> Log: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="ListActivatableNames" mask="send" name="org.freedesktop.DBus" pid=2950 label="snap.element-desktop.element-desktop" peer_label="unconfined"
This is provided by the system-observe interface in snapd - currently it looks like element-desktop does not plug this so the element-desktop snap needs to be updated to include this. > Log: apparmor="DENIED" operation="dbus_method_call" bus="session" > path="/modules/kwalletd5" interface="org.kde.KWallet" member="isEnabled" > mask="send" name="org.kde.kwalletd5" pid=2950 > label="snap.element-desktop.element-desktop" peer_pid=1762 > peer_label="unconfined" > Log: apparmor="DENIED" operation="dbus_method_call" bus="session" > path="/modules/kwalletd5" interface="org.kde.KWallet" member="close" > mask="send" name="org.kde.kwalletd5" pid=2950 > label="snap.element-desktop.element-desktop" peer_pid=1762 > peer_label="unconfined" These are provided by the password-manager-service interface in snapd - again currently it looks like element-desktop does not plug this so the element-desktop snap needs to be updated to include this as well. Finally, for the last two > Log: apparmor="DENIED" operation="dbus_method_call" bus="session" > path="/StatusNotifierItem" interface="org.freedesktop.DBus.Properties" > member="GetAll" name=":1.45" mask="receive" pid=2950 > label="snap.element-desktop.element-desktop" peer_pid=2394 > peer_label="plasmashell" > Log: apparmor="DENIED" operation="dbus_signal" bus="session" > path="/StatusNotifierItem" interface="org.kde.StatusNotifierItem" > member="NewToolTip" mask="send" name="org.freedesktop.DBus" pid=2950 > label="snap.element-desktop.element-desktop" peer_pid=2394 > peer_label="plasmashell" Yes this is due to the peer_label mismatch - previously plasmashell would run without an AppArmor profile and so was "unconfined" - the most recent apparmor release in Noble contains a new profile for plasmashell in /etc/apparmor.d/plasmashell with the label "plasmashell" - and so now the peer_label doesn't match. This likely needs to be fixed on the snapd side (or we figure out a way in apparmor to not ship this profile). -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/2056696 Title: All Snaps are denied the ability to use DBus for notifications and apptray indicators in KDE-based flavors Status in snapd: New Status in apparmor package in Ubuntu: Confirmed Bug description: OS: Kubuntu Noble 24.04 Alpha (two-day old install) snapd version: 2.61.2 Affected Snaps: firefox, thunderbird, element-desktop Steps to reproduce: # For Firefox: 1. Open the Firefox Snap. 2. Open https://www.bennish.net/web-notifications.html. 3. Click "Authorize" and allow the website to send notifications. 4. Click "Show". Expected result: A notification should be displayed by Plasma, similar to other notifications the system displays. Actual result: The notification shows up in the upper-right corner of the display, improperly themed and obviously generated by Firefox as a fallback. # For Thunderbird: 1. Open the Thunderbird Snap. 2. Ensure you are connected to an email account. 3. Unfocus the Thunderbird window. 4. Wait for an email to come through. Expected result: When the email comes through, a notification should be displayed by Plasma, similar to other notifications the system displays. Actual result: The notification shows up improperly themed and obviously generated by Thunderbird as a fallback. # For Element: 1. Open the Element Snap. Expected result: An apptray indicator should appear in the system tray with the Element logo. Actual result: No such indicator appears. 2. Log in, ask someone to ping you, then unfocus the window and wait for the ping to come through. Expected result: A notification should be displayed by Plasma, similar to other notifications the system displays. Actual result: No notification appears at all. Additional information: Based on the output of snappy-debug, this appears to be AppArmor related, at least for element-desktop (but presumably for the others too). Of note are some of the following log entries: ``` = AppArmor = Time: 2024-03-10T13:4 Log: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="ListActivatableNames" mask="send" name="org.freedesktop.DBus" pid=2950 label="snap.element-desktop.element-desktop" peer_label="unconfined" DBus access = AppArmor = Time: 2024-03-10T13:4 Log: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/modules/kwalletd5" interface="org.kde.KWallet" member="isEnabled" mask="send" name="org.kde.kwalletd5" pid=2950 label="snap.element-desktop.element-desktop" peer_pid=1762 peer_label="unconfined" DBus access = AppArmor = Time: 2024-03-10T13:4 Log: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/modules/kwalletd5" interface="org.kde.KWallet" member="close" mask="send" name="org.kde.kwalletd5" pid=2950 label="snap.element-desktop.element-desktop" peer_pid=1762 peer_label="unconfined" DBus access = AppArmor = Time: 2024-03-10T13:4 Log: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/StatusNotifierItem" interface="org.freedesktop.DBus.Properties" member="GetAll" name=":1.45" mask="receive" pid=2950 label="snap.element-desktop.element-desktop" peer_pid=2394 peer_label="plasmashell" DBus access = AppArmor = Time: 2024-03-10T13:4 Log: apparmor="DENIED" operation="dbus_signal" bus="session" path="/StatusNotifierItem" interface="org.kde.StatusNotifierItem" member="NewToolTip" mask="send" name="org.freedesktop.DBus" pid=2950 label="snap.element-desktop.element-desktop" peer_pid=2394 peer_label="plasmashell" DBus access ``` Booting with `apparmor=0` set on the kernel command line fixes the issue with Element (apptray indicator appears, notifications show up). Obviously this is not a solution, but it does isolate AppArmor as being at least partially at fault. This issue seems to be somewhat similar to https://forum.snapcraft.io/t/dbus-related-apparmor-denials/37422, however it seems as if Element is trying to hit the right paths and interfaces and is still being denied (based on looking at the info in https://github.com/snapcore/snapd/blob/master/interfaces/builtin/desktop_legacy.go and comparing the paths and interfaces there with the paths and interfaces shown by snappy-debug. I talked about this issue with Erich Eickmeyer and he mentioned that it occurred after a Plasma update. This doesn't make a great deal of sense to me, and I suspect possibly some other component of the affected systems happened to get updated at the same time (perhaps the snapd Snap), but it's definitely worth mentioning. An example of one of Thunderbird's fallback notifications is attached as a screenshot (as I happened to get an email while typing this report). To manage notifications about this bug go to: https://bugs.launchpad.net/snapd/+bug/2056696/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
