Public bug reported:

After the chromium snap auto updated:

$ snap changes chromium
ID   Status  Spawn                   Ready                   Summary
310  Done    yesterday at 14:34 CET  yesterday at 14:36 CET  Auto-refresh snap "chromium"

I get a lot of apparmor denial error messages on /var/log/kernel.log:

Jan 13 14:36:11 falcon kernel: [15453.080547] audit: type=1400 audit(1578922571.568:111): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.chromium.chromium" pid=22548 comm="apparmor_parser"
Jan 13 14:36:24 falcon kernel: [15465.911905] audit: type=1400 audit(1578922584.400:116): apparmor="DENIED" operation="mknod" profile="snap.chromium.chromium" name=2F686F6D652F6B6C656265722F736E61702F6368726F6D69756D2F3937312F2E636F6E6669672F6368726F6D69756D2F50726F66696C6520312F2E6F72672E6368726F6D69756D2E4368726F6D69756D2E52365548686F pid=8163 comm="ThreadPoolForeg" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Jan 13 14:36:44 falcon kernel: [15485.517324] audit: type=1400 audit(1578922604.009:117): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name=2F686F6D652F6B6C656265722F736E61702F6368726F6D69756D2F3937312F2E636F6E6669672F6368726F6D69756D2F50726F66696C6520312F436F6F6B6965732D6A6F75726E616C pid=8163 comm="ThreadPoolForeg" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000

And the list goes on and on. Less than 24h later there are about 18801
apparmor denial error messages in the log.

This is probably obvious and expected, but just some additional info
about the running processes:

$ ps aux | grep  chromium | tail -n1
kleber   23283  0.0  0.6 1479568 104872 ?      Sl   10:10   0:06 /snap/chromium/971/usr/lib/chromium-browser/chrome --type=renderer --disable-webrtc-apm-in-audio-service --force-color-profile=srgb --field-trial-handle=8276679174007623735,3874660843479004072,131072 --lang=en-US --disable-oor-cors --enable-auto-reload --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=16818215954149295646 --renderer-client-id=443 --no-v8-untrusted-code-mitigations --shared-files=v8_context_snapshot_data:100,v8_natives_data:101

Chromium is still running revision 971, but the 'current' version is set
to the newest version:

$ ls -la /snap/chromium/
total 8
drwxr-xr-x  4 root root 4096 Jan 13 14:36 .
drwxr-xr-x 20 root root 4096 Nov 20 14:01 ..
drwxr-xr-x 11 root root  257 Dec 11 00:29 971
drwxr-xr-x 11 root root  257 Jan  9 00:59 986
lrwxrwxrwx  1 root root    3 Jan 13 14:36 current -> 986


I have filtered my kernel.log with only the chromium-related messages after the
update and tried to get some more info about the denials:

$ grep -Po "comm=\".*?\"" /tmp/snap_log | sort | uniq
comm="Chrome_HistoryT"
comm="Chrome_SyncThre"
comm="ThreadPoolForeg"
comm="ThreadPoolSingl"
comm="apparmor_parser"

$ grep -Po "operation=\".*?\"" /tmp/snap_log | sort | uniq
operation="dbus_method_call"
operation="mkdir"
operation="mknod"
operation="open"
operation="profile_replace"
operation="rename_src"
operation="truncate"
operation="unlink"

The practical outcome of these errors is that some of the icons on the
bookmark bar get replaced by a default icon and my browser history and
open tabs don't get updated, so the history is empty and when I exit the
browser it gets restored with the history and open tabs as they were
before the update.

System info:
$ snap version 
snap    2.42.5
snapd   2.42.5
series  16
ubuntu  19.10
kernel  5.4.0-8-generic

** Affects: chromium-browser (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: snap

** Tags added: snap

https://bugs.launchpad.net/bugs/1859609

Title:
  [snap] lots of apparmor denials after snap update
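
The `name=` values in the DENIED records of this report are unquoted hex because the kernel audit code hex-encodes any value containing a space, quote or control byte (here the space in "Profile 1"). The following Python is an added example, not part of the original report: it decodes those fields and counts denials per operation and per snap revision found in the path. The names `parse_record` and `summarize_denials` are this example's own.

```python
import re
from collections import Counter

# Records copied from the report above, with the e-mail line wrapping undone.
SAMPLE_LOG = """\
Jan 13 14:36:11 falcon kernel: [15453.080547] audit: type=1400 audit(1578922571.568:111): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.chromium.chromium" pid=22548 comm="apparmor_parser"
Jan 13 14:36:24 falcon kernel: [15465.911905] audit: type=1400 audit(1578922584.400:116): apparmor="DENIED" operation="mknod" profile="snap.chromium.chromium" name=2F686F6D652F6B6C656265722F736E61702F6368726F6D69756D2F3937312F2E636F6E6669672F6368726F6D69756D2F50726F66696C6520312F2E6F72672E6368726F6D69756D2E4368726F6D69756D2E52365548686F pid=8163 comm="ThreadPoolForeg" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Jan 13 14:36:44 falcon kernel: [15485.517324] audit: type=1400 audit(1578922604.009:117): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name=2F686F6D652F6B6C656265722F736E61702F6368726F6D69756D2F3937312F2E636F6E6669672F6368726F6D69756D2F50726F66696C6520312F436F6F6B6965732D6A6F75726E616C pid=8163 comm="ThreadPoolForeg" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted" or key=bare
UNTRUSTED = {"name", "comm"}                        # fields the kernel may hex-encode
SNAP_PATH = re.compile(r"/snap/([^/]+)/([^/]+)/")   # .../snap/<snap>/<revision>/...

def parse_record(line):
    """Split one audit line into a dict, decoding hex-encoded values."""
    rec = {}
    for m in FIELD.finditer(line):
        key, quoted, bare = m.groups()
        if quoted is not None:
            rec[key] = quoted
        elif key in UNTRUSTED and re.fullmatch(r"(?:[0-9A-F]{2})+", bare):
            # Unquoted and all hex: the raw value held a space, quote or control byte.
            rec[key] = bytes.fromhex(bare).decode("utf-8", "replace")
        else:
            rec[key] = bare  # numeric fields such as pid= stay as written
    return rec

def summarize_denials(text):
    """Count DENIED records per (operation, snap revision in the denied path)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_record(line)
        if rec.get("apparmor") != "DENIED":
            continue
        m = SNAP_PATH.search(rec.get("name", ""))
        counts[(rec.get("operation"), m.group(2) if m else None)] += 1
    return counts

if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        rec = parse_record(line)
        print(rec.get("apparmor"), rec.get("operation"),
              rec.get("requested_mask", "-"), rec.get("name"))
    print(summarize_denials(SAMPLE_LOG))
```

Run against the full filtered log (`/tmp/snap_log` in the report), the summary shows at a glance which revision directory the denied paths belong to.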
