Xdg-user-dirs and dconf AppArmor denials

Hi all,

I recently noticed that some snaps of desktop applications are generating AppArmor denials for xdg-user-dirs and dconf, even though the gsettings interface is included in the snapcraft.yaml. Can anyone shed any light on this, perhaps @kenvandine?

Oct  6 15:54:19 skull kernel: [366973.628165] audit: type=1400 audit(1507301659.701:3994): apparmor="DENIED" operation="open" profile="snap.wire.wire" name="/etc/xdg/user-dirs.conf" pid=14388 comm="xdg-user-dirs-u" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct  6 15:54:19 skull kernel: [366973.668856] audit: type=1400 audit(1507301659.741:3995): apparmor="DENIED" operation="file_mmap" profile="snap.wire.wire" name="/home/martin/.config/dconf/user" pid=14375 comm="wire-desktop" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000

yeah, I’ve been noticing this, too, but figured I was going mad :-p

This should be added to the desktop and unity7 interfaces. The other denial is due to "Various AppArmor denials for Wire snap".

Are you saying to add the desktop or unity7 plug to the snaps we’re mentioning, or was this a cryptic allusion that snapd should magically acquire functionality?

I’m sorry if it was cryptic, I tried to be clear. We need to add read access to that file in the desktop and unity7 interfaces. I have taken this as a TODO.

gotcha, thanks for clarifying :-)

https://github.com/snapcore/snapd/pull/4097 has a fix for the user-dirs files. I’ve requested this for 2.29.

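Added example (not code from any poster in this thread or from snapd): a Python parser for AppArmor `DENIED` audit records like the two quoted in the first post, which groups the denied paths and permissions per profile and prints them as AppArmor file-rule lines to compare against the interface policy. The function names are hypothetical, the sample input is the thread's two log lines, and decoding unquoted hex values assumes the audit subsystem's usual encoding of strings with special characters.

```python
import re
from collections import defaultdict

# Sample input: the two denial records quoted in the first post of the thread.
SAMPLE_LOG = """\
Oct  6 15:54:19 skull kernel: [366973.628165] audit: type=1400 audit(1507301659.701:3994): apparmor="DENIED" operation="open" profile="snap.wire.wire" name="/etc/xdg/user-dirs.conf" pid=14388 comm="xdg-user-dirs-u" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct  6 15:54:19 skull kernel: [366973.668856] audit: type=1400 audit(1507301659.741:3995): apparmor="DENIED" operation="file_mmap" profile="snap.wire.wire" name="/home/martin/.config/dconf/user" pid=14375 comm="wire-desktop" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
"""

# key="quoted value" or key=bare_value
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
HEX_RE = re.compile(r"(?:[0-9A-Fa-f]{2})+")


def parse_denial(line):
    """Return the key=value fields of one AppArmor DENIED record, or None."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields = {}
    for key, raw, quoted in FIELD_RE.findall(line):
        if raw.startswith('"'):
            fields[key] = quoted
        elif key in ("name", "comm", "profile") and HEX_RE.fullmatch(raw):
            # Assumption: an unquoted string field is hex-encoded by audit.
            fields[key] = bytes.fromhex(raw).decode("utf-8", "replace")
        else:
            fields[key] = raw
    return fields


def summarise(log_text):
    """Map profile -> {path: denied permission letters} for file denials."""
    acc = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        d = parse_denial(line)
        if d and "name" in d:
            acc[d.get("profile", "?")][d["name"]].update(d.get("denied_mask", ""))
    return {p: {n: "".join(sorted(m)) for n, m in paths.items()}
            for p, paths in acc.items()}


def candidate_rules(log_text):
    """Render each denied path as an AppArmor file rule line for review."""
    return {p: [f"{path} {mask}," for path, mask in sorted(paths.items())]
            for p, paths in summarise(log_text).items()}


if __name__ == "__main__":
    for profile, rules in candidate_rules(SAMPLE_LOG).items():
        print(profile, *rules, sep="\n  ")
```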