I was chillaxing, max relaxing at my desk yesterday when I started to be spammed with notifications from aa-notify
about Spotify being denied various things. A sample from dmesg
:
[Tue Feb 18 09:16:03 2020] audit: type=1400 audit(1582017346.757:15155): apparmor="DENIED" operation="mknod" profile="snap.spotify.spotify" name="/home/laney/snap/spotify/36/.config/spotify/Users/laney-user/pending-messages.tmp.8" pid=436311 comm=436F726520546872656164 requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
[Tue Feb 18 09:16:03 2020] audit: type=1400 audit(1582017346.757:15156): apparmor="DENIED" operation="mknod" profile="snap.spotify.spotify" name="/home/laney/snap/spotify/36/.config/spotify/Users/laney-user/pending-messages.tmp.9" pid=436311 comm=436F726520546872656164 requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
[Tue Feb 18 09:18:25 2020] kauditd_printk_skb: 94 callbacks suppressed
[Tue Feb 18 09:18:25 2020] audit: type=1107 audit(1582017489.450:15251): pid=3131 uid=102 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/NetworkManager" interface="org.freedesktop.NetworkManager" member="state" mask="send" name=":1.19" pid=3361009 label="snap.spotify.spotify" peer_pid=3134 peer_label="unconfined"
exe="/usr/bin/dbus-daemon" sauid=102 hostname=? addr=? terminal=?'
[Tue Feb 18 09:18:39 2020] audit: type=1107 audit(1582017503.090:15252): pid=3131 uid=102 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/NetworkManager" interface="org.freedesktop.NetworkManager" member="state" mask="send" name=":1.19" pid=3361009 label="snap.spotify.spotify" peer_pid=3134 peer_label="unconfined"
Several of these per second whenever it tried to do anything other than continue playing a track - e.g. change to the next track (show a notification — which it couldn’t do any more).
Now I can see from snap changes
that there was indeed a refresh yesterday:
590 Done yesterday at 13:06 GMT yesterday at 13:08 GMT Auto-refresh snap "spotify"
And indeed the spamming went away when I restarted the application.
Was it that the apparmor profiles for the old version stopped working after the refresh? I can see a revision-specific directory in there and @jamesh told me that access to these goes away when the new revision’s profiles get installed so I guess this is right and the D-Bus denials could be another instance of the same thing?
I’ve heard about refresh awareness - is the snapd position that applications need to implement this and they may be (subtly or not so) broken after a refresh and before a restart? Or is it possible to do something better here and wait until launching the new revision before applying its apparmor profiles somehow? Any plans to share? Pointers to existing discussions, plans or documentation gratefully welcomed of course.
laney@raleigh> snap --version
snap 2.43.2
snapd 2.43.2
series 16
ubuntu 20.04
kernel 5.4.0-12-generic