UDisks2 interface doesn't allow use of the DBus.Properties interface

Hi!

We need to query UDisks2 node properties but AppArmor denies those requests.

We’re trying to get the 'org.freedesktop.UDisks2.Filesystem.MountPoints' property and are getting the following error message:

dbus.exceptions.DBusException: org.freedesktop.DBus.Error.AccessDenied: An AppArmor policy prevents this sender from sending this message to this recipient; type="method_call", sender=":1.235" (uid=0 pid=6064 comm="python3 -m screenly.client.netconfig -c /var/snap/") interface="org.freedesktop.DBus.Properties" member="Get" error name="(unset)" requested_reply="0" destination=":1.4" (uid=0 pid=1254 comm="/snap/udisks2/90/libexec/udisks2/udisksd ")

I can see that interface usage is allowed in the AppArmor file:

dbus (receive, send)
    bus=system
    path=/org/freedesktop/UDisks2/**
    interface=org.freedesktop.DBus.Properties
    peer=(label="snap.udisks2.udisksd"),

I tried this on edge.

pi@localhost:/var/lib/snapd/apparmor/profiles$ snap version
snap    2.26.4+git222.3172786~ubuntu16.04.1
snapd   2.26.4+git222.3172786~ubuntu16.04.1
series  16
kernel  4.4.0-1051-raspi2

Update:

Mounting works fine itself, so I can see devices in the mount command output.

Are you using the udisks2 interface with your snap? Is the AppArmor snippet from the file for your snap application?

@morphis, yes, I use that interface and the AppArmor snippet is from that interface. As I mentioned, mounting by using DBus works just fine, but getting the mount point list fails with the error.

Also, I can confirm that it’s connected udisks2:service screenly-client:udisks2,udisks2:client.

Here is the whole udisks2 snippet.

@renat2017 will look into this one

Thanks @koza for helping!

Tried to enable introspection (which is allowed according to the apparmor file), and now getting one more error message:

ERROR:dbus.proxies:Introspect error on :1.4:/org/freedesktop/UDisks2/block_devices/mmcblk0p1: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.AccessDenied: An AppArmor policy prevents this sender from sending this message to this recipient; type="method_call", 
    sender=":1.2701" (uid=0 pid=6071 comm="python3 -m screenly.client.netconfig -c /var/snap/")
    interface="org.freedesktop.DBus.Introspectable"
    member="Introspect"
    error name="(unset)" 
    requested_reply="0"
    destination=":1.4" (uid=0 pid=1585 comm="/snap/udisks2/94/libexec/udisks2/udisksd ")

@renat2017 could you share the snap.udisks2.udisksd from /var/lib/snapd/apparmor/profiles. Thanks

@koza, sure. https://paste.ubuntu.com/24807678/

Yes, I can see now: even if my snap can send DBus messages to udisksd, udisksd is not allowed to receive anything but a restricted set of properties.

thanks, looking at it

shouldn’t it be screenly-client.netconfig instead?

No. That’s a module path and it’s not related to the udev labeling.

Notice that the rule below works just fine.

# Allow access to the Udisks2 API
dbus (receive, send)
    bus=system
    path=/org/freedesktop/UDisks2/**
    interface=org.freedesktop.UDisks2.*
    peer=(label="snap.screenly-client.netconfig"),

I guess something is wrong with another rule:

dbus (send)
    bus=system
    path=/org/freedesktop/UDisks2/**
    interface=org.freedesktop.DBus.Properties
    member=PropertiesChanged  # <==== Maybe here? I don't know what it means, unfortunately
    peer=(label="snap.screenly-client.netconfig"),

Ok, got it. Looking further

@renat2017 Which snapd version are you using? The generated rule has changed with https://github.com/snapcore/snapd/pull/3195 which is part of 2.25. Can you please check that you’re using the right snapd version?

@morphis, thank you for your response.

As I mentioned in the first post - I used snapd 2.26.4+git222.3172786~ubuntu16.04.1. I use edge channel so maybe snap refresh core will do the trick?

I will try to do so and I will try to downgrade if it won’t fix the issue.

Thanks.

Can you try to disconnect and connect the plug/slot again? Could be that the AppArmor profile wasn’t refreshed after snapd was updated.

@morphis, the issue stays the same:

dbus.exceptions.DBusException: org.freedesktop.DBus.Error.AccessDenied: An AppArmor policy prevents this sender from sending this message to this recipient; 
type="method_call", 
sender=":1.2077" (uid=0 pid=29776 comm="python3 -m screenly.client.netconfig -c /var/snap/")
interface="org.freedesktop.DBus.Properties"
member="Get"
error name="(unset)"
requested_reply="0"
destination=":1.506" (uid=0 pid=8669 comm="/snap/udisks2/107/libexec/udisks2/udisksd ")

Snap version after the update is: snapd 2.26.4+git234.5f77219~ubuntu16.04.1, so it was updated from 222 to 234.

Another update. Installing the client snap in devmode didn’t help. I will try to install the udisks2 in a devmode and look if it will help.

@morphis.

So, if I install the client snap in devmode, the issue doesn’t disappear and I am still getting errors related to the “Properties” interface. If I install udisks2 in devmode - errors related to the Properties interface disappear and only errors related to the “Introspectable” interface persist. If I install both client and udisks2 in devmode - all dbus errors disappear.
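
Added example, not part of any post in this thread and not snapd code: a simplified Python model of the two-sided D-Bus mediation check, using only the rules quoted above. `fnmatch` stands in for AppArmor's own glob matcher, and the assignment of each rule to the client or udisksd profile is read from the thread; the result for `Properties.Get` and `Introspect` is consistent with the devmode observations reported above.

```python
import re
from fnmatch import fnmatchcase

# Rules as quoted in this thread. fnmatch is a stand-in for AppArmor's matcher,
# and rules not quoted in the thread are not modelled.
CLIENT_LABEL = "snap.screenly-client.netconfig"
SERVICE_LABEL = "snap.udisks2.udisksd"
PATH = "/org/freedesktop/UDisks2/**"

CLIENT_RULES = [  # client snap profile (first snippet in the thread)
    dict(perms={"receive", "send"}, path=PATH, member="*",
         interface="org.freedesktop.DBus.Properties", peer=SERVICE_LABEL),
]
SERVICE_RULES = [  # udisksd profile (later snippets in the thread)
    dict(perms={"receive", "send"}, path=PATH, member="*",
         interface="org.freedesktop.UDisks2.*", peer=CLIENT_LABEL),
    dict(perms={"send"}, path=PATH, member="PropertiesChanged",
         interface="org.freedesktop.DBus.Properties", peer=CLIENT_LABEL),
]

def parse_denial(text):
    """Extract (interface, member) from an AccessDenied message."""
    fields = dict(re.findall(r'(\w+)="([^"]*)"', text))
    return fields["interface"], fields["member"]

def allowed(rules, perm, path, interface, member, peer):
    """True if any rule grants `perm` for this message and peer label."""
    return any(perm in r["perms"]
               and fnmatchcase(path, r["path"])
               and fnmatchcase(interface, r["interface"])
               and fnmatchcase(member, r["member"])
               and fnmatchcase(peer, r["peer"])
               for r in rules)

def check_call(path, interface, member):
    """A method call needs 'send' on the caller side and 'receive' on the service side."""
    return {
        "client_send": allowed(CLIENT_RULES, "send", path, interface, member, SERVICE_LABEL),
        "service_receive": allowed(SERVICE_RULES, "receive", path, interface, member, CLIENT_LABEL),
    }

# Constructed sample, shortened from the error text in the thread.
DENIAL = ('type="method_call", sender=":1.235" interface="org.freedesktop.DBus.Properties" '
          'member="Get" error name="(unset)" requested_reply="0" destination=":1.4"')
BLOCK_DEVICE = "/org/freedesktop/UDisks2/block_devices/mmcblk0p1"

if __name__ == "__main__":
    print(check_call(BLOCK_DEVICE, *parse_denial(DENIAL)))
    print(check_call(BLOCK_DEVICE, "org.freedesktop.DBus.Introspectable", "Introspect"))
```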

Can you paste the full AppArmor profile for your application and udisksd somewhere?