
AppArmor denial cluttering systemd logs

Open Ads20000 opened this issue 6 years ago • 167 comments

audit[6291]: AVC apparmor="DENIED" operation="ptrace" profile="snap.discord.discord" pid=6291 comm="Discord" requested_mask="trace" d (I can't see the rest of the line through systemctl and I can't open the file in Text Editor (it's too big) and cat and nano can't seem to read it (is that normal?)) is repeated many times in /var/log/journal/system.journal making it 100MB for just a few days of logging. The /var/log/journal directory is over 4GB.

Ads20000 avatar Apr 23 '18 11:04 Ads20000

Yeah, it seems like discord likes to interrogate other applications on the system, probably so it can show to your friends what game you're currently playing. I don't know what we can do about this. I expect there needs to be a tweak to the apparmor policy. I think we may need to get jdstrand involved. Mind starting a forum thread?

popey avatar Apr 23 '18 11:04 popey

Will do, thanks for the speedy response :smiley:

Ads20000 avatar Apr 23 '18 11:04 Ads20000

See https://forum.snapcraft.io/t/discord-ptrace-apparmor-denials/5099 and https://forum.snapcraft.io/t/auto-connections-for-discord/2392

Ads20000 avatar May 05 '18 02:05 Ads20000

This is fixed with

snap connect discord:system-observe :system-observe
snap connect discord:unity7 :unity7

@popey should that last one be added to the README? Or maybe we could remove them all? I'm not sure Discord needs any of them and seems to only need system-observe and unity7 to end the denials? Perhaps system-observe and unity7 should be listed in the README and nothing listed on the snap store as at current...

Ads20000 avatar May 21 '18 18:05 Ads20000

Sorry, I know this is closed, but the issue is still there.

I do not consider it fixed by running those commands because of 2 reasons:

  1. Users should not be required to run a command line instruction manually after install
  2. Even running those commands (specifically the system-observe one, the other is already there) some logs are still there
[ 9217.259134] audit: type=1400 audit(1550748163.700:6490): apparmor="DENIED" operation="capable" profile="snap.discord.discord" pid=5462 comm="Discord" capability=19  capname="sys_ptrace"
[ 9222.258887] audit: type=1400 audit(1550748168.700:6491): apparmor="DENIED" operation="capable" profile="snap.discord.discord" pid=5462 comm="Discord" capability=19  capname="sys_ptrace"
[ 9227.261310] audit: type=1400 audit(1550748173.704:6492): apparmor="DENIED" operation="capable" profile="snap.discord.discord" pid=5462 comm="Discord" capability=19  capname="sys_ptrace"
[ 9242.263344] audit: type=1400 audit(1550748188.704:6493): apparmor="DENIED" operation="capable" profile="snap.discord.discord" pid=5462 comm="Discord" capability=19  capname="sys_ptrace"
[ 9247.264970] audit: type=1400 audit(1550748193.708:6494): apparmor="DENIED" operation="capable" profile="snap.discord.discord" pid=5462 comm="Discord" capability=19  capname="sys_ptrace"

this is not acceptable

danielesegato avatar Feb 21 '19 11:02 danielesegato

To remove the need to manually connect system-observe we need upstream Discord devs to comment here (or via @flexiondotorg I suppose? Martin can you please get in touch with them since that is what @jdstrand is requiring to get this fixed?) As for unity7, Martin didn't request for that to be auto-connected, could he please explain why? EDIT: unity7 is actually auto-connected, it just wasn't on my system, so you don't need that command. I've asked in the forum what could be causing your denials.

Also, please could you (Daniele) attach the outputs of:

snap info discord
snap version
snap info core

You can use the HTML below to make it look nice!

<details>
<summary> Discord x.y.z yyyy-mm-dd (revision) </summary>
$ snap info discord
$ snap version
$ snap info core
</details>

Ads20000 avatar Feb 22 '19 23:02 Ads20000

Discord 0.0.8 2019-02-14 (91)
 $ snap info discord
name:      discord
summary:   All-in-one voice and text chat for gamers
publisher: Snapcrafters
contact:   https://github.com/snapcrafters/discord/issues
license:   unset
description: |
  All-in-one voice and text chat for gamers that's free, secure, and
  works on both your desktop and phone.
  
  This snap is maintained by the Snapcrafters community, and is not necessarily endorsed or
  officially maintained by the upstream developers.
commands:
  - discord
snap-id:      qHVefGEBezeuCeSfTND40uoUD6GRw8BO
tracking:     stable
refresh-date: 9 days ago, at 16:23 CET
channels:
  stable:    0.0.8 2019-02-14 (91) 69MB -
  candidate: ↑                          
  beta:      0.0.8 2019-02-14 (91) 69MB -
  edge:      0.0.8 2019-02-13 (91) 69MB -
installed:   0.0.8            (91) 69MB -
 $ snap version
snap    2.37.2
snapd   2.37.2
series  16
ubuntu  18.04
kernel  4.15.0-45-generic
$ snap info core
name:      core
summary:   snapd runtime environment
publisher: Canonical✓
contact:   [email protected]
license:   unset
description: |
  The core runtime environment for snapd
type:         core
snap-id:      99T7MUlRhtI3U0QFgl5mXXESAiSwt776
tracking:     stable
refresh-date: 8 days ago, at 09:28 CET
channels:
  stable:    16-2.37.2                 2019-02-14 (6405) 95MB -
  candidate: 16-2.37.2                 2019-02-12 (6405) 95MB -
  beta:      16-2.37.3                 2019-02-19 (6479) 95MB -
  edge:      16-2.37.3+git1157.1c9d322 2019-02-23 (6501) 93MB -
installed:   16-2.37.2                            (6405) 95MB core

thank you @Ads20000

danielesegato avatar Feb 23 '19 10:02 danielesegato

@danielesegato as @diddledan on the forum suggests, could you please run

sudo snap install snappy-debug 

then

snappy-debug.security scanlog

in a Terminal whilst Discord is running? Then provide the output (in <details>), thanks! :) Also, Daniel reckons that the (manual) solution to your problem is probably

snap connect discord:process-control :process-control

Note that it might not be possible to ever make this automatic because it might be that the snappy team are never convinced that Discord needs these permissions to run. Snaps are confined and should be reasonably safe for you to run, giving Discord automatic access to things like process-control (which it seems to want) may be considered unreasonable by the snappy developers.

Ads20000 avatar Feb 23 '19 16:02 Ads20000

@Ads20000 it's not gonna contain much usefulness

sys_ptrace snappy debug
= AppArmor =
Time: Feb 25 16:55:33
Log: apparmor="DENIED" operation="capable" profile="snap.discord.discord" pid=7216 comm="Discord" capability=19  capname="sys_ptrace"
Capability: sys_ptrace
Suggestions:
* adjust program to not require 'CAP_SYS_PTRACE' (see 'man 7 capabilities')
* do nothing if program otherwise works properly

danielesegato avatar Feb 25 '19 16:02 danielesegato

I totally agree about it being unreasonable. But I still would like to have the log suppressed (denied silently).

danielesegato avatar Feb 25 '19 16:02 danielesegato

As far as I know, the apparmor logs are somewhat of an issue resulting from the fact that it's surprisingly convoluted to deny specific apparmor messages silently in the autogenerated snap apparmor config files. I have a way of doing it manually, but every snap update/tiny change breaks that.

By adding to /var/lib/snapd/apparmor/profiles/snap.discord.discord:

deny capability sys_ptrace,

then running

sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap.discord.discord

rigred avatar Mar 11 '19 18:03 rigred

What is it even denying? Can/should we allow it instead?

On Mon, Mar 11, 2019, 15:52 Rigo [email protected] wrote:

As far as I know, the apparmor logs are somewhat of an issue resulting from the fact that it's surprisingly convoluted to deny specific apparmor messages silently in the autogenerated snap apparmor config files. I have a way of doing it manually, but every snap update/tiny change breaks that.

By adding to /var/lib/snapd/apparmor/profiles/snap.discord.discord:

deny capability sys_ptrace,


Fuseteam avatar Mar 12 '19 13:03 Fuseteam

As far as I know, the apparmor logs are somewhat of an issue resulting from the fact that it's surprisingly convoluted to deny specific apparmor messages silently in the autogenerated snap apparmor config files. I have a way of doing it manually, but every snap update/tiny change breaks that.

By adding to /var/lib/snapd/apparmor/profiles/snap.discord.discord:

deny capability sys_ptrace,

then running

sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap.discord.discord

FYI, my comment here: https://forum.snapcraft.io/t/auto-connections-for-discord/2392/21 where we can update our conditional explicit deny policy.

jdstrand avatar Mar 12 '19 15:03 jdstrand

This is fixed with

snap connect discord:system-observe :system-observe
snap connect discord:unity7 :unity7

Doing this and deactivating streamer mode (searching for running apps like OBS, ...) and tracking of currently played games fixed the issue on my end.

themepresse avatar Apr 18 '19 16:04 themepresse

I agree with @danielesegato

I don't want to provide the access Discord wants, but I don't want it cluttering my log files. I would like it to fail silently. The level of log spam is absurd.

douglasg14b avatar May 13 '19 19:05 douglasg14b

See my new analysis of what Discord is doing, and a possible workaround (if the Snap packagers think it is practical) at https://github.com/snapcrafters/discord/issues/43

ThePythonicCow avatar Aug 24 '19 21:08 ThePythonicCow

It's not that hard to check if the syscall failed (EPERM and similar), set a flag, cease and desist further attempts. Indeed not checking return values is considered a bad practice in software development.

mark-kubacki avatar Sep 02 '19 15:09 mark-kubacki

https://github.com/snapcore/snapd/pull/7019 (i.e. https://github.com/snapcore/snapd/commit/a87003c81407692dba692979344ea83cd463bdb7#diff-a34e166c5b3016c122430c5884f41e9b) was included in snapd 2.40. People who are still seeing this, can you perform snap version and verify you are running 2.40, and comment if you are and are still seeing this issue?

jdstrand avatar Sep 12 '19 13:09 jdstrand

I am still seeing this. I have manually connected discord:system-observe, discord:process-control, and discord:network-observe to work around the issue.

> snap version
snap    2.41
snapd   2.41
series  16
ubuntu  19.04
kernel  5.0.0-27-generic

wilx avatar Sep 12 '19 16:09 wilx

I am still seeing this. I have manually connected discord:system-observe, discord:process-control, and discord:network-observe to work around the issue.

> snap version
snap    2.41
snapd   2.41
series  16
ubuntu  19.04
kernel  5.0.0-27-generic

Can you perform a:

$ grep 'deny capability sys_ptrace' /var/lib/snapd/apparmor/profiles/snap.discord.*

If I do that here, I see:

$ grep 'deny capability sys_ptrace' /var/lib/snapd/apparmor/profiles/snap.discord.*
deny capability sys_ptrace,

Also, can you paste some representative apparmor denials you are still seeing?

jdstrand avatar Sep 12 '19 16:09 jdstrand

Also note, while discord plugs system-observe, process-control and network-observe, these are not auto-connected by default.

jdstrand avatar Sep 12 '19 16:09 jdstrand

> grep 'deny capability sys_ptrace' /var/lib/snapd/apparmor/profiles/snap.discord.*
deny capability sys_ptrace,
[11016.951627] kauditd_printk_skb: 84 callbacks suppressed
[11016.951629] audit: type=1400 audit(1568315092.037:149127): apparmor="DENIED" operation="ptrace" profile="snap.discord.discord" pid=18216 comm="Discord" requested_mask="read" denied_mask="read" peer="unconfined"
[11016.951656] audit: type=1400 audit(1568315092.037:149128): apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/proc/2027/cmdline" pid=18216 comm="Discord" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[11016.951670] audit: type=1400 audit(1568315092.037:149129): apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/proc/2043/cmdline" pid=18216 comm="Discord" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[11016.951680] audit: type=1400 audit(1568315092.037:149130): apparmor="DENIED" operation="ptrace" profile="snap.discord.discord" pid=18216 comm="Discord" requested_mask="read" denied_mask="read" peer="unconfined"
[11016.951698] audit: type=1400 audit(1568315092.037:149131): apparmor="DENIED" operation="ptrace" profile="snap.discord.discord" pid=18216 comm="Discord" requested_mask="read" denied_mask="read" peer="unconfined"
[11016.951722] audit: type=1400 audit(1568315092.037:149132): apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/proc/2178/cmdline" pid=18216 comm="Discord" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[11016.951731] audit: type=1400 audit(1568315092.037:149133): apparmor="DENIED" operation="ptrace" profile="snap.discord.discord" pid=18216 comm="Discord" requested_mask="read" denied_mask="read" peer="unconfined"
[11016.951751] audit: type=1400 audit(1568315092.037:149134): apparmor="DENIED" operation="ptrace" profile="snap.discord.discord" pid=18216 comm="Discord" requested_mask="read" denied_mask="read" peer="unconfined"
[11016.951770] audit: type=1400 audit(1568315092.037:149135): apparmor="DENIED" operation="ptrace" profile="snap.discord.discord" pid=18216 comm="Discord" requested_mask="read" denied_mask="read" peer="unconfined"
[11016.951790] audit: type=1400 audit(1568315092.037:149136): apparmor="DENIED" operation="ptrace" profile="snap.discord.discord" pid=18216 comm="Discord" requested_mask="read" denied_mask="read" peer="unconfined"

wilx avatar Sep 12 '19 19:09 wilx

[11016.951629] audit: type=1400 audit(1568315092.037:149127): apparmor="DENIED" operation="ptrace" profile="snap.discord.discord" pid=18216 comm="Discord" requested_mask="read" denied_mask="read" peer="unconfined"
[11016.951656] audit: type=1400 audit(1568315092.037:149128): apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/proc/2027/cmdline" pid=18216 comm="Discord" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

@wilx - right, those are different denials that should go away once you 'snap connect discord:system-observe'.

jdstrand avatar Sep 12 '19 19:09 jdstrand

This is still a frustrating issue....

What if I don't want Discord to be connected to system-observe?

douglasg14b avatar Nov 24 '19 21:11 douglasg14b

@douglasg14b it's a "feature" of Discord to show off what you're doing

Fuseteam avatar Nov 25 '19 00:11 Fuseteam

For me, I went into

vi /var/lib/snapd/apparmor/profiles/snap.discord.discord

And added these two lines at the end before the }

deny /proc/@{pid}/cmdline r,
deny ptrace (read),

And run

sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap.discord.discord 

I have no idea what the implications of the 2nd deny are, so please use at your own risk.

xNinjaKittyx avatar Feb 27 '20 03:02 xNinjaKittyx

I really wish they would fix this.... I'm about to cause some trouble if I have to fix it myself.. very annoying

begui avatar Apr 08 '20 01:04 begui

I thought I read somewhere the denials only show up when a certain feature was enabled, but I'm not sure about that (if true, the denial would be gone from the logs if the feature were disabled).

As mentioned, the system-observe interface does allow ptrace read (which does not allow ptracing and controlling other processes). For people trying to decide whether or not to connect the system-observe interface, I suggest reading the security policy at https://github.com/snapcore/snapd/blob/master/interfaces/builtin/system_observe.go#L32. Note, the interface is 'observe' and not 'control' so the accesses, while more than discord should need, are perhaps acceptable for your environment.

The choice today is to disable the feature in discord (assuming that is an option), connect the interface and let discord see, but not modify, some information from other processes or live with the denial (or make local modifications to the profile as mentioned above, but those changes won't persist and could conflict with future rules).

There is an apparmor feature on the horizon that will allow suppressing denials in a manner that snapd could robustly build upon for a feature to allow users a way to suppress noisy denials in some manner, but that feature is not available for snapd to use yet.

jdstrand avatar Apr 08 '20 16:04 jdstrand
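As an added example (not code from this thread, snapd or the Discord snap), a small Python script that parses AppArmor denial lines in the format quoted above and sorts them into the two classes jdstrand distinguishes: 'capable' sys_ptrace denials, which no interface grants and the profile denies explicitly, versus ptrace-read and /proc/<pid>/cmdline denials, which system-observe covers. The sample lines are constructed from the ones quoted in the thread, and the class labels are my own.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the denials quoted in this thread
# (not captured from a live system).
SAMPLE_LOG = """\
[ 9217.259134] audit: type=1400 audit(1550748163.700:6490): apparmor="DENIED" operation="capable" profile="snap.discord.discord" pid=5462 comm="Discord" capability=19  capname="sys_ptrace"
[11016.951629] audit: type=1400 audit(1568315092.037:149127): apparmor="DENIED" operation="ptrace" profile="snap.discord.discord" pid=18216 comm="Discord" requested_mask="read" denied_mask="read" peer="unconfined"
[11016.951656] audit: type=1400 audit(1568315092.037:149128): apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/proc/2027/cmdline" pid=18216 comm="Discord" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[11016.951680] audit: type=1400 audit(1568315092.037:149130): apparmor="DENIED" operation="ptrace" profile="snap.discord.discord" pid=18216 comm="Discord" requested_mask="read" denied_mask="read" peer="unconfined"
"""

# key="quoted value"  or  key=bareword (pid=5462, capability=19)
FIELD_RE = re.compile(r'(\w+)="([^"]*)"|(\w+)=(\S+)')

CAP_SYS_PTRACE = "cap_sys_ptrace (no interface grants it; profile denies explicitly)"
SYSTEM_OBSERVE = "ptrace read or /proc/<pid>/cmdline (covered by system-observe)"


def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED line, or None."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields = {}
    for m in FIELD_RE.finditer(line):
        key = m.group(1) or m.group(3)
        fields[key] = m.group(2) if m.group(1) else m.group(4)
    return fields


def classify(d):
    """Map one denial to a coarse cause, following jdstrand's analysis above."""
    op = d.get("operation")
    if op == "capable" and d.get("capname") == "sys_ptrace":
        return CAP_SYS_PTRACE
    if op == "ptrace" and d.get("requested_mask") == "read":
        return SYSTEM_OBSERVE
    if op == "open" and re.match(r"/proc/\d+/cmdline$", d.get("name", "")):
        return SYSTEM_OBSERVE
    return f"other ({op})"


def summarize(log_text, profile="snap.discord.discord"):
    """Count denials per cause for one snap profile; returns a Counter."""
    counts = Counter()
    for line in log_text.splitlines():
        d = parse_denial(line)
        if d and d.get("profile") == profile:
            counts[classify(d)] += 1
    return counts


if __name__ == "__main__":
    for cause, n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:6d}  {cause}")
```

Feed it `journalctl -k` or `dmesg` output to see which class dominates before deciding whether connecting system-observe will actually quiet the log.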

Sadly I don't believe there's a way to disable rich presence

Fuseteam avatar Apr 09 '20 10:04 Fuseteam

According to a user on the snapcraft forums there is a way of disabling rich presence!!

https://forum.snapcraft.io/t/discord-ptrace-apparmor-denials/5099/15?u=ads20000

In Discord, you can just disable the system process scan. To do this, go to User Settings, Activity and Games, Show the game I am currently playing. Regards.

Ads20000 avatar Apr 11 '20 13:04 Ads20000