As of right now we cannot build any (new versions of) KDE snaps because Qt 5.10 doesn’t work with snapd.
Qt 5.10 picks up a whole bunch of newer syscalls which entirely breaks temporary file writing (and by extension config file writing, which is implemented on top of temp files).
e.g. as a current example of this:
snap install --candidate kde-frameworks-5 # new content snap with qt 5.10
snap install okular # old okular build
snap run okular
On stdout you can observe a whole bunch of errors about the broken config file handling
okular(12250)/(default) unknown: Couldn't write "/home/me/snap/okular/3/.local-16.12.3/config/session/okular_10616a6178000152655521000000081640034_1526555210_164640" . Disk full?
okular(12250)/(default) unknown: Couldn't write "/home/me/snap/okular/3/.local-16.12.3/config/okularrc" . Disk full?
and gets journal’d as
Mai 17 13:08:43 ajax audit[12518]: AVC apparmor="DENIED" operation="open" profile="snap.okular.okular" name="/etc/xdg/QtProject/qtlogging.ini" pid=12518 comm="okular" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mai 17 13:08:43 ajax audit[12518]: SYSCALL arch=c000003e syscall=2 success=no exit=-13 a0=db4b08 a1=80000 a2=1b6 a3=db4ff4 items=1 ppid=11578 pid=12518 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts6 ses=2 comm="okular" exe="/snap/okular/3/usr/bin/okular" key=(null)
Mai 17 13:08:43 ajax audit: CWD cwd="/snap/okular/3"
Mai 17 13:08:43 ajax audit: PATH item=0 name="/etc/xdg/QtProject/qtlogging.ini" inode=36037702 dev=00:19 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
Mai 17 13:08:43 ajax audit: PROCTITLE proctitle="okular"
Mai 17 13:08:43 ajax audit[12518]: AVC apparmor="DENIED" operation="link" info="Failed name lookup - deleted entry" error=-2 profile="snap.okular.okular" name="/home/me/snap/okular/3/.local-16.12.3/config/session/#35482886" pid=12518 comm="okular" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000
Mai 17 13:08:43 ajax audit[12518]: AVC apparmor="DENIED" operation="link" profile="snap.okular.okular" name="/home/me/snap/okular/3/.local-16.12.3/config/session/okular_10616a6178000152655532300000081640035_1526555323_833762" pid=12518 comm="okular" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 target="/home/me/snap/okular/3/.local-16.12.3/config/session/#35482886"
Mai 17 13:08:43 ajax audit[12518]: SYSCALL arch=c000003e syscall=265 success=no exit=-2 a0=ffffff9c a1=19560c8 a2=ffffff9c a3=1988e38 items=2 ppid=11578 pid=12518 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts6 ses=2 comm="okular" exe="/snap/okular/3/usr/bin/okular" key=(null)
Mai 17 13:08:43 ajax audit: CWD cwd="/snap/okular/3"
Mai 17 13:08:43 ajax audit: PATH item=0 name="/proc/self/fd/13" inode=35482886 dev=00:31 mode=0100664 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
Mai 17 13:08:43 ajax audit: PATH item=1 name="/home/me/snap/okular/3/.local-16.12.3/config/session/" inode=35479841 dev=00:31 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
Mai 17 13:08:43 ajax audit: PROCTITLE proctitle="okular"
Mai 17 13:08:44 ajax audit[12518]: AVC apparmor="DENIED" operation="link" info="Failed name lookup - deleted entry" error=-2 profile="snap.okular.okular" name="/home/me/snap/okular/3/.local-16.12.3/config/#35482898" pid=12518 comm="okular" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000
Mai 17 13:08:44 ajax audit[12518]: AVC apparmor="DENIED" operation="link" profile="snap.okular.okular" name="/home/me/snap/okular/3/.local-16.12.3/config/okularrc" pid=12518 comm="okular" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 target="/home/me/snap/okular/3/.local-16.12.3/config/#35482898"
Mai 17 13:08:44 ajax audit[12518]: SYSCALL arch=c000003e syscall=265 success=no exit=-2 a0=ffffff9c a1=19a5238 a2=ffffff9c a3=19a05a8 items=2 ppid=11578 pid=12518 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts6 ses=2 comm="okular" exe="/snap/okular/3/usr/bin/okular" key=(null)
Mai 17 13:08:44 ajax audit: CWD cwd="/snap/okular/3"
Mai 17 13:08:44 ajax audit: PATH item=0 name="/proc/self/fd/13" inode=35482898 dev=00:31 mode=0100664 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
Mai 17 13:08:44 ajax audit: PATH item=1 name="/home/me/snap/okular/3/.local-16.12.3/config/" inode=35479822 dev=00:31 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
Mai 17 13:08:44 ajax audit: PROCTITLE proctitle="okular"
syscall=265
should be linkat
which is used for temporary file handling (e.g. https://github.com/qt/qtbase/blob/fe5edcee602f0ab2912bbdd1a21f4309ed7dbfd6/src/corelib/io/qtemporaryfile.cpp#L466) which, as it gets denied, results in no file writing.
This affects just about every configuration and cache file writing. For example, if you then Ctrl-O to get the open file dialog in okular you’ll be greeted with a bunch of warnings and a non-functional dialog because the IO abstraction layer doesn’t find any plugins because the plugin cache cannot be generated (also based on linkat).
There is a good chance there are other syscalls which may have trouble. e.g. I know statx
is now being used instead of lstat
, given I have no evidence of those getting denied I am going to assume they are working though ^^
This is likely also the underlying cause of Qt5 KDE integration in VLC snap is broken due to linkat() denial which as far as I know used Qt 5.10.