Web browsers can't write files downloaded to /media/<vboxsf>/subdir

The problem is observed on all installed snapped browsers. Web browsers of several vendors/brands are installed. A browser installed from a classic package is not affected.

The system runs in a virtual machine. The host shares one folder with the guest. Sharing is powered by VirtualBox Guest Additions. The user wants all file downloads made in a running browser snap to be stored in that host-guest shared folder. This doesn’t work: in the end the download fails, e.g. with the message “Failed”, in the following use case: follow a link to a PDF, the PDF opens in the browser’s built-in PDF reader, then do Save. Another scenario: right-click on a link to a PDF file, then do Save Link As…, then select the desired destination in the Save to window, which produces the error message “The file could not be saved because you don’t have proper permissions. Choose another save directory”.

If the user tries to modify the permissions of a snap app, she does it using the Snap Store app.

On the other hand, the user can copy files from home to the desired location using the shell without any problems. One can also see in the top utility that all processes started by the running browser snap run under the same user account as the user who started the browser snap and is using it to download from the web.

[theuser@mach ~]$ ls -alh /media/
total 12K
drwxr-xr-x  3 root root   4.0K Feb 13 20:21 .
drwxr-xr-x 18 root root   4.0K Feb  3 13:02 ..
drwxrwx---  1 root vboxsf  510 Feb 12 01:05 hgshare
[theuser@mach ~]$


[theuser@mach ~]$ ls -alh /media/hgshare/
total 12K
drwxrwx--- 1 root vboxsf  510 Feb 12 01:05  .
drwxr-xr-x 3 root root   4.0K Feb 13 20:21  ..
drwxrwx--- 1 root vboxsf  238 Feb 13 20:20 'allourdownloads'
[theuser@mach ~]$

/media/hgshare/ is the mount point (guest side) of the host-guest shared folder.

/media/hgshare/allourdownloads is the location where the user wants to save downloads, see the description above.

Below is the journalctl snappy-debug output. Log content might vary from one browser snap to another. Nevertheless, all tested browsers show the same final problem, except for the browser from the classic package.

Firefox snap starts

kernel.printk_ratelimit = 0
= Seccomp =
Time: Feb 13 21:34:36
Log: auid=1000 uid=1000 gid=1000 ses=2 subj=snap.firefox.firefox (enforce) pid=4957 comm="firefox" exe="/snap/firefox/2311/usr/lib/firefox/firefox" sig=0 arch=c000003e 314(sched_setattr) compat=0 ip=0x7f2a2f4fb73d code=0x50000
Syscall: sched_setattr
Suggestion:

  • add ‘process-control’ to ‘plugs’

The user opens a URL in the browser snap, then she follows a link to a PDF document, the document opens in a new tab (PDF reader), and finally she clicks Save in the newly opened tab

= AppArmor =
Time: Feb 13 21:38:32
Log: apparmor="DENIED" operation="open" profile="snap.firefox.firefox" name="/etc/fstab" pid=4957 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /etc/fstab (read)
Suggestions:

  • adjust program to read necessary files from $SNAP, $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON
  • adjust snap to use snap layouts (Snap layouts)
  • add ‘mount-observe’ to ‘plugs’

= AppArmor =
Time: Feb 13 21:38:32
Log: apparmor="DENIED" operation="open" profile="snap.firefox.firefox" name="/run/mount/utab" pid=4957 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /run/mount/utab (read)
Suggestions:

  • adjust program to use $SNAP_DATA
  • adjust program to use /run/shm/snap.$SNAP_NAME.*
  • adjust program to use /run/snap.$SNAP_NAME.*
  • adjust snap to use snap layouts (Snap layouts)
  • add ‘mount-observe’ to ‘plugs’

The user navigates in the Save to window to the desired download destination, and finally clicks the Save button

= AppArmor =
Time: Feb 13 21:43:17
Log: apparmor="DENIED" operation="mkdir" profile="snap.firefox.firefox" name="/media/hgshare/" pid=4957 comm=4261636B67726F7E506F6F6C202333 requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
File: /media/hgshare/ (write)
Suggestion:

  • adjust program to write to $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON

top output filtered to COMMAND=firefox:

 PID USER    PR NI    VIRT    RES    SHR S %CPU %MEM   TIME+ COMMAND
5829 theuser 20  0 3549048 371316 191688 S  0.0  4.7 0:07.23 firefox

How to fix it?

UPDATE

[theuser@mach ~]$ snap connections firefox
Interface                 Plug                            Slot                             Notes
audio-playback            firefox:audio-playback          :audio-playback                -
audio-record              firefox:audio-record           -                                -
avahi-observe             firefox:avahi-observe           -                                -
browser-support           firefox:browser-sandbox         :browser-support                 -
camera                    firefox:camera                  -                                -
content[gnome-3-38-2004]  firefox:gnome-3-38-2004         gnome-3-38-2004:gnome-3-38-2004  -
content[gtk-3-themes]     firefox:gtk-3-themes            gtk-common-themes:gtk-3-themes   -
content[icon-themes]      firefox:icon-themes             gtk-common-themes:icon-themes    -
content[sound-themes]     firefox:sound-themes            gtk-common-themes:sound-themes   -
cups-control              firefox:cups-control            :cups-control                    -
dbus                      -                               firefox:dbus-daemon              -
desktop                   firefox:desktop                 :desktop                         -
desktop-legacy            firefox:desktop-legacy          :desktop-legacy                  -
gsettings                 firefox:gsettings               :gsettings                       -
hardware-observe          firefox:hardware-observe        -                                -
home                      firefox:home                    :home                            -
joystick                  firefox:joystick                -                                -
mount-control             firefox:host-hunspell           -                                -
mpris                     -                               firefox:mpris                    -
network                   firefox:network                 :network                         -
network-bind              firefox:network-bind            -                                -
network-observe           firefox:network-observe         -                                -
opengl                    firefox:opengl                  :opengl                          -
personal-files            firefox:dot-mozilla-firefox     :personal-files                  -
removable-media           firefox:removable-media         :removable-media                 -
screen-inhibit-control    firefox:screen-inhibit-control  -                                -
system-files              firefox:etc-firefox             -                                -
system-packages-doc       firefox:system-packages-doc     -                                -
u2f-devices               firefox:u2f-devices             -                                -
unity7                    firefox:unity7                  :unity7                          -
upower-observe            firefox:upower-observe          -                                -
wayland                   firefox:wayland                 :wayland                         -
x11                       firefox:x11                     :x11          -
[theuser@mach ~]$

snap connections | grep removable
removable-media                                    brave:removable-media                         :removable-media                                                                -
removable-media                                    chromium:removable-media                      :removable-media                                                                -
removable-media                                    firefox:removable-media                       :removable-media                                                                -
removable-media                                    freecad:removable-media                       :removable-media                                                                manual
removable-media                                    gnuplot-editor-unofficial:removable-media     :removable-media                                                                manual
removable-media                                    opera:removable-media                         :removable-media                                                                -

UPDATE II

journalctl output filtered

System boot

Feb 14 09:11:24 mach systemd[1]: Mounting Mount unit for firefox, revision 2277...
Feb 14 09:11:24 mach systemd[1]: Mounting Mount unit for firefox, revision 2311...
Feb 14 09:11:25 mach systemd[1]: Mounted Mount unit for firefox, revision 2277.
Feb 14 09:11:25 mach systemd[1]: Mounted Mount unit for firefox, revision 2311.
Feb 14 09:11:26 mach audit[748]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="snap-update-ns.firefox" pid=748 comm="apparmor_parser"
Feb 14 09:11:26 mach audit[785]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="snap.firefox.firefox" pid=785 comm="apparmor_parser"
Feb 14 09:11:26 mach audit[786]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="snap.firefox.geckodriver" pid=786 comm="apparmor_parser"
Feb 14 09:11:26 mach audit[787]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="snap.firefox.hook.configure" pid=787 comm="apparmor_parser"
Feb 14 09:11:26 mach audit[788]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="snap.firefox.hook.connect-plug-host-hunspell" pid=788 comm="apparmor_parser"
Feb 14 09:11:26 mach audit[789]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="snap.firefox.hook.disconnect-plug-host-hunspell" pid=789 comm="apparmor_parser"
Feb 14 09:11:26 mach audit[790]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="snap.firefox.hook.post-refresh" pid=790 comm="apparmor_parser"
Feb 14 10:21:30 mach snapd[814]: storehelpers.go:769: cannot refresh: snap has no updates available: "bare", "brave", "chromium-ffmpeg", "core", "core18", "core20", "cups", "firefox", "gnome-3-28-1804", "gnome-3-38-2004", "gtk-common-themes", "gtk2-common-themes", "hunspell-dictionaries-1-7-2004", "kde-frameworks-5-91-qt-5-15-3-core20", "kde-frameworks-5-96-qt-5-15-5-core20", "opera", "snap-store", "snapd", "snappy-debug"

Start of Firefox snap

Feb 14 10:39:05 mach systemd[1238]: Started snap.firefox.firefox.80a8adad-5f2d-4d87-8464-460ae5c191cf.scope.
Feb 14 10:39:06 mach audit[2460]: SECCOMP auid=1000 uid=1000 gid=1000 ses=2 subj=snap.firefox.firefox (enforce) pid=2460 comm="firefox" exe="/snap/firefox/2311/usr/lib/firefox/firefox" sig=0 arch=c000003e syscall=314 compat=0 ip=0x7fc66bfe473d code=0x50000
Feb 14 10:39:06 mach kernel: audit: type=1326 audit(1676367546.989:392): auid=1000 uid=1000 gid=1000 ses=2 subj=snap.firefox.firefox (enforce) pid=2460 comm="firefox" exe="/snap/firefox/2311/usr/lib/firefox/firefox" sig=0 arch=c000003e syscall=314 compat=0 ip=0x7fc66bfe473d code=0x50000

Download a file

Feb 14 10:48:24 mach audit[2460]: AVC apparmor="DENIED" operation="open" profile="snap.firefox.firefox" name="/etc/fstab" pid=2460 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Feb 14 10:48:24 mach audit[2460]: SYSCALL arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7fc669aabd0e a2=80000 a3=0 items=0 ppid=1422 pid=2460 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="firefox" exe="/snap/firefox/2311/usr/lib/firefox/firefox" subj=snap.firefox.firefox (enforce) key=(null)
Feb 14 10:48:24 mach kernel: audit: type=1400 audit(1676368104.668:393): apparmor="DENIED" operation="open" profile="snap.firefox.firefox" name="/etc/fstab" pid=2460 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Feb 14 10:48:24 mach kernel: audit: type=1300 audit(1676368104.668:393): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7fc669aabd0e a2=80000 a3=0 items=0 ppid=1422 pid=2460 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="firefox" exe="/snap/firefox/2311/usr/lib/firefox/firefox" subj=snap.firefox.firefox (enforce) key=(null)
Feb 14 10:48:24 mach audit[2460]: AVC apparmor="DENIED" operation="open" profile="snap.firefox.firefox" name="/run/mount/utab" pid=2460 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Feb 14 10:48:24 mach audit[2460]: SYSCALL arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7fc669aabd82 a2=80000 a3=0 items=0 ppid=1422 pid=2460 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="firefox" exe="/snap/firefox/2311/usr/lib/firefox/firefox" subj=snap.firefox.firefox (enforce) key=(null)
Feb 14 10:48:24 mach kernel: audit: type=1400 audit(1676368104.671:394): apparmor="DENIED" operation="open" profile="snap.firefox.firefox" name="/run/mount/utab" pid=2460 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Feb 14 10:48:24 mach kernel: audit: type=1300 audit(1676368104.671:394): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7fc669aabd82 a2=80000 a3=0 items=0 ppid=1422 pid=2460 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="firefox" exe="/snap/firefox/2311/usr/lib/firefox/firefox" subj=snap.firefox.firefox (enforce) key=(null)
Feb 14 10:48:24 mach dbus-daemon[812]: [system] Activating via systemd: service name='org.freedesktop.hostname1' unit='dbus-org.freedesktop.hostname1.service' requested by ':1.71' (uid=1000 pid=2460 comm="/snap/firefox/2311/usr/lib/firefox/firefox")
Feb 14 10:48:24 mach audit[2460]: AVC apparmor="DENIED" operation="open" profile="snap.firefox.firefox" name="/run/mount/utab" pid=2460 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Feb 14 10:48:24 mach audit[2460]: SYSCALL arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7fc669aabd82 a2=80000 a3=0 items=0 ppid=1422 pid=2460 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="firefox" exe="/snap/firefox/2311/usr/lib/firefox/firefox" subj=snap.firefox.firefox (enforce) key=(null)
Feb 14 10:48:24 mach kernel: audit: type=1400 audit(1676368104.838:398): apparmor="DENIED" operation="open" profile="snap.firefox.firefox" name="/run/mount/utab" pid=2460 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

Feb 14 10:49:23 mach audit[2460]: AVC apparmor="DENIED" operation="mkdir" profile="snap.firefox.firefox" name="/media/hgshare/" pid=2460 comm=4261636B67726F7E506F6F6C202333 requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Feb 14 10:49:23 mach audit[2460]: SYSCALL arch=c000003e syscall=83 success=no exit=-13 a0=7fc6152ac6c8 a1=1ed a2=0 a3=ffffffff items=0 ppid=1422 pid=2460 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm=4261636B67726F7E506F6F6C202333 exe="/snap/firefox/2311/usr/lib/firefox/firefox" subj=snap.firefox.firefox (enforce) key=(null)
Feb 14 10:49:23 mach audit: PROCTITLE proctitle="/snap/firefox/2311/usr/lib/firefox/firefox"
Feb 14 10:49:23 mach kernel: audit: type=1400 audit(1676368163.184:404): apparmor="DENIED" operation="mkdir" profile="snap.firefox.firefox" name="/media/hgshare/" pid=2460 comm=4261636B67726F7E506F6F6C202333 requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Feb 14 10:49:23 mach kernel: audit: type=1300 audit(1676368163.184:404): arch=c000003e syscall=83 success=no exit=-13 a0=7fc6152ac6c8 a1=1ed a2=0 a3=ffffffff items=0 ppid=1422 pid=2460 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm=4261636B67726F7E506F6F6C202333 exe="/snap/firefox/2311/usr/lib/firefox/firefox" subj=snap.firefox.firefox (enforce) key=(null)
Feb 14 10:49:23 mach kernel: audit: type=1327 audit(1676368163.184:404): proctitle="/snap/firefox/2311/usr/lib/firefox/firefox"

Interestingly, the Inkscape snap app newly installed on the same machine doesn’t show this problem: it writes to /media/hgshare/allourdownloads with no trouble.
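
Added example, not part of the original post: a small Python triage script for journal output like the above. It extracts AppArmor `DENIED` records, decodes the hex-encoded `comm` field (the audit subsystem writes such strings as bare hex when they contain spaces or other unsafe characters) and counts each distinct denial once. The sample lines are copied from the post; the function names are this example's own.

```python
import re
from collections import Counter

# Sample input: four lines copied from the journalctl output in the post.
SAMPLE = '''\
Feb 14 10:48:24 mach audit[2460]: AVC apparmor="DENIED" operation="open" profile="snap.firefox.firefox" name="/etc/fstab" pid=2460 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Feb 14 10:48:24 mach kernel: audit: type=1400 audit(1676368104.668:393): apparmor="DENIED" operation="open" profile="snap.firefox.firefox" name="/etc/fstab" pid=2460 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Feb 14 10:49:23 mach audit[2460]: AVC apparmor="DENIED" operation="mkdir" profile="snap.firefox.firefox" name="/media/hgshare/" pid=2460 comm=4261636B67726F7E506F6F6C202333 requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Feb 14 09:11:26 mach audit[785]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="snap.firefox.firefox" pid=785 comm="apparmor_parser"
'''

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted" or key=bare
HEX = re.compile(r'(?:[0-9A-Fa-f]{2})+')
HEX_FIELDS = {"comm", "name"}   # string fields that audit may emit as bare hex

def parse_denial(line):
    """Return the key/value fields of an AppArmor DENIED record, or None."""
    fields = {}
    for m in FIELD.finditer(line):
        key, quoted, bare = m.groups()
        if bare is not None and key in HEX_FIELDS and HEX.fullmatch(bare):
            # Unquoted value in a string field: hex-encoded, so decode it.
            fields[key] = bytes.fromhex(bare).decode("utf-8", "replace")
        else:
            fields[key] = quoted if bare is None else bare
    return fields if fields.get("apparmor") == "DENIED" else None

def summarize(text):
    """Count denials by (profile, operation, path, denied mask, thread name)."""
    counts = Counter()
    for line in text.splitlines():
        # Assumption: auditd-tagged "AVC" lines are present, so the
        # "kernel: audit:" copy of each record is skipped as a duplicate.
        if " AVC " not in line:
            continue
        d = parse_denial(line)
        if d:
            counts[(d["profile"], d["operation"], d["name"],
                    d["denied_mask"], d["comm"])] += 1
    return counts

if __name__ == "__main__":
    for (profile, op, path, mask, comm), n in summarize(SAMPLE).items():
        print(f"{n}x {profile}: {op} {path} mask={mask} comm={comm!r}")
```
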