Sunday

[Bug 2141298] Re: AppArmor blocks write(2) to network sockets with Linux 6.19

https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2141716
It is related I think.

--
You received this bug notification because you are subscribed to linux
in Ubuntu.
Matching subscriptions: Bgg, Bmail, Nb
https://bugs.launchpad.net/bugs/2141298

Title:
AppArmor blocks write(2) to network sockets with Linux 6.19

Status in snapd:
Confirmed
Status in apparmor package in Ubuntu:
Confirmed
Status in chromium-browser package in Ubuntu:
Confirmed
Status in linux package in Ubuntu:
Confirmed

Bug description:
Ubuntu 26.04 (pre-release) with snapd 2.74 has a regression where
AppArmor blocks network receive operations for Electron-based snaps
with strict confinement, causing all HTTPS connections to fail.

All Electron-based snaps with strict confinement are completely broken:
unable to connect to any HTTPS endpoints.

AFFECTED APPLICATIONS:
- element (tested, confirmed broken)
- prospect-mail (tested, confirmed broken)
- teams-for-linux (tested, confirmed broken)
- Potentially: VS Code, Slack, Discord, and all other Electron snaps
- sbuild+unshare (LP: #2141364)

SYMPTOMS:
1. SSL handshake fails: net_error -10 (ERR_CERT_AUTHORITY_INVALID)
2. App error: "Failed to load URL: https://... with error: ERR_ACCESS_DENIED"
3. Blank page displayed instead of web content

ROOT CAUSE:
AppArmor could be denying network receive operations on IPv6 HTTPS (port 443):

apparmor="DENIED" operation="file_perm" class="net"
profile="snap.teams-for-linux.teams-for-linux"
faddr=2603:1063:27:1::14 fport=443 family="inet6"
sock_type="stream" protocol=6
requested="receive" denied="receive"

SYSTEM INFO:
- Ubuntu: 26.04 (pre-release)
- snapd: 2.74+ubuntu26.04
- Kernel: 6.19.0-3-generic
- snap version output: 2.74

REGRESSION:
- Broken: Ubuntu 26.04 with today's update and restart.

STEPS TO REPRODUCE:
1. Install Ubuntu 26.04 (pre-release)
2. Install teams-for-linux snap: snap install teams-for-linux
3. Launch: teams-for-linux
4. Observe SSL errors and AppArmor denials: journalctl -b | grep apparmor | grep DENIED

EXPECTED: Electron snaps can establish HTTPS connections
ACTUAL: AppArmor blocks network receive, all HTTPS connections fail

WORKAROUND:
Use classic confinement (defeats security purpose)

FULL APPARMOR LOG for teams-for-linux:
Feb 09 12:20:52 kernel: audit: type=1400 audit(1770636052.778:4101):
apparmor="DENIED" operation="file_perm" class="net"
profile="snap.teams-for-linux.teams-for-linux" pid=133551
comm="Chrome_ChildIOT" laddr=2a02:8109:a09e:2d00:a71a:d52c:a574:cd43
lport=53180 faddr=2a00:1450:4008:806::200e fport=443 family="inet6"
sock_type="stream" protocol=6 requested="receive" denied="receive"

Log for prospect-mail:

$ prospect-mail

(prospect-mail:150690): Gtk-WARNING **: 12:37:44.087: Theme parsing
error: gtk.css:1413:23: 'font-feature-settings' is not a valid
property name

(prospect-mail:150690): Gtk-WARNING **: 12:37:44.091: Theme parsing
error: gtk.css:3286:25: 'font-feature-settings' is not a valid
property name

(prospect-mail:150690): Gtk-WARNING **: 12:37:44.092: Theme parsing error: gtk.css:3748:23: 'font-feature-settings' is not a valid property name
Loaded settings {
  mainMailServiceUrl: 'https://outlook.office.com/mail',
  deeplinkUrls: [
    'outlook.live.com/mail/deeplink',
    'outlook.office365.com/mail/deeplink',
    'outlook.office.com/mail/deeplink',
    'outlook.office.com/calendar/deeplink',
    'to-do.office.com/tasks'
  ],
  mailServicesUrls: [ 'outlook.live.com', 'outlook.office365.com', 'outlook.office.com' ],
  safelinksUrls: [
    'outlook.office.com/mail/safelink.html',
    'safelinks.protection.outlook.com'
  ]
}
libGL error: MESA-LOADER: failed to open iris (search paths /snap/prospect-mail/75/gnome-platform/usr/lib/x86_64-linux-gnu/dri)
libGL error: failed to load driver: iris
libGL error: MESA-LOADER: failed to open swrast (search paths /snap/prospect-mail/75/gnome-platform/usr/lib/x86_64-linux-gnu/dri)
libGL error: failed to load driver: swrast
[150913:0209/123744.785246:ERROR:ui/gl/angle_platform_impl.cc:42] Display.cpp:1093 (initialize): ANGLE Display::initialize error 12289: Could not create a backing OpenGL context.
ERR: Display.cpp:1093 (initialize): ANGLE Display::initialize error 12289: Could not create a backing OpenGL context.
[150913:0209/123744.785366:ERROR:ui/gl/egl_util.cc:92] EGL Driver message (Critical) eglInitialize: Could not create a backing OpenGL context.
[150913:0209/123744.785399:ERROR:ui/gl/gl_display.cc:639] eglInitialize OpenGL failed with error EGL_NOT_INITIALIZED, trying next display type
[150913:0209/123744.786076:ERROR:ui/gl/angle_platform_impl.cc:42] Display.cpp:1093 (initialize): ANGLE Display::initialize error 12289: Could not create a backing OpenGL context.
ERR: Display.cpp:1093 (initialize): ANGLE Display::initialize error 12289: Could not create a backing OpenGL context.
[150913:0209/123744.786133:ERROR:ui/gl/egl_util.cc:92] EGL Driver message (Critical) eglInitialize: Could not create a backing OpenGL context.
[150913:0209/123744.786156:ERROR:ui/gl/gl_display.cc:639] eglInitialize OpenGLES failed with error EGL_NOT_INITIALIZED
[150913:0209/123744.786176:ERROR:ui/gl/gl_display.cc:674] Initialization of all EGL display types failed.
[150913:0209/123744.786200:ERROR:ui/ozone/common/gl_ozone_egl.cc:26] GLDisplayEGL::Initialize failed.
[150913:0209/123744.788284:ERROR:ui/gl/angle_platform_impl.cc:42] Display.cpp:1093 (initialize): ANGLE Display::initialize error 12289: Could not create a backing OpenGL context.
ERR: Display.cpp:1093 (initialize): ANGLE Display::initialize error 12289: Could not create a backing OpenGL context.
[150913:0209/123744.788352:ERROR:ui/gl/egl_util.cc:92] EGL Driver message (Critical) eglInitialize: Could not create a backing OpenGL context.
[150913:0209/123744.788392:ERROR:ui/gl/gl_display.cc:639] eglInitialize OpenGL failed with error EGL_NOT_INITIALIZED, trying next display type
[150913:0209/123744.789184:ERROR:ui/gl/angle_platform_impl.cc:42] Display.cpp:1093 (initialize): ANGLE Display::initialize error 12289: Could not create a backing OpenGL context.
ERR: Display.cpp:1093 (initialize): ANGLE Display::initialize error 12289: Could not create a backing OpenGL context.
[150913:0209/123744.789231:ERROR:ui/gl/egl_util.cc:92] EGL Driver message (Critical) eglInitialize: Could not create a backing OpenGL context.
[150913:0209/123744.789258:ERROR:ui/gl/gl_display.cc:639] eglInitialize OpenGLES failed with error EGL_NOT_INITIALIZED
[150913:0209/123744.789284:ERROR:ui/gl/gl_display.cc:674] Initialization of all EGL display types failed.
[150913:0209/123744.789309:ERROR:ui/ozone/common/gl_ozone_egl.cc:26] GLDisplayEGL::Initialize failed.
[150913:0209/123744.829927:ERROR:components/viz/service/main/viz_main_impl.cc:189] Exiting GPU process due to errors during initialization
Custom User Agent: Mozilla/5.0 X11; Linux x86_64 AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36 Edg/143.0.0.0

(prospect-mail:150690): Gtk-WARNING **: 12:37:44.993: Theme parsing
error: gtk-dark.css:1413:23: 'font-feature-settings' is not a valid
property name

(prospect-mail:150690): Gtk-WARNING **: 12:37:44.995: Theme parsing
error: gtk-dark.css:3286:25: 'font-feature-settings' is not a valid
property name

(prospect-mail:150690): Gtk-WARNING **: 12:37:44.996: Theme parsing error: gtk-dark.css:3748:23: 'font-feature-settings' is not a valid property name
libGL error: MESA-LOADER: failed to open iris (search paths /snap/prospect-mail/75/gnome-platform/usr/lib/x86_64-linux-gnu/dri)
libGL error: failed to load driver: iris
libGL error: MESA-LOADER: failed to open swrast (search paths /snap/prospect-mail/75/gnome-platform/usr/lib/x86_64-linux-gnu/dri)
libGL error: failed to load driver: swrast
[150950:0209/123745.102046:ERROR:ui/gl/angle_platform_impl.cc:42] Display.cpp:1093 (initialize): ANGLE Display::initialize error 12289: Could not create a backing OpenGL context.
ERR: Display.cpp:1093 (initialize): ANGLE Display::initialize error 12289: Could not create a backing OpenGL context.
[150950:0209/123745.102146:ERROR:ui/gl/egl_util.cc:92] EGL Driver message (Critical) eglInitialize: Could not create a backing OpenGL context.
[150950:0209/123745.102186:ERROR:ui/gl/gl_display.cc:639] eglInitialize OpenGL failed with error EGL_NOT_INITIALIZED, trying next display type
[150950:0209/123745.102800:ERROR:ui/gl/angle_platform_impl.cc:42] Display.cpp:1093 (initialize): ANGLE Display::initialize error 12289: Could not create a backing OpenGL context.
ERR: Display.cpp:1093 (initialize): ANGLE Display::initialize error 12289: Could not create a backing OpenGL context.
[150950:0209/123745.102830:ERROR:ui/gl/egl_util.cc:92] EGL Driver message (Critical) eglInitialize: Could not create a backing OpenGL context.
[150950:0209/123745.102854:ERROR:ui/gl/gl_display.cc:639] eglInitialize OpenGLES failed with error EGL_NOT_INITIALIZED
[150950:0209/123745.102878:ERROR:ui/gl/gl_display.cc:674] Initialization of all EGL display types failed.
[150950:0209/123745.102904:ERROR:ui/ozone/common/gl_ozone_egl.cc:26] GLDisplayEGL::Initialize failed.
[150950:0209/123745.105119:ERROR:ui/gl/angle_platform_impl.cc:42] Display.cpp:1093 (initialize): ANGLE Display::initialize error 12289: Could not create a backing OpenGL context.
ERR: Display.cpp:1093 (initialize): ANGLE Display::initialize error 12289: Could not create a backing OpenGL context.
[150950:0209/123745.105188:ERROR:ui/gl/egl_util.cc:92] EGL Driver message (Critical) eglInitialize: Could not create a backing OpenGL context.
[150950:0209/123745.105210:ERROR:ui/gl/gl_display.cc:639] eglInitialize OpenGL failed with error EGL_NOT_INITIALIZED, trying next display type
[150950:0209/123745.105798:ERROR:ui/gl/angle_platform_impl.cc:42] Display.cpp:1093 (initialize): ANGLE Display::initialize error 12289: Could not create a backing OpenGL context.
ERR: Display.cpp:1093 (initialize): ANGLE Display::initialize error 12289: Could not create a backing OpenGL context.
[150950:0209/123745.105826:ERROR:ui/gl/egl_util.cc:92] EGL Driver message (Critical) eglInitialize: Could not create a backing OpenGL context.
[150950:0209/123745.105847:ERROR:ui/gl/gl_display.cc:639] eglInitialize OpenGLES failed with error EGL_NOT_INITIALIZED
[150950:0209/123745.105867:ERROR:ui/gl/gl_display.cc:674] Initialization of all EGL display types failed.
[150950:0209/123745.105886:ERROR:ui/ozone/common/gl_ozone_egl.cc:26] GLDisplayEGL::Initialize failed.
[150950:0209/123745.106596:ERROR:components/viz/service/main/viz_main_impl.cc:189] Exiting GPU process due to errors during initialization
MESA-LOADER: failed to open iris (search paths /snap/prospect-mail/75/gnome-platform/usr/lib/x86_64-linux-gnu/dri)
failed to load driver: iris
MESA-LOADER: failed to open kms_swrast (search paths /snap/prospect-mail/75/gnome-platform/usr/lib/x86_64-linux-gnu/dri)
failed to load driver: kms_swrast
MESA-LOADER: failed to open swrast (search paths /snap/prospect-mail/75/gnome-platform/usr/lib/x86_64-linux-gnu/dri)
failed to load swrast driver
[150920:0209/123745.290838:ERROR:net/socket/ssl_client_socket_impl.cc:916] handshake failed; returned -1, SSL error code 1, net_error -10
[150920:0209/123745.299953:ERROR:net/socket/ssl_client_socket_impl.cc:916] handshake failed; returned -1, SSL error code 1, net_error -10
(node:150690) electron: Failed to load URL: https://outlook.office.com/mail with error: ERR_ACCESS_DENIED
(Use `prospect-mail --trace-warnings ...` to show where the warning was created)
Prepare 'main.css' to be injected.
Prepare 'unread-number-observer.js' to be injected.
(node:150690) [DEP0180] DeprecationWarning: fs.Stats constructor is deprecated.

Log for teams-for-linux:

$ teams-for-linux
No config file found (user or system-wide), using default values
all good with screenSharingThumbnail you aren't using them
all good with screenLockInhibitionMethod you aren't using them
all good with ssoInTuneEnabled you aren't using them
all good with ssoInTuneAuthUser you aren't using them
Initialising logger with config: {"transports":{"console":{"level":"info"},"file":{"level":false}}}
12:39:48.904 › configPath: /home/alarconj/snap/teams-for-linux/1155/.config/teams-for-linux
12:39:48.906 › Running under Wayland, disabling GPU composition (default behavior)...
12:39:48.906 › Enabling PipeWire for screen sharing...
12:39:48.906 › Disabling GPU support...
dbus-send: /snap/teams-for-linux/1155/lib/x86_64-linux-gnu/libdbus-1.so.3: version `LIBDBUS_PRIVATE_1.12.20' not found (required by dbus-send)
12:39:48.932 › [CustomNotificationManager] Initialized and listening on "notification-show-toast" channel

(teams-for-linux:152814): Gtk-WARNING **: 12:39:48.956: Theme parsing
error: gtk.css:1413:23: 'font-feature-settings' is not a valid
property name

(teams-for-linux:152814): Gtk-WARNING **: 12:39:48.959: Theme parsing
error: gtk.css:3286:25: 'font-feature-settings' is not a valid
property name

(teams-for-linux:152814): Gtk-WARNING **: 12:39:48.959: Theme parsing error: gtk.css:3748:23: 'font-feature-settings' is not a valid property name
[152814:0209/123949.008056:ERROR:dbus/object_proxy.cc:573] Failed to call method: org.freedesktop.Secret.Service.ReadAlias: object_path= /org/freedesktop/secrets: org.freedesktop.DBus.Error.AccessDenied: An AppArmor policy prevents this sender from sending this message to this recipient; type="method_call", sender=":1.1388" (uid=1000 pid=152814 comm="/snap/teams-for-linux/1155/teams-for-linux --ozone" label="snap.teams-for-linux.teams-for-linux (enforce)") interface="org.freedesktop.Secret.Service" member="ReadAlias" error name="(unset)" requested_reply="0" destination="org.freedesktop.secrets" (uid=1000 pid=3716 comm="/usr/bin/gnome-keyring-daemon --foreground --compo" label="unconfined")
MESA-LOADER: failed to open iris (search paths /snap/teams-for-linux/1155/gnome-platform/usr/lib/x86_64-linux-gnu/dri)
failed to load driver: iris
MESA-LOADER: failed to open kms_swrast (search paths /snap/teams-for-linux/1155/gnome-platform/usr/lib/x86_64-linux-gnu/dri)
failed to load driver: kms_swrast
MESA-LOADER: failed to open swrast (search paths /snap/teams-for-linux/1155/gnome-platform/usr/lib/x86_64-linux-gnu/dri)
failed to load swrast driver
12:39:49.059 › 🔒 IPC Security: Channel allowlisting enabled
12:39:49.059 › 🔒 IPC Security: 50 channels allowlisted

(teams-for-linux:152814): Gtk-WARNING **: 12:39:49.082: Theme parsing
error: gtk-dark.css:1413:23: 'font-feature-settings' is not a valid
property name

(teams-for-linux:152814): Gtk-WARNING **: 12:39:49.084: Theme parsing
error: gtk-dark.css:3286:25: 'font-feature-settings' is not a valid
property name

(teams-for-linux:152814): Gtk-WARNING **: 12:39:49.085: Theme parsing error: gtk-dark.css:3748:23: 'font-feature-settings' is not a valid property name
[152915:0209/123949.124882:ERROR:net/socket/ssl_client_socket_impl.cc:916] handshake failed; returned -1, SSL error code 1, net_error -10
[152814:0209/123949.161887:ERROR:dbus/object_proxy.cc:573] Failed to call method: org.freedesktop.login1.Manager.Inhibit: object_path= /org/freedesktop/login1: org.freedesktop.DBus.Error.AccessDenied: An AppArmor policy prevents this sender from sending this message to this recipient; type="method_call", sender=":1.599" (uid=1000 pid=152814 comm="/snap/teams-for-linux/1155/teams-for-linux --ozone" label="snap.teams-for-linux.teams-for-linux (enforce)") interface="org.freedesktop.login1.Manager" member="Inhibit" error name="(unset)" requested_reply="0" destination="org.freedesktop.login1" (uid=0 pid=1528 comm="/usr/lib/systemd/systemd-logind" label="unconfined")
[152915:0209/123949.206210:ERROR:net/socket/ssl_client_socket_impl.cc:916] handshake failed; returned -1, SSL error code 1, net_error -10
[152915:0209/123949.732665:ERROR:net/socket/ssl_client_socket_impl.cc:916] handshake failed; returned -1, SSL error code 1, net_error -10
[152915:0209/123950.248492:ERROR:net/socket/ssl_client_socket_impl.cc:916] handshake failed; returned -1, SSL error code 1, net_error -10
[152915:0209/123950.768544:ERROR:net/socket/ssl_client_socket_impl.cc:916] handshake failed; returned -1, SSL error code 1, net_error -10
[152915:0209/123951.289729:ERROR:net/socket/ssl_client_socket_impl.cc:916] handshake failed; returned -1, SSL error code 1, net_error -10
[152915:0209/123951.833859:ERROR:net/socket/ssl_client_socket_impl.cc:916] handshake failed; returned -1, SSL error code 1, net_error -10
[152915:0209/123952.348596:ERROR:net/socket/ssl_client_socket_impl.cc:916] handshake failed; returned -1, SSL error code 1, net_error -10
[152915:0209/123952.868749:ERROR:net/socket/ssl_client_socket_impl.cc:916] handshake failed; returned -1, SSL error code 1, net_error -10
[152915:0209/123953.397271:ERROR:net/socket/ssl_client_socket_impl.cc:916] handshake failed; returned -1, SSL error code 1, net_error -10
[152915:0209/123953.997766:ERROR:net/socket/ssl_client_socket_impl.cc:916] handshake failed; returned -1, SSL error code 1, net_error -10
[152915:0209/123954.550755:ERROR:net/socket/ssl_client_socket_impl.cc:916] handshake failed; returned -1, SSL error code 1, net_error -10
12:39:54.584 › assignOnDidFailLoadEventHandler : {} - -10 - ERR_ACCESS_DENIED
12:39:54.584 › (node:152814) electron: Failed to load URL: https://teams.cloud.microsoft/ with error: ERR_ACCESS_DENIED
(Use `teams-for-linux --trace-warnings ...` to show where the warning was created)
12:39:54.660 › (node:152814) UnhandledPromiseRejectionWarning: Error: Script failed to execute, this normally means an error was thrown. Check the renderer console for the error.
    at node:electron/js2c/renderer_init:2:19969
    at IpcRendererInternal.<anonymous> (node:electron/js2c/renderer_init:2:14304)
    at IpcRendererInternal.emit (node:events:519:28)
    at Object.onMessage (node:electron/js2c/renderer_init:2:13382)
12:39:54.661 › (node:152814) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). To terminate the node process on unhandled promise rejection, use the CLI flag `--unhandled-rejections=strict` (see https://nodejs.org/api/cli.html#cli_unhandled_rejections_mode). (rejection id: 1)

RELATED snapd 2.74 CHANGE:
"snap-confine: update AppArmor profile to allow read/write to journal as workaround for snap-confine fd inheritance prevented by newer AppArmor"

This suggests AppArmor policies were updated but network receive was
inadvertently blocked.

To manage notifications about this bug go to:
https://bugs.launchpad.net/snapd/+bug/2141298/+subscriptions
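The reporter confirms the regression by grepping `journalctl -b` for AppArmor denials and reading the `class="net" requested="receive"` fields by hand. The script below is an added example, not code from the bug reporter, snapd or the AppArmor project: it parses the key=value audit records as `journalctl` prints them (quoted and unquoted values, as in the records quoted in this report), groups the DENIED records by profile, class, operation and requested permission, and lists the socket denials with their peer address and port, so the network-receive denials stand out from ordinary file denials. The two net-class records are the ones quoted in the report; the file-class record and the plain journal line are constructed here to show that the grouping separates them, and the placeholder path in it is not from the page.

```python
"""Summarise AppArmor DENIED audit records found in journalctl output.

Added example for this bug report; not the reporter's, snapd's or AppArmor's code.
Assumed usage:  journalctl -b -k | python3 apparmor_denials.py
With nothing on stdin it runs over the sample records embedded below.
"""
import re
import sys
from collections import Counter

# Audit records are a sequence of key=value pairs; values are either
# double-quoted (profile="...") or bare (faddr=2603:1063:27:1::14, pid=133551).
_KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Two records quoted in the bug report (joined back onto single lines) ...
_PAGE_FULL_RECORD = (
    'Feb 09 12:20:52 kernel: audit: type=1400 audit(1770636052.778:4101): '
    'apparmor="DENIED" operation="file_perm" class="net" '
    'profile="snap.teams-for-linux.teams-for-linux" pid=133551 '
    'comm="Chrome_ChildIOT" laddr=2a02:8109:a09e:2d00:a71a:d52c:a574:cd43 '
    'lport=53180 faddr=2a00:1450:4008:806::200e fport=443 family="inet6" '
    'sock_type="stream" protocol=6 requested="receive" denied="receive"'
)
_PAGE_ROOT_CAUSE_RECORD = (
    'apparmor="DENIED" operation="file_perm" class="net" '
    'profile="snap.teams-for-linux.teams-for-linux" '
    'faddr=2603:1063:27:1::14 fport=443 family="inet6" '
    'sock_type="stream" protocol=6 requested="receive" denied="receive"'
)
# ... plus two constructed lines: an ordinary file-class denial (placeholder
# path, not from the report) and a non-audit journal line that must be ignored.
_CONSTRUCTED_FILE_RECORD = (
    'Feb 09 12:21:03 kernel: audit: type=1400 audit(1770636063.101:4102): '
    'apparmor="DENIED" operation="open" class="file" '
    'profile="snap.teams-for-linux.teams-for-linux" name="/etc/PLACEHOLDER.conf" '
    'pid=133551 comm="teams-for-linux" requested_mask="r" denied_mask="r" '
    'fsuid=1000 ouid=0'
)
_CONSTRUCTED_OTHER_LINE = 'Feb 09 12:21:04 systemd[1]: Started session-7.scope.'

SAMPLE_LINES = [
    _PAGE_FULL_RECORD,
    _PAGE_ROOT_CAUSE_RECORD,
    _CONSTRUCTED_FILE_RECORD,
    _CONSTRUCTED_OTHER_LINE,
]


def parse_record(line):
    """Return the key/value fields of one AppArmor audit line, or None for any other line."""
    if 'apparmor=' not in line:
        return None
    fields = {}
    for match in _KV_RE.finditer(line):
        key, raw, quoted = match.group(1), match.group(2), match.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


def is_denied(fields):
    """True for records the kernel reported as DENIED (ALLOWED/AUDIT records are skipped)."""
    return fields.get('apparmor') == 'DENIED'


def denial_key(fields):
    """Grouping key: profile, class, operation and the requested permission.

    Socket records carry requested="receive"; file records carry requested_mask="r".
    """
    requested = fields.get('requested') or fields.get('requested_mask') or '?'
    return (fields.get('profile', '?'), fields.get('class', '?'),
            fields.get('operation', '?'), requested)


def summarize(lines):
    """Count DENIED records per (profile, class, operation, requested)."""
    counts = Counter()
    for line in lines:
        fields = parse_record(line)
        if fields and is_denied(fields):
            counts[denial_key(fields)] += 1
    return counts


def socket_denials(lines):
    """List net-class denials as (profile, family, peer address, peer port, requested)."""
    found = []
    for line in lines:
        fields = parse_record(line)
        if fields and is_denied(fields) and fields.get('class') == 'net':
            found.append((fields.get('profile'), fields.get('family'), fields.get('faddr'),
                          fields.get('fport'), fields.get('requested')))
    return found


if __name__ == '__main__':
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LINES
    lines = list(source)
    for (profile, cls, op, req), n in sorted(summarize(lines).items()):
        print(f'{n:5d}  {profile}  class={cls} operation={op} requested={req}')
    for profile, family, faddr, fport, req in socket_denials(lines):
        print(f'socket: {profile} {family} peer=[{faddr}]:{fport} requested={req}')
```

Run against a live system the output of interest is the `class=net operation=file_perm requested=receive` row: a non-zero count there for a strictly confined snap, with no matching file denial, is the signature this report describes. Older kernels record network denials with `operation="recvmsg"` rather than `file_perm`, so the grouping by operation also makes a kernel-version difference visible.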
