** Also affects: apparmor (Ubuntu)
   Importance: Undecided
       Status: New

** Description changed:

  Ubuntu 26.04 (pre-release) with snapd 2.74 has a regression where
  AppArmor blocks network receive operations for Electron-based snaps with
  strict confinement, causing all HTTPS connections to fail.
  
  All Electron-based snaps with strict confinement are completely broken -
  unable to connect to any HTTPS endpoints.
  
  AFFECTED APPLICATIONS:
+ - element (tested, confirmed broken)
  - prospect-mail (tested, confirmed broken)
  - teams-for-linux (tested, confirmed broken)
  - Potentially: VS Code, Slack, Discord, and all other Electron snaps
+ - sbuild+unshare (LP: #2141364)
  
  SYMPTOMS:
  1. SSL handshake fails: net_error -10 (ERR_CERT_AUTHORITY_INVALID)
  2. App error: "Failed to load URL: https://... with error: ERR_ACCESS_DENIED"
  3. Blank page displayed instead of web content
  
  ROOT CAUSE:
  AppArmor could be denying network receive operations on IPv6 HTTPS (port 443):
  
- apparmor="DENIED" operation="file_perm" class="net" 
- profile="snap.teams-for-linux.teams-for-linux" 
- faddr=2603:1063:27:1::14 fport=443 family="inet6" 
- sock_type="stream" protocol=6 
+ apparmor="DENIED" operation="file_perm" class="net"
+ profile="snap.teams-for-linux.teams-for-linux"
+ faddr=2603:1063:27:1::14 fport=443 family="inet6"
+ sock_type="stream" protocol=6
  requested="receive" denied="receive"
  
  SYSTEM INFO:
  - Ubuntu: 26.04 (pre-release)
  - snapd: 2.74+ubuntu26.04
  - Kernel: 6.19.0-3-generic
  - snap version output: 2.74
  
  REGRESSION:
  - Broken: Ubuntu 26.04 with today's update and restart.
  
  STEPS TO REPRODUCE:
  1. Install Ubuntu 26.04 (pre-release)
  2. Install teams-for-linux snap: snap install teams-for-linux
  3. Launch: teams-for-linux
  4. Observe SSL errors and AppArmor denials: journalctl -b | grep apparmor | grep DENIED
  
  EXPECTED: Electron snaps can establish HTTPS connections
  ACTUAL: AppArmor blocks network receive, all HTTPS connections fail
  
  WORKAROUND:
  Use classic confinement (defeats security purpose)
  
  FULL APPARMOR LOG for teams-for-linux:
- Feb 09 12:20:52 kernel: audit: type=1400 audit(1770636052.778:4101): 
- apparmor="DENIED" operation="file_perm" class="net" 
- profile="snap.teams-for-linux.teams-for-linux" pid=133551 
- comm="Chrome_ChildIOT" laddr=2a02:8109:a09e:2d00:a71a:d52c:a574:cd43 
- lport=53180 faddr=2a00:1450:4008:806::200e fport=443 family="inet6" 
+ Feb 09 12:20:52 kernel: audit: type=1400 audit(1770636052.778:4101):
+ apparmor="DENIED" operation="file_perm" class="net"
+ profile="snap.teams-for-linux.teams-for-linux" pid=133551
+ comm="Chrome_ChildIOT" laddr=2a02:8109:a09e:2d00:a71a:d52c:a574:cd43
+ lport=53180 faddr=2a00:1450:4008:806::200e fport=443 family="inet6"
  sock_type="stream" protocol=6 requested="receive" denied="receive"
- 
  
  Log for prospect-mail:
  
  $ prospect-mail
  
  (prospect-mail:150690): Gtk-WARNING **: 12:37:44.087: Theme parsing
  error: gtk.css:1413:23: 'font-feature-settings' is not a valid property
  name
  
  (prospect-mail:150690): Gtk-WARNING **: 12:37:44.091: Theme parsing
  error: gtk.css:3286:25: 'font-feature-settings' is not a valid property
  name
  
  (prospect-mail:150690): Gtk-WARNING **: 12:37:44.092: Theme parsing error: 
gtk.css:3748:23: 'font-feature-settings' is not a valid property name
  Loaded settings {
-   mainMailServiceUrl: 'https://outlook.office.com/mail',
-   deeplinkUrls: [
-     'outlook.live.com/mail/deeplink',
-     'outlook.office365.com/mail/deeplink',
-     'outlook.office.com/mail/deeplink',
-     'outlook.office.com/calendar/deeplink',
-     'to-do.office.com/tasks'
-   ],
-   mailServicesUrls: [ 'outlook.live.com', 'outlook.office365.com', 
'outlook.office.com' ],
-   safelinksUrls: [
-     'outlook.office.com/mail/safelink.html',
-     'safelinks.protection.outlook.com'
-   ]
+   mainMailServiceUrl: 'https://outlook.office.com/mail',
+   deeplinkUrls: [
+     'outlook.live.com/mail/deeplink',
+     'outlook.office365.com/mail/deeplink',
+     'outlook.office.com/mail/deeplink',
+     'outlook.office.com/calendar/deeplink',
+     'to-do.office.com/tasks'
+   ],
+   mailServicesUrls: [ 'outlook.live.com', 'outlook.office365.com', 
'outlook.office.com' ],
+   safelinksUrls: [
+     'outlook.office.com/mail/safelink.html',
+     'safelinks.protection.outlook.com'
+   ]
  }
  libGL error: MESA-LOADER: failed to open iris (search paths 
/snap/prospect-mail/75/gnome-platform/usr/lib/x86_64-linux-gnu/dri)
  libGL error: failed to load driver: iris
  libGL error: MESA-LOADER: failed to open swrast (search paths 
/snap/prospect-mail/75/gnome-platform/usr/lib/x86_64-linux-gnu/dri)
  libGL error: failed to load driver: swrast
  [150913:0209/123744.785246:ERROR:ui/gl/angle_platform_impl.cc:42] 
Display.cpp:1093 (initialize): ANGLE Display::initialize error 12289: Could not 
create a backing OpenGL context.
  ERR: Display.cpp:1093 (initialize): ANGLE Display::initialize error 12289: 
Could not create a backing OpenGL context.
  [150913:0209/123744.785366:ERROR:ui/gl/egl_util.cc:92] EGL Driver message 
(Critical) eglInitialize: Could not create a backing OpenGL context.
  [150913:0209/123744.785399:ERROR:ui/gl/gl_display.cc:639] eglInitialize 
OpenGL failed with error EGL_NOT_INITIALIZED, trying next display type
  [150913:0209/123744.786076:ERROR:ui/gl/angle_platform_impl.cc:42] 
Display.cpp:1093 (initialize): ANGLE Display::initialize error 12289: Could not 
create a backing OpenGL context.
  ERR: Display.cpp:1093 (initialize): ANGLE Display::initialize error 12289: 
Could not create a backing OpenGL context.
  [150913:0209/123744.786133:ERROR:ui/gl/egl_util.cc:92] EGL Driver message 
(Critical) eglInitialize: Could not create a backing OpenGL context.
  [150913:0209/123744.786156:ERROR:ui/gl/gl_display.cc:639] eglInitialize 
OpenGLES failed with error EGL_NOT_INITIALIZED
  [150913:0209/123744.786176:ERROR:ui/gl/gl_display.cc:674] Initialization of 
all EGL display types failed.
  [150913:0209/123744.786200:ERROR:ui/ozone/common/gl_ozone_egl.cc:26] 
GLDisplayEGL::Initialize failed.
  [150913:0209/123744.788284:ERROR:ui/gl/angle_platform_impl.cc:42] 
Display.cpp:1093 (initialize): ANGLE Display::initialize error 12289: Could not 
create a backing OpenGL context.
  ERR: Display.cpp:1093 (initialize): ANGLE Display::initialize error 12289: 
Could not create a backing OpenGL context.
  [150913:0209/123744.788352:ERROR:ui/gl/egl_util.cc:92] EGL Driver message 
(Critical) eglInitialize: Could not create a backing OpenGL context.
  [150913:0209/123744.788392:ERROR:ui/gl/gl_display.cc:639] eglInitialize 
OpenGL failed with error EGL_NOT_INITIALIZED, trying next display type
  [150913:0209/123744.789184:ERROR:ui/gl/angle_platform_impl.cc:42] 
Display.cpp:1093 (initialize): ANGLE Display::initialize error 12289: Could not 
create a backing OpenGL context.
  ERR: Display.cpp:1093 (initialize): ANGLE Display::initialize error 12289: 
Could not create a backing OpenGL context.
  [150913:0209/123744.789231:ERROR:ui/gl/egl_util.cc:92] EGL Driver message 
(Critical) eglInitialize: Could not create a backing OpenGL context.
  [150913:0209/123744.789258:ERROR:ui/gl/gl_display.cc:639] eglInitialize 
OpenGLES failed with error EGL_NOT_INITIALIZED
  [150913:0209/123744.789284:ERROR:ui/gl/gl_display.cc:674] Initialization of 
all EGL display types failed.
  [150913:0209/123744.789309:ERROR:ui/ozone/common/gl_ozone_egl.cc:26] 
GLDisplayEGL::Initialize failed.
  
[150913:0209/123744.829927:ERROR:components/viz/service/main/viz_main_impl.cc:189]
 Exiting GPU process due to errors during initialization
  Custom User Agent: Mozilla/5.0 X11; Linux x86_64 AppleWebKit/537.36 (KHTML, 
like Gecko) Chrome/143.0.0.0 Safari/537.36 Edg/143.0.0.0
  
  (prospect-mail:150690): Gtk-WARNING **: 12:37:44.993: Theme parsing
  error: gtk-dark.css:1413:23: 'font-feature-settings' is not a valid
  property name
  
  (prospect-mail:150690): Gtk-WARNING **: 12:37:44.995: Theme parsing
  error: gtk-dark.css:3286:25: 'font-feature-settings' is not a valid
  property name
  
  (prospect-mail:150690): Gtk-WARNING **: 12:37:44.996: Theme parsing error: 
gtk-dark.css:3748:23: 'font-feature-settings' is not a valid property name
  libGL error: MESA-LOADER: failed to open iris (search paths 
/snap/prospect-mail/75/gnome-platform/usr/lib/x86_64-linux-gnu/dri)
  libGL error: failed to load driver: iris
  libGL error: MESA-LOADER: failed to open swrast (search paths 
/snap/prospect-mail/75/gnome-platform/usr/lib/x86_64-linux-gnu/dri)
  libGL error: failed to load driver: swrast
  [150950:0209/123745.102046:ERROR:ui/gl/angle_platform_impl.cc:42] 
Display.cpp:1093 (initialize): ANGLE Display::initialize error 12289: Could not 
create a backing OpenGL context.
  ERR: Display.cpp:1093 (initialize): ANGLE Display::initialize error 12289: 
Could not create a backing OpenGL context.
  [150950:0209/123745.102146:ERROR:ui/gl/egl_util.cc:92] EGL Driver message 
(Critical) eglInitialize: Could not create a backing OpenGL context.
  [150950:0209/123745.102186:ERROR:ui/gl/gl_display.cc:639] eglInitialize 
OpenGL failed with error EGL_NOT_INITIALIZED, trying next display type
  [150950:0209/123745.102800:ERROR:ui/gl/angle_platform_impl.cc:42] 
Display.cpp:1093 (initialize): ANGLE Display::initialize error 12289: Could not 
create a backing OpenGL context.
  ERR: Display.cpp:1093 (initialize): ANGLE Display::initialize error 12289: 
Could not create a backing OpenGL context.
  [150950:0209/123745.102830:ERROR:ui/gl/egl_util.cc:92] EGL Driver message 
(Critical) eglInitialize: Could not create a backing OpenGL context.
  [150950:0209/123745.102854:ERROR:ui/gl/gl_display.cc:639] eglInitialize 
OpenGLES failed with error EGL_NOT_INITIALIZED
  [150950:0209/123745.102878:ERROR:ui/gl/gl_display.cc:674] Initialization of 
all EGL display types failed.
  [150950:0209/123745.102904:ERROR:ui/ozone/common/gl_ozone_egl.cc:26] 
GLDisplayEGL::Initialize failed.
  [150950:0209/123745.105119:ERROR:ui/gl/angle_platform_impl.cc:42] 
Display.cpp:1093 (initialize): ANGLE Display::initialize error 12289: Could not 
create a backing OpenGL context.
  ERR: Display.cpp:1093 (initialize): ANGLE Display::initialize error 12289: 
Could not create a backing OpenGL context.
  [150950:0209/123745.105188:ERROR:ui/gl/egl_util.cc:92] EGL Driver message 
(Critical) eglInitialize: Could not create a backing OpenGL context.
  [150950:0209/123745.105210:ERROR:ui/gl/gl_display.cc:639] eglInitialize 
OpenGL failed with error EGL_NOT_INITIALIZED, trying next display type
  [150950:0209/123745.105798:ERROR:ui/gl/angle_platform_impl.cc:42] 
Display.cpp:1093 (initialize): ANGLE Display::initialize error 12289: Could not 
create a backing OpenGL context.
  ERR: Display.cpp:1093 (initialize): ANGLE Display::initialize error 12289: 
Could not create a backing OpenGL context.
  [150950:0209/123745.105826:ERROR:ui/gl/egl_util.cc:92] EGL Driver message 
(Critical) eglInitialize: Could not create a backing OpenGL context.
  [150950:0209/123745.105847:ERROR:ui/gl/gl_display.cc:639] eglInitialize 
OpenGLES failed with error EGL_NOT_INITIALIZED
  [150950:0209/123745.105867:ERROR:ui/gl/gl_display.cc:674] Initialization of 
all EGL display types failed.
  [150950:0209/123745.105886:ERROR:ui/ozone/common/gl_ozone_egl.cc:26] 
GLDisplayEGL::Initialize failed.
  
[150950:0209/123745.106596:ERROR:components/viz/service/main/viz_main_impl.cc:189]
 Exiting GPU process due to errors during initialization
  MESA-LOADER: failed to open iris (search paths 
/snap/prospect-mail/75/gnome-platform/usr/lib/x86_64-linux-gnu/dri)
  failed to load driver: iris
  MESA-LOADER: failed to open kms_swrast (search paths 
/snap/prospect-mail/75/gnome-platform/usr/lib/x86_64-linux-gnu/dri)
  failed to load driver: kms_swrast
  MESA-LOADER: failed to open swrast (search paths 
/snap/prospect-mail/75/gnome-platform/usr/lib/x86_64-linux-gnu/dri)
  failed to load swrast driver
  [150920:0209/123745.290838:ERROR:net/socket/ssl_client_socket_impl.cc:916] 
handshake failed; returned -1, SSL error code 1, net_error -10
  [150920:0209/123745.299953:ERROR:net/socket/ssl_client_socket_impl.cc:916] 
handshake failed; returned -1, SSL error code 1, net_error -10
  (node:150690) electron: Failed to load URL: https://outlook.office.com/mail 
with error: ERR_ACCESS_DENIED
  (Use `prospect-mail --trace-warnings ...` to show where the warning was 
created)
  Prepare 'main.css' to be injected.
  Prepare 'unread-number-observer.js' to be injected.
  (node:150690) [DEP0180] DeprecationWarning: fs.Stats constructor is 
deprecated.
  
  Log for teams-for-linux:
  
- $ teams-for-linux 
+ $ teams-for-linux
  No config file found (user or system-wide), using default values
  all good with screenSharingThumbnail you aren't using them
  all good with screenLockInhibitionMethod you aren't using them
  all good with ssoInTuneEnabled you aren't using them
  all good with ssoInTuneAuthUser you aren't using them
  Initialising logger with config: 
{"transports":{"console":{"level":"info"},"file":{"level":false}}}
  12:39:48.904 › configPath: 
/home/alarconj/snap/teams-for-linux/1155/.config/teams-for-linux
  12:39:48.906 › Running under Wayland, disabling GPU composition (default 
behavior)...
  12:39:48.906 › Enabling PipeWire for screen sharing...
  12:39:48.906 › Disabling GPU support...
  dbus-send: /snap/teams-for-linux/1155/lib/x86_64-linux-gnu/libdbus-1.so.3: 
version `LIBDBUS_PRIVATE_1.12.20' not found (required by dbus-send)
  12:39:48.932 › [CustomNotificationManager] Initialized and listening on 
"notification-show-toast" channel
  
  (teams-for-linux:152814): Gtk-WARNING **: 12:39:48.956: Theme parsing
  error: gtk.css:1413:23: 'font-feature-settings' is not a valid property
  name
  
  (teams-for-linux:152814): Gtk-WARNING **: 12:39:48.959: Theme parsing
  error: gtk.css:3286:25: 'font-feature-settings' is not a valid property
  name
  
  (teams-for-linux:152814): Gtk-WARNING **: 12:39:48.959: Theme parsing error: 
gtk.css:3748:23: 'font-feature-settings' is not a valid property name
  [152814:0209/123949.008056:ERROR:dbus/object_proxy.cc:573] Failed to call 
method: org.freedesktop.Secret.Service.ReadAlias: object_path= 
/org/freedesktop/secrets: org.freedesktop.DBus.Error.AccessDenied: An AppArmor 
policy prevents this sender from sending this message to this recipient; 
type="method_call", sender=":1.1388" (uid=1000 pid=152814 
comm="/snap/teams-for-linux/1155/teams-for-linux --ozone" 
label="snap.teams-for-linux.teams-for-linux (enforce)") 
interface="org.freedesktop.Secret.Service" member="ReadAlias" error 
name="(unset)" requested_reply="0" destination="org.freedesktop.secrets" 
(uid=1000 pid=3716 comm="/usr/bin/gnome-keyring-daemon --foreground --compo" 
label="unconfined")
  MESA-LOADER: failed to open iris (search paths 
/snap/teams-for-linux/1155/gnome-platform/usr/lib/x86_64-linux-gnu/dri)
  failed to load driver: iris
  MESA-LOADER: failed to open kms_swrast (search paths 
/snap/teams-for-linux/1155/gnome-platform/usr/lib/x86_64-linux-gnu/dri)
  failed to load driver: kms_swrast
  MESA-LOADER: failed to open swrast (search paths 
/snap/teams-for-linux/1155/gnome-platform/usr/lib/x86_64-linux-gnu/dri)
  failed to load swrast driver
  12:39:49.059 › 🔒 IPC Security: Channel allowlisting enabled
  12:39:49.059 › 🔒 IPC Security: 50 channels allowlisted
  
  (teams-for-linux:152814): Gtk-WARNING **: 12:39:49.082: Theme parsing
  error: gtk-dark.css:1413:23: 'font-feature-settings' is not a valid
  property name
  
  (teams-for-linux:152814): Gtk-WARNING **: 12:39:49.084: Theme parsing
  error: gtk-dark.css:3286:25: 'font-feature-settings' is not a valid
  property name
  
  (teams-for-linux:152814): Gtk-WARNING **: 12:39:49.085: Theme parsing error: 
gtk-dark.css:3748:23: 'font-feature-settings' is not a valid property name
  [152915:0209/123949.124882:ERROR:net/socket/ssl_client_socket_impl.cc:916] 
handshake failed; returned -1, SSL error code 1, net_error -10
  [152814:0209/123949.161887:ERROR:dbus/object_proxy.cc:573] Failed to call 
method: org.freedesktop.login1.Manager.Inhibit: object_path= 
/org/freedesktop/login1: org.freedesktop.DBus.Error.AccessDenied: An AppArmor 
policy prevents this sender from sending this message to this recipient; 
type="method_call", sender=":1.599" (uid=1000 pid=152814 
comm="/snap/teams-for-linux/1155/teams-for-linux --ozone" 
label="snap.teams-for-linux.teams-for-linux (enforce)") 
interface="org.freedesktop.login1.Manager" member="Inhibit" error 
name="(unset)" requested_reply="0" destination="org.freedesktop.login1" (uid=0 
pid=1528 comm="/usr/lib/systemd/systemd-logind" label="unconfined")
  [152915:0209/123949.206210:ERROR:net/socket/ssl_client_socket_impl.cc:916] 
handshake failed; returned -1, SSL error code 1, net_error -10
  [152915:0209/123949.732665:ERROR:net/socket/ssl_client_socket_impl.cc:916] 
handshake failed; returned -1, SSL error code 1, net_error -10
  [152915:0209/123950.248492:ERROR:net/socket/ssl_client_socket_impl.cc:916] 
handshake failed; returned -1, SSL error code 1, net_error -10
  [152915:0209/123950.768544:ERROR:net/socket/ssl_client_socket_impl.cc:916] 
handshake failed; returned -1, SSL error code 1, net_error -10
  [152915:0209/123951.289729:ERROR:net/socket/ssl_client_socket_impl.cc:916] 
handshake failed; returned -1, SSL error code 1, net_error -10
  [152915:0209/123951.833859:ERROR:net/socket/ssl_client_socket_impl.cc:916] 
handshake failed; returned -1, SSL error code 1, net_error -10
  [152915:0209/123952.348596:ERROR:net/socket/ssl_client_socket_impl.cc:916] 
handshake failed; returned -1, SSL error code 1, net_error -10
  [152915:0209/123952.868749:ERROR:net/socket/ssl_client_socket_impl.cc:916] 
handshake failed; returned -1, SSL error code 1, net_error -10
  [152915:0209/123953.397271:ERROR:net/socket/ssl_client_socket_impl.cc:916] 
handshake failed; returned -1, SSL error code 1, net_error -10
  [152915:0209/123953.997766:ERROR:net/socket/ssl_client_socket_impl.cc:916] 
handshake failed; returned -1, SSL error code 1, net_error -10
  [152915:0209/123954.550755:ERROR:net/socket/ssl_client_socket_impl.cc:916] 
handshake failed; returned -1, SSL error code 1, net_error -10
  12:39:54.584 › assignOnDidFailLoadEventHandler : {} - -10 - ERR_ACCESS_DENIED
  12:39:54.584 › (node:152814) electron: Failed to load URL: 
https://teams.cloud.microsoft/ with error: ERR_ACCESS_DENIED
  (Use `teams-for-linux --trace-warnings ...` to show where the warning was 
created)
  12:39:54.660 › (node:152814) UnhandledPromiseRejectionWarning: Error: Script 
failed to execute, this normally means an error was thrown. Check the renderer 
console for the error.
-     at node:electron/js2c/renderer_init:2:19969
-     at IpcRendererInternal.<anonymous> 
(node:electron/js2c/renderer_init:2:14304)
-     at IpcRendererInternal.emit (node:events:519:28)
-     at Object.onMessage (node:electron/js2c/renderer_init:2:13382)
+     at node:electron/js2c/renderer_init:2:19969
+     at IpcRendererInternal.<anonymous> 
(node:electron/js2c/renderer_init:2:14304)
+     at IpcRendererInternal.emit (node:events:519:28)
+     at Object.onMessage (node:electron/js2c/renderer_init:2:13382)
  12:39:54.661 › (node:152814) UnhandledPromiseRejectionWarning: Unhandled 
promise rejection. This error originated either by throwing inside of an async 
function without a catch block, or by rejecting a promise which was not handled 
with .catch(). To terminate the node process on unhandled promise rejection, 
use the CLI flag `--unhandled-rejections=strict` (see 
https://nodejs.org/api/cli.html#cli_unhandled_rejections_mode). (rejection id: 
1)
- 
  
  RELATED snapd 2.74 CHANGE:
  "snap-confine: update AppArmor profile to allow read/write to journal as 
workaround for snap-confine fd inheritance prevented by newer AppArmor"
  
  This suggests AppArmor policies were updated but network receive was
  inadvertently blocked.

** Changed in: linux (Ubuntu)
   Importance: High => Critical

** Changed in: apparmor (Ubuntu)
   Importance: Undecided => Critical

** Changed in: apparmor (Ubuntu)
       Status: New => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2141298

Title:
  AppArmor blocks network sockets with Linux 6.19

To manage notifications about this bug go to:
https://bugs.launchpad.net/snapd/+bug/2141298/+subscriptions


-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
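Added example, not part of the bug report or of snapd/AppArmor: a small Python triage script for the audit records the report quotes. It parses the key=value fields of `type=1400` lines, keeps the `class="net"` denials whose `denied="receive"` targets remote port 443, and counts them per profile, which is the quickest way to tell whether one snap or every strict snap is hitting the same denial. The sample log is constructed: the first line is the full record from the report, the second rebuilds the `faddr=2603:1063:27:1::14` snippet with an invented timestamp and pid, and the third is an invented file-class denial that the network filter must ignore.

```python
"""Triage AppArmor DENIED audit records from journalctl (constructed example)."""
import re
import sys
from collections import Counter

# Constructed sample. Line 1 is the record quoted in the bug report; line 2 rebuilds the
# report's "faddr=2603:..." snippet with an invented timestamp/pid; line 3 is an invented
# file-class denial used to show that the network filter leaves it out.
SAMPLE_LOG = """\
Feb 09 12:20:52 kernel: audit: type=1400 audit(1770636052.778:4101): apparmor="DENIED" operation="file_perm" class="net" profile="snap.teams-for-linux.teams-for-linux" pid=133551 comm="Chrome_ChildIOT" laddr=2a02:8109:a09e:2d00:a71a:d52c:a574:cd43 lport=53180 faddr=2a00:1450:4008:806::200e fport=443 family="inet6" sock_type="stream" protocol=6 requested="receive" denied="receive"
Feb 09 12:21:03 kernel: audit: type=1400 audit(1770636063.101:4102): apparmor="DENIED" operation="file_perm" class="net" profile="snap.teams-for-linux.teams-for-linux" pid=133551 comm="Chrome_ChildIOT" faddr=2603:1063:27:1::14 fport=443 family="inet6" sock_type="stream" protocol=6 requested="receive" denied="receive"
Feb 09 12:21:05 kernel: audit: type=1400 audit(1770636065.500:4103): apparmor="DENIED" operation="open" class="file" profile="snap.teams-for-linux.teams-for-linux" name="/tmp/constructed-example" pid=133551 comm="teams-for-linux" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
"""

# key=value pairs: values are either double-quoted (may contain spaces, e.g. comm="... --ozone")
# or bare tokens such as faddr=2a00:1450:4008:806::200e.
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_line(line: str) -> dict:
    """Turn one audit line into a dict of its key=value fields, quotes stripped."""
    return {key: value.strip('"') for key, value in _KV_RE.findall(line)}


def parse_denials(text: str) -> list:
    """Parse every line that carries apparmor="DENIED"; other journal lines are skipped."""
    return [
        parse_audit_line(line)
        for line in text.splitlines()
        if 'apparmor="DENIED"' in line
    ]


def net_receive_denials(records, fport: int = 443) -> list:
    """Keep class="net" denials of the receive permission towards the given remote port."""
    want = str(fport)
    return [
        r for r in records
        if r.get("class") == "net"
        and r.get("denied") == "receive"
        and r.get("fport") == want
    ]


def summarize(records) -> Counter:
    """Count denials per (profile, family, fport, denied): the axes a first triage needs."""
    return Counter(
        (r.get("profile"), r.get("family"), r.get("fport"), r.get("denied"))
        for r in records
    )


if __name__ == "__main__":
    # `python3 triage.py -` reads a live journal, e.g. `journalctl -b -k -o cat | python3 triage.py -`;
    # with no argument it runs over the constructed sample above.
    text = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_LOG
    hits = net_receive_denials(parse_denials(text))
    for (profile, family, fport, denied), count in summarize(hits).most_common():
        print(f"{count:4d}  {profile}  {family}  fport={fport}  denied={denied}")
```

If the counts pile up under a single `snap.<name>.<name>` profile, confirm with `snap connections <name>` that the snap's `network` plug is actually connected before attributing the denials to a policy or kernel regression; a disconnected plug produces the same `class="net"` records.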
