Jami snap sip-client (or dbus) AppArmor problems

mocart · January 4, 2021, 11:03am

I try to configure Jami sip client in ubuntu 20.04 and see in syslog file this message:

Jan  1 11:03:08 user-home dbus-daemon[1974]: apparmor="DENIED" operation="dbus_signal"  bus="session" path="/cx/ring/Ring/ConfigurationManager" interface="cx.ring.Ring.ConfigurationManager" member="volatileAccountDetailsChanged" mask="send" name="org.freedesktop.DBus" pid=11820 label="snap.jami.jami" peer_pid=2655 peer_label="unconfined"

Then i tryed to start apparmor status:

sudo apparmor_status
apparmor module is loaded.
44 profiles are loaded.
25 profiles are in enforce mode.
   /snap/core/10577/usr/lib/snapd/snap-confine
   /snap/core/10577/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /snap/snapd/10492/usr/lib/snapd/snap-confine
   /snap/snapd/10492/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   chromium_browser//browser_java
   chromium_browser//browser_openjdk
   chromium_browser//sanitized_helper
   snap-update-ns.core
   snap-update-ns.discord
   snap-update-ns.jami
   snap-update-ns.krdc
   snap-update-ns.p7zip-desktop
   snap-update-ns.snap-store
   snap-update-ns.telegram-desktop
   snap.core.hook.configure
   snap.discord.discord
   snap.discord.hook.configure
   snap.jami.jami
   snap.krdc.krdc
   snap.p7zip-desktop.p7zip-desktop
   snap.snap-store.hook.configure
   snap.snap-store.snap-store
   snap.snap-store.ubuntu-software
   snap.snap-store.ubuntu-software-local-file
   snap.telegram-desktop.telegram-desktop
19 profiles are in complain mode.
   /usr/sbin/dnsmasq
   /usr/sbin/dnsmasq//libvirt_leaseshelper
   avahi-daemon
   chromium_browser
   chromium_browser//chromium_browser_sandbox
   chromium_browser//lsb_release
   chromium_browser//xdgsettings
   identd
   klogd
   mdnsd
   nmbd
   nscd
   ping
   smbd
   smbldap-useradd
   smbldap-useradd///etc/init.d/nscd
   syslog-ng
   syslogd
   traceroute
6 processes have profiles defined.
6 processes are in enforce mode.
   /snap/jami/112/usr/bin/jami-gnome (5342) snap.jami.jami
   /snap/jami/112/usr/lib/ring/dring (5466) snap.jami.jami
   /usr/lib/x86_64-linux-gnu/webkit2gtk-4.0/WebKitWebProcess (5520) snap.jami.jami
   /usr/lib/x86_64-linux-gnu/webkit2gtk-4.0/WebKitNetworkProcess (5521) snap.jami.jami
   /snap/snap-store/518/usr/bin/snap-store (2400) snap.snap-store.ubuntu-software
   /snap/telegram-desktop/2315/usr/bin/telegram-desktop (2306) snap.telegram-desktop.telegram-desktop
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

I try to configure Jami sip client in ubuntu 20.04 and see in syslog file this message:

Jan  1 11:03:08 user-home dbus-daemon[1974]: apparmor="DENIED" operation="dbus_signal"  bus="session" path="/cx/ring/Ring/ConfigurationManager" interface="cx.ring.Ring.ConfigurationManager" member="volatileAccountDetailsChanged" mask="send" name="org.freedesktop.DBus" pid=11820 label="snap.jami.jami" peer_pid=2655 peer_label="unconfined"

Then i tryed to start apparmor status:

sudo apparmor_status
apparmor module is loaded.
44 profiles are loaded.
25 profiles are in enforce mode.
   /snap/core/10577/usr/lib/snapd/snap-confine
   /snap/core/10577/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /snap/snapd/10492/usr/lib/snapd/snap-confine
   /snap/snapd/10492/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   chromium_browser//browser_java
   chromium_browser//browser_openjdk
   chromium_browser//sanitized_helper
   snap-update-ns.core
   snap-update-ns.discord
   snap-update-ns.jami
   snap-update-ns.krdc
   snap-update-ns.p7zip-desktop
   snap-update-ns.snap-store
   snap-update-ns.telegram-desktop
   snap.core.hook.configure
   snap.discord.discord
   snap.discord.hook.configure
   snap.jami.jami
   snap.krdc.krdc
   snap.p7zip-desktop.p7zip-desktop
   snap.snap-store.hook.configure
   snap.snap-store.snap-store
   snap.snap-store.ubuntu-software
   snap.snap-store.ubuntu-software-local-file
   snap.telegram-desktop.telegram-desktop
19 profiles are in complain mode.
   /usr/sbin/dnsmasq
   /usr/sbin/dnsmasq//libvirt_leaseshelper
   avahi-daemon
   chromium_browser
   chromium_browser//chromium_browser_sandbox
   chromium_browser//lsb_release
   chromium_browser//xdgsettings
   identd
   klogd
   mdnsd
   nmbd
   nscd
   ping
   smbd
   smbldap-useradd
   smbldap-useradd///etc/init.d/nscd
   syslog-ng
   syslogd
   traceroute
6 processes have profiles defined.
6 processes are in enforce mode.
   /snap/jami/112/usr/bin/jami-gnome (5342) snap.jami.jami
   /snap/jami/112/usr/lib/ring/dring (5466) snap.jami.jami
   /usr/lib/x86_64-linux-gnu/webkit2gtk-4.0/WebKitWebProcess (5520) snap.jami.jami
   /usr/lib/x86_64-linux-gnu/webkit2gtk-4.0/WebKitNetworkProcess (5521) snap.jami.jami
   /snap/snap-store/518/usr/bin/snap-store (2400) snap.snap-store.ubuntu-software
   /snap/telegram-desktop/2315/usr/bin/telegram-desktop (2306) snap.telegram-desktop.telegram-desktop
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

I think, it’s linked with AppArmor, and it must be allowed for D-Bus or Jami app from enforced mode, but i can’t understand it, how i can solve it? Thanks!

ogra · January 4, 2021, 12:09pm

can you install the snappy-debug snap and run it in a terminal while also running the jami snap ? that should give some clearer error messages (and perhaps also suggestions what is missing in the snap)

mocart · January 5, 2021, 10:00am

Hi! I did it

ogra · January 5, 2021, 11:02am

this looks like jami is trying to call the snap command, this wont work and looks like a packaging bug …

mocart · January 5, 2021, 11:22am

oh, can i do anything to solve it?

ogra · January 5, 2021, 12:04pm

well, looking at the source at https://github.com/diddlesnaps/jami i dont see anything that could call the snap command, is your snappy-debug output really only from starting jami in another terminal ?

mocart · January 5, 2021, 12:36pm

Yep, i closed Jami, then start snappy-debug in new terminal and after it start Jami

ogra · January 5, 2021, 2:11pm

well, something seems seriously wrong with your OS then (this looks like someone tinkered with the apparmor setup, or a broken kernel is in use or some such, a default Ubuntu install should definitely not expose such output) …

what do:
snap version
snap debug confinement
and
snap debug sandbox-features

return ?

lucyllewy · January 5, 2021, 6:26pm

Jami upstream have taken over maintenance, so my repo is probably woefully out of date.

mocart · January 6, 2021, 8:28am

snap version

snapd   2.48.2
series  16
ubuntu  20.04
kernel  5.4.0-58-generic

snap debug confinement

strict

snap debug sandbox-features

apparmor:             kernel:caps kernel:dbus kernel:domain kernel:file kernel:mount kernel:namespaces kernel:network kernel:network_v8 kernel:policy kernel:ptrace kernel:query kernel:rlimit kernel:signal parser:unsafe policy:default support-level:full
    confinement-options:  classic devmode strict
    dbus:                 mediated-bus-access
    kmod:                 mediated-modprobe
    mount:                freezer-cgroup-v1 layouts mount-namespace per-snap-persistency per-snap-profiles per-snap-updates per-snap-user-profiles stale-base-invalidation
    seccomp:              bpf-actlog bpf-argument-filtering kernel:allow kernel:errno kernel:kill_process kernel:kill_thread kernel:log kernel:trace kernel:trap kernel:user_notif
    udev:                 device-cgroup-v1 device-filtering tagging

ogra · January 6, 2021, 10:27am

well, this looks all fine, did you tinker with any apparmor settings on this system since it was installed ?

mocart · January 6, 2021, 11:10am

only temporary disabling , to test it