QtWebEngine blocked by AppArmor


#1

Our app uses QtWebEngine version 5.11.2 which we recompile by ourselves.
However, it seems that Chromium (which is bundled into QtWebEngine) is blocked by AppArmor:

= AppArmor =
Time: Sep 19 10:30:05
Log: apparmor="DENIED" operation="open" profile="snap.webots.webots" name="/sys/devices/pci0000:00/0000:00:17.0/resource" pid=2918 comm="webots-bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /sys/devices/pci0000:00/0000:00:17.0/resource (read)
Suggestions:
* adjust program to not access '/sys/devices/pci0000:00/0000:00:17.0/resource'
* adjust program to not access '/sys/devices/pci[0-9]*:[0-9]*/[0-9]*:[0-9]*:[0-9]*.[0-9]*/resource'

We can fix this problem with:

snap connect webots:hardware-observe

However, it’s a pity to request an auto-connect only for that.

I don’t know why QtWebEngine tries to read this PCI bus, but that seems unnecessary in our case (we don’t use webcams or other PCI related hardware in our application).

Are others experiencing the same problem with QtWebEngine?
Is there a recommended way to get a strictly confined app to run with QtWebEngine without the need to auto-connect hardware-observe?


#2

Does your app work regardless of the denial by apparmor? If your app fails to work, then you will need to connect or request autoconnection of the interface. If your app works anyway, then you can ignore the denial messages.


#3

Unfortunately, it fails if I don’t connect the hardware-observe interface. So I guess I have no other choice than applying for an auto-connect of this hardware-observe interface. That’s a pity as we simply use the default QtWebEngine from Qt 5 to display some HTML5 pages, which is a pretty common library…


#4

I just tried with the latest official version of QtWebEngine, i.e., 5.13.1, which I didn’t recompile. I used the binaries provided by Qt, but I still have the same problem. I can’t believe nobody had the same problem. Is it really impossible to distribute a snap using QtWebEngine with strict confinement?


#5

:champagne: I found the solution: with the latest version of QtWebEngine (e.g., 5.13.1), I simply removed libpci from my snap and thus QtWebEngine won’t be able to load and use it and will silently skip the PCI scanning stuff, so the problem is fixed.
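To confirm that a change like the one in post #5 actually stops the PCI reads, the denial records can be filtered by profile and path. The script below is an added example, not code from the thread or from the Webots project; it assumes the log lines keep the key=value layout shown in post #1, and the function names and all sample records except the first are constructed for illustration.

```python
import re
from collections import Counter

# AppArmor audit records are key=value pairs; values are quoted or bare.
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# sysfs PCI "resource" files, including devices nested behind bridges.
_PCI_RESOURCE = re.compile(r"^/sys/devices/pci[0-9a-f:]+(?:/[0-9a-f:.]+)+/resource$")


def parse_denial(line):
    """Return the fields of an AppArmor DENIED record, or None for other lines."""
    fields = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
              for m in _FIELD.finditer(line)}
    return fields if fields.get("apparmor") == "DENIED" else None


def pci_read_denials(lines, profile):
    """Count denied reads of PCI resource files for one profile, keyed by (comm, path)."""
    hits = Counter()
    for line in lines:
        rec = parse_denial(line)
        if rec is None or rec.get("profile") != profile:
            continue
        if "r" in rec.get("denied_mask", "") and _PCI_RESOURCE.match(rec.get("name", "")):
            hits[(rec.get("comm"), rec["name"])] += 1
    return hits


# The first record is the one quoted in post #1; the rest are constructed samples.
SAMPLE = [
    'apparmor="DENIED" operation="open" profile="snap.webots.webots" name="/sys/devices/pci0000:00/0000:00:17.0/resource" pid=2918 comm="webots-bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    'apparmor="DENIED" operation="open" profile="snap.webots.webots" name="/sys/devices/pci0000:00/0000:00:1c.0/0000:01:00.0/resource" pid=2918 comm="webots-bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    'apparmor="DENIED" operation="open" profile="snap.webots.webots" name="/etc/fstab" pid=2918 comm="webots-bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    'apparmor="DENIED" operation="open" profile="snap.example.app" name="/sys/devices/pci0000:00/0000:00:02.0/resource" pid=3100 comm="example" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    'apparmor="ALLOWED" operation="open" profile="snap.webots.webots" name="/sys/devices/pci0000:00/0000:00:17.0/resource" pid=2918 comm="webots-bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
]

if __name__ == "__main__":
    for (comm, path), n in pci_read_denials(SAMPLE, "snap.webots.webots").items():
        print(f"{n}x {comm} denied read of {path}")
```

An empty result for the snap's profile after rebuilding means the PCI scan is no longer being attempted under confinement.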


#6

Could you share your snapcraft.yml? I’m struggling with QtWebEngine and in general using newer versions of Qt.


#7

Sure, it’s here: https://github.com/cyberbotics/webots-snap/blob/master/snapcraft.yaml
Note that we use Qt 5.13.1 from the official distribution and bundle it within the snap.