=== pikapika is now known as WilhelmII | ||
mup | PR snapd#12577 closed: o/snapstate: create pre-dl task even if one is in DoneStatus <Simple 😃> <Created by MiguelPires> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/12577> | 08:50 |
---|---|---|
mup | PR snapd#12606 opened: tests: add test for snap-update-ns freezing processes <Created by valentindavid> <https://github.com/snapcore/snapd/pull/12606> | 10:05 |
mup | PR pc-gadget#81 closed: Remove ubuntu-boot and replace with a simpler mbr <Created by valentindavid> <Merged by alfonsosanchezbeato> <https://github.com/snapcore/pc-gadget/pull/81> | 15:36 |
mup | PR snapd#12607 opened: configcore: allow to run core configuration on classic via env <Needs Documentation -auto-> <Created by mvo5> <https://github.com/snapcore/snapd/pull/12607> | 17:42 |
mup | PR snapd#12588 closed: tests: fix prepare task for arch linux <Simple 😃> <Test Robustness> <Flaky Test> <Created by sergiocazzolato> <Merged by sergiocazzolato> <https://github.com/snapcore/snapd/pull/12588> | 21:18 |
micchickenburger | Hello, I'm wondering if anyone would be able to help me with some AppArmor issues. Specifically, I have a Ruby on Rails project that uses a gem called Grover, which is essentially just a wrapper for the Puppeteer NodeJS package. Puppeteer launches chromium. Since I am running Ubuntu Focal on arm64, there are no precompiled binaries it can | 22:11 |
micchickenburger | download, so I am using a system-installed chromium instead. Both Ruby and Chromium are installed via snap. NodeJS was installed using apt-get. | 22:11 |
micchickenburger | Here are the AppArmor audit logs that appear when Grover launches a node process that launches Chromium: | 22:11 |
micchickenburger | ``` | 22:11 |
micchickenburger | Feb 28 22:01:12 ip-10-0-20-196 kernel: [76184.205399] audit: type=1400 audit(1677621672.947:331): apparmor="DENIED" operation="file_inherit" profile="/snap/snapd/18363/usr/lib/snapd/snap-confine" pid=5319 comm="snap-confine" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none | 22:11 |
micchickenburger | Feb 28 22:01:12 ip-10-0-20-196 kernel: [76184.205408] audit: type=1400 audit(1677621672.947:332): apparmor="DENIED" operation="file_inherit" profile="/snap/snapd/18363/usr/lib/snapd/snap-confine" pid=5319 comm="snap-confine" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none | 22:11 |
micchickenburger | Feb 28 22:01:12 ip-10-0-20-196 kernel: [76184.207757] audit: type=1400 audit(1677621672.947:333): apparmor="DENIED" operation="signal" profile="/snap/snapd/18363/usr/lib/snapd/snap-confine" pid=5311 comm="node" requested_mask="receive" denied_mask="receive" signal=exists peer="snap.ruby.bundle" | 22:11 |
micchickenburger | Feb 28 22:01:12 ip-10-0-20-196 kernel: [76184.211194] audit: type=1400 audit(1677621672.951:334): apparmor="DENIED" operation="file_inherit" profile="snap-update-ns.chromium" name="/apparmor/.null" pid=5337 comm="5" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0 | 22:11 |
micchickenburger | Feb 28 22:01:12 ip-10-0-20-196 kernel: [76184.211201] audit: type=1400 audit(1677621672.951:335): apparmor="DENIED" operation="file_inherit" profile="snap-update-ns.chromium" name="/apparmor/.null" pid=5337 comm="5" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0 | 22:11 |
micchickenburger | Feb 28 22:01:12 ip-10-0-20-196 kernel: [76184.215682] audit: type=1400 audit(1677621672.955:336): apparmor="DENIED" operation="file_inherit" profile="snap.chromium.chromium" name="/apparmor/.null" pid=5319 comm="snap-exec" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=0 | 22:11 |
micchickenburger | Feb 28 22:01:12 ip-10-0-20-196 kernel: [76184.215688] audit: type=1400 audit(1677621672.955:337): apparmor="DENIED" operation="file_inherit" profile="snap.chromium.chromium" name="/apparmor/.null" pid=5319 comm="snap-exec" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=0 | 22:11 |
micchickenburger | Feb 28 22:01:13 ip-10-0-20-196 kernel: [76184.401079] audit: type=1400 audit(1677621673.139:338): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/etc/vulkan/implicit_layer.d/" pid=5399 comm="chrome" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 | 22:11 |
micchickenburger | Feb 28 22:01:13 ip-10-0-20-196 kernel: [76184.401131] audit: type=1400 audit(1677621673.139:339): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/etc/vulkan/implicit_layer.d/" pid=5399 comm="chrome" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 | 22:11 |
micchickenburger | Feb 28 22:01:13 ip-10-0-20-196 kernel: [76184.405952] audit: type=1400 audit(1677621673.147:340): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/etc/vulkan/implicit_layer.d/" pid=5399 comm="chrome" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 | 22:11 |
micchickenburger | ``` | 22:11 |
micchickenburger | I tried to add the AppArmor rules via these instructions, but they don't seem to be taking effect: https://snapcraft.io/docs/debug-snaps#heading--apparmor | 22:12 |
micchickenburger | For example, in /var/lib/snapd/apparmor/profiles/snap.chromium.chromium I added these lines: | 22:15 |
micchickenburger | ``` | 22:15 |
micchickenburger | # ... | 22:15 |
micchickenburger | } | 22:15 |
micchickenburger | ``` | 22:15 |
micchickenburger | and in /var/lib/snapd/apparmor/profiles/snap.ruby.bundle I added these lines: | 22:16 |
micchickenburger | ``` | 22:16 |
micchickenburger | # ... | 22:16 |
micchickenburger | signal (send, receive) peer=node, | 22:16 |
micchickenburger | } | 22:16 |
micchickenburger | ``` | 22:16 |
micchickenburger | Then, I executed the `sudo apparmor_parser -r` command on both of these paths. But the errors persist. Any help would be immensely appreciated; I've been stuck on this issue for two days. | 22:16 |