Public bug reported:

I've been working on snapping an app (shairport-sync) that uses Avahi.
Currently on startup it's logging the following in the system logs, and
is not showing up in avahi-browse:

    type=USER_AVC msg=audit(1589774287.950:1675435): pid=1759 uid=102 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/" interface="org.freedesktop.DBus.Peer" member="Ping" mask="send" name="org.freedesktop.Avahi" pid=3965241 label="snap.shairport-sync.shairport-sync" peer_pid=2184133 peer_label="avahi-daemon" exe="/usr/bin/dbus-daemon" sauid=102 hostname=? addr=? terminal=?'

I see the following in avahi_observe.go:

    dbus (receive)
        bus=system
        path=/
        interface=org.freedesktop.DBus.Peer
        member=Ping
        peer=(label=###PLUG_SECURITY_TAGS###),

Other rules seem to be of this form:

    peer=(name=org.freedesktop.Avahi,label=###SLOT_SECURITY_TAGS###),

and as you can see above the denied message has
name="org.freedesktop.Avahi".

As an experiment I reinstalled my snap in devmode and got the following:

    type=USER_AVC msg=audit(1589775249.321:1676149): pid=1759 uid=102 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call" bus="system" path="/" interface="org.freedesktop.DBus.Peer" member="Ping" mask="send" name="org.freedesktop.Avahi" pid=3988011 label="snap.shairport-sync.shairport-sync" peer_pid=2184133 peer_label="avahi-daemon" exe="/usr/bin/dbus-daemon" sauid=102 hostname=? addr=? terminal=?'

followed by lots of other happy-looking messages, e.g.:

    type=USER_AVC msg=audit(1589775249.321:1676150): pid=1759 uid=102 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call" bus="system" path="/" interface="org.freedesktop.Avahi.Server" member="GetAPIVersion" mask="send" name="org.freedesktop.Avahi" pid=3988011 label="snap.shairport-sync.shairport-sync" peer_pid=2184133 peer_label="avahi-daemon" exe="/usr/bin/dbus-daemon" sauid=102 hostname=? addr=? terminal=?'

and my machine appeared in avahi-browse and was visible to my other mDNS
devices.

Given all this I suspect the rule for Ping above is too restrictive and
should be loosened to allow the denied message above.

For reference, here's the full devmode trace:
https://pastebin.canonical.com/p/PmMNQF3S3g/

    [agnew(~)] snap version
    snap    2.44.3+20.04
    snapd   2.44.3+20.04
    series  16
    ubuntu  20.04
    kernel  5.4.0-21-generic
    [agnew(~)] _

** Affects: snapd (Ubuntu)
     Importance: Undecided
         Status: New

-- 
https://bugs.launchpad.net/bugs/1879231

Title:
  avahi dbus permissions for Ping method need updating
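
Added example (not part of the bug report and not snapd code): a simplified matcher that compares the quoted denial with the quoted rule field by field. CANDIDATE_RULE is a constructed, hypothetical rule, and the comparison is plain string equality rather than AppArmor's real matching.

```python
import re

# Inner msg='...' of the denial quoted in the report (audit envelope trimmed).
DENIAL = ('apparmor="DENIED" operation="dbus_method_call" bus="system" path="/" '
          'interface="org.freedesktop.DBus.Peer" member="Ping" mask="send" '
          'name="org.freedesktop.Avahi" label="snap.shairport-sync.shairport-sync" '
          'peer_label="avahi-daemon"')

# Rule as quoted in the report from avahi_observe.go.
QUOTED_RULE = """dbus (receive)
    bus=system
    path=/
    interface=org.freedesktop.DBus.Peer
    member=Ping
    peer=(label=###PLUG_SECURITY_TAGS###),"""

# Constructed candidate (an assumption, not snapd's code): a send rule using
# the peer form the report says the other rules have.
CANDIDATE_RULE = """dbus (send)
    bus=system
    path=/
    interface=org.freedesktop.DBus.Peer
    member=Ping
    peer=(name=org.freedesktop.Avahi,label=###SLOT_SECURITY_TAGS###),"""

def parse_denial(msg):
    """Return the key="value" pairs of an AppArmor audit message as a dict."""
    return dict(re.findall(r'(\w+)="([^"]*)"', msg))

def parse_rule(text):
    """Parse one dbus rule into access set, plain conditions and peer conditions."""
    head = re.match(r'\s*dbus\s*\(([^)]*)\)', text)
    peer = re.search(r'peer=\(([^)]*)\)', text)
    body = text[head.end():peer.start() if peer else len(text)]
    rule = dict(re.findall(r'(\w+)=([^\s,]+)', body))
    rule["access"] = {a.strip() for a in head.group(1).split(",")}
    rule["peer"] = dict(kv.split("=", 1) for kv in peer.group(1).split(",")) if peer else {}
    return rule

def mismatches(rule, denial):
    """List the conditions that keep `rule` from covering `denial`.
    Simplified: exact string comparison, no globbing; ###...### label
    templates are skipped because snapd fills them in when it generates the profile."""
    bad = [] if denial["mask"] in rule["access"] else ["access"]
    bad += [k for k in ("bus", "path", "interface", "member")
            if k in rule and rule[k] != denial.get(k)]
    if rule["peer"].get("name", denial.get("name")) != denial.get("name"):
        bad.append("peer name")
    return bad
```

For the quoted rule the only differing field is the access: the rule grants receive while the denied call has mask="send".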
