UDisks2 interface doesn't allow to use DBus.Properties interface

renat2017 · June 6, 2017, 3:24pm

Hi!

We need to query UDisks2 node properties but AppArmor denies those requests.

We’re trying to get 'org.freedesktop.UDisks2.Filesystem.MountPoints' property and getting following error message:

dbus.exceptions.DBusException: org.freedesktop.DBus.Error.AccessDenied: An AppArmor policy prevents this sender from sending this message to this recipient; type="method_call", sender=":1.235" (uid=0 pid=6064 comm="python3 -m screenly.client.netconfig -c /var/snap/") interface="org.freedesktop.DBus.Properties" member="Get" error name="(unset)" requested_reply="0" destination=":1.4" (uid=0 pid=1254 comm="/snap/udisks2/90/libexec/udisks2/udisksd ")

I can see that interface usage is allowed from the apparmor file

dbus (receive, send)
    bus=system
    path=/org/freedesktop/UDisks2/**
    interface=org.freedesktop.DBus.Properties
    peer=(label="snap.udisks2.udisksd"),

I tried this on edge.

pi@localhost:/var/lib/snapd/apparmor/profiles$ snap version
snap    2.26.4+git222.3172786~ubuntu16.04.1
snapd   2.26.4+git222.3172786~ubuntu16.04.1
series  16
kernel  4.4.0-1051-raspi2

Update:

Mounting works fine itself, so I can see devices in the mount command output.

morphis · June 6, 2017, 4:07pm

Are you using the udisks2 interface with your snap? Is the AppArmor snippet from the file for your snap application?

renat2017 · June 7, 2017, 7:48am

@morphis, yes, I use that interface and app-armor snippet is from that interface. As I mentioned - mounting by using DBus works just fine, but getting mount point list fails with the error.

Also, I can confirm that it’s connected udisks2:service screenly-client:udisks2,udisks2:client.

Here is the whole udisks2 snippet.

koza · June 7, 2017, 8:41am

@renat2017 will look into this one

morphis · June 7, 2017, 9:41am

Thanks @koza for helping!

renat2017 · June 7, 2017, 10:48am

Tried to enable introspection (which is allowed according to the apparmor file), and now getting one more error message:

ERROR:dbus.proxies:Introspect error on :1.4:/org/freedesktop/UDisks2/block_devices/mmcblk0p1: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.AccessDenied: An AppArmor policy prevents this sender from sending this message to this recipient; type="method_call", 
    sender=":1.2701" (uid=0 pid=6071 comm="python3 -m screenly.client.netconfig -c /var/snap/")
    interface="org.freedesktop.DBus.Introspectable"
    member="Introspect"
    error name="(unset)" 
    requested_reply="0"
    destination=":1.4" (uid=0 pid=1585 comm="/snap/udisks2/94/libexec/udisks2/udisksd ")

koza · June 8, 2017, 12:00pm

@renat2017 could you share the snap.udisks2.udisksd from /var/lib/snapd/apparmor/profiles. Thanks

renat2017 · June 8, 2017, 12:46pm

@koza, sure. https://paste.ubuntu.com/24807678/

renat2017 · June 8, 2017, 12:48pm

Yes, I can see now, even if my snap can send DBus messages to udiskd - udiskd is not allowed to receive anything but a restricted set of properties.

koza · June 8, 2017, 1:00pm

thanks, looking at it

koza · June 8, 2017, 1:22pm

shouldn’t it be screenly-client.netconfig instead?

renat2017 · June 8, 2017, 2:07pm

No. That’s a module path and it’s not related to the udev labeling.

Notice that the rule below works just fine.

# Allow access to the Udisks2 API
dbus (receive, send)
    bus=system
    path=/org/freedesktop/UDisks2/**
    interface=org.freedesktop.UDisks2.*
    peer=(label="snap.screenly-client.netconfig"),

I guess - something wrong is with another rule

dbus (send)
    bus=system
    path=/org/freedesktop/UDisks2/**
    interface=org.freedesktop.DBus.Properties
    member=PropertiesChanged  # <==== Maybe here? I don't know what does it mean, unforutnately
    peer=(label="snap.screenly-client.netconfig"),

koza · June 8, 2017, 3:47pm

Ok, got it. Looking further

morphis · June 12, 2017, 5:48am

@renat2017 Which snapd version are you using? The generated rule has changed with https://github.com/snapcore/snapd/pull/3195 which is part of 2.25. Can you please check that you’re using the right snapd version?

renat2017 · June 12, 2017, 8:47am

@morphis, thank you for your response.

As I mentioned in the first post - I used snapd 2.26.4+git222.3172786~ubuntu16.04.1. I use edge channel so maybe snap refresh core will do the trick?

I will try to do so and I will try to downgrade if it won’t fix the issue.

Thanks.

morphis · June 12, 2017, 8:59am

Can you try to disconnect and connect the plug/slot again? Could be that the AppArmor profile wasn’t refreshed after snapd was updated.

renat2017 · June 12, 2017, 11:20am

@morphis, the issue stays the same:

dbus.exceptions.DBusException: org.freedesktop.DBus.Error.AccessDenied: An AppArmor policy prevents this sender from sending this message to this recipient; 
type="method_call", 
sender=":1.2077" (uid=0 pid=29776 comm="python3 -m screenly.client.netconfig -c /var/snap/")
interface="org.freedesktop.DBus.Properties"
member="Get"
error
name="(unset)"
requested_reply="0"
destination=":1.506" (uid=0 pid=8669 comm="/snap/udisks2/107/libexec/udisks2/udisksd ")

Snap version after the update is: snapd 2.26.4+git234.5f77219~ubuntu16.04.1, so it was updated from 222 to 234.

renat2017 · June 12, 2017, 11:28am

Another update. Installing the client snap in devmode didn’t help. I will try to install the udisks2 in a devmode and look if it will help.

renat2017 · June 12, 2017, 11:52am

@morphis.

So, if I install the client snap in devmode, the issue doesn’t disappear and I am still getting errors related to the “Properties” interface. If I install udisks2 in devmode - errors related to the Properties interface disappear and only errors related to the “Introspectable” interface persist. If I install both client and udisks2 in devmode - all dbus errors disappear.

morphis · June 12, 2017, 11:56am

Can you paste the full AppArmor profile for your application and udisksd somehwere?