Xdg-user-dirs and dconf AppArmor denials

Wimpress · October 6, 2017, 2:59pm

Hi all,

I recently noticed that some snaps of desktop applications are generating AppArmor denials for xdg-user-dirs and dconf, even though the gsettings interface is included in the snapcraft.yaml. Can anyone shed any light on this, perhaps @kenvandine?

Oct  6 15:54:19 skull kernel: [366973.628165] audit: type=1400 audit(1507301659.701:3994): apparmor="DENIED" operation="open" profile="snap.wire.wire" name="/etc/xdg/user-dirs.conf" pid=14388 comm="xdg-user-dirs-u" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct  6 15:54:19 skull kernel: [366973.668856] audit: type=1400 audit(1507301659.741:3995): apparmor="DENIED" operation="file_mmap" profile="snap.wire.wire" name="/home/martin/.config/dconf/user" pid=14375 comm="wire-desktop" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000

lucyllewy · October 6, 2017, 3:27pm

yeah, I’ve been noticing this, too, but figured I was going mad :-p

jdstrand · October 6, 2017, 4:54pm

This should be added to the desktop and unity7 interface. The other denial is due to Various AppArmor denials for Wire snap - #2 by niemeyer

lucyllewy · October 6, 2017, 5:31pm

Are you saying to add the desktop or unity7 plug to the snaps we’re mentioning, or was this a cryptic allusion that snapd should magically acquire functionality?

jdstrand · October 6, 2017, 5:45pm

I’m sorry if it was cryptic, I tried to be clear. We need to add read access to that file in the desktop and unity7 interfaces. I have taken this as a TODO.

lucyllewy · October 6, 2017, 5:46pm

gotcha, thanks for clarifying

jdstrand · October 27, 2017, 6:31pm

https://github.com/snapcore/snapd/pull/4097 has a fix for the user-dirs files. I’ve requested this for 2.29.