Screen-inhibit-control denial - interface broken

lucyllewy · February 23, 2018, 1:13pm

I’ve built a snap of mame using @popey’s version with some minor modifications. I’ve got the denials down to a single entry which claims it will be fixed by connecting screen-inhibit-control. The crux is, however, I already have that plug connected so somehow either snappy-debug is wrong to advise it, or the interface is broken.

= AppArmor =
Time: Feb 23 13:05:09
Log: apparmor="DENIED" operation="dbus_method_call"  bus="session" path="/org/gnome/ScreenSaver" interface="org.gnome.ScreenSaver" member="SimulateUserActivity" mask="send" name="org.gnome.ScreenSaver" pid=15430 label="snap.mame.mame" peer_pid=5470 peer_label="unconfined"
DBus access
Suggestion:
* try adding 'screen-inhibit-control' to 'plugs'

output of snap interfaces mame:

Slot                     Plug
:hardware-observe        linux-steam-integration,makemkv,mame,unvanquished
:home                    audacity,chromium,corebird,discord,get-iplayer,gimp,gitter-desktop,gnome-logs,handbrake-jz,inkscape,irccloud-desktop,linux-steam-integration,makemkv,mame,mattermost-desktop,mkvtoolnix-jz,mumble,newsboat,spotify,telegram-desktop,vlc
:network                 azure-cli,boa,chromium,cncredalert,corebird,cryptoinfo,cryptowatch,discord,get-iplayer,gitter-desktop,gnome-logs,guessita,handbrake-jz,hdhomerun-config,irccloud-desktop,linux-steam-integration,lxd,mame,mattermost-desktop,mumble,newsboat,spotify,supertuxkart,telegram-desktop,tinc,tvheadend,tvhproxy,vlc
:network-bind            cncredalert,django-gunicorn,get-iplayer,gitter-desktop,irccloud-desktop,mame,mattermost-desktop,mkvtoolnix-jz,nginx-hda-bundle,telegram-desktop,tinc,tvheadend,tvhproxy,vlc
:opengl                  boa,chromium,cncredalert,corebird,discord,gimp,gitter-desktop,irccloud-desktop,linux-steam-integration,makemkv,mame,mattermost-desktop,mumble,spotify,supertuxkart,unvanquished,vlc
:optical-drive           makemkv,mame,vlc
:process-control         cncredalert,makemkv,mame
:pulseaudio              audacity,boa,chromium,cncredalert,corebird,discord,gitter-desktop,irccloud-desktop,linux-steam-integration,mame,mattermost-desktop,mumble,spotify,supertuxkart,telegram-desktop,unvanquished,vlc
:screen-inhibit-control  chromium,discord,linux-steam-integration,mame,unvanquished,vlc
:unity7                  boa,chromium,corebird,discord,gimp,gitter-desktop,gnome-logs,inkscape,irccloud-desktop,linux-steam-integration,mame,mattermost-desktop,mumble,spotify,telegram-desktop,vlc
-                        mame:joystick
-                        mame:mount-observe

As you can see screen-inhibit-control is correctly connected so this denial should not be happening. The interface must be broken then.

cc/ @jdstrand

ogra · February 23, 2018, 1:14pm

i think there was a fix recently, can you try with a newer core snap (edge) ?

https://github.com/snapcore/snapd/pull/4255

lucyllewy · February 23, 2018, 1:15pm

Just to document, in case you’re correct that a newer core fixes it, my current version is:

snap    2.31.1+18.04
snapd   2.31.1+18.04
series  16
ubuntu  18.04
kernel  4.13.0-32-generic

I’ll go test a newer core now… please hold, caller. Your custom is important to us…

lucyllewy · February 23, 2018, 1:19pm

Note, I didn’t reboot after refreshing core… (should I have?)

new core:

snap    2.31.1+git587.d3e52a0~ubuntu16.04.1
snapd   2.31.1+git587.d3e52a0~ubuntu16.04.1
series  16
ubuntu  18.04
kernel  4.13.0-32-generic

Still has a denial:

= AppArmor =
Time: Feb 23 13:17:39
Log: apparmor="DENIED" operation="dbus_method_call"  bus="session" path="/org/gnome/ScreenSaver" interface="org.gnome.ScreenSaver" member="SimulateUserActivity" mask="send" name="org.gnome.ScreenSaver" pid=22032 label="snap.mame.mame" peer_pid=5470 peer_label="unconfined"
DBus access
Suggestion:
* try adding 'screen-inhibit-control' to 'plugs'

zyga-snapd · February 23, 2018, 1:29pm

We allow this (edited)

dbus (send)
    bus=session
    path=/{,org/freedesktop/,org.gnome/}ScreenSaver
    interface=org.freedesktop.ScreenSaver
    member={Inhibit,UnInhibit,SimulateUserActivity}
    peer=(label=unconfined),

As you can see the path is wrong, it should say org/gnome instead of org.gnome

jdstrand · February 23, 2018, 4:18pm

https://github.com/snapcore/snapd/pull/4733