 comm="rust-keylock-ui" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
Aug 09 11:28:05 aston-Xubuntu audit[22768]: AVC apparmor="DENIED" operation="open" profile="snap.rust-keylock-ui.rust-keylock-ui" name="/proc/22768/coredump_filter" pid=22768 comm="rust-keylock-ui" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
Aug 09 11:28:05 aston-Xubuntu audit[22768]: AVC apparmor="DENIED" operation="open" profile="snap.rust-keylock-ui.rust-keylock-ui" name="/home/aston/" pid=22768 comm="rust-keylock-ui" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Aug 09 11:28:05 aston-Xubuntu kernel: audit: type=1400 audit(1565339285.507:183): apparmor="DENIED" operation="open" profile="snap.rust-keylock-ui.rust-keylock-ui" name="/proc/22768/mountinfo" pid=22768 comm="rust-keylock-ui" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Aug 09 11:28:05 aston-Xubuntu kernel: audit: type=1400 audit(1565339285.507:184): apparmor="DENIED" operation="open" profile="snap.rust-keylock-ui.rust-keylock-ui" name="/proc/22768/coredump_filter" pid=22768 comm="rust-keylock-ui" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
Aug 09 11:28:05 aston-Xubuntu kernel: audit: type=1400 audit(1565339285.507:185): apparmor="DENIED" operation="open" profile="snap.rust-keylock-ui.rust-keylock-ui" name="/proc/22768/coredump_filter" pid=22768 comm="rust-keylock-ui" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
Aug 09 11:28:05 aston-Xubuntu kernel: audit: type=1400 audit(1565339285.507:186): apparmor="DENIED" operation="open" profile="snap.rust-keylock-ui.rust-keylock-ui" name="/home/aston/" pid=22768 comm="rust-keylock-ui" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

I have noticed that in the snap home directory there are links to the actual home:

for example:

ls -la ~/snap/rust-keylock-ui/current/.config/gtk-2.0/gtkfilechooser.ini

returns

lrwxrwxrwx 1 aston aston 49 Aug 9 09:35 /home/aston/snap/rust-keylock-ui/current/.config/gtk-2.0/gtkfilechooser.ini -> /home/aston/.config/gtk-2.0/gtkfilechooser.ini

Can this be an issue?
Do I need some additional configuration in my snap to keep AppArmor happy?
Here is the snapcraft.yaml for reference.


#2

I found out that the issue was caused by the way I was building the snaps.
I was using SNAPCRAFT_BUILD_ENVIRONMENT=host for the build and this messed with the symlink creation for gtk.

Using the default (multipass) fixed the issue.

Thanks
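
The check from post #1 (symlinks under the snap's per-user directory that point into the real home), generalised to every revision directory, as an added example that is not part of the original thread. The snap name `demo-app`, the helper names and the directory tree are constructed for the demo; on a real system the argument would be `~/snap/<snap-name>`.

```python
import os
import tempfile
from pathlib import Path


def escaping_symlinks(snap_user_dir):
    """List (link, target) for symlinks under ~/snap/<name> whose target
    lies outside that directory, e.g. in the user's real home."""
    root = Path(snap_user_dir).resolve()
    found = []
    # followlinks=False: report symlinked directories, never descend into them.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            link = Path(dirpath) / name
            if not link.is_symlink():
                continue
            # A relative target is relative to the link's own directory.
            # The comparison is lexical: the target is not resolved further.
            raw = os.readlink(link)
            target = Path(os.path.normpath(os.path.join(dirpath, raw)))
            if target != root and root not in target.parents:
                found.append((str(link.relative_to(root)), str(target)))
    return sorted(found)


def build_demo_tree(base):
    """Constructed layout: a fake home holding a hypothetical snap 'demo-app'."""
    home = Path(base).resolve() / "home"
    snap_dir = home / "snap" / "demo-app"
    rev = snap_dir / "x1"
    (rev / ".config" / "gtk-2.0").mkdir(parents=True)
    (home / ".config" / "gtk-2.0").mkdir(parents=True)
    real_ini = home / ".config" / "gtk-2.0" / "gtkfilechooser.ini"
    real_ini.write_text("[Filechooser Settings]\n")
    os.symlink("x1", snap_dir / "current")  # normal: stays inside
    os.symlink(real_ini, rev / ".config" / "gtk-2.0" / "gtkfilechooser.ini")  # escapes
    (rev / "data.txt").write_text("sample\n")
    os.symlink("../data.txt", rev / ".config" / "data-link")  # relative, inside
    return snap_dir


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for link, target in escaping_symlinks(build_demo_tree(tmp)):
            print(f"{link} -> {target}")
```
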