Discord ptrace AppArmor denials

Ads20000 · May 21, 2018, 4:13pm

I’m getting many AppArmor denials from Discord, to the extent that /var/log/journal/system.journal is 100MB (for just a few days of persistent logging) and /var/log/journal is over 4GB (also for just a few days). As @popey puts it, ‘discord likes to interrogate other applications on the system, probably so it can show to your friends what game you’re currently playing’, we may need a tweak to the AppArmor policy, can you help @jdstrand?

The denial (looks incomplete but I can’t see the full line because I can’t open /var/log/system.log with cat or nano (garbled) and it’s kinda too big for Text Editor (but probably also garbled in that)):

Apr 23 12:31:05 adam-thinkpad-t430 audit[6291]: AVC apparmor="DENIED" operation="ptrace" profile="snap.discord.discord" pid=6291 comm="Discord" requested_mask="trace" d

jdstrand · April 23, 2018, 11:57am

The apparmor denial is incomplete. Can you paste the whole denial?

Ads20000 · April 23, 2018, 12:05pm

How do I get it? I can’t seem to scroll sideways in journalctl? Using left and right keys didn’t seem to work

Ads20000 · April 23, 2018, 12:08pm

Got it with journalctl -f

Apr 23 13:06:17 adam-thinkpad-t430 audit[6291]: AVC apparmor="DENIED" operation="ptrace" profile="snap.discord.discord" pid=6291 comm="Discord" requested_mask="trace" denied_mask="trace" peer="unconfined"

Also

Apr 23 13:06:17 adam-thinkpad-t430 audit[6291]: AVC apparmor="DENIED" operation="ptrace" profile="snap.discord.discord" pid=6291 comm="Discord" requested_mask="trace" denied_mask="trace" peer="snap.gnome-clocks.gnome-clocks"
Apr 23 13:06:17 adam-thinkpad-t430 audit[6291]: AVC apparmor="DENIED" operation="ptrace" profile="snap.discord.discord" pid=6291 comm="Discord" requested_mask="trace" denied_mask="trace" peer="snap.mailspring.mailspring"

(different peers)

jdstrand · April 23, 2018, 1:06pm

Discord should not be allowed to ptrace other snaps (label=snap.!discord.*) or system processes (label=unconfined) since that would allow discord to completely control these other processes. This would be a surprising requirement for a chat program.

That said, the LSM hooks in the kernel are not fine-grained enough for ptrace and a ‘ptrace trace’ denial can actually be triggered with the ‘ps’ command. From interfaces/builtin/system_observe.go:

# ptrace can be used to break out of the seccomp sandbox, but ps requests
# 'ptrace (trace)' even though it isn't tracing other processes. Unfortunately,
# this is due to the kernel overloading trace such that the LSMs are unable to
# distinguish between tracing other processes and other accesses. We deny the
# trace here to silence the log.
# Note: for now, explicitly deny to avoid confusion and accidentally giving
# away this dangerous access frivolously. We may conditionally deny this in the
# future.
deny ptrace (trace),

Discord already plugs system-observe, so you can make the denial go away with: `sudo snap connect discord:system-observe.

I would argue that it is surprising that discord requires system-observe and that it should be modified to not trigger the denial. In lieu of that, discord should probably pursue auto-connecting the system-observe interface.

ali1234 · May 21, 2018, 1:10am

Can we just get a way to suppress the errors please? This is sending over 30 error message to the kernel log every second. It is also trying and failing to read /proc/pid/cmdline for ssh-agent. I don’t want to give Discord these permissions.

Ads20000 · May 21, 2018, 7:48am

This is an AppArmor feature request that has been standing since 2011.

Edit: Actually, we should be able to do this with deny rules in the AppArmor profile, I’m not sure how to go about doing this though.

jdstrand · May 21, 2018, 5:45pm

Which permissions do you not want to grant? system-observe? Note that while snapd allows the user to choose whether or not to connect interfaces, it doesn’t (currently) allow a means to control the logging of the snap. This and more generally not supporting hand-tweaking snap app policy was taken as an early design decision for snapd. This could be revisited (I would suggest another forum topic though).

If you are choosing to not connect requested interfaces, then you’ll need to find some other means to manage policy denials. rsyslog for example allows ignoring log entries so they don’t hit the disk (I’m not aware of a way to do this with journald though). You could also modify /var/lib/snapd/apparmor/profiles/snap.discord.discord to have:

deny ptrace (trace),

Then do ‘sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap.discord.discord’. Because of how snapd manages its profiles, you will have to periodically re-add the above rule to the profile.

jdstrand · May 21, 2018, 2:25pm

This gets at the question of whether or not a user should be able to control the logged denials of the snap application where the user has chosen to disconnect requested interfaces (see my last reply). If the design decision for snapd changes, then we can prioritize how to limit logging (eg, to implement ‘quiet’ as a profile flag).

Ads20000 · May 21, 2018, 4:14pm

I’ve plugged system-observe and now I get a glut of open denials, so many that the forum won’t let me paste in even one second’s worth of the logs

May 21 17:08:08 adam-thinkpad-t430 kernel: audit: type=1400 audit(1526918888.223:15262): apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/home/adam/.local/share/flatpak/exports/share/applications/" pid=11704 comm="xdg-mime" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
May 21 17:08:08 adam-thinkpad-t430 audit[11748]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/0ad_play0ad.desktop" pid=11748 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11748]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/atom_atom.desktop" pid=11748 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11748]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/brave_brave.desktop" pid=11748 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11748]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/chromium_chromium.desktop" pid=11748 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11748]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/corebird_corebird.desktop" pid=11748 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11748]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/dolphin_org.kde.dolphin.desktop" pid=11748 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11748]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/firefox_firefox.desktop" pid=11748 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11748]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/flare-rpg_flare-rpg.desktop" pid=11748 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11748]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/gimp_gimp.desktop" pid=11748 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11748]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/gnome-characters_gnome-characters.desktop" pid=11748 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11748]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/gnome-clocks_gnome-clocks.desktop" pid=11748 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11748]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/gnome-recipes_gnome-recipes.desktop" pid=11748 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11748]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/gnome-sudoku_gnome-sudoku.desktop" pid=11748 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11748]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/inkscape_inkscape.desktop" pid=11748 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11748]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/keepassxc_keepassxc.desktop" pid=11748 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11748]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/libreoffice_base.desktop" pid=11748 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11748]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/libreoffice_calc.desktop" pid=11748 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11748]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/libreoffice_draw.desktop" pid=11748 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11748]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/libreoffice_impress.desktop" pid=11748 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11748]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/libreoffice_libreoffice.desktop" pid=11748 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11748]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/libreoffice_math.desktop" pid=11748 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11748]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/libreoffice_writer.desktop" pid=11748 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11748]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/linux-steam-integration_lsi-settings.desktop" pid=11748 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11748]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/linux-steam-integration_steam.desktop" pid=11748 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11748]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/linuxtycoon_linuxtycoon.desktop" pid=11748 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11748]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/mailspring_mailspring.desktop" pid=11748 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11748]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/musescore_musescore.desktop" pid=11748 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11748]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/notepad-plus-plus_notepad-plus-plus.desktop" pid=11748 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11748]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/obs-studio_obs-studio.desktop" pid=11748 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11748]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/spotify_spotify.desktop" pid=11748 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11748]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/talesofmajeyal_talesofmajeyal.desktop" pid=11748 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 kernel: audit: type=1400 audit(1526918888.243:15263): apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/0ad_play0ad.desktop" pid=11748 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 kernel: audit: type=1400 audit(1526918888.243:15264): apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/atom_atom.desktop" pid=11748 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 kernel: audit: type=1400 audit(1526918888.243:15265): apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/brave_brave.desktop" pid=11748 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 kernel: audit: type=1400 audit(1526918888.243:15266): apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/chromium_chromium.desktop" pid=11748 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 kernel: audit: type=1400 audit(1526918888.243:15267): apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/corebird_corebird.desktop" pid=11748 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 kernel: audit: type=1400 audit(1526918888.243:15268): apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/dolphin_org.kde.dolphin.desktop" pid=11748 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 kernel: audit: type=1400 audit(1526918888.243:15269): apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/firefox_firefox.desktop" pid=11748 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 kernel: audit: type=1400 audit(1526918888.243:15270): apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/flare-rpg_flare-rpg.desktop" pid=11748 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11748]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/telegram-desktop_telegramdesktop.desktop" pid=11748 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11856]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/home/adam/.local/share/flatpak/exports/share/applications/" pid=11856 comm="xdg-mime" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
May 21 17:08:08 adam-thinkpad-t430 audit[11863]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/home/adam/.local/share/flatpak/exports/share/applications/" pid=11863 comm="xdg-mime" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
May 21 17:08:08 adam-thinkpad-t430 audit[11856]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/home/adam/.local/share/flatpak/exports/share/applications/" pid=11856 comm="xdg-mime" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
May 21 17:08:08 adam-thinkpad-t430 audit[11863]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/home/adam/.local/share/flatpak/exports/share/applications/" pid=11863 comm="xdg-mime" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
May 21 17:08:08 adam-thinkpad-t430 audit[11905]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/0ad_play0ad.desktop" pid=11905 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11905]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/atom_atom.desktop" pid=11905 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11905]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/brave_brave.desktop" pid=11905 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11905]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/chromium_chromium.desktop" pid=11905 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11905]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/corebird_corebird.desktop" pid=11905 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11905]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/dolphin_org.kde.dolphin.desktop" pid=11905 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11905]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/firefox_firefox.desktop" pid=11905 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11905]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/flare-rpg_flare-rpg.desktop" pid=11905 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11905]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/gimp_gimp.desktop" pid=11905 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11905]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/gnome-characters_gnome-characters.desktop" pid=11905 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11905]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/gnome-clocks_gnome-clocks.desktop" pid=11905 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11905]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/gnome-recipes_gnome-recipes.desktop" pid=11905 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11905]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/gnome-sudoku_gnome-sudoku.desktop" pid=11905 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11905]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/inkscape_inkscape.desktop" pid=11905 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11905]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/keepassxc_keepassxc.desktop" pid=11905 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11905]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/libreoffice_base.desktop" pid=11905 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11905]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/libreoffice_calc.desktop" pid=11905 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11905]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/libreoffice_draw.desktop" pid=11905 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11905]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/libreoffice_impress.desktop" pid=11905 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11905]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/libreoffice_libreoffice.desktop" pid=11905 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11905]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/libreoffice_math.desktop" pid=11905 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11905]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/libreoffice_writer.desktop" pid=11905 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11905]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/linux-steam-integration_lsi-settings.desktop" pid=11905 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11905]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/linux-steam-integration_steam.desktop" pid=11905 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11905]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/linuxtycoon_linuxtycoon.desktop" pid=11905 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11905]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/mailspring_mailspring.desktop" pid=11905 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11905]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/musescore_musescore.desktop" pid=11905 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11905]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/notepad-plus-plus_notepad-plus-plus.desktop" pid=11905 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11905]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/obs-studio_obs-studio.desktop" pid=11905 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11905]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/spotify_spotify.desktop" pid=11905 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11905]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/talesofmajeyal_talesofmajeyal.desktop" pid=11905 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11905]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/telegram-desktop_telegramdesktop.desktop" pid=11905 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11907]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/0ad_play0ad.desktop" pid=11907 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11907]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/atom_atom.desktop" pid=11907 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11907]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/brave_brave.desktop" pid=11907 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11907]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/chromium_chromium.desktop" pid=11907 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11907]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/corebird_corebird.desktop" pid=11907 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11907]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/dolphin_org.kde.dolphin.desktop" pid=11907 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11907]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/firefox_firefox.desktop" pid=11907 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11907]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/flare-rpg_flare-rpg.desktop" pid=11907 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11907]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/gimp_gimp.desktop" pid=11907 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11907]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/gnome-characters_gnome-characters.desktop" pid=11907 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11907]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/gnome-clocks_gnome-clocks.desktop" pid=11907 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11907]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/gnome-recipes_gnome-recipes.desktop" pid=11907 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11907]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/gnome-sudoku_gnome-sudoku.desktop" pid=11907 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11907]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/inkscape_inkscape.desktop" pid=11907 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11907]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/keepassxc_keepassxc.desktop" pid=11907 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11907]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/libreoffice_base.desktop" pid=11907 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11907]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/libreoffice_calc.desktop" pid=11907 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11907]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/libreoffice_draw.desktop" pid=11907 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11907]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/libreoffice_impress.desktop" pid=11907 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11907]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/libreoffice_libreoffice.desktop" pid=11907 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11907]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/libreoffice_math.desktop" pid=11907 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11907]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/libreoffice_writer.desktop" pid=11907 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11907]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/linux-steam-integration_lsi-settings.desktop" pid=11907 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11907]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/linux-steam-integration_steam.desktop" pid=11907 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11907]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/linuxtycoon_linuxtycoon.desktop" pid=11907 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11907]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/mailspring_mailspring.desktop" pid=11907 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11907]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/musescore_musescore.desktop" pid=11907 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11907]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/notepad-plus-plus_notepad-plus-plus.desktop" pid=11907 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11907]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/obs-studio_obs-studio.desktop" pid=11907 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11907]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/spotify_spotify.desktop" pid=11907 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11907]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/talesofmajeyal_talesofmajeyal.desktop" pid=11907 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[11907]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/telegram-desktop_telegramdesktop.desktop" pid=11907 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 21 17:08:08 adam-thinkpad-t430 audit[12094]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/home/adam/.local/share/flatpak/exports/share/applications/mimeinfo.cache" pid=12094 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

_{Changed the category from snapd to snap because this is no longer really a snapd feature request but more of a Discord problem. I suppose I’m reliant on the Snap Advocates having the time to get in touch with Discord about this and then for Discord to work out what to do to fix the issue…}

Ads20000 · May 21, 2018, 4:21pm

Filed a topic. @ali1234 could you +1 (use the Like button) my proposal or comment your suggestions on it?

jdstrand · May 21, 2018, 5:43pm

Let’s look at a couple of these denials:

May 21 17:08:08 adam-thinkpad-t430 kernel: audit: type=1400 audit(1526918888.223:15262): apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/home/adam/.local/share/flatpak/exports/share/applications/" pid=11704 comm="xdg-mime" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

This isn’t allowed by any policy. It could in theory be added to desktop-legacy. @jamesh, thoughts?

May 21 17:08:08 adam-thinkpad-t430 audit[11748]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/var/lib/snapd/desktop/applications/0ad_play0ad.desktop" pid=11748 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

This is already allowed by the unity7 interface. Please connect the unity7 interface. I’ll take a todo to investigate this for desktop-legacy as well.

It looks like discord is shipping ‘xdg-mime’ and these denials are all coming from that. This is discussed here: Unable to set default mail client - x-scheme-handler in snap .desktop files are ignored

Ads20000 · May 21, 2018, 6:01pm

Connecting unity7 seems to silence all of the denials, thanks!
For the record, the following commands solves the problem:

snap connect discord:system-observe :system-observe
snap connect discord:unity7 :unity7

I’ll add this to the snapcrafters GitHub Issue…

Obviously this doesn’t help people out-of-the-box but I guess most people wouldn’t care that their logs are being flooded and the denials don’t seem to hinder the application, just need a way to silence them if the user doesn’t want to connect those interfaces but does need access to the logs (see the topic linked earlier).

The system observe interface was requested auto-connection but no votes. The unity7 interface has not been requested auto-connection, could request this if people wanted…

jdstrand · May 23, 2018, 9:51pm

Note that unity7 should be auto-connected by default… not sure why it wasn’t connected on your system.

As for system-observe, I responded in the other thread wrt voting and added that request to our vote tracking system (for some reason it wasn’t added).

piark · February 23, 2020, 6:52pm

In discord, you can just disable the system process scan.
To do this, go to, user settings, Activity and Games, Show the game i am currently playing.
regards.

Ads20000 · October 20, 2020, 2:24pm

I’ve just checked and this doesn’t resolve the problem.
Settings > Game Activity > ‘Display currently running game as a status message.’ set to off and even restarting Discord after that (and observing that the setting is still set to off), I still get the following denial repeated over and over:

Oct 20 15:22:12 adam-thinkpad-t430 audit[85081]: AVC apparmor="DENIED" operation="ptrace" profile="snap.discord.discord" pid=85081 comm="Discord" requested_mask="read" denied_mask="read" peer="unconfined"