=== pikapika is now known as WilhelmII
[08:50] PR snapd#12577 closed: o/snapstate: create pre-dl task even if one is in DoneStatus
[10:05] PR snapd#12606 opened: tests: add test for snap-update-ns freezing processes
[15:36] PR pc-gadget#81 closed: Remove ubuntu-boot and replace with a simpler mbr
[17:42] PR snapd#12607 opened: configcore: allow to run core configuration on classic via env
[21:18] PR snapd#12588 closed: tests: fix prepare task for arch linux
[22:11] Hello, I'm wondering if anyone would be able to help me with some AppArmor issues.  Specifically, I have a Ruby on Rails project that uses a gem called Grover, which is essentially just a wrapper for the Puppeteer NodeJS package.  Puppeteer launches chromium.  Since I am running Ubuntu Focal on arm64, there are no precompiled binaries it can
[22:11] download, so I am using a system-installed chromium instead.  Both Ruby and Chromium are installed via snap.  NodeJS was installed using apt-get.
[22:11] Here are the AppArmor audit logs that appear when Grover launches a node process that launches Chromium:
[22:11] ```
[22:11] Feb 28 22:01:12 ip-10-0-20-196 kernel: [76184.205399] audit: type=1400 audit(1677621672.947:331): apparmor="DENIED" operation="file_inherit" profile="/snap/snapd/18363/usr/lib/snapd/snap-confine" pid=5319 comm="snap-confine" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none
[22:11] Feb 28 22:01:12 ip-10-0-20-196 kernel: [76184.205408] audit: type=1400 audit(1677621672.947:332): apparmor="DENIED" operation="file_inherit" profile="/snap/snapd/18363/usr/lib/snapd/snap-confine" pid=5319 comm="snap-confine" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none
[22:11] Feb 28 22:01:12 ip-10-0-20-196 kernel: [76184.207757] audit: type=1400 audit(1677621672.947:333): apparmor="DENIED" operation="signal" profile="/snap/snapd/18363/usr/lib/snapd/snap-confine" pid=5311 comm="node" requested_mask="receive" denied_mask="receive" signal=exists peer="snap.ruby.bundle"
[22:11] Feb 28 22:01:12 ip-10-0-20-196 kernel: [76184.211194] audit: type=1400 audit(1677621672.951:334): apparmor="DENIED" operation="file_inherit" profile="snap-update-ns.chromium" name="/apparmor/.null" pid=5337 comm="5" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
[22:11] Feb 28 22:01:12 ip-10-0-20-196 kernel: [76184.211201] audit: type=1400 audit(1677621672.951:335): apparmor="DENIED" operation="file_inherit" profile="snap-update-ns.chromium" name="/apparmor/.null" pid=5337 comm="5" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
[22:11] Feb 28 22:01:12 ip-10-0-20-196 kernel: [76184.215682] audit: type=1400 audit(1677621672.955:336): apparmor="DENIED" operation="file_inherit" profile="snap.chromium.chromium" name="/apparmor/.null" pid=5319 comm="snap-exec" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=0
[22:11] Feb 28 22:01:12 ip-10-0-20-196 kernel: [76184.215688] audit: type=1400 audit(1677621672.955:337): apparmor="DENIED" operation="file_inherit" profile="snap.chromium.chromium" name="/apparmor/.null" pid=5319 comm="snap-exec" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=0
[22:11] Feb 28 22:01:13 ip-10-0-20-196 kernel: [76184.401079] audit: type=1400 audit(1677621673.139:338): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/etc/vulkan/implicit_layer.d/" pid=5399 comm="chrome" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[22:11] Feb 28 22:01:13 ip-10-0-20-196 kernel: [76184.401131] audit: type=1400 audit(1677621673.139:339): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/etc/vulkan/implicit_layer.d/" pid=5399 comm="chrome" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[22:11] Feb 28 22:01:13 ip-10-0-20-196 kernel: [76184.405952] audit: type=1400 audit(1677621673.147:340): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/etc/vulkan/implicit_layer.d/" pid=5399 comm="chrome" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[22:11] ```
[22:12] I tried to add the AppArmor rules via these instructions, but they don't seem to be taking effect:  https://snapcraft.io/docs/debug-snaps#heading--apparmor
[22:15] For example, in /var/lib/snapd/apparmor/profiles/snap.chromium.chromium I added these lines:
[22:15] ```
[22:15] # ...
[22:15] }
[22:15] ```
[22:16] and in /var/lib/snapd/apparmor/profiles/snap.ruby.bundle I added these lines:
[22:16] ```
[22:16] # ...
[22:16] signal (send, receive) peer=node,
[22:16] }
[22:16] ```
[22:16] Then, I executed the `sudo apparmor_parser -r` command to both of these paths.  But the errors persist.  Any help would be immensely appreciated; I've been stuck on this issue for two days.