I managed to get a debug setup working. For anyone trying this, this is what works:
Install dbus-tests and replace your /usr/bin/dbus-daemon with a shell script (stash the original binary as dbus-daemon.real):
#!/bin/sh
export DBUS_VERBOSE=0
exec /usr/lib/dbus-1.0/debug-build/bin/dbus-daemon "$@"
Now reboot your system and wait for gdm to start. Don’t log in just yet (in gdm). Use ssh to log in remotely and flip DBUS_VERBOSE=1. Log in in gdm now. Doing this naively will probably fail for you (unless you have a very fast machine), as the amount of logging is so huge you will hit dbus message response timeouts and things will fall apart.
Disable things that like to chatter over dbus; in my case I just disabled wifi.
Open a terminal and, having installed a snap (I used the gimp snap), run:
snap run --shell gimp
In another terminal, start collecting logs with: journalctl -f | tee bug.log
In the first terminal that is now waiting in the gimp execution environment run:
xdg-open http://example.org
Wait for it to fail and then interrupt journalctl.
This is the log I got: https://paste.ubuntu.com/26393163/
And @jdstrand already found the interesting part:
19:12 < jdstrand> sty 15 19:10:15 kaedwen dbus-daemon[2413]: 2413: 0x7f86619c78c0: 1516039815.743271 [bus/activation.c(1803):bus_activation_activate_service] activation not authorized:
org.freedesktop.DBus.Error.AccessDenied: An AppArmor policy prevents this sender from sending this message to this recipient; type="method_call", sender=":1.74" (uid=1000 pid=4280
comm="dbus-send --print-reply --session --dest=io.snapcr" label="snap.gimp.gimp (enforce)") interface="io.
It looks like dbus is not correctly looking up the peer label.
EDIT: CC @tyhicks who wrote the apparmor patch for dbus in bionic.
For some context, the patch header is this:
From: Tyler Hicks <tyhicks@canonical.com>
Date: Fri, 15 Aug 2014 13:37:15 -0500
Subject: Add DBus method to return the AA context of a connection
Allows the AppArmor label that is attached to a D-Bus connection to be
queried using the unique connection name.
For example,
$ dbus-send --print-reply --system --dest=org.freedesktop.DBus \
/org/freedesktop/DBus \
org.freedesktop.DBus.GetConnectionAppArmorSecurityContext string::1.4
method return sender=org.freedesktop.DBus -> dest=:1.50 reply_serial=2
string "/usr/sbin/cupsd"
[Altered by Simon McVittie: survive non-UTF-8 contexts which
would otherwise be a local denial of service, except that Ubuntu
inherits a non-fatal warnings patch from Debian; new commit message
taken from the Ubuntu changelog; do not emit unreachable code if
AppArmor is disabled.]
Forwarded: not-needed
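
A small filter for a bug.log collected as described above, as an added example that is not part of the original post: it picks the AppArmor denial lines out of the verbose dbus-daemon output and extracts the sender-side fields. The sample lines are constructed, modelled on the denial quoted in the post; the interface and member values in them are placeholders.

```python
import re
import sys

# Text that marks the denial in the dbus-daemon log line quoted in the post.
DENIAL_MARKER = "An AppArmor policy prevents this sender"

# key="value" pairs. Values can contain spaces and parentheses, e.g.
# label="snap.gimp.gimp (enforce)", so match on the quotes, not on brackets.
QUOTED = re.compile(r'(\w+)="([^"]*)"')
# uid and pid are written without quotes.
BARE = re.compile(r'\b(uid|pid)=(\d+)')

def parse_denial(line):
    """Return the fields of one denial line as a dict, or None if no denial."""
    idx = line.find(DENIAL_MARKER)
    if idx < 0:
        return None
    detail = line[idx:]
    fields = {}
    # The sender's details come first in the message, so keep the first
    # value seen for each key and ignore any later (recipient) repeats.
    for key, value in QUOTED.findall(detail):
        fields.setdefault(key, value)
    for key, value in BARE.findall(detail):
        fields.setdefault(key, int(value))
    return fields

def denials(lines):
    """Filter an iterable of log lines down to parsed AppArmor denials."""
    return [d for d in map(parse_denial, lines) if d is not None]

# Constructed sample input: one noise line and one denial line.
SAMPLE = [
    'host dbus-daemon[2413]: constructed noise line, unrelated verbose output',
    'host dbus-daemon[2413]: activation not authorized: '
    'org.freedesktop.DBus.Error.AccessDenied: An AppArmor policy prevents '
    'this sender from sending this message to this recipient; '
    'type="method_call", sender=":1.74" (uid=1000 pid=4280 '
    'comm="dbus-send --print-reply" label="snap.gimp.gimp (enforce)") '
    'interface="org.example.Placeholder" member="Placeholder"',
]

if __name__ == "__main__":
    # Usage: python3 denials.py bug.log   (falls back to the sample)
    lines = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE
    for d in denials(lines):
        print(d.get("label"), d.get("pid"), d.get("comm"), d.get("interface"))
```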