Hello,
I’ve installed snap chromium (Chromium 125.0.6422.60 snap) on my Ubuntu (22.04.4 LTS) computer to run a nightly web site scraping task. The task erase the profile to start from a fresh profile and runs chromium without a window. It uses the debug interface.
The task is equivalent to python selenium but it is written in go and uses go-rod.
The task runs well when executed manually from the command line, but fails with an error when executed with cron. It seam to be related to snap permissions. I like the sandboxing of snap and want to simply extend the permissions, but I have no idea how to achieve that. I only have an ssh access to the host.
This is the error message I get when starting my task with cron:
panic: [launcher] Failed to get the debug url: /system.slice/cron.service is not a snap cgroup
I also have many audit warnings related to chromium. This is what logwatch shows me.
--------------------- Kernel Begin ------------------------
1 Time(s): exe="/usr/bin/dbus-daemon" sauid=106 hostname=? addr=? terminal=?'
1 Time(s): audit: type=1107 audit(1716356559.928:116): pid=832 uid=106 auid=4294967295 ses=4294967295 subj=unconfined msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/" interface="org.freedesktop.DBus.ObjectManager" member="GetManagedObjects" mask="send" name="org.bluez" pid=6723 label="snap.chromium.chromium"
1 Time(s): audit: type=1326 audit(1716356559.692:113): auid=1000 uid=1000 gid=1000 ses=182 subj=snap.chromium.chromium pid=6778 comm="chrome" exe="/snap/chromium/2859/usr/lib/chromium-browser/chrome" sig=0 arch=c000003e syscall=330 compat=0 ip=0x7f05c31dbf6b code=0x50000
1 Time(s): audit: type=1326 audit(1716356559.696:114): auid=1000 uid=1000 gid=1000 ses=182 subj=snap.chromium.chromium pid=6777 comm="chrome" exe="/snap/chromium/2859/usr/lib/chromium-browser/chrome" sig=0 arch=c000003e syscall=330 compat=0 ip=0x7fb695bf5f6b code=0x50000
1 Time(s): audit: type=1326 audit(1716356559.704:115): auid=1000 uid=1000 gid=1000 ses=182 subj=snap.chromium.chromium pid=6778 comm="chrome" exe="/snap/chromium/2859/usr/lib/chromium-browser/chrome" sig=0 arch=c000003e syscall=444 compat=0 ip=0x7f05c31d388d code=0x50000
1 Time(s): audit: type=1400 audit(1716328801.977:103): apparmor="DENIED" operation="capable" profile="/usr/sbin/cupsd" pid=3840 comm="cupsd" capability=12 capname="net_admin"
1 Time(s): audit: type=1400 audit(1716328804.393:104): apparmor="DENIED" operation="capable" profile="/usr/sbin/cups-browsed" pid=3858 comm="cups-browsed" capability=23 capname="sys_nice"
1 Time(s): audit: type=1400 audit(1716355328.092:105): apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=5707 comm="snap-confine" capability=12 capname="net_admin"
1 Time(s): audit: type=1400 audit(1716355328.092:106): apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=5707 comm="snap-confine" capability=38 capname="perfmon"
1 Time(s): audit: type=1400 audit(1716355420.907:107): apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=5906 comm="snap-confine" capability=12 capname="net_admin"
1 Time(s): audit: type=1400 audit(1716355420.907:108): apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=5906 comm="snap-confine" capability=38 capname="perfmon"
1 Time(s): audit: type=1400 audit(1716355420.999:109): apparmor="DENIED" operation="open" profile="snap-update-ns.chromium" name="/usr/local/share/" pid=5920 comm="5" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
1 Time(s): audit: type=1400 audit(1716355421.007:110): apparmor="DENIED" operation="open" profile="snap-update-ns.chromium" name="/var/lib/snapd/" pid=5920 comm="5" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
1 Time(s): audit: type=1400 audit(1716355421.011:111): apparmor="DENIED" operation="open" profile="snap-update-ns.chromium" name="/var/lib/snapd/" pid=5920 comm="5" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
1 Time(s): audit: type=1400 audit(1716355421.011:112): apparmor="DENIED" operation="open" profile="snap-update-ns.chromium" name="/var/lib/snapd/" pid=5920 comm="5" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
1 Time(s): audit: type=1400 audit(1716356560.428:117): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/etc/vulkan/implicit_layer.d/" pid=6794 comm="chrome" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
1 Time(s): audit: type=1400 audit(1716356560.428:118): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/etc/vulkan/implicit_layer.d/" pid=6794 comm="chrome" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
1 Time(s): audit: type=1400 audit(1716356560.428:119): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/etc/vulkan/icd.d/" pid=6794 comm="chrome" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
1 Time(s): audit: type=1400 audit(1716356560.428:120): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/etc/vulkan/icd.d/" pid=6794 comm="chrome" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
1 Time(s): audit: type=1400 audit(1716356560.428:121): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/etc/vulkan/implicit_layer.d/" pid=6794 comm="chrome" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
1 Time(s): audit: type=1400 audit(1716356560.428:122): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/etc/vulkan/implicit_layer.d/" pid=6794 comm="chrome" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
---------------------- Kernel End -------------------------
I know that I could fix all these by installing chromium with apt, but I would prefer avoiding it if it’s possible.