JAVAFX App: personal-files interface doesn't give access to $HOME/.openjfx cache directory in Strict mode

I am developing an application which works mostly correctly when snapped and installed in Devmode and Classic mode, but fails when snapped and installed in Strict mode.

It would appear that AppArmor is denying access to a cache file stored in the user's home directory by a JAVAFX component, even though the personal-files interface has been requested and manually enabled.

A second more minor issue is that I cannot start a browser in Devmode.

If this cannot be solved I must ask for release in Classic mode, which I realise is not popular in this community.

Please note my general expertise is in JAVA programming, not LINUX or SNAP, so I ask your forbearance if I need gentle explanations!

many thanks
Alan

//=======================================

Background
The snap is a self-contained JavaFX app for the management of photographic images. It reads and writes files (.jpg, .txt) from the user's file systems, including USB connected storage and devices (cameras), and network storage via the resident file system.

As the application is self-contained from a Java execution environment perspective, to the best of my understanding there is no need for the app to access host system Java execution engines or JAVA related paths.

The app creates and maintains a file-store for the imported images and created text files, with a database to enable certain relationships between the images and text files to be maintained. Import, export and backup functionality is built in to enable the user to manage and catalogue a significantly large number of images.

It also has the ability to email images to recipients using an internal email functionality.

The user's home directory is determined within the application at run-time as required by the JavaFX system call:

```
String directory = System.getProperty("user.home");
```

Sub-directories should be created (are successfully created in devmode) in the user's real $HOME directory on first startup, some resources are created on first startup and some copied from the App’s compiled resources into these user sub-directories. This appears to be working correctly, however the app crashes before reaching that stage when in Strict mode.

The App is started by an IDE-generated shell script. The IDE is IntelliJ IDEA Community edition.

The script (called photonotebook) reads as follows:
//==============

```
#!/bin/sh
DIR="${0%/*}"
"$DIR/java" -p "$DIR/../app" -m PhotoNoteBook/com.dryjointproductions.photonotebook.PhotoNoteBook "$@"
```

//==============

Starting the snap gives the following error:
//==============

```
Loading library prism_es2 from resource failed: java.lang.UnsatisfiedLinkError: /home/alan/.openjfx/cache/11.0.2/libprism_es2.so: /home/alan/.openjfx/cache/11.0.2/libprism_es2.so: failed to map segment from shared object
```

It would appear that the snap is successfully creating /home/alan/.openjfx/cache/11.0.2 and adding some links to shared object files (.so files), and then failing to read them back when required.

The relevant part of the Java stack trace error message is:

```
Graphics Device initialization failed for :  es2, sw
Error initializing QuantumRenderer: no suitable pipeline found
java.lang.RuntimeException: java.lang.RuntimeException: Error initializing QuantumRenderer: no suitable pipeline found
   at javafx.graphics/com.sun.javafx.tk.quantum.QuantumRenderer.getInstance(Unknown Source)
```

QuantumRenderer is requesting access to /home/alan/.openjfx/cache/11.0.2/libprism_es2.so and other files, which is being denied by AppArmor.

//=============
The personal-files interface has been included and manually connected, and examination of var/lib/snapd/apparmor/profiles/snap.photonotebook.photonotebook shows:

```
# Description: Can access specific personal files or directories in the
# users's home directory.
# This is restricted because it gives file access to arbitrary locations.
owner "@{HOME}/.openjfx{,/,/**}" rwkl,

# Allow read-access on /home/ for navigating to other parts of the
 # filesystem. While this allows enumerating users, this is already allowed
 # via /etc/passwd and getent.
 @{HOMEDIRS}/ r,

 # Allow read-access to / for navigating to other parts of the filesystem.
 / r,

# Description: Can access non-hidden files in user's $HOME. This is restricted
# because it gives file access to all of the user's $HOME.

# Note, @{HOME} is the user's $HOME, not the snap's $HOME

# Allow read access to toplevel $HOME for the user
owner @{HOME}/ r,

# Allow read/write access to all files in @{HOME}, except snap application
# data in @{HOME}/snap and toplevel hidden directories in @{HOME}.
owner @{HOME}/[^s.]**             rwklix,
owner @{HOME}/s[^n]**             rwklix,
owner @{HOME}/sn[^a]**            rwklix,
owner @{HOME}/sna[^p]**           rwklix,
owner @{HOME}/snap[^/]**          rwklix,

# Allow creating a few files not caught above
owner @{HOME}/{s,sn,sna}{,/} rwklix,

# Disallow writes to the well-known directory included in
# the user's PATH on several distributions
audit deny @{HOME}/bin/{,**} wl,
```

// a duplicate of a previous entry

```
# Description: Can access specific personal files or directories in the
# users's home directory.
# This is restricted because it gives file access to arbitrary locations.
owner "@{HOME}/.openjfx{,/,/**}" rwkl,
```

//=================

snap connections shows:

personal-files photonotebook:openjfx :personal-files manual

//==============

snapcraft.yaml:

```
name: photonotebook
title: PhotoNoteBook
version: '1'
summary: The digital photography library manager and notebook 
license: Proprietary
description: PhotoNoteBook is a digital photograph library manager enabling collections of images and the making of notes and memo's for the collections and the photographs. 
icon: photonotebook.png 
confinement: strict
grade: stable
base: core18

plugs:
 openjfx:
   interface:  personal-files
   write: [ $HOME/.openjfx ]

apps:
 photonotebook:
   extensions:
     - gnome-3-28
   plugs: [desktop, desktop-legacy, wayland, unity7, unity8, x11, opengl, removable-media, optical-drive, home, openjfx]
   command: bin/photonotebook


parts:
 photonotebook:
   plugin: dump
   source: ./photonotebook/
   stage-packages: [libfreetype6, libpng16-16, libx11-6, libxext6, libxi6, libxrender1, libxtst6, libasound2 ]
```

//===============

SNAP_CONFINE_DEBUG=1 snap run photonotebook returns:

DEBUG: umask reset, old umask was  022
DEBUG: security tag: snap.photonotebook.photonotebook
DEBUG: executable:   /usr/lib/snapd/snap-exec
DEBUG: confinement:  non-classic
DEBUG: base snap:    core18
DEBUG: ruid: 1000, euid: 0, suid: 0
DEBUG: rgid: 1000, egid: 1000, sgid: 1000
DEBUG: apparmor label on snap-confine is: /snap/core/9436/usr/lib/snapd/snap-confine
DEBUG: apparmor mode is: enforce
DEBUG: creating lock directory /run/snapd/lock (if missing)
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: opening lock directory /run/snapd/lock
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: opening lock file: /run/snapd/lock/.lock
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: sanity timeout initialized and set for 30 seconds
DEBUG: acquiring exclusive lock (scope (global), uid 0)
DEBUG: sanity timeout reset and disabled
DEBUG: ensuring that snap mount directory is shared
DEBUG: unsharing snap namespace directory
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: releasing lock 5
DEBUG: opened snap-update-ns executable as file descriptor 5
DEBUG: opened snap-discard-ns executable as file descriptor 6
DEBUG: creating lock directory /run/snapd/lock (if missing)
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: opening lock directory /run/snapd/lock
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: opening lock file: /run/snapd/lock/photonotebook.lock
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: sanity timeout initialized and set for 30 seconds
DEBUG: acquiring exclusive lock (scope photonotebook, uid 0)
DEBUG: sanity timeout reset and disabled
DEBUG: initializing mount namespace: photonotebook
DEBUG: snappy_udev_init
DEBUG: setup_devices_cgroup
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: write_string_to_file /sys/fs/cgroup/devices/snap.photonotebook.photonotebook/cgroup.procs 11303
DEBUG: write_string_to_file /sys/fs/cgroup/devices/snap.photonotebook.photonotebook/devices.deny a
DEBUG: run_snappy_app_dev_add: /sys/class/mem/null snap_photonotebook_photonotebook
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /sys/class/mem/null 1:3
DEBUG: run_snappy_app_dev_add: /sys/class/mem/full snap_photonotebook_photonotebook
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /sys/class/mem/full 1:7
DEBUG: run_snappy_app_dev_add: /sys/class/mem/zero snap_photonotebook_photonotebook
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /sys/class/mem/zero 1:5
DEBUG: run_snappy_app_dev_add: /sys/class/mem/random snap_photonotebook_photonotebook
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /sys/class/mem/random 1:8
DEBUG: run_snappy_app_dev_add: /sys/class/mem/urandom snap_photonotebook_photonotebook
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /sys/class/mem/urandom 1:9
DEBUG: run_snappy_app_dev_add: /sys/class/tty/tty snap_photonotebook_photonotebook
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /sys/class/tty/tty 5:0
DEBUG: run_snappy_app_dev_add: /sys/class/tty/console snap_photonotebook_photonotebook
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /sys/class/tty/console 5:1
DEBUG: run_snappy_app_dev_add: /sys/class/tty/ptmx snap_photonotebook_photonotebook
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /sys/class/tty/ptmx 5:2
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /dev/pts/slaves 136:*
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /dev/pts/slaves 137:*
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /dev/pts/slaves 138:*
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /dev/pts/slaves 139:*
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /dev/pts/slaves 140:*
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /dev/pts/slaves 141:*
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /dev/pts/slaves 142:*
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /dev/pts/slaves 143:*
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /dev/nvidia0 195:0
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /dev/nvidiactl 195:255
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /dev/nvidia-uvm 239:0
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /dev/uhid 10:239
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /dev/net/tun 10:200
DEBUG: run_snappy_app_dev_add: /sys/devices/pci0000:00/0000:00:01.1/0000:07:00.0/drm/card1 snap_photonotebook_photonotebook
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /sys/devices/pci0000:00/0000:00:01.1/0000:07:00.0/drm/card1 226:1
DEBUG: run_snappy_app_dev_add: /sys/devices/pci0000:00/0000:00:01.1/0000:07:00.0/drm/renderD129 snap_photonotebook_photonotebook
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /sys/devices/pci0000:00/0000:00:01.1/0000:07:00.0/drm/renderD129 226:129
DEBUG: run_snappy_app_dev_add: /sys/devices/pci0000:00/0000:00:02.0/drm/card0 snap_photonotebook_photonotebook
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /sys/devices/pci0000:00/0000:00:02.0/drm/card0 226:0
DEBUG: run_snappy_app_dev_add: /sys/devices/pci0000:00/0000:00:02.0/drm/card0/card0-HDMI-A-1 snap_photonotebook_photonotebook
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /sys/devices/pci0000:00/0000:00:02.0/drm/card0/card0-HDMI-A-1 0:0
DEBUG: run_snappy_app_dev_add: /sys/devices/pci0000:00/0000:00:02.0/drm/card0/card0-eDP-1 snap_photonotebook_photonotebook
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /sys/devices/pci0000:00/0000:00:02.0/drm/card0/card0-eDP-1 0:0
DEBUG: run_snappy_app_dev_add: /sys/devices/pci0000:00/0000:00:02.0/drm/renderD128 snap_photonotebook_photonotebook
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /sys/devices/pci0000:00/0000:00:02.0/drm/renderD128 226:128
DEBUG: run_snappy_app_dev_add: /sys/devices/pci0000:00/0000:00:1f.2/ata3/host2/target2:0:0/2:0:0:0/block/sr0 snap_photonotebook_photonotebook
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /sys/devices/pci0000:00/0000:00:1f.2/ata3/host2/target2:0:0/2:0:0:0/block/sr0 11:0
DEBUG: run_snappy_app_dev_add: /sys/devices/pci0000:00/0000:00:1f.2/ata3/host2/target2:0:0/2:0:0:0/scsi_generic/sg1 snap_photonotebook_photonotebook
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /sys/devices/pci0000:00/0000:00:1f.2/ata3/host2/target2:0:0/2:0:0:0/scsi_generic/sg1 21:1
DEBUG: forked support process 11351
DEBUG: changing apparmor hat to mount-namespace-capture-helper
DEBUG: helper process waiting for command
DEBUG: sanity timeout initialized and set for 30 seconds
DEBUG: block device of snap core18, revision 1754 is 7:47
DEBUG: sanity timeout initialized and set for 30 seconds
DEBUG: joining preserved mount namespace for inspection
DEBUG: block device of the root filesystem is 7:47
DEBUG: sanity timeout reset and disabled
DEBUG: preserved mount is not stale, reusing
DEBUG: joined preserved mount namespace photonotebook
DEBUG: joining preserved per-user mount namespace
DEBUG: unsharing the mount namespace (per-user)
DEBUG: sc_setup_user_mounts: photonotebook
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: calling snapd tool snap-update-ns
DEBUG: waiting for snapd tool snap-update-ns to terminate
DEBUG: requesting changing of apparmor profile on next exec to snap-update-ns.photonotebook
change.go:316: DEBUG: mount name:"/run/user/1000/doc/by-app/snap.photonotebook" dir:"/run/user/1000/doc" type:"none" opts:MS_BIND unparsed:"" (error: <nil>)
DEBUG: snap-update-ns finished successfully
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: NOT preserving per-user mount namespace
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: moved process 11303 to cgroup hierarchy /sys/fs/cgroup/freezer/snap.photonotebook
DEBUG: releasing lock 7
DEBUG: sending command 0 to helper process (pid: 11351)
DEBUG: waiting for response from helper
DEBUG: sanity timeout reset and disabled
DEBUG: helper process received command 0
DEBUG: helper process exiting
DEBUG: waiting for the helper process to exit
DEBUG: helper process exited normally
DEBUG: resetting PATH to values in sync with core snap
DEBUG: set_effective_identity uid:1000 (change: yes), gid:1000 (change: yes)
DEBUG: creating user data directory: /home/alan/snap/photonotebook/x1
DEBUG: requesting changing of apparmor profile on next exec to snap.photonotebook.photonotebook
DEBUG: ruid: 1000, euid: 1000, suid: 0
DEBUG: setting capabilities bounding set
DEBUG: regaining SYS_ADMIN
DEBUG: loading bpf program for security tag snap.photonotebook.photonotebook
DEBUG: read 6944 bytes from /var/lib/snapd/seccomp/bpf//snap.photonotebook.photonotebook.bin
DEBUG: read 152 bytes from /var/lib/snapd/seccomp/bpf/global.bin
DEBUG: clearing SYS_ADMIN
DEBUG: execv(/usr/lib/snapd/snap-exec, /usr/lib/snapd/snap-exec...)
DEBUG:  argv[1] = photonotebook
DEBUG: umask restored to  022
DEBUG: working directory restored to /home/alan/IdeaProjects/PhotoNoteBook-V1/snapLinux
/snap/photonotebook/x1/bin
HOME: /home/alan/snap/photonotebook/x1
Loading library prism_es2 from resource failed: java.lang.UnsatisfiedLinkError: /home/alan/.openjfx/cache/11.0.2/libprism_es2.so: /home/alan/.openjfx/cache/11.0.2/libprism_es2.so: failed to map segment from shared object
java.lang.UnsatisfiedLinkError: /home/alan/.openjfx/cache/11.0.2/libprism_es2.so: /home/alan/.openjfx/cache/11.0.2/libprism_es2.so: failed to map segment from shared object
   at java.base/java.lang.ClassLoader$NativeLibrary.load0(Native Method)

// there follows a java stack trace, which includes:

Graphics Device initialization failed for :  es2, sw
Error initializing QuantumRenderer: no suitable pipeline found
java.lang.RuntimeException: java.lang.RuntimeException: Error initializing QuantumRenderer: no suitable pipeline found
   at javafx.graphics/com.sun.javafx.tk.quantum.QuantumRenderer.getInstance(Unknown Source)

QuantumRenderer is requesting access to /home/alan/.openjfx/cache/11.0.2/libprism_es2.so and other files, which is being denied by AppArmor.

//=================
journalctl -e --no-pager | grep DENIED returns:

```
Jul 06 10:46:15 Dalek audit[11387]: AVC apparmor="DENIED" operation="open" profile="snap.photonotebook.photonotebook" name="/proc/11387/mountinfo" pid=11387 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Jul 06 10:46:15 Dalek kernel: audit: type=1400 audit(1594028775.659:175): apparmor="DENIED" operation="open" profile="snap.photonotebook.photonotebook" name="/proc/11387/mountinfo" pid=11387 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Jul 06 10:46:15 Dalek audit[11387]: AVC apparmor="DENIED" operation="file_mmap" profile="snap.photonotebook.photonotebook" name="/home/alan/.openjfx/cache/11.0.2/libprism_es2.so" pid=11387 comm="QuantumRenderer" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
Jul 06 10:46:15 Dalek kernel: audit: type=1400 audit(1594028775.919:176): apparmor="DENIED" operation="file_mmap" profile="snap.photonotebook.photonotebook" name="/home/alan/.openjfx/cache/11.0.2/libprism_es2.so" pid=11387 comm="QuantumRenderer" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
Jul 06 10:46:15 Dalek audit[11387]: AVC apparmor="DENIED" operation="file_mmap" profile="snap.photonotebook.photonotebook" name="/home/alan/.openjfx/cache/11.0.2/libprism_sw.so" pid=11387 comm="QuantumRenderer" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
Jul 06 10:46:15 Dalek kernel: audit: type=1400 audit(1594028775.931:177): apparmor="DENIED" operation="file_mmap" profile="snap.photonotebook.photonotebook" name="/home/alan/.openjfx/cache/11.0.2/libprism_sw.so" pid=11387 comm="QuantumRenderer" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
```

//=================

it would be really helpful if you could properly quote all your pasted info by adding three backticks above and below the pasted content, else the paste is completely unreadable …

sorry … backticks?
Alan

backticks: ```

add a block of three like:

```
my pasted log output, snapcraft.yaml, config file or code
```

else your paste gets interpreted as markdown by the forum software and you end up with random formatting blocks which make the pasted code completely unreadable …

OK! I’ll try and edit the post!

cheers
Alan

Ogra,
Does that work? It does seem better to me!

cheers
Alan

yes, a lot better :slight_smile:

what does:

snap connections photonotebook

show … did you connect the openjfx interface yet (it will definitely not auto-connect by default) ?

Yes:

snap connections shows:

personal-files photonotebook:openjfx :personal-files manual

//==============

well, the personal files interface only grants read (mask="r") and write (mask="w") access … your app is trying to memory map the lib (mask="m"), i suspect that won't work.

what you could do is to copy (which only requires read access) the dir content to $SNAP_USER_DATA (/home/alan/snap/photonotebook/current/) with a command-chain script and use it from there …
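
Added example, not part of the thread: a Python triage of the AppArmor denials quoted in the first post against the rules visible in the profile excerpt there, showing which requested permission bits no matching rule grants. The glob matcher is a simplification that covers only the syntax used in that excerpt, `HOME` is taken from the denied paths, deny rules and the rest of the profile are not modelled, and all function names are illustrative.

```python
import re

HOME = "/home/alan"  # the user's real home, as it appears in the denied paths

# (qualifier, path glob, permissions) copied from the profile excerpt in the first post.
PROFILE_RULES = [
    ("owner", "@{HOME}/.openjfx{,/,/**}", "rwkl"),  # personal-files plug "openjfx"
    ("owner", "@{HOME}/", "r"),                      # home interface rules from here on
    ("owner", "@{HOME}/[^s.]**", "rwklix"),
    ("owner", "@{HOME}/s[^n]**", "rwklix"),
    ("owner", "@{HOME}/sn[^a]**", "rwklix"),
    ("owner", "@{HOME}/sna[^p]**", "rwklix"),
    ("owner", "@{HOME}/snap[^/]**", "rwklix"),
    ("owner", "@{HOME}/{s,sn,sna}{,/}", "rwklix"),
]

# Two audit records copied from the journalctl output in the first post.
SAMPLE_LOG = [
    'Jul 06 10:46:15 Dalek audit[11387]: AVC apparmor="DENIED" operation="open" '
    'profile="snap.photonotebook.photonotebook" name="/proc/11387/mountinfo" '
    'pid=11387 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000',
    'Jul 06 10:46:15 Dalek audit[11387]: AVC apparmor="DENIED" operation="file_mmap" '
    'profile="snap.photonotebook.photonotebook" '
    'name="/home/alan/.openjfx/cache/11.0.2/libprism_es2.so" pid=11387 '
    'comm="QuantumRenderer" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000',
]

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED record, or None."""
    fields = {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}
    return fields if fields.get("apparmor") == "DENIED" else None


def glob_to_regex(glob, home=HOME):
    """Translate the AppArmor glob syntax used in the excerpt into a regex.

    Handles @{HOME}, '*', '**', '?', [classes] and {a,b} alternation only.
    """
    glob = glob.replace("@{HOME}", home)
    out, i, depth = [], 0, 0
    while i < len(glob):
        ch = glob[i]
        if glob.startswith("**", i):
            out.append(".*")           # '**' crosses directory separators
            i += 1                     # consume the second '*'
        elif ch == "*":
            out.append("[^/]*")        # '*' stays within one path component
        elif ch == "?":
            out.append("[^/]")
        elif ch == "[":
            end = glob.index("]", i + 1)
            out.append(glob[i:end + 1])  # same class syntax as the regex
            i = end
        elif ch == "{":
            out.append("(?:")
            depth += 1
        elif ch == "}" and depth:
            out.append(")")
            depth -= 1
        elif ch == "," and depth:
            out.append("|")
        else:
            out.append(re.escape(ch))
        i += 1
    return re.compile("".join(out) + r"\Z")


def explain(denial, rules=PROFILE_RULES, home=HOME):
    """List the rules matching the denied path and the bits none of them grant."""
    matched, granted = [], set()
    for qualifier, glob, perms in rules:
        # 'owner' rules apply only when the task's fsuid owns the file.
        if qualifier == "owner" and denial["fsuid"] != denial["ouid"]:
            continue
        if glob_to_regex(glob, home).match(denial["name"]):
            matched.append(glob)
            granted |= set(perms)      # 'ix' contributes 'i' and 'x'
    missing = set(denial["denied_mask"]) - granted
    return {
        "path": denial["name"],
        "operation": denial["operation"],
        "matched_rules": matched,
        "granted": "".join(sorted(granted)),
        "missing": "".join(sorted(missing)),
    }


def triage(lines):
    """Explain every DENIED record found in the given log lines."""
    return [explain(d) for d in map(parse_denial, lines) if d]


if __name__ == "__main__":
    for result in triage(SAMPLE_LOG):
        print(result)
```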

hmmmm… assuming I could do that, I’m not sure how I persuade the java components to access the copied library rather than the default … what I can’t get my head around is why the java components are using the user's $HOME rather than the snap $HOME …

Alan

perhaps because java doesn't read $HOME but does pull it from a getent() of the passwd file ?

possibly, but there is nothing I can do to alter the javafx library files. That’s with the OpenJFX project.
is Classic not a realistic option?

I wonder which is the worse security risk - allowing a memory map of the personal file, or going classic for the whole app?

well, on any “normal” java app that you start via a java /path/to/jar call you can do something like:

```
java -Duser.home=/home/user/snap/snapname/current /path/to/jar
```

not sure how you’d do this with something like photonotebook … but i’d be surprised if there is not some kind of setting to set a search path for openjfx

I’m not sure it’s using a search path to find the .openjfx cache, and I’ve been through the JAVAFX documentation trying to find if the .openjfx can be relocated … no luck … I’ll have a go with the -D= option as you suggest and see if it works!

cheers
Alan

I used the -D option as you suggested:

```
"$DIR/java" -Duser.home=/home/user/snap/photonotebook/current  -p "$DIR/../app" -m PhotoNoteBook/com.dryjointproductions.photonotebook.PhotoNoteBook  "$@"
```

Prior to launching java the following are set:

```
$DIR = /snap/photonotebook/x1/bin
$HOME = /home/alan/snap/photonotebook/x1
```

The startup crash has changed:

```
Loading library prism_es2 from resource failed: java.io.IOException: Can not create cache at /home/user/snap/photonotebook/current/.openjfx/cache/11.0.2
```

SNAP_CONFINE_DEBUG=1 snap run photonotebook

DEBUG: umask reset, old umask was  022
DEBUG: security tag: snap.photonotebook.photonotebook
DEBUG: executable:   /usr/lib/snapd/snap-exec
DEBUG: confinement:  non-classic
DEBUG: base snap:    core18
DEBUG: ruid: 1000, euid: 0, suid: 0
DEBUG: rgid: 1000, egid: 1000, sgid: 1000
DEBUG: apparmor label on snap-confine is: /snap/core/9436/usr/lib/snapd/snap-confine
DEBUG: apparmor mode is: enforce
DEBUG: creating lock directory /run/snapd/lock (if missing)
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: opening lock directory /run/snapd/lock
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: opening lock file: /run/snapd/lock/.lock
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: sanity timeout initialized and set for 30 seconds
DEBUG: acquiring exclusive lock (scope (global), uid 0)
DEBUG: sanity timeout reset and disabled
DEBUG: ensuring that snap mount directory is shared
DEBUG: unsharing snap namespace directory
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: releasing lock 5
DEBUG: opened snap-update-ns executable as file descriptor 5
DEBUG: opened snap-discard-ns executable as file descriptor 6
DEBUG: creating lock directory /run/snapd/lock (if missing)
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: opening lock directory /run/snapd/lock
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: opening lock file: /run/snapd/lock/photonotebook.lock
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: sanity timeout initialized and set for 30 seconds
DEBUG: acquiring exclusive lock (scope photonotebook, uid 0)
DEBUG: sanity timeout reset and disabled
DEBUG: initializing mount namespace: photonotebook
DEBUG: snappy_udev_init
DEBUG: setup_devices_cgroup
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: write_string_to_file /sys/fs/cgroup/devices/snap.photonotebook.photonotebook/cgroup.procs 25814
DEBUG: write_string_to_file /sys/fs/cgroup/devices/snap.photonotebook.photonotebook/devices.deny a
DEBUG: run_snappy_app_dev_add: /sys/class/mem/null snap_photonotebook_photonotebook
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /sys/class/mem/null 1:3
DEBUG: run_snappy_app_dev_add: /sys/class/mem/full snap_photonotebook_photonotebook
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /sys/class/mem/full 1:7
DEBUG: run_snappy_app_dev_add: /sys/class/mem/zero snap_photonotebook_photonotebook
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /sys/class/mem/zero 1:5
DEBUG: run_snappy_app_dev_add: /sys/class/mem/random snap_photonotebook_photonotebook
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /sys/class/mem/random 1:8
DEBUG: run_snappy_app_dev_add: /sys/class/mem/urandom snap_photonotebook_photonotebook
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /sys/class/mem/urandom 1:9
DEBUG: run_snappy_app_dev_add: /sys/class/tty/tty snap_photonotebook_photonotebook
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /sys/class/tty/tty 5:0
DEBUG: run_snappy_app_dev_add: /sys/class/tty/console snap_photonotebook_photonotebook
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /sys/class/tty/console 5:1
DEBUG: run_snappy_app_dev_add: /sys/class/tty/ptmx snap_photonotebook_photonotebook
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /sys/class/tty/ptmx 5:2
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /dev/pts/slaves 136:*
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /dev/pts/slaves 137:*
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /dev/pts/slaves 138:*
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /dev/pts/slaves 139:*
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /dev/pts/slaves 140:*
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /dev/pts/slaves 141:*
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /dev/pts/slaves 142:*
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /dev/pts/slaves 143:*
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /dev/nvidia0 195:0
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /dev/nvidiactl 195:255
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /dev/nvidia-uvm 239:0
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /dev/nvidia-modeset 195:254
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /dev/uhid 10:239
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /dev/net/tun 10:200
DEBUG: run_snappy_app_dev_add: /sys/devices/pci0000:00/0000:00:01.1/0000:07:00.0/drm/card1 snap_photonotebook_photonotebook
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /sys/devices/pci0000:00/0000:00:01.1/0000:07:00.0/drm/card1 226:1
DEBUG: run_snappy_app_dev_add: /sys/devices/pci0000:00/0000:00:01.1/0000:07:00.0/drm/renderD129 snap_photonotebook_photonotebook
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /sys/devices/pci0000:00/0000:00:01.1/0000:07:00.0/drm/renderD129 226:129
DEBUG: run_snappy_app_dev_add: /sys/devices/pci0000:00/0000:00:02.0/drm/card0 snap_photonotebook_photonotebook
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /sys/devices/pci0000:00/0000:00:02.0/drm/card0 226:0
DEBUG: run_snappy_app_dev_add: /sys/devices/pci0000:00/0000:00:02.0/drm/card0/card0-HDMI-A-1 snap_photonotebook_photonotebook
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /sys/devices/pci0000:00/0000:00:02.0/drm/card0/card0-HDMI-A-1 0:0
DEBUG: run_snappy_app_dev_add: /sys/devices/pci0000:00/0000:00:02.0/drm/card0/card0-eDP-1 snap_photonotebook_photonotebook
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /sys/devices/pci0000:00/0000:00:02.0/drm/card0/card0-eDP-1 0:0
DEBUG: run_snappy_app_dev_add: /sys/devices/pci0000:00/0000:00:02.0/drm/renderD128 snap_photonotebook_photonotebook
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /sys/devices/pci0000:00/0000:00:02.0/drm/renderD128 226:128
DEBUG: run_snappy_app_dev_add: /sys/devices/pci0000:00/0000:00:1f.2/ata3/host2/target2:0:0/2:0:0:0/block/sr0 snap_photonotebook_photonotebook
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /sys/devices/pci0000:00/0000:00:1f.2/ata3/host2/target2:0:0/2:0:0:0/block/sr0 11:0
DEBUG: run_snappy_app_dev_add: /sys/devices/pci0000:00/0000:00:1f.2/ata3/host2/target2:0:0/2:0:0:0/scsi_generic/sg1 snap_photonotebook_photonotebook
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /sys/devices/pci0000:00/0000:00:1f.2/ata3/host2/target2:0:0/2:0:0:0/scsi_generic/sg1 21:1
DEBUG: forked support process 25863
DEBUG: changing apparmor hat to mount-namespace-capture-helper
DEBUG: helper process waiting for command
DEBUG: sanity timeout initialized and set for 30 seconds
DEBUG: block device of snap core18, revision 1754 is 7:47
DEBUG: sanity timeout initialized and set for 30 seconds
DEBUG: joining preserved mount namespace for inspection
DEBUG: block device of the root filesystem is 7:47
DEBUG: sanity timeout reset and disabled
DEBUG: preserved mount is not stale, reusing
DEBUG: joined preserved mount namespace photonotebook
DEBUG: joining preserved per-user mount namespace
DEBUG: unsharing the mount namespace (per-user)
DEBUG: sc_setup_user_mounts: photonotebook
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: calling snapd tool snap-update-ns
DEBUG: waiting for snapd tool snap-update-ns to terminate
DEBUG: requesting changing of apparmor profile on next exec to snap-update-ns.photonotebook
change.go:316: DEBUG: mount name:"/run/user/1000/doc/by-app/snap.photonotebook" dir:"/run/user/1000/doc" type:"none" opts:MS_BIND unparsed:"" (error: <nil>)
DEBUG: snap-update-ns finished successfully
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: NOT preserving per-user mount namespace
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: moved process 25814 to cgroup hierarchy /sys/fs/cgroup/freezer/snap.photonotebook
DEBUG: releasing lock 7
DEBUG: sending command 0 to helper process (pid: 25863)
DEBUG: waiting for response from helper
DEBUG: sanity timeout reset and disabled
DEBUG: helper process received command 0
DEBUG: helper process exiting
DEBUG: waiting for the helper process to exit
DEBUG: helper process exited normally
DEBUG: resetting PATH to values in sync with core snap
DEBUG: set_effective_identity uid:1000 (change: yes), gid:1000 (change: yes)
DEBUG: creating user data directory: /home/alan/snap/photonotebook/x1
DEBUG: requesting changing of apparmor profile on next exec to snap.photonotebook.photonotebook
DEBUG: ruid: 1000, euid: 1000, suid: 0
DEBUG: setting capabilities bounding set
DEBUG: regaining SYS_ADMIN
DEBUG: loading bpf program for security tag snap.photonotebook.photonotebook
DEBUG: read 6944 bytes from /var/lib/snapd/seccomp/bpf//snap.photonotebook.photonotebook.bin
DEBUG: read 152 bytes from /var/lib/snapd/seccomp/bpf/global.bin
DEBUG: clearing SYS_ADMIN
DEBUG: execv(/usr/lib/snapd/snap-exec, /usr/lib/snapd/snap-exec...)
DEBUG:  argv[1] = photonotebook
DEBUG: umask restored to  022
DEBUG: working directory restored to /home/alan/IdeaProjects/PhotoNoteBook-V1/snapLinux
/snap/photonotebook/x1/bin
HOME: /home/alan/snap/photonotebook/x1
Loading library prism_es2 from resource failed: java.io.IOException: Can not create cache at /home/user/snap/photonotebook/current/.openjfx/cache/11.0.2
java.io.IOException: Can not create cache at /home/user/snap/photonotebook/current/.openjfx/cache/11.0.2
	at javafx.graphics/com.sun.glass.utils.NativeLibLoader.cacheLibrary(Unknown Source)
	at javafx.graphics/com.sun.glass.utils.NativeLibLoader.installLibraryFromResource(Unknown Source)
	at javafx.graphics/com.sun.glass.utils.NativeLibLoader.loadLibraryFromResource(Unknown Source)
	at javafx.graphics/com.sun.glass.utils.NativeLibLoader.loadLibraryInternal(Unknown Source)
	at javafx.graphics/com.sun.glass.utils.NativeLibLoader.loadLibrary(Unknown Source)
	at javafx.graphics/com.sun.prism.es2.ES2Pipeline.lambda$static$0(Unknown Source)
	at java.base/java.security.AccessController.doPrivileged(Native Method)
	at javafx.graphics/com.sun.prism.es2.ES2Pipeline.<clinit>(Unknown Source)
	at java.base/java.lang.Class.forName0(Native Method)
	at java.base/java.lang.Class.forName(Unknown Source)
	at javafx.graphics/com.sun.prism.GraphicsPipeline.createPipeline(Unknown Source)
	at javafx.graphics/com.sun.javafx.tk.quantum.QuantumRenderer$PipelineRunnable.init(Unknown Source)
	at javafx.graphics/com.sun.javafx.tk.quantum.QuantumRenderer$PipelineRunnable.run(Unknown Source)
	at java.base/java.lang.Thread.run(Unknown Source)
Loading library prism_sw from resource failed: java.io.IOException: Can not create cache at /home/user/snap/photonotebook/current/.openjfx/cache/11.0.2
java.io.IOException: Can not create cache at /home/user/snap/photonotebook/current/.openjfx/cache/11.0.2
	at javafx.graphics/com.sun.glass.utils.NativeLibLoader.cacheLibrary(Unknown Source)
	at javafx.graphics/com.sun.glass.utils.NativeLibLoader.installLibraryFromResource(Unknown Source)
	at javafx.graphics/com.sun.glass.utils.NativeLibLoader.loadLibraryFromResource(Unknown Source)
	at javafx.graphics/com.sun.glass.utils.NativeLibLoader.loadLibraryInternal(Unknown Source)
	at javafx.graphics/com.sun.glass.utils.NativeLibLoader.loadLibrary(Unknown Source)
	at javafx.graphics/com.sun.prism.sw.SWPipeline.lambda$static$0(Unknown Source)
	at java.base/java.security.AccessController.doPrivileged(Native Method)
	at javafx.graphics/com.sun.prism.sw.SWPipeline.<clinit>(Unknown Source)
	at java.base/java.lang.Class.forName0(Native Method)
	at java.base/java.lang.Class.forName(Unknown Source)
	at javafx.graphics/com.sun.prism.GraphicsPipeline.createPipeline(Unknown Source)
	at javafx.graphics/com.sun.javafx.tk.quantum.QuantumRenderer$PipelineRunnable.init(Unknown Source)
	at javafx.graphics/com.sun.javafx.tk.quantum.QuantumRenderer$PipelineRunnable.run(Unknown Source)
	at java.base/java.lang.Thread.run(Unknown Source)
Graphics Device initialization failed for :  es2, sw
Error initializing QuantumRenderer: no suitable pipeline found
java.lang.RuntimeException: java.lang.RuntimeException: Error initializing QuantumRenderer: no suitable pipeline found
	at javafx.graphics/com.sun.javafx.tk.quantum.QuantumRenderer.getInstance(Unknown Source)
	at javafx.graphics/com.sun.javafx.tk.quantum.QuantumToolkit.init(Unknown Source)
	at javafx.graphics/com.sun.javafx.tk.Toolkit.getToolkit(Unknown Source)
	at javafx.graphics/com.sun.javafx.application.PlatformImpl.startup(Unknown Source)
	at javafx.graphics/com.sun.javafx.application.PlatformImpl.startup(Unknown Source)
	at javafx.graphics/com.sun.javafx.application.LauncherImpl.startToolkit(Unknown Source)
	at javafx.graphics/com.sun.javafx.application.LauncherImpl.launchApplicationWithArgs(Unknown Source)
	at javafx.graphics/com.sun.javafx.application.LauncherImpl.launchApplication(Unknown Source)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
	at java.base/java.lang.reflect.Method.invoke(Unknown Source)
	at java.base/sun.launcher.LauncherHelper$FXHelper.main(Unknown Source)
Caused by: java.lang.RuntimeException: Error initializing QuantumRenderer: no suitable pipeline found
	at javafx.graphics/com.sun.javafx.tk.quantum.QuantumRenderer$PipelineRunnable.init(Unknown Source)
	at javafx.graphics/com.sun.javafx.tk.quantum.QuantumRenderer$PipelineRunnable.run(Unknown Source)
	at java.base/java.lang.Thread.run(Unknown Source)
Exception in thread "main" java.lang.reflect.InvocationTargetException
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
	at java.base/java.lang.reflect.Method.invoke(Unknown Source)
	at java.base/sun.launcher.LauncherHelper$FXHelper.main(Unknown Source)
Caused by: java.lang.RuntimeException: No toolkit found
	at javafx.graphics/com.sun.javafx.tk.Toolkit.getToolkit(Unknown Source)
	at javafx.graphics/com.sun.javafx.application.PlatformImpl.startup(Unknown Source)
	at javafx.graphics/com.sun.javafx.application.PlatformImpl.startup(Unknown Source)
	at javafx.graphics/com.sun.javafx.application.LauncherImpl.startToolkit(Unknown Source)
	at javafx.graphics/com.sun.javafx.application.LauncherImpl.launchApplicationWithArgs(Unknown Source)
	at javafx.graphics/com.sun.javafx.application.LauncherImpl.launchApplication(Unknown Source)
	... 5 more

journalctl -e --no-pager | grep DENIED

Jul 06 15:00:43 Dalek audit[26037]: AVC apparmor="DENIED" operation="open" profile="snap.photonotebook.photonotebook" name="/proc/26037/mountinfo" pid=26037 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Jul 06 15:00:43 Dalek kernel: audit: type=1400 audit(1594044043.447:4057): apparmor="DENIED" operation="open" profile="snap.photonotebook.photonotebook" name="/proc/26037/mountinfo" pid=26037 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Jul 06 15:00:43 Dalek audit[26037]: AVC apparmor="DENIED" operation="mkdir" profile="snap.photonotebook.photonotebook" name="/home/user/" pid=26037 comm="QuantumRenderer" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Jul 06 15:00:43 Dalek audit[26037]: AVC apparmor="DENIED" operation="mkdir" profile="snap.photonotebook.photonotebook" name="/home/user/" pid=26037 comm="QuantumRenderer" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Jul 06 15:00:43 Dalek kernel: audit: type=1400 audit(1594044043.691:4058): apparmor="DENIED" operation="mkdir" profile="snap.photonotebook.photonotebook" name="/home/user/" pid=26037 comm="QuantumRenderer" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Jul 06 15:00:43 Dalek kernel: audit: type=1400 audit(1594044043.691:4059): apparmor="DENIED" operation="mkdir" profile="snap.photonotebook.photonotebook" name="/home/user/" pid=26037 comm="QuantumRenderer" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Jul 06 15:00:43 Dalek audit[26037]: AVC apparmor="DENIED" operation="mkdir" profile="snap.photonotebook.photonotebook" name="/home/user/" pid=26037 comm="QuantumRenderer" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Jul 06 15:00:43 Dalek audit[26037]: AVC apparmor="DENIED" operation="mkdir" profile="snap.photonotebook.photonotebook" name="/home/user/" pid=26037 comm="QuantumRenderer" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Jul 06 15:00:43 Dalek kernel: audit: type=1400 audit(1594044043.699:4060): apparmor="DENIED" operation="mkdir" profile="snap.photonotebook.photonotebook" name="/home/user/" pid=26037 comm="QuantumRenderer" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Jul 06 15:00:43 Dalek kernel: audit: type=1400 audit(1594044043.699:4061): apparmor="DENIED" operation="mkdir" profile="snap.photonotebook.photonotebook" name="/home/user/" pid=26037 comm="QuantumRenderer" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

snapcraft.yaml:

title: PhotoNoteBook
version: '1'
summary: The digital photography library manager and notebook 
license: Proprietary
description: PhotoNoteBook is a digital photograph library manager enabling collections of images and the making of notes and memo's for the collections and the photographs. 
icon: photonotebook.png 
confinement: strict
grade: stable
base: core18

plugs:
  openjfx:
    interface:  personal-files
    write: [ $HOME/.openjfx ]
      
apps:
  photonotebook:
    extensions:
      - gnome-3-28
    plugs: [desktop, desktop-legacy, wayland, unity7, unity8, x11, opengl, removable-media, optical-drive, home, openjfx]
    command: bin/photonotebook


parts:
  photonotebook:
    plugin: dump
    source: ./photonotebook/
    stage-packages: [libfreetype6, libpng16-16, libx11-6, libxext6, libxi6, libxrender1, libxtst6, libasound2 ]

I tried “common” as well

Loading library prism_es2 from resource failed: java.io.IOException: Can not create cache at /home/user/snap/photonotebook/common/.openjfx/cache/11.0.2
java.io.IOException: Can not create cache at /home/user/snap/photonotebook/common/.openjfx/cache/11.0.2

The rest is pretty similar …
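The denials in the journal output above can be grouped per operation and path, which makes the odd target directory stand out. This is an added example, not part of the original posts: the function names and the `foreign-home` label are its own, and the sample lines are abridged copies of the log quoted in the thread.

```shell
# Usage: journalctl --no-pager | summarize_denials <snap-name> <real-home>
# Output: count, operation, denied mask, path, note (tab separated).
summarize_denials() {
    awk -v snap="$1" -v home="$2" '
    # Value of key="value" in an audit record, or "" when the key is absent.
    function field(line, key) {
        if (!match(line, " " key "=\"[^\"]*\"")) return ""
        return substr(line, RSTART + length(key) + 3, RLENGTH - length(key) - 4)
    }
    {
        if (field($0, "apparmor") != "DENIED") next
        if (index(field($0, "profile"), "snap." snap ".") != 1) next
        path = field($0, "name")
        sub(/^\/proc\/[0-9]+\//, "/proc/PID/", path)  # group per-process paths
        key = field($0, "operation") "\t" field($0, "denied_mask") "\t" path
        # The journal above shows each event twice (audit[pid] and kernel);
        # only the kernel copy carries an audit(time:serial) id, so count
        # unique ids and fall back to plain line counts when there are none.
        if (match($0, /audit\([0-9.]+:[0-9]+\)/)) {
            id = substr($0, RSTART, RLENGTH)
            if (!((key, id) in seen)) { seen[key, id] = 1; serials[key]++ }
        } else {
            plain[key]++
        }
        paths[key] = path
    }
    END {
        for (k in paths) {
            n = (serials[k] > 0) ? serials[k] : plain[k]
            # A /home path outside the invoking user home points at a wrongly
            # derived user.home rather than at a missing interface.
            note = (index(paths[k], "/home/") == 1 && index(paths[k], home "/") != 1) ? "foreign-home" : "-"
            printf "%d\t%s\t%s\n", n, k, note
        }
    }' | LC_ALL=C sort
}

# Constructed sample, abridged from the journal lines quoted in the thread.
sample_journal() {
    cat <<'EOF'
Jul 06 15:00:43 Dalek audit[26037]: AVC apparmor="DENIED" operation="mkdir" profile="snap.photonotebook.photonotebook" name="/home/user/" pid=26037 comm="QuantumRenderer" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Jul 06 15:00:43 Dalek kernel: audit: type=1400 audit(1594044043.691:4058): apparmor="DENIED" operation="mkdir" profile="snap.photonotebook.photonotebook" name="/home/user/" pid=26037 comm="QuantumRenderer" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Jul 06 15:00:43 Dalek kernel: audit: type=1400 audit(1594044043.691:4059): apparmor="DENIED" operation="mkdir" profile="snap.photonotebook.photonotebook" name="/home/user/" pid=26037 comm="QuantumRenderer" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Jul 06 15:00:43 Dalek kernel: audit: type=1400 audit(1594044043.447:4057): apparmor="DENIED" operation="open" profile="snap.photonotebook.photonotebook" name="/proc/26037/mountinfo" pid=26037 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
EOF
}

sample_journal | summarize_denials photonotebook /home/alan
```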

Try using

-Duser.home=$SNAP_USER_DATA

(I guess your system does not actually have an account called “user” 🙂)

Convincing the application to properly use ~/snap/your-snap/current is the right approach. It would be possible for you to work around this with personal-files by having /home/alan/.openjfx/cache be a symlink to ~/snap/your-snap/current/.openjfx/cache (or similar) and this would ‘work’, but the problem is that your snap is not the owner of $HOME/.openjfx and so our processes would not allow this interface to be auto-connected (or perhaps even used) since this access would allow sandbox escape via writing a .so file that an unconfined javafx application could pick up.

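One way to enforce the approach described above at launch time, as an added example rather than code from the thread or from snapd: the hypothetical `jvm_home_opt` helper accepts a `user.home` only inside `$SNAP_USER_DATA` or `$SNAP_USER_COMMON`, so a hard-coded path like the `/home/user/...` one in the error output is rejected before the JVM starts. The demonstration values at the bottom are constructed.

```shell
# Print the -Duser.home option for the JVM, or fail when the requested
# directory lies outside the per-snap writable areas exported by snapd.
# Hypothetical helper; not part of snapd or of the application in the thread.
jvm_home_opt() {
    want=${1:-$SNAP_USER_DATA}
    if [ -z "$SNAP_USER_DATA" ]; then
        echo "SNAP_USER_DATA is not set; not running under snapd?" >&2
        return 2
    fi
    # Reject parent-directory components so the prefix test cannot be bypassed.
    case "$want/" in
        */../*) echo "refusing user.home=$want: contains '..'" >&2; return 1 ;;
    esac
    for root in "$SNAP_USER_DATA" "$SNAP_USER_COMMON"; do
        [ -n "$root" ] || continue
        # The trailing slash keeps /x1evil from matching the /x1 root.
        case "$want/" in
            "$root"/*) printf '%s\n' "-Duser.home=$want"; return 0 ;;
        esac
    done
    echo "refusing user.home=$want: outside the snap's writable directories" >&2
    return 1
}

# Constructed demonstration values; snapd sets these for a real snap.
SNAP_USER_DATA=/home/alan/snap/photonotebook/x1
SNAP_USER_COMMON=/home/alan/snap/photonotebook/common
jvm_home_opt                                                # accepted
jvm_home_opt /home/user/snap/photonotebook/current || true  # rejected
```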
DOH! I deserve a slap on the wrist for that one! 😉

Correcting the -D option for a real path, and for $SNAP_USER_DATA, allows the app to start, and I can import photographs from my own directory on my local disk.

However, a new problem is that I cannot see mapped drives or USB devices on the file manager … so cannot import / export photos …

Make sure the removable-media interface is connected; that gives you access to /media (where all USB devices get auto-mounted by default) and /mnt (for admin-mounted/fstab-mounted drives) …