JAVAFX call to xdg-open fails in strict mode, works in classic mode

Hi,

The problem.
My application needs to start a viewer for some PDF files that are contained within the app. The PDF files are successfully copied from the JavaFX app JAR to a snap-based resource directory at first-time startup, to /home/snap/photonotebook/current/photonotebook/manuals.
However, this is failing and I would be grateful for some pointers on how to solve this problem. I understand from the documentation that this approach should work.

I am attempting to start a suitable system-resident document viewer application using a call to xdg-open within my app's JavaFX code:

File file = new File(getmanualspath() + File.separator + "manual.pdf"); // (paraphrased for clarity)
String command = "xdg-open " + file.toURI();
Process process = Runtime.getRuntime().exec(command);
 

This works when operating within the IDE and in classic mode, but fails in Strict mode. It fails by not opening the resident document viewer. There is no crash or error.

My install command script is either

snap install photonotebook_1_amd64.snap --dangerous
sudo snap connect photonotebook:removable-media
sudo snap connect photonotebook:network-manager
sudo snap connect photonotebook:home
sudo snap connect photonotebook:optical-drive

or

snap install photonotebook_1_amd64.snap --classic --dangerous
sudo snap connect photonotebook:removable-media
sudo snap connect photonotebook:network-manager
sudo snap connect photonotebook:home
sudo snap connect photonotebook:optical-drive

Background
The snap is a JavaFX self-contained app for the management of photographic images. It reads and writes files (.jpg, .txt) from the user's file systems, including USB-connected storage and devices (cameras), and network storage via the resident file system.

As the application is self-contained from a Java execution environment perspective, there is no need for the app to access host system Java execution engines or paths.

The app maintains a file store for the imported images and created text files, with a database to enable certain relationships between the images and text files to be maintained. There is import, export and backup functionality inbuilt to enable the user to manage and catalogue a significantly large number of images. This works properly in strict mode.

It also has the ability to email images to recipients using its internal email functionality. This too works properly.

The user's home directory is determined within the application by the JavaFX system call, and there are no reported issues:

String directory = System.getProperty("user.home");

Sub-directories are created in the $HOME directory on first startup; some resources are created, and some are copied from the app's pre-compiled resources into these user sub-directories.

The app is started by an IDE-generated shell script. The IDE is IntelliJ IDEA Community edition.

photonotebook start script for strict mode, created by the IDE and modified by myself:

#!/bin/sh  
DIR="${0%/*}"
"$DIR/java" -Duser.home=$SNAP_USER_DATA -p "$DIR/../app" -m PhotoNoteBook/com.dryjointproductions.photonotebook.PhotoNoteBook  "$@"

For starting in classic mode for test purposes, the startup script becomes:

#!/bin/sh  
DIR="${0%/*}"
"$DIR/java" -m PhotoNoteBook/com.dryjointproductions.photonotebook.PhotoNoteBook  "$@"

However, using the strict mode version of the start script still allows the document viewer to start.

My snapcraft.yaml for strict mode:

name: photonotebook
title: PhotoNoteBook
version: '1'
summary: A digital photography library manager and notebook 
license: Proprietary
description: PhotoNoteBook is a digital photograph library manager enabling collections of images and the making of notes and memo's for the collections and the photographs. 
icon: photonotebook.png 

confinement: strict
grade: stable
base: core18
 
apps:
  photonotebook:
    command: bin/photonotebook
    extensions: [gnome-3-28]
    plugs: [home,   unity7, unity8,  opengl, network, network-manager, removable-media, optical-drive ]

parts:
  photonotebook:
    plugin: dump
    source: ./photonotebook/
    stage-packages: [libfreetype6, libpng16-16, libx11-6, libxext6, libxi6, libxrender1, libxtst6, libasound2 ]

My snapcraft.yaml for classic mode:

name: photonotebook
title: PhotoNoteBook
version: '1'
summary: A digital photography library manager and notebook 
license: Proprietary
description: PhotoNoteBook is a digital photograph library manager enabling collections of images and the making of notes and memo's for the collections and the photographs. 
icon: photonotebook.png 

confinement: classic
grade: stable
base: core18
 
apps:
  photonotebook:
    command: bin/photonotebook
     
    plugs: [home,   unity7, unity8,  opengl, network, network-manager, removable-media, optical-drive ]

parts:
  photonotebook:
    plugin: dump
    source: ./photonotebook/
    stage-packages: [libfreetype6, libpng16-16, libx11-6, libxext6, libxi6, libxrender1, libxtst6, libasound2 ]

Following strict mode program execution, I ran the following:

journalctl -e --no-pager | grep DENIED

 
Thu Jul 09 10:35 /home/alan/IdeaProjects/PhotoNoteBook-V1/snapLinux => journalctl -e --no-pager | grep DENIED
Jul 09 10:22:34 Dalek audit[1623]: AVC apparmor="DENIED" operation="open" profile="snap.multipass.multipassd" name="/etc/ssh/ssh_config" pid=1623 comm="multipassd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jul 09 10:22:34 Dalek kernel: audit: type=1400 audit(1594286554.342:356): apparmor="DENIED" operation="open" profile="snap.multipass.multipassd" name="/etc/ssh/ssh_config" pid=1623 comm="multipassd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jul 09 10:22:35 Dalek audit[21333]: AVC apparmor="DENIED" operation="open" profile="snap.multipass.multipass" name="/etc/ssh/ssh_config" pid=21333 comm="multipass" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 09 10:22:35 Dalek kernel: audit: type=1400 audit(1594286555.022:357): apparmor="DENIED" operation="open" profile="snap.multipass.multipass" name="/etc/ssh/ssh_config" pid=21333 comm="multipass" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 09 10:22:36 Dalek audit[21361]: AVC apparmor="DENIED" operation="open" profile="snap.multipass.multipass" name="/etc/ssh/ssh_config" pid=21361 comm="multipass" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 09 10:22:36 Dalek kernel: audit: type=1400 audit(1594286556.742:358): apparmor="DENIED" operation="open" profile="snap.multipass.multipass" name="/etc/ssh/ssh_config" pid=21361 comm="multipass" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 09 10:22:37 Dalek audit[21389]: AVC apparmor="DENIED" operation="open" profile="snap.multipass.multipass" name="/etc/ssh/ssh_config" pid=21389 comm="multipass" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 09 10:22:37 Dalek kernel: audit: type=1400 audit(1594286557.302:359): apparmor="DENIED" operation="open" profile="snap.multipass.multipass" name="/etc/ssh/ssh_config" pid=21389 comm="multipass" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 09 10:22:37 Dalek audit[21422]: AVC apparmor="DENIED" operation="open" profile="snap.multipass.multipass" name="/etc/ssh/ssh_config" pid=21422 comm="multipass" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 09 10:22:37 Dalek kernel: audit: type=1400 audit(1594286557.938:360): apparmor="DENIED" operation="open" profile="snap.multipass.multipass" name="/etc/ssh/ssh_config" pid=21422 comm="multipass" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 09 10:22:45 Dalek audit[21471]: AVC apparmor="DENIED" operation="open" profile="snap.multipass.multipass" name="/etc/ssh/ssh_config" pid=21471 comm="multipass" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 09 10:22:45 Dalek kernel: audit: type=1400 audit(1594286565.975:361): apparmor="DENIED" operation="open" profile="snap.multipass.multipass" name="/etc/ssh/ssh_config" pid=21471 comm="multipass" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 09 10:22:47 Dalek audit[21562]: AVC apparmor="DENIED" operation="open" profile="snap.multipass.multipass" name="/etc/ssh/ssh_config" pid=21562 comm="multipass" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 09 10:22:47 Dalek kernel: audit: type=1400 audit(1594286567.119:362): apparmor="DENIED" operation="open" profile="snap.multipass.multipass" name="/etc/ssh/ssh_config" pid=21562 comm="multipass" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 09 10:22:47 Dalek audit[21590]: AVC apparmor="DENIED" operation="open" profile="snap.multipass.multipass" name="/etc/ssh/ssh_config" pid=21590 comm="multipass" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 09 10:22:47 Dalek kernel: audit: type=1400 audit(1594286567.395:363): apparmor="DENIED" operation="open" profile="snap.multipass.multipass" name="/etc/ssh/ssh_config" pid=21590 comm="multipass" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 09 10:22:48 Dalek audit[21618]: AVC apparmor="DENIED" operation="open" profile="snap.multipass.multipass" name="/etc/ssh/ssh_config" pid=21618 comm="multipass" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 09 10:22:48 Dalek kernel: audit: type=1400 audit(1594286568.683:364): apparmor="DENIED" operation="open" profile="snap.multipass.multipass" name="/etc/ssh/ssh_config" pid=21618 comm="multipass" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 09 10:22:56 Dalek audit[21647]: AVC apparmor="DENIED" operation="open" profile="snap.multipass.multipass" name="/etc/ssh/ssh_config" pid=21647 comm="multipass" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 09 10:22:56 Dalek kernel: audit: type=1400 audit(1594286576.495:365): apparmor="DENIED" operation="open" profile="snap.multipass.multipass" name="/etc/ssh/ssh_config" pid=21647 comm="multipass" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 09 10:22:57 Dalek audit[1623]: AVC apparmor="DENIED" operation="open" profile="snap.multipass.multipassd" name="/etc/ssh/ssh_config" pid=1623 comm="multipassd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jul 09 10:22:57 Dalek kernel: audit: type=1400 audit(1594286577.067:366): apparmor="DENIED" operation="open" profile="snap.multipass.multipassd" name="/etc/ssh/ssh_config" pid=1623 comm="multipassd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jul 09 10:22:57 Dalek audit[21703]: AVC apparmor="DENIED" operation="open" profile="snap.multipass.multipass" name="/etc/ssh/ssh_config" pid=21703 comm="multipass" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 09 10:22:57 Dalek kernel: audit: type=1400 audit(1594286577.359:367): apparmor="DENIED" operation="open" profile="snap.multipass.multipass" name="/etc/ssh/ssh_config" pid=21703 comm="multipass" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 09 10:22:59 Dalek audit[1623]: AVC apparmor="DENIED" operation="open" profile="snap.multipass.multipassd" name="/etc/ssh/ssh_config" pid=1623 comm="multipassd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jul 09 10:22:59 Dalek kernel: audit: type=1400 audit(1594286579.315:368): apparmor="DENIED" operation="open" profile="snap.multipass.multipassd" name="/etc/ssh/ssh_config" pid=1623 comm="multipassd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jul 09 10:22:59 Dalek audit[1623]: AVC apparmor="DENIED" operation="open" profile="snap.multipass.multipassd" name="/etc/ssh/ssh_config" pid=1623 comm="multipassd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jul 09 10:22:59 Dalek kernel: audit: type=1400 audit(1594286579.591:369): apparmor="DENIED" operation="open" profile="snap.multipass.multipassd" name="/etc/ssh/ssh_config" pid=1623 comm="multipassd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jul 09 10:23:00 Dalek audit[1623]: AVC apparmor="DENIED" operation="open" profile="snap.multipass.multipassd" name="/etc/ssh/ssh_config" pid=1623 comm="multipassd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jul 09 10:23:00 Dalek kernel: audit: type=1400 audit(1594286580.343:370): apparmor="DENIED" operation="open" profile="snap.multipass.multipassd" name="/etc/ssh/ssh_config" pid=1623 comm="multipassd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jul 09 10:23:00 Dalek audit[21865]: AVC apparmor="DENIED" operation="open" profile="snap.multipass.multipass" name="/etc/ssh/ssh_config" pid=21865 comm="multipass" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 09 10:23:00 Dalek kernel: audit: type=1400 audit(1594286580.711:371): apparmor="DENIED" operation="open" profile="snap.multipass.multipass" name="/etc/ssh/ssh_config" pid=21865 comm="multipass" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 09 10:23:01 Dalek audit[21893]: AVC apparmor="DENIED" operation="open" profile="snap.multipass.multipass" name="/etc/ssh/ssh_config" pid=21893 comm="multipass" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 09 10:23:01 Dalek kernel: audit: type=1400 audit(1594286581.291:372): apparmor="DENIED" operation="open" profile="snap.multipass.multipass" name="/etc/ssh/ssh_config" pid=21893 comm="multipass" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 09 10:23:01 Dalek audit[21920]: AVC apparmor="DENIED" operation="open" profile="snap.multipass.multipass" name="/etc/ssh/ssh_config" pid=21920 comm="multipass" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 09 10:23:01 Dalek kernel: audit: type=1400 audit(1594286581.935:373): apparmor="DENIED" operation="open" profile="snap.multipass.multipass" name="/etc/ssh/ssh_config" pid=21920 comm="multipass" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 09 10:23:02 Dalek audit[21953]: AVC apparmor="DENIED" operation="open" profile="snap.multipass.multipass" name="/etc/ssh/ssh_config" pid=21953 comm="multipass" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 09 10:23:02 Dalek kernel: audit: type=1400 audit(1594286582.551:374): apparmor="DENIED" operation="open" profile="snap.multipass.multipass" name="/etc/ssh/ssh_config" pid=21953 comm="multipass" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 09 10:23:03 Dalek audit[1623]: AVC apparmor="DENIED" operation="open" profile="snap.multipass.multipassd" name="/etc/ssh/ssh_config" pid=1623 comm="multipassd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jul 09 10:23:03 Dalek kernel: audit: type=1400 audit(1594286583.179:375): apparmor="DENIED" operation="open" profile="snap.multipass.multipassd" name="/etc/ssh/ssh_config" pid=1623 comm="multipassd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jul 09 10:23:03 Dalek audit[22009]: AVC apparmor="DENIED" operation="open" profile="snap.multipass.multipass" name="/etc/ssh/ssh_config" pid=22009 comm="multipass" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 09 10:23:03 Dalek kernel: audit: type=1400 audit(1594286583.455:376): apparmor="DENIED" operation="open" profile="snap.multipass.multipass" name="/etc/ssh/ssh_config" pid=22009 comm="multipass" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 09 10:23:43 Dalek audit[1623]: AVC apparmor="DENIED" operation="open" profile="snap.multipass.multipassd" name="/etc/ssh/ssh_config" pid=1623 comm="multipassd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jul 09 10:23:43 Dalek kernel: audit: type=1400 audit(1594286623.971:377): apparmor="DENIED" operation="open" profile="snap.multipass.multipassd" name="/etc/ssh/ssh_config" pid=1623 comm="multipassd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jul 09 10:23:44 Dalek audit[1623]: AVC apparmor="DENIED" operation="open" profile="snap.multipass.multipassd" name="/etc/ssh/ssh_config" pid=1623 comm="multipassd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jul 09 10:23:44 Dalek kernel: audit: type=1400 audit(1594286624.247:378): apparmor="DENIED" operation="open" profile="snap.multipass.multipassd" name="/etc/ssh/ssh_config" pid=1623 comm="multipassd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jul 09 10:33:46 Dalek audit[1451]: USER_AVC pid=1451 uid=106 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_signal"  bus="system" path="/org/freedesktop/NetworkManager/ActiveConnection/2" interface="org.freedesktop.NetworkManager.Connection.Active" member="PropertiesChanged" name=":1.16" mask="receive" pid=1623 label="snap.multipass.multipassd" peer_pid=1507 peer_label="unconfined"
Jul 09 10:33:46 Dalek kernel: audit: type=1107 audit(1594287226.190:399): pid=1451 uid=106 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_signal"  bus="system" path="/org/freedesktop/NetworkManager/ActiveConnection/2" interface="org.freedesktop.NetworkManager.Connection.Active" member="PropertiesChanged" name=":1.16" mask="receive" pid=1623 label="snap.multipass.multipassd" peer_pid=1507 peer_label="unconfined"
Jul 09 10:33:53 Dalek audit[22656]: AVC apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=22656 comm="snap-confine" capability=4  capname="fsetid"
Jul 09 10:33:53 Dalek kernel: audit: type=1400 audit(1594287233.170:401): apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=22656 comm="snap-confine" capability=4  capname="fsetid"
Jul 09 10:33:55 Dalek audit[22828]: AVC apparmor="DENIED" operation="open" profile="snap.photonotebook.photonotebook" name="/proc/22828/mountinfo" pid=22828 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Jul 09 10:33:55 Dalek kernel: audit: type=1400 audit(1594287235.398:402): apparmor="DENIED" operation="open" profile="snap.photonotebook.photonotebook" name="/proc/22828/mountinfo" pid=22828 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Jul 09 10:33:56 Dalek audit[22828]: AVC apparmor="DENIED" operation="open" profile="snap.photonotebook.photonotebook" name="/proc/22828/net/if_inet6" pid=22828 comm="QuantumRenderer" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 09 10:33:56 Dalek kernel: audit: type=1400 audit(1594287236.554:403): apparmor="DENIED" operation="open" profile="snap.photonotebook.photonotebook" name="/proc/22828/net/if_inet6" pid=22828 comm="QuantumRenderer" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 09 10:33:56 Dalek kernel: audit: type=1400 audit(1594287236.554:404): apparmor="DENIED" operation="open" profile="snap.photonotebook.photonotebook" name="/proc/22828/net/ipv6_route" pid=22828 comm="QuantumRenderer" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 09 10:33:56 Dalek kernel: audit: type=1400 audit(1594287236.554:405): apparmor="DENIED" operation="open" profile="snap.photonotebook.photonotebook" name="/proc/22828/net/if_inet6" pid=22828 comm="QuantumRenderer" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 09 10:33:56 Dalek audit[22828]: AVC apparmor="DENIED" operation="open" profile="snap.photonotebook.photonotebook" name="/proc/22828/net/ipv6_route" pid=22828 comm="QuantumRenderer" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 09 10:33:56 Dalek audit[22828]: AVC apparmor="DENIED" operation="open" profile="snap.photonotebook.photonotebook" name="/proc/22828/net/if_inet6" pid=22828 comm="QuantumRenderer" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 09 10:33:56 Dalek audit[22828]: AVC apparmor="DENIED" operation="open" profile="snap.photonotebook.photonotebook" name="/home/alan/.config/dconf/user" pid=22828 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 09 10:33:56 Dalek kernel: audit: type=1400 audit(1594287236.942:407): apparmor="DENIED" operation="open" profile="snap.photonotebook.photonotebook" name="/home/alan/.config/dconf/user" pid=22828 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 09 10:34:04 Dalek audit[22828]: AVC apparmor="DENIED" operation="open" profile="snap.photonotebook.photonotebook" name="/proc/22828/mountinfo" pid=22828 comm="gmain" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Jul 09 10:34:04 Dalek audit[22828]: AVC apparmor="DENIED" operation="open" profile="snap.photonotebook.photonotebook" name="/etc/fstab" pid=22828 comm=4A6176614658204170706C69636174 requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 09 10:34:04 Dalek audit[22828]: AVC apparmor="DENIED" operation="open" profile="snap.photonotebook.photonotebook" name="/proc/22828/mountinfo" pid=22828 comm=4A6176614658204170706C69636174 requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Jul 09 10:34:04 Dalek audit[22828]: AVC apparmor="DENIED" operation="open" profile="snap.photonotebook.photonotebook" name="/proc/22828/mounts" pid=22828 comm=4A6176614658204170706C69636174 requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Jul 09 10:34:04 Dalek kernel: audit: type=1400 audit(1594287244.310:408): apparmor="DENIED" operation="open" profile="snap.photonotebook.photonotebook" name="/proc/22828/mountinfo" pid=22828 comm="gmain" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Jul 09 10:34:04 Dalek kernel: audit: type=1400 audit(1594287244.310:409): apparmor="DENIED" operation="open" profile="snap.photonotebook.photonotebook" name="/etc/fstab" pid=22828 comm=4A6176614658204170706C69636174 requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 09 10:34:04 Dalek kernel: audit: type=1400 audit(1594287244.310:410): apparmor="DENIED" operation="open" profile="snap.photonotebook.photonotebook" name="/proc/22828/mountinfo" pid=22828 comm=4A6176614658204170706C69636174 requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Jul 09 10:34:04 Dalek kernel: audit: type=1400 audit(1594287244.310:411): apparmor="DENIED" operation="open" profile="snap.photonotebook.photonotebook" name="/proc/22828/mounts" pid=22828 comm=4A6176614658204170706C69636174 requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Jul 09 10:34:04 Dalek audit[22828]: AVC apparmor="DENIED" operation="open" profile="snap.photonotebook.photonotebook" name="/proc/22828/mountinfo" pid=22828 comm=4A6176614658204170706C69636174 requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Jul 09 10:34:04 Dalek audit[22828]: AVC apparmor="DENIED" operation="open" profile="snap.photonotebook.photonotebook" name="/proc/22828/mounts" pid=22828 comm=4A6176614658204170706C69636174 requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Jul 09 10:34:04 Dalek kernel: audit: type=1400 audit(1594287244.814:412): apparmor="DENIED" operation="open" profile="snap.photonotebook.photonotebook" name="/proc/22828/mountinfo" pid=22828 comm=4A6176614658204170706C69636174 requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Jul 09 10:34:04 Dalek kernel: audit: type=1400 audit(1594287244.814:413): apparmor="DENIED" operation="open" profile="snap.photonotebook.photonotebook" name="/proc/22828/mounts" pid=22828 comm=4A6176614658204170706C69636174 requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Jul 09 10:34:04 Dalek audit[22828]: AVC apparmor="DENIED" operation="open" profile="snap.photonotebook.photonotebook" name="/home/alan/IdeaProjects/PhotoNoteBook-V1/snapLinux/xdg-open" pid=22828 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 09 10:34:04 Dalek kernel: audit: type=1400 audit(1594287244.822:414): apparmor="DENIED" operation="open" profile="snap.photonotebook.photonotebook" name="/home/alan/IdeaProjects/PhotoNoteBook-V1/snapLinux/xdg-open" pid=22828 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 09 10:34:04 Dalek kernel: audit: type=1400 audit(1594287244.838:415): apparmor="DENIED" operation="open" profile="snap.photonotebook.photonotebook" name="/home/alan/IdeaProjects/PhotoNoteBook-V1/snapLinux/xdg-open" pid=22828 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 09 10:34:04 Dalek kernel: audit: type=1400 audit(1594287244.850:416): apparmor="DENIED" operation="open" profile="snap.photonotebook.photonotebook" name="/proc/22828/mountinfo" pid=22828 comm=4A6176614658204170706C69636174 requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Jul 09 10:34:04 Dalek kernel: audit: type=1400 audit(1594287244.850:417): apparmor="DENIED" operation="open" profile="snap.photonotebook.photonotebook" name="/proc/22828/mounts" pid=22828 comm=4A6176614658204170706C69636174 requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Jul 09 10:34:04 Dalek audit[22828]: AVC apparmor="DENIED" operation="open" profile="snap.photonotebook.photonotebook" name="/home/alan/IdeaProjects/PhotoNoteBook-V1/snapLinux/xdg-open" pid=22828 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 09 10:34:04 Dalek audit[22828]: AVC apparmor="DENIED" operation="open" profile="snap.photonotebook.photonotebook" name="/proc/22828/mountinfo" pid=22828 comm=4A6176614658204170706C69636174 requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Jul 09 10:34:04 Dalek audit[22828]: AVC apparmor="DENIED" operation="open" profile="snap.photonotebook.photonotebook" name="/proc/22828/mounts" pid=22828 comm=4A6176614658204170706C69636174 requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Jul 09 10:34:05 Dalek audit[22828]: AVC apparmor="DENIED" operation="open" profile="snap.photonotebook.photonotebook" name="/proc/22828/mountinfo" pid=22828 comm=4A6176614658204170706C69636174 requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Jul 09 10:34:05 Dalek audit[22828]: AVC apparmor="DENIED" operation="open" profile="snap.photonotebook.photonotebook" name="/proc/22828/mounts" pid=22828 comm=4A6176614658204170706C69636174 requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Jul 09 10:34:05 Dalek audit[1451]: USER_AVC pid=1451 uid=106 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/hostname1" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name=":1.178" pid=22828 label="snap.photonotebook.photonotebook" peer_pid=22873 peer_label="unconfined"
Jul 09 10:34:05 Dalek audit[1451]: USER_AVC pid=1451 uid=106 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/hostname1" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name=":1.178" pid=22828 label="snap.photonotebook.photonotebook" peer_pid=22873 peer_label="unconfined"
Jul 09 10:34:25 Dalek audit[22828]: AVC apparmor="DENIED" operation="open" profile="snap.photonotebook.photonotebook" name="/proc/22828/mountinfo" pid=22828 comm=4A6176614658204170706C69636174 requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Jul 09 10:34:25 Dalek audit[22828]: AVC apparmor="DENIED" operation="open" profile="snap.photonotebook.photonotebook" name="/proc/22828/mounts" pid=22828 comm=4A6176614658204170706C69636174 requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Jul 09 10:34:25 Dalek kernel: audit: type=1400 audit(1594287265.538:422): apparmor="DENIED" operation="open" profile="snap.photonotebook.photonotebook" name="/proc/22828/mountinfo" pid=22828 comm=4A6176614658204170706C69636174 requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Jul 09 10:34:25 Dalek kernel: audit: type=1400 audit(1594287265.538:423): apparmor="DENIED" operation="open" profile="snap.photonotebook.photonotebook" name="/proc/22828/mounts" pid=22828 comm=4A6176614658204170706C69636174 requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000


I also ran the strict version program with DEBUG:

DEBUG: umask reset, old umask was  022
DEBUG: security tag: snap.photonotebook.photonotebook
DEBUG: executable:   /usr/lib/snapd/snap-exec
DEBUG: confinement:  non-classic
DEBUG: base snap:    core18
DEBUG: ruid: 1000, euid: 0, suid: 0
DEBUG: rgid: 1000, egid: 1000, sgid: 1000
DEBUG: apparmor label on snap-confine is: /usr/lib/snapd/snap-confine
DEBUG: apparmor mode is: enforce
DEBUG: creating lock directory /run/snapd/lock (if missing)
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: opening lock directory /run/snapd/lock
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: opening lock file: /run/snapd/lock/.lock
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: sanity timeout initialized and set for 30 seconds
DEBUG: acquiring exclusive lock (scope (global), uid 0)
DEBUG: sanity timeout reset and disabled
DEBUG: ensuring that snap mount directory is shared
DEBUG: unsharing snap namespace directory
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: releasing lock 5
DEBUG: opened snap-update-ns executable as file descriptor 5
DEBUG: opened snap-discard-ns executable as file descriptor 6
DEBUG: creating lock directory /run/snapd/lock (if missing)
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: opening lock directory /run/snapd/lock
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: opening lock file: /run/snapd/lock/photonotebook.lock
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: sanity timeout initialized and set for 30 seconds
DEBUG: acquiring exclusive lock (scope photonotebook, uid 0)
DEBUG: sanity timeout reset and disabled
DEBUG: initializing mount namespace: photonotebook
DEBUG: snappy_udev_init
DEBUG: setup_devices_cgroup
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: write_string_to_file /sys/fs/cgroup/devices/snap.photonotebook.photonotebook/cgroup.procs 22942
DEBUG: write_string_to_file /sys/fs/cgroup/devices/snap.photonotebook.photonotebook/devices.deny a
DEBUG: run_snappy_app_dev_add: /sys/class/mem/null snap_photonotebook_photonotebook
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /sys/class/mem/null 1:3
DEBUG: run_snappy_app_dev_add: /sys/class/mem/full snap_photonotebook_photonotebook
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /sys/class/mem/full 1:7
DEBUG: run_snappy_app_dev_add: /sys/class/mem/zero snap_photonotebook_photonotebook
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /sys/class/mem/zero 1:5
DEBUG: run_snappy_app_dev_add: /sys/class/mem/random snap_photonotebook_photonotebook
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /sys/class/mem/random 1:8
DEBUG: run_snappy_app_dev_add: /sys/class/mem/urandom snap_photonotebook_photonotebook
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /sys/class/mem/urandom 1:9
DEBUG: run_snappy_app_dev_add: /sys/class/tty/tty snap_photonotebook_photonotebook
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /sys/class/tty/tty 5:0
DEBUG: run_snappy_app_dev_add: /sys/class/tty/console snap_photonotebook_photonotebook
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /sys/class/tty/console 5:1
DEBUG: run_snappy_app_dev_add: /sys/class/tty/ptmx snap_photonotebook_photonotebook
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /sys/class/tty/ptmx 5:2
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /dev/pts/slaves 136:*
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /dev/pts/slaves 137:*
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /dev/pts/slaves 138:*
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /dev/pts/slaves 139:*
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /dev/pts/slaves 140:*
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /dev/pts/slaves 141:*
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /dev/pts/slaves 142:*
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /dev/pts/slaves 143:*
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /dev/nvidia0 195:0
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /dev/nvidiactl 195:255
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /dev/nvidia-uvm 239:0
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /dev/uhid 10:239
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /dev/net/tun 10:200
DEBUG: run_snappy_app_dev_add: /sys/devices/pci0000:00/0000:00:01.1/0000:07:00.0/drm/card1 snap_photonotebook_photonotebook
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /sys/devices/pci0000:00/0000:00:01.1/0000:07:00.0/drm/card1 226:1
DEBUG: run_snappy_app_dev_add: /sys/devices/pci0000:00/0000:00:01.1/0000:07:00.0/drm/renderD129 snap_photonotebook_photonotebook
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /sys/devices/pci0000:00/0000:00:01.1/0000:07:00.0/drm/renderD129 226:129
DEBUG: run_snappy_app_dev_add: /sys/devices/pci0000:00/0000:00:02.0/drm/card0 snap_photonotebook_photonotebook
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /sys/devices/pci0000:00/0000:00:02.0/drm/card0 226:0
DEBUG: run_snappy_app_dev_add: /sys/devices/pci0000:00/0000:00:02.0/drm/card0/card0-HDMI-A-1 snap_photonotebook_photonotebook
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /sys/devices/pci0000:00/0000:00:02.0/drm/card0/card0-HDMI-A-1 0:0
DEBUG: run_snappy_app_dev_add: /sys/devices/pci0000:00/0000:00:02.0/drm/card0/card0-eDP-1 snap_photonotebook_photonotebook
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /sys/devices/pci0000:00/0000:00:02.0/drm/card0/card0-eDP-1 0:0
DEBUG: run_snappy_app_dev_add: /sys/devices/pci0000:00/0000:00:02.0/drm/renderD128 snap_photonotebook_photonotebook
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /sys/devices/pci0000:00/0000:00:02.0/drm/renderD128 226:128
DEBUG: run_snappy_app_dev_add: /sys/devices/pci0000:00/0000:00:1f.2/ata3/host2/target2:0:0/2:0:0:0/block/sr0 snap_photonotebook_photonotebook
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /sys/devices/pci0000:00/0000:00:1f.2/ata3/host2/target2:0:0/2:0:0:0/block/sr0 11:0
DEBUG: run_snappy_app_dev_add: /sys/devices/pci0000:00/0000:00:1f.2/ata3/host2/target2:0:0/2:0:0:0/scsi_generic/sg1 snap_photonotebook_photonotebook
DEBUG: running snap-device-helper add snap_photonotebook_photonotebook /sys/devices/pci0000:00/0000:00:1f.2/ata3/host2/target2:0:0/2:0:0:0/scsi_generic/sg1 21:1
DEBUG: forked support process 22983
DEBUG: changing apparmor hat to mount-namespace-capture-helper
DEBUG: helper process waiting for command
DEBUG: sanity timeout initialized and set for 30 seconds
DEBUG: block device of snap core18, revision 1754 is 7:8
DEBUG: sanity timeout initialized and set for 30 seconds
DEBUG: joining preserved mount namespace for inspection
DEBUG: block device of the root filesystem is 7:8
DEBUG: sanity timeout reset and disabled
DEBUG: preserved mount is not stale, reusing
DEBUG: joined preserved mount namespace photonotebook
DEBUG: joining preserved per-user mount namespace
DEBUG: unsharing the mount namespace (per-user)
DEBUG: sc_setup_user_mounts: photonotebook
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: calling snapd tool snap-update-ns
DEBUG: waiting for snapd tool snap-update-ns to terminate
DEBUG: requesting changing of apparmor profile on next exec to snap-update-ns.photonotebook
change.go:316: DEBUG: mount name:"/run/user/1000/doc/by-app/snap.photonotebook" dir:"/run/user/1000/doc" type:"none" opts:MS_BIND unparsed:"" (error: <nil>)
DEBUG: snap-update-ns finished successfully
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: NOT preserving per-user mount namespace
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: moved process 22942 to cgroup hierarchy /sys/fs/cgroup/freezer/snap.photonotebook
DEBUG: releasing lock 7
DEBUG: sending command 0 to helper process (pid: 22983)
DEBUG: waiting for response from helper
DEBUG: sanity timeout reset and disabled
DEBUG: helper process received command 0
DEBUG: helper process exiting
DEBUG: waiting for the helper process to exit
DEBUG: helper process exited normally
DEBUG: resetting PATH to values in sync with core snap
DEBUG: set_effective_identity uid:1000 (change: yes), gid:1000 (change: yes)
DEBUG: creating user data directory: /home/alan/snap/photonotebook/x1
DEBUG: requesting changing of apparmor profile on next exec to snap.photonotebook.photonotebook
DEBUG: ruid: 1000, euid: 1000, suid: 0
DEBUG: setting capabilities bounding set
DEBUG: regaining SYS_ADMIN
DEBUG: loading bpf program for security tag snap.photonotebook.photonotebook
DEBUG: read 6968 bytes from /var/lib/snapd/seccomp/bpf//snap.photonotebook.photonotebook.bin
DEBUG: read 152 bytes from /var/lib/snapd/seccomp/bpf/global.bin
DEBUG: clearing SYS_ADMIN
DEBUG: execv(/usr/lib/snapd/snap-exec, /usr/lib/snapd/snap-exec...)
DEBUG:  argv[1] = photonotebook
DEBUG: umask restored to  022
DEBUG: working directory restored to /home/alan/IdeaProjects/PhotoNoteBook-V1/snapLinux
/snap/photonotebook/x1/bin


Running SNAPPY-DEBUG with the strict version of the program gave the following:

INFO: Following '/var/log/syslog'. If have dropped messages, use:
INFO: $ sudo journalctl --output=short --follow --all | sudo snappy-debug
= AppArmor =
Time: Jul  9 10:41:46
Log: apparmor="DENIED" operation="open" profile="snap.photonotebook.photonotebook" name="/proc/23232/mountinfo" pid=23232 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
File: /proc/23232/mountinfo (read)
Suggestions:
* adjust program to not access '@{PROC}/@{pid}/mountinfo'
* add 'mount-observe' to 'plugs'

= Seccomp =
Time: Jul  9 10:41:46
Log: auid=1000 uid=1000 gid=1000 ses=3 pid=23232 comm="QuantumRenderer" exe="/snap/photonotebook/x1/bin/java" sig=0 arch=c000003e 133(mknod) compat=0 ip=0x7f8c04f3586d code=0x50000
Syscall: mknod


I look forward to hearing your suggestions.

Many Thanks
Alan

Do you see anything relevant printed to stderr when your program calls xdg-open? And to help debug, could you have your program print the command line it is trying to execute?

You are right that the xdg-open utility behaves a bit differently within strict confinement. Rather than launching the associated application directly, it is a proxy that asks a helper outside the sandbox to launch the app on its behalf. It looks like you should have the plugs required to allow it to work though.

You probably want to add the desktop plug to your app …

Hi, I tried that, but that didn’t make the difference! A realisation of my own idiocy in the coding solved the problem! I’m about to post the solution to help others if they have the same issue (to laugh at I mean :rofl:) !

Cheers, Alan

Hi,
Thanks to some prompting I found the solution in my coding right under my big stupid nose!

If any (or all) of the Desktop() related tests described below fail, “xdg-open” is not called.

Getting rid of the Desktop() test has the result of giving the User a set of document related Applications to choose from. I like this so much, I’m going to try and add further functionality related to xdg-open!!

    if (OSCheck.getOperatingSystemType() == OSCheck.OSType.Linux)
    {
        // xdg-open is only reached if both Desktop checks below pass.
        if (Desktop.isDesktopSupported())
        {
            Desktop desktop = Desktop.getDesktop();
            try
            {
                File file = new File(FileOpsUtils.getManualsDirectory() + File.separator + "manual.pdf");
                if (desktop.isSupported(Desktop.Action.BROWSE))
                {
                    String command = "xdg-open " + file.toURI();
                    Process process = Runtime.getRuntime().exec(command);
                    // .....

Thanks for all your suggestions and help!
Alan
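
The fix described in the last post, combined with the earlier request to print the command line and watch stderr, as an added example that is not code from the thread: xdg-open is called without the `Desktop` checks, with an argument list instead of a single command string, and its output and exit status are surfaced so a failure is no longer silent. The class name `OpenManual`, the method name and the 5-second timeout are assumptions.

```java
import java.io.File;
import java.io.IOException;
import java.util.List;
import java.util.concurrent.TimeUnit;

// Added example; class and method names are hypothetical, not from the original post.
public class OpenManual {

    /**
     * Asks xdg-open to open the file. Returns true if xdg-open exited with
     * status 0 or was still running after the timeout.
     * Blocks for up to 5 seconds, so call it off the JavaFX Application Thread.
     */
    static boolean openWithXdgOpen(File file) throws IOException, InterruptedException {
        if (!file.isFile() || !file.canRead()) {
            throw new IOException("Not a readable file: " + file);
        }
        // Each list element is passed as exactly one argument; there is no shell and
        // no whitespace splitting as with Runtime.exec(String).
        List<String> command = List.of("xdg-open", file.toURI().toString());
        System.err.println("Executing: " + command);

        Process process = new ProcessBuilder(command)
                .inheritIO()   // xdg-open's stdout/stderr appear on this program's own streams
                .start();      // throws IOException if xdg-open cannot be started

        if (!process.waitFor(5, TimeUnit.SECONDS)) {
            // Depending on the environment, xdg-open may stay alive while the viewer runs.
            return true;
        }
        int status = process.exitValue();
        if (status != 0) {
            System.err.println("xdg-open exited with status " + status);
        }
        return status == 0;
    }

    public static void main(String[] args) throws Exception {
        // Assumed usage: pass the path of the PDF, e.g. the copied manual.pdf.
        if (args.length != 1) {
            System.err.println("usage: java OpenManual <file>");
            System.exit(2);
        }
        System.exit(openWithXdgOpen(new File(args[0])) ? 0 : 1);
    }
}
```

Run inside the strict snap from a terminal, the printed command and any xdg-open error output can be read alongside the snappy-debug denials for the same timestamp.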