QtWebEngine blocked by AppArmor

omichel · September 19, 2019, 8:37am

Our app uses QtWebEngine version 5.11.2 which we recompile by ourselves.
However, it seems that Chromium (which is bundled into QtWebEngine) is blocked by AppArmor:

= AppArmor =
Time: Sep 19 10:30:05
Log: apparmor="DENIED" operation="open" profile="snap.webots.webots" name="/sys/devices/pci0000:00/0000:00:17.0/resource" pid=2918 comm="webots-bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /sys/devices/pci0000:00/0000:00:17.0/resource (read)
Suggestions:
* adjust program to not access '/sys/devices/pci0000:00/0000:00:17.0/resource'
* adjust program to not access '/sys/devices/pci[0-9]*:[0-9]*/[0-9]*:[0-9]*:[0-9]*.[0-9]*/resource'

We can fix this problem with:

snap connect webots:hardware-observe

However, it’s a pity to request a auto-connect only for that.

I don’t know why QtWebEngine tries to read this PCI bus, but that seems unnecessary in our case (we don’t use webcams or other PCI related hardware in our application).

Are others experiencing the same problem with QtWebEngine?
Is there a recommended way to get a strictly confined app run with QtWebEngine without the need to auto-connect hardware-observe?

lucyllewy · September 19, 2019, 1:12pm

Does your app work regardless of the denial by apparmor? If your app fails to work, then you will need to connect or request autoconnection of the interface. If your app works anyway, then you can ignore the denial messages.

omichel · September 19, 2019, 2:01pm

Unfortunately, it fails if I don’t connect the hardware-observe interface. So I guess I have no other choice than applying for an auto-connect of this hardware-observe interface. That’s a pity as we simply use the default QtWebEngine from Qt 5 to display some HTML5 pages, which is a pretty common library…

omichel · September 24, 2019, 6:44am

I just tried with the latest official version of QtWebEngine, i.e., 5.13.1, which I didn’t recompiled. I used the binaries provided by Qt, but I still have the same problem. I can’t believe nobody4 had the same problem. Is it really impossible to distribute a snap using QtWebEngine with strict confinment?

omichel · September 25, 2019, 9:08am

I found the solution: with the latest version of QtWebEngine (e.g., 5.13.1), I simply removed libpci from my snap and thus QtWebEngine won’t be able to load and use it and will silently skip the PCI scanning stuff, so the problem is fixed.

danieleds · September 26, 2019, 4:28pm

Could you share your snapcraft.yml? I’m struggling with QtWebEngine and in general using newer versions of Qt.

omichel · September 27, 2019, 7:00am

Sure, it’s here: https://github.com/cyberbotics/webots-snap/blob/master/snapcraft.yaml
Note that we use Qt 5.13.1 from the official distribution and bundle it within the snap.