PixelTaken 0.5.4b by JoinToIT

OleksandrBychek · January 6, 2024, 7:37pm

I have applications, and in strict mode I have a problem accessing dbus, could you review the classic mode.

alexmurray · January 8, 2024, 4:12am

Dbus access is provided by the dbus-interface - and so classic confinement should not be needed.

Can you please provide details on how this existing interface does not allow the access your snap requires?

OleksandrBychek · January 8, 2024, 8:23am

I’m using GDBusProxy to access org.freedesktop.portal.Desktop, but I get access denied from AppArmor

I have the dbus interface specified in my snapcraft

I also tried: process-control, system-observe, desktop, desktop-legacy And I configured the interface to read/write the /run/user/1000 directory, but this did not give any results

yvs · January 8, 2024, 11:40pm

probably it’d be helpful (not sure what kind of portal is there): facing recently DBus error “GDBus.Error:org.freedesktop.portal.Error.NotAllowed: This call is not available inside the sandbox.” is resolved in my case by adding “network-status” to snapcraft.yaml plugs

OleksandrBychek · January 9, 2024, 8:21am

Tried adding all the plugins with the network: - network - network-bind - network-status The error I get: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: An AppArmor policy prevents this sender from sending this message to this recipient; type=“method_call”, sender=":1.137" (uid=1000 pid=90608 comm="/snap/pixeltaken/x1/pixeltaken " label=“snap.pixeltaken.pixeltaken (enforce)”) interface=“org.freedesktop.DBus.Peer” member=“Ping” error name="(unset)" requested_reply=“0” destination=":1.82" (uid=1000 pid=87588 comm="/usr/libexec/xdg-desktop-portal " label=“unconfined”)

jslarraz · January 11, 2024, 3:21pm

Hi @OleksandrBychek,

If I’m right, you need the following apparmor rule to allow the ping message:

dbus (send)
     bus=session
     path=/org/freedesktop/portal/desktop
     interface=org.freedesktop.DBus.Peer
     member=Ping
     peer=(label=unconfined),

However, after a quick search I couldn’t find any existing interface granting it.

Maybe you can try to remove calls to the Ping method in your code if they are not required by the application to work. Otherwise, I would suggest checking locally that this rule fixes the AccessDenied and getting in touch with the snapd team and discuss the issue with them further (e.g. the possibility of solving this issue by adding this rule to the desktop interface).

OleksandrBychek · January 12, 2024, 11:56am

Hi @jslarraz ,

You are right, without Peer other dbus methods work. Thank you!