Telegram-desktop being denied access .Xauthority by apparmor

p0p · December 10, 2019, 12:38am

I’m installing telegram-desktop and trying to run it but it crashes just after loading taskbar icon. If I install using --devmode it’s works ok so assuming it’s the apparmor confinement that’s crashing it - logs would back this up.

Flatpak telegram-desktop also works but I’m trying to stick with snapd if I can.

System:

Operating System: Manjaro Linux 
KDE Plasma Version: 5.17.3
KDE Frameworks Version: 5.64.0
Qt Version: 5.13.2
Kernel Version: 5.3.12-1-MANJARO
OS Type: 64-bit
Processors: 8 × Intel® Core™ i7-3632QM CPU @ 2.20GHz
Memory: 15.3 GiB of RAM

snap details:

Name               Version                     Rev   Tracking  Publisher         Notes
core               16-2.42.4                   8213  stable    canonical✓        core
core18             20191126                    1279  stable    canonical✓        base
gnome-3-28-1804    3.28.0-16-g27c9498.27c9498  110   stable    canonical✓        -
gtk-common-themes  0.1-25-gcc83164             1353  stable    canonical✓        -
snapd              2.42.4                      5643  stable    canonical✓        snapd
telegram-desktop   1.8.15                      994   stable    telegram.desktop  -

apparmor

apparmor module is loaded.
15 profiles are loaded.
15 profiles are in enforce mode.
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /var/lib/snapd/snap/core/8213/usr/lib/snapd/snap-confine
   /var/lib/snapd/snap/core/8213/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /var/lib/snapd/snap/snapd/5643/usr/lib/snapd/snap-confine
   /var/lib/snapd/snap/snapd/5643/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   lsb_release
   nvidia_modprobe
   nvidia_modprobe//kmod
   snap-update-ns.core
   snap-update-ns.firefox
   snap-update-ns.telegram-desktop
   snap.core.hook.configure
   snap.firefox.firefox
   snap.telegram-desktop.telegram-desktop
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

Logs:

[53462.040590] audit: type=1400 audit(1575937468.114:499): apparmor="DENIED" operation="open" profile="snap-update-ns.telegram-desktop" name="/sys/kernel/mm/transparent_hugepage/hpage_pmd_size" pid=28346 comm="5" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[53462.290562] audit: type=1400 audit(1575937468.364:500): apparmor="DENIED" operation="open" profile="snap.telegram-desktop.telegram-desktop" name="/var/lib/snapd/desktop/icons/" pid=28330 comm="desktop-launch" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[53462.356964] audit: type=1400 audit(1575937468.431:501): apparmor="DENIED" operation="open" profile="snap.telegram-desktop.telegram-desktop" name="/run/user/1000/.Xauthority" pid=28330 comm="Telegram" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[53462.358366] audit: type=1326 audit(1575937468.431:502): auid=1000 uid=1000 gid=1000 ses=2 subj==snap.telegram-desktop.telegram-desktop (enforce) pid=28534 comm="Telegram" exe="/snap/telegram-desktop/994/bin/Telegram" sig=0 arch=c000003e syscall=101 compat=0 ip=0x206c859 code=0x50000
[53462.371183] audit: type=1701 audit(1575937468.444:503): auid=1000 uid=1000 gid=1000 ses=2 subj==snap.telegram-desktop.telegram-desktop (enforce) pid=28330 comm="Telegram" exe="/snap/telegram-desktop/994/bin/Telegram" sig=6 res=1

Other thoughts:

I used a snap before this called telega - it’s an el package for emacs and I authenticated with telegram servers and used it for an hour or so but then decided I wanted the desktop electron client instead.
I’ve raised a bug with telegram-desktop on their github issues but more or less the same info as here.
Somebody on jupiter broadcasting telegram installed manjaro, kde and snapd with telegram-desktop but didn’t get this issue

mborzecki · December 10, 2019, 7:48am

As far as I know, /run/user/<uid>/.Xauthority was migrated from /tmp/*/.Xauthority for the given user by snap run. On my system with GDM, it’s at /run/user/<uid>/gdm/.Xauthority, but if you use some other display manager (xdm, sddm), the file may indeed be in /tmp, in which case it would get migrated.

Looking at the builtin interfaces, the x11 interface lists:

# Allow access to the user specific copy of the xauth file specified
# in the XAUTHORITY environment variable, that "snap run" creates on
# startup.
owner /run/user/[0-9]*/.Xauthority r,

However, telegram-desktop snap does not use x11(?) and works correctly here:

$ snap connections telegram-desktop
Interface              Plug                              Slot                            Notes
content[gtk-3-themes]  telegram-desktop:gtk-3-themes     gtk-common-themes:gtk-3-themes  -
content[icon-themes]   telegram-desktop:icon-themes      gtk-common-themes:icon-themes   -
content[sound-themes]  telegram-desktop:sound-themes     gtk-common-themes:sound-themes  -
desktop                telegram-desktop:desktop          :desktop                        -
desktop-legacy         telegram-desktop:desktop-legacy   :desktop-legacy                 -
gsettings              telegram-desktop:gsettings        :gsettings                      -
home                   telegram-desktop:home             :home                           -
network                telegram-desktop:network          :network                        -
network-bind           telegram-desktop:network-bind     :network-bind                   -
network-manager        telegram-desktop:network-manager  -                               -
pulseaudio             telegram-desktop:pulseaudio       :pulseaudio                     -
removable-media        telegram-desktop:removable-media  -                               -
unity7                 telegram-desktop:unity7           :unity7                         -

Looks like the unity7 interface pulls in abstractions/X that allows accessing /run/user/<uid>/gdm/.Xauthority among others.

I see 2 ways of fixing this. First one is to have telegram-desktop use the x11 interface. Second, is perhaps extend the unity7 interface to allow access to migrated Xauthority file (cc @jdstrand). It already pulls in abstractions/X so migrated Xauthority being omitted feels like a bug.

jdstrand · December 10, 2019, 12:07pm

The unity7 interface is historical and new policy is typically not added to it to encourage developers to move into the new style desktop interfaces. This is explained in some detail here: The desktop interfaces. The best course of action if for telegram-desktop to add x11, and I commented as such in the upstream bug.

While there is an argument that unity7 could be updated, please keep in mind the unity7 interface was designed to work with the unity 7 desktop environment and the known systems with unity 7 as the DE used an abstract socket for X instead of a named socket in /tmp. This bug is for KDE plasma on manjaro, not unity7 so a) it doesn’t surprise me that telegram-desktop not plugging x11 doesn’t work and b) as per the desktop interfaces, the x11, wayland, desktop and desktop-legacy interfaces were specifically added to support other DEs generically.

p0p · December 10, 2019, 12:58pm

tbh - the conv is a bit over my head but thanks for this thread I’m starting to learn from it. t

Just to clarify from me, the bug isn’t confirmed yet by any other users apart from me. somebody spun up manjaro kde in a vm and snap installed telegram worked though they claimed they had to enable apparmor manually which doesn’t sound right to me.

What concerns me more is that there aren’t others reporting this as an issue. I’d image snapd on manjaro + KDE is a pretty common combo and telegram-desktop a popular application. That’s not to say it’s not an issue though, the telegram-desktop team have circa 1,180 issues to wade through which I consider quite high.

It could just be my set up but from the investigation and reinstalling I’ve done I can’t see how. Maybe apparmor could have got confused? as mentioned it’s working with --devmode.

From what I can tell (I’m not a telegram-desktop dev) telegram-desktop is written with qt5 as is KDE plasma so they’ve that in common. KDE plasma is using SDDM and X11 (at least for me). I’m not sure if that helps at all. I did try adding in a line to the apparmor profile for telegram-desktop and restarted apparmor but it made no difference…

So maybe the issue could be to do with apparmor. Does installing snapd install apparmor as a dependency and if so do you think removing apparmor completely and reinstalling it worth a try or something similar? Or would I be going up the wrong route with that…

jdstrand · December 10, 2019, 2:12pm

Most desktop snaps plugs the x11 interface to support more than the unity7 desktop. telegram-desktop does not but should.

p0p · December 10, 2019, 11:50pm

It would be good if they sort this out so I’m glad we’ve brought it to their attention.

For now though I’ve found telega snap and I’m loving the telegram in emacs :)

andamod · January 17, 2020, 4:56pm

I run Manjaro KDE and I am getting the same errors as you are. I do have Chromium working with no problems. I ran Kubuntu before switching to Manjaro and it worked on Kubuntu fine.