Hi,
htop snap gets apparmor="DENIED" when trying to SIGTERM kill firefox and chromium-browser renderer processes. Both /usr/lib/firefox/firefox and /usr/lib/chromium-browser/chromium-browser are in enforce mode according to aa-status. Setting these to complain mode fixes this issue. But, otoh, /usr/bin/htop is able to signal these processes successfully even in enforce mode.
Is it possible to make htop snap signal aa-enforced processes, as /usr/bin/htop does?
Note this happens with different versions of htop snap (I'm currently on candidate, rev 163, v2.2.0); and it is connected to :process-control and :system-observe, as expected.
Btw, I'm the current maintainer of this snap.
$ journalctl -fk
...
May 01 11:06:50 max5 kernel: audit: type=1400 audit(1525183610.173:770): apparmor="DENIED" operation="signal" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=32120 comm="htop" requested_mask="receive" denied_mask="receive" signal=term peer="snap.htop.htop"
May 01 11:06:50 max5 kernel: audit: type=1400 audit(1525183610.173:771): apparmor="DENIED" operation="signal" profile="/usr/lib/chromium-browser/chromium-browser" pid=32120 comm="htop" requested_mask="receive" denied_mask="receive" signal=term peer="snap.htop.htop"
$ snap version
snap 2.32.5+18.04
snapd 2.32.5+18.04
series 16
ubuntu 18.04
kernel 4.15.0-20-generic
Cheers,
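
An added example, not part of the original post and not snapd or htop code: parsing the two denial records quoted above shows that the `receive` permission was refused by the browser profiles (the signal's target), with `snap.htop.htop` as the peer. The function names are hypothetical, and the generated text only names, in AppArmor `signal` rule syntax, what the target profile does not grant; it is not presented as the snap's or the distribution's fix.

```python
import re

# Constructed sample input: the two kernel audit records quoted in the post.
SAMPLE = [
    'May 01 11:06:50 max5 kernel: audit: type=1400 audit(1525183610.173:770): '
    'apparmor="DENIED" operation="signal" '
    'profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=32120 comm="htop" '
    'requested_mask="receive" denied_mask="receive" signal=term '
    'peer="snap.htop.htop"',
    'May 01 11:06:50 max5 kernel: audit: type=1400 audit(1525183610.173:771): '
    'apparmor="DENIED" operation="signal" '
    'profile="/usr/lib/chromium-browser/chromium-browser" pid=32120 comm="htop" '
    'requested_mask="receive" denied_mask="receive" signal=term '
    'peer="snap.htop.htop"',
]

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denial(line):
    """Return the fields of an AppArmor signal denial record, or None."""
    fields = {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}
    if fields.get("apparmor") != "DENIED" or fields.get("operation") != "signal":
        return None
    return fields


def explain(fields):
    """Identify which profile refused the signal and the permission it lacks."""
    # 'profile' is the confinement that was checked; 'peer' is the other side.
    # denied_mask="receive" means the target's profile refused to receive the
    # signal from 'peer'; "send" would mean the sender's profile refused.
    mask = fields["denied_mask"]
    return {
        "blocking_profile": fields["profile"],
        "direction": mask,
        "peer": fields["peer"],
        # Assumption: peer label needs no quoting (true for snap.htop.htop).
        "missing_rule": f'signal ({mask}) set=({fields["signal"]}) '
                        f'peer={fields["peer"]},',
    }


if __name__ == "__main__":
    for record in SAMPLE:
        info = explain(parse_denial(record))
        print(f'{info["blocking_profile"]}: lacks "{info["missing_rule"]}"')
```
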