AppArmor denial cluttering systemd logs

[Ads20000]

audit[6291]: AVC apparmor="DENIED" operation="ptrace" profile="snap.discord.discord" pid=6291 comm="Discord" requested_mask="trace" d (I can't see the rest of the line through systemctl and I can't open the file in Text Editor (it's too big) and cat and nano can't seem to read it (is that normal?)) is repeated many times in /var/log/journal/system.journal making it 100MB for just a few days of logging. The /var/log/journal directory is over 4GB.

[popey]

Yeah, it seems like discord likes to interrogate other applications on the system, probably so it can show to your friends what game you're currently playing. I don't know what we can do about this. I expect there needs to be a tweak to the apparmor policy. I think we may need to get jdstrand involved. Mind starting a forum thread?

[Ads20000]

Will do, thanks for the speedy response 😃

[Ads20000]

See https://forum.snapcraft.io/t/discord-ptrace-apparmor-denials/5099 and https://forum.snapcraft.io/t/auto-connections-for-discord/2392

[Ads20000]

This is fixed with

snap connect discord:system-observe :system-observe
snap connect discord:unity7 :unity7

@popey should that last one be added to the README? Or maybe we could remove them all? I'm not sure Discord needs any of them and seems to only need system-observe and unity7 to end the denials? Perhaps system-observe and unity7 should be listed in the README and nothing listed on the snap store as at current...

[danielesegato]

Sorry, I know this is closed, but the issue is still there.

I do not consider it fixed by running those commands because of 2 reasons:

1. Users should not be required to run a command line instruction manually after install
2. Even running those commands (specifically the system-observe one, the other is already there) some logs are still there

[ 9217.259134] audit: type=1400 audit(1550748163.700:6490): apparmor="DENIED" operation="capable" profile="snap.discord.discord" pid=5462 comm="Discord" capability=19  capname="sys_ptrace"
[ 9222.258887] audit: type=1400 audit(1550748168.700:6491): apparmor="DENIED" operation="capable" profile="snap.discord.discord" pid=5462 comm="Discord" capability=19  capname="sys_ptrace"
[ 9227.261310] audit: type=1400 audit(1550748173.704:6492): apparmor="DENIED" operation="capable" profile="snap.discord.discord" pid=5462 comm="Discord" capability=19  capname="sys_ptrace"
[ 9242.263344] audit: type=1400 audit(1550748188.704:6493): apparmor="DENIED" operation="capable" profile="snap.discord.discord" pid=5462 comm="Discord" capability=19  capname="sys_ptrace"
[ 9247.264970] audit: type=1400 audit(1550748193.708:6494): apparmor="DENIED" operation="capable" profile="snap.discord.discord" pid=5462 comm="Discord" capability=19  capname="sys_ptrace"

this is not acceptable

[Ads20000]

To remove the need to manually connect system-observe we need upstream Discord devs to comment here (or via @flexiondotorg I suppose? Martin can you please get in touch with them since that is what @jdstrand is requiring to get this fixed?)
As for unity7, Martin didn't request for that to be auto-connected, could he please explain why? EDIT: unity7 is actually auto-connected, it just wasn't on my system, so you don't need that command.
I've asked in the forum what could be causing your denials.

Also, please could you (Daniele) attach the outputs of:
snap info discord
snap version
snap info core

You can use the HTML below to make it look nice!

<details>
<summary> Discord x.y.z yyyy-mm-dd (revision) </summary>
$ snap info discord
$ snap version
$ snap info core
</details>

[danielesegato]

Discord 0.0.8 2019-02-14 (91)

 $ snap info discord
name:      discord
summary:   All-in-one voice and text chat for gamers
publisher: Snapcrafters
contact:   https://github.com/snapcrafters/discord/issues
license:   unset
description: |
  All-in-one voice and text chat for gamers that's free, secure, and
  works on both your desktop and phone.
  
  This snap is maintained by the Snapcrafters community, and is not necessarily endorsed or
  officially maintained by the upstream developers.
commands:
  - discord
snap-id:      qHVefGEBezeuCeSfTND40uoUD6GRw8BO
tracking:     stable
refresh-date: 9 days ago, at 16:23 CET
channels:
  stable:    0.0.8 2019-02-14 (91) 69MB -
  candidate: ↑                          
  beta:      0.0.8 2019-02-14 (91) 69MB -
  edge:      0.0.8 2019-02-13 (91) 69MB -
installed:   0.0.8            (91) 69MB -

 $ snap version
snap    2.37.2
snapd   2.37.2
series  16
ubuntu  18.04
kernel  4.15.0-45-generic

$ snap info core
name:      core
summary:   snapd runtime environment
publisher: Canonical✓
contact:   snaps@canonical.com
license:   unset
description: |
  The core runtime environment for snapd
type:         core
snap-id:      99T7MUlRhtI3U0QFgl5mXXESAiSwt776
tracking:     stable
refresh-date: 8 days ago, at 09:28 CET
channels:
  stable:    16-2.37.2                 2019-02-14 (6405) 95MB -
  candidate: 16-2.37.2                 2019-02-12 (6405) 95MB -
  beta:      16-2.37.3                 2019-02-19 (6479) 95MB -
  edge:      16-2.37.3+git1157.1c9d322 2019-02-23 (6501) 93MB -
installed:   16-2.37.2                            (6405) 95MB core

thank you @Ads20000

[Ads20000]

@danielesegato as @diddledan on the forum suggests, could you please run

sudo snap install snappy-debug 

then

snappy-debug.security scanlog

in a Terminal whilst Discord is running? Then provide the output (in <details>), thanks! :)
Also, Daniel reckons that the (manual) solution to your problem is probably

snap connect discord:process-control :process-control

Note that it might not be possible to ever make this automatic because it might be that the snappy team are never convinced that Discord needs these permissions to run. Snaps are confined and should be reasonably safe for you to run, giving Discord automatic access to things like process-control (which it seems to want) may be considered unreasonable by the snappy developers.

[danielesegato]

@Ads20000 it's not gonna contains much usefulness

sys_ptrace snappy debug

= AppArmor =
Time: Feb 25 16:55:33
Log: apparmor="DENIED" operation="capable" profile="snap.discord.discord" pid=7216 comm="Discord" capability=19  capname="sys_ptrace"
Capability: sys_ptrace
Suggestions:
* adjust program to not require 'CAP_SYS_PTRACE' (see 'man 7 capabilities')
* do nothing if program otherwise works properly

[danielesegato]

I totally agree about being unreasonable.
But I still would like to have the log suppressed. (denied silently).

[rigred]

As far as I know, the apparmor logs are somewhat of an issue resulting from the fact that's surprisingly convoluted to deny specific apparmor messages silently in the autogenerated snap apparmor config files. I have a way for doing it manually, but every snap update/tiny change breaks that.

By adding to /var/lib/snapd/apparmor/profiles/snap.discord.discord:

deny capability sys_ptrace,

then running

sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap.discord.discord

[Fuseteam]

what is it even denying? can/should we allow it instead?

…

On Mon, Mar 11, 2019, 15:52 Rigo ***@***.***> wrote: As far as I know, the apparmor logs are somewhat of an issue resulting from the fact that's surprisingly convoluted to deny specific apparmor messages silently in the autogenerated snap apparmor config files. I have a way for doing it manually, but every snap update/tiny change breaks that. By adding to /var/lib/snapd/apparmor/profiles/snap.discord.discord: deny capability sys_ptrace, — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#23 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AJ8GW17mcogqGq6q7PIcLb4PLXn7Au01ks5vVqX2gaJpZM4TfuTg> .

[jdstrand]

As far as I know, the apparmor logs are somewhat of an issue resulting from the fact that's surprisingly convoluted to deny specific apparmor messages silently in the autogenerated snap apparmor config files. I have a way for doing it manually, but every snap update/tiny change breaks that.

By adding to /var/lib/snapd/apparmor/profiles/snap.discord.discord:

deny capability sys_ptrace,

then running

sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap.discord.discord

FYI, my comment here: https://forum.snapcraft.io/t/auto-connections-for-discord/2392/21 where we can update our conditional explicit deny policy.

[themepresse]

This is fixed with

snap connect discord:system-observe :system-observe
snap connect discord:unity7 :unity7

doing this and deactivating streamer mode (searching for running apps like obs, ..) and tracking of currently played games fixed the issue on my end.

[douglasg14b]

I agree with @danielesegato

I don't want to provide the access discord wants, but i don't want it cluttering my log files. I would like it to fail silently. The level of log spam is absurd.

[ThePythonicCow]

See my new analysis of what Discord is doing, and a possible workaround (if the Snap packagers think it is practical) at #43

[mark-kubacki]

It's not that hard to check if the syscall failed (EPERM and similar), set a flag, cease and desist further attempts. Indeed not checking return values is considered a bad practice in software development.

[jdstrand]

canonical/snapd#7019 (ie canonical/snapd@a87003c#diff-a34e166c5b3016c122430c5884f41e9b) was included in snapd 2.40. People who are still seeing this, can you perform snap version and verify you are running 2.40 and comment if you are and still seeing this issue?

[wilx]

I am still seeing this. I have manually connected discord:system-observe, discord:process-control, and discord:network-observe to work around the issue.

> snap version
snap    2.41
snapd   2.41
series  16
ubuntu  19.04
kernel  5.0.0-27-generic

[jdstrand]

I am still seeing this. I have manually connected discord:system-observe, discord:process-control, and discord:network-observe to work around the issue.

> snap version
snap    2.41
snapd   2.41
series  16
ubuntu  19.04
kernel  5.0.0-27-generic

Can you perform a:

$ grep 'deny capability sys_ptrace' /var/lib/snapd/apparmor/profiles/snap.discord.*

If I do that here, I see:

$ grep 'deny capability sys_ptrace' /var/lib/snapd/apparmor/profiles/snap.discord.*
deny capability sys_ptrace,

Also, can you paste some representative apparmor denials you are still seeing?

[jdstrand]

Also note, while discord plugs syste-observe, process-control and network-observe, these are not auto-connected by default.

[wilx]

> grep 'deny capability sys_ptrace' /var/lib/snapd/apparmor/profiles/snap.discord.*
deny capability sys_ptrace,

[11016.951627] kauditd_printk_skb: 84 callbacks suppressed
[11016.951629] audit: type=1400 audit(1568315092.037:149127): apparmor="DENIED" operation="ptrace" profile="snap.discord.discord" pid=18216 comm="Discord" requested_mask="read" denied_mask="read" peer="unconfined"
[11016.951656] audit: type=1400 audit(1568315092.037:149128): apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/proc/2027/cmdline" pid=18216 comm="Discord" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[11016.951670] audit: type=1400 audit(1568315092.037:149129): apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/proc/2043/cmdline" pid=18216 comm="Discord" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[11016.951680] audit: type=1400 audit(1568315092.037:149130): apparmor="DENIED" operation="ptrace" profile="snap.discord.discord" pid=18216 comm="Discord" requested_mask="read" denied_mask="read" peer="unconfined"
[11016.951698] audit: type=1400 audit(1568315092.037:149131): apparmor="DENIED" operation="ptrace" profile="snap.discord.discord" pid=18216 comm="Discord" requested_mask="read" denied_mask="read" peer="unconfined"
[11016.951722] audit: type=1400 audit(1568315092.037:149132): apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/proc/2178/cmdline" pid=18216 comm="Discord" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[11016.951731] audit: type=1400 audit(1568315092.037:149133): apparmor="DENIED" operation="ptrace" profile="snap.discord.discord" pid=18216 comm="Discord" requested_mask="read" denied_mask="read" peer="unconfined"
[11016.951751] audit: type=1400 audit(1568315092.037:149134): apparmor="DENIED" operation="ptrace" profile="snap.discord.discord" pid=18216 comm="Discord" requested_mask="read" denied_mask="read" peer="unconfined"
[11016.951770] audit: type=1400 audit(1568315092.037:149135): apparmor="DENIED" operation="ptrace" profile="snap.discord.discord" pid=18216 comm="Discord" requested_mask="read" denied_mask="read" peer="unconfined"
[11016.951790] audit: type=1400 audit(1568315092.037:149136): apparmor="DENIED" operation="ptrace" profile="snap.discord.discord" pid=18216 comm="Discord" requested_mask="read" denied_mask="read" peer="unconfined"

[jdstrand]

[11016.951629] audit: type=1400 audit(1568315092.037:149127): apparmor="DENIED" operation="ptrace" profile="snap.discord.discord" pid=18216 comm="Discord" requested_mask="read" denied_mask="read" peer="unconfined"
[11016.951656] audit: type=1400 audit(1568315092.037:149128): apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/proc/2027/cmdline" pid=18216 comm="Discord" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

@wilx - right, those are different denials that should go away once you 'snap connect discord:system-observe'.

[douglasg14b]

This is still a, frustrating, issue....

What if I don't want Discord to be connected to system-observe?

[Fuseteam]

@douglasg14b its a "feature" of discord to show off what your doing

[godmar]

A reminder to everyone here, this behavior is not a bug, it's simply logging that snapd protected your system from a very invasive syscall from discord. It's very easy if you want to allow that:

snap connect discord:system-observe :system-observe

This will allow access to the ptrace syscall that discord wants to be able to do.

Are you referring to my post?
Could you share how you concluded that syscall=141 refers to ptrace?

[niyazikemer]

isn't it labeled as bug?

[memory-thrasher]

Strictly speaking, the apparmor profile should explicitly allow or deny every action that the application attempts. Explicitly denied actions are not logged even though they are blocked. So, while I can see the case to be made that this behavior is expected (and indeed it is from the perspective of apparmor), in my opinion, the lack of an explicit deny entry in the apparmor profile is a bug in the profile. These logs exist to tell you that your profile needs fixed. Since snapd generates the profile from the application's manifest, this could be thought of as a bug in either the application manifest failing to ask for that action to be allowed or denied, or in snapd for not providing a manifest syntax to make that feasible. I prefer the latter since this is a very common issue in among snaps.

Ideally, discord should have a user-visible setting to disable whatever feature relies on ptrace, assuming it has a legit reason to do it, but no one puts effort into the linux build of multiplatform apps so that's not going to happen.

[godmar]

isn't it labeled as bug?

Yes, of course it's a bug. If the original Discord application uses the ptrace system call, then the snap must of course allow it (if users don't want this, then let them disable it. Opt-in.)

ptrace is a system call that allows a program to inspect other program run by the same user. For instance, it's used for debugging other programs. Discord might use it to find out what the user is currently running - I've seen some Discord status messages that say: "currently playing minecraft" or similar messages.

Obviously, package providers like snap cannot substitute their own judgement for how an application should work - that's the purview of the user.

[memory-thrasher]

if users don't want this, then let them disable it. Opt-in.

I'd be all for that but snap makes it very hard for users to override the generated profile.

I've seen some Discord status messages that say: "currently playing minecraft" or similar messages.

Just telling which applications are running is possible without ptrace by inspecting /proc/*, which discord also does and is allowed by the default profile.

The thing that gets me is that the feature that says what map someone is playing (in a fps), what queue they are in (in a moba) or what dimension they are in in minecraft - which requires a more in-depth inspection than the procfs can provide - still works on my case in spite of ptrace being denied. I've always wondered how discord manages to do that, and what more it would be using ptrace for if it were allowed. Perhaps it detects ptrace is being denied and uses some other method instead.

[godmar]

You can attach strace. For instance, assuming that - for my warning - 141 actually corresponds to setpriority(2), when I attach strace, I see these calls:

sched_setscheduler(488284, SCHED_RR, [8]) = -1 EPERM (Operation not permitted)
setpriority(PRIO_PROCESS, 488284, -10)  = -1 EPERM (Operation not permitted)

where 488284 is an internal thread previously listed as:

openat(AT_FDCWD, "/proc/487959/task/488284/status", O_RDONLY|O_CLOEXEC) = 98
...
read(98, "Name:\tAudioOutputDevi\nUmask:\t000"..., 4096) = 1558

Presumably, they are trying to assign this thread to the real-time scheduling priority class (SCHED_RR) and then try to increase its priority to -10 (with -20 being the highest). This may be an attempt to achieve smooth audio output.

Unfortunately, the real-time priority classes are reserved for root (typically), so they cannot possibly expect that to work.
I note that the attempt to put the thread into SCHED_RR doesn't trigger a warning, so maybe that's covered by the AppArmor profile. Why then am I seeing a warning about the setpriority call?

[memory-thrasher]

Unfortunately, the real-time priority classes are reserved for root (typically), so they cannot possibly expect that to work.

Root is not the only way to gain access to RT priority. A non-root app can increase it's own priority or the priority of any other app if it has the CAP_SYS_NICE capability, or the (overloaded) CAP_SYS_ADMIN capability. Check your strace to see which of those it is requesting. It is unfortunately common practice for apparmor profiles to hand out sys_admin capability. Chrome and its derivatives use it to create a sandbox (imo that defeats the purpose of a sandbox).

[memory-thrasher]

doing a public service by repackaging it into a snap.

I love your sense of humor.

Dude that's exactly what snapcrafters does. See https://github.com/snapcrafters

We are a group of volunteers who maintain snap packages for third-party software. We publish more than 70 snaps used by 1.5 million weekly active devices across 50+ distributions. Our goal is to be a trusted and reliable source for high-quality snaps.

[mk-pmb]

@memory-thrasher
The joke was about snaps being a public dis-service.

[memory-thrasher]

@memory-thrasher The joke was about snaps being a public dis-service.

Ok fair. I do hate everything about snap and would gladly live without it if discord had another sane deployment option. Manually re-downloading a deb annoyed me just as much.

[mk-pmb]

For a "sane" deployment you need an automated setup mechanism for generating a fresh clean sandbox (probably in qemu) with just minimal config each time you want to start discord. Checking for a new deb and potentially downloading it should be a tiny part in comparison.

[memory-thrasher]

For a "sane" deployment you need an automated setup mechanism for generating a fresh clean sandbox (probably in qemu) with just minimal config each time you want to start discord. Checking for a new deb and potentially downloading it should be a tiny part in comparison.

That doesn't sound sane to me. Discord has too many features that wouldn't work when sandboxed (screen sharing for example). I am talking about the deployment environment discord should provide. It would not include any sandboxing because discord devs trust discord devs. Sandboxing is what a (paranoid) user would add. It would update itself as it does on windows without a third-party sandboxing tool like snap to find and whine about suspicious system calls and we would never know.

That is very different from the insane (paranoid) user setup that I am now considering implementing. There is also a tarball download option for discord. I am looking at putting that into a user-writable directory that is covered by a strict, static, custom-made apparmor profile.

[godmar]

It is unfortunately common practice for apparmor profiles to hand out sys_admin capability.

Explain what you mean by that.

Do you think Discord expects to be packaged in a snap in a way that it has CAP_SYS_NICE or CAP_SYS_ADMIN capabilities when running? That sounds outlandish - but we're in the world of snaps, so I'm prepared for surprises.

Also, how can an apparmor profile hand out elevated privileges? I was under the assumption that this would require setcap on the executable.

[memory-thrasher]

It is unfortunately common practice for apparmor profiles to hand out sys_admin capability.

Explain what you mean by that.

Do you think Discord expects to be packaged in a snap in a way that it has CAP_SYS_NICE or CAP_SYS_ADMIN capabilities when running? That sounds outlandish - but we're in the world of snaps, so I'm prepared for surprises.

Also, how can an apparmor profile hand out elevated privileges? I was under the assumption that this would require setcap on the executable.

System capabilities are separate from and predate apparmor. You're right, apparmor does not hand them out, and the app does have to request them. Apparmor can either deny the request or allow it. What I mean is that it is common for apps to require admin ("require" means the app crashes if the capability is denied), and therefore it is also common for apparmor profiles to explicitly allow the application to acquire that capability. As the apparmor docs say regarding granting capabilities:

Note that granting some capabilities renders AppArmor confinement for that domain advisory; while open(2), read(2), write(2), etc., will still return error when access is not granted, some capabilities allow loading kernel modules, arbitrary access to IPC, ability to bypass discretionary access controls, and other operations that are typically reserved for the root user.

[godmar]

I think this would require to run the app as sudo (or in a container).

This is because below all of snap, AppArmor, containers, etc. you still have the old-fashioned Unix model where you can't just declare that you want to be or partially act like root.

[memory-thrasher]

I think this would require to run the app as sudo (or in a container).

One would think, but no. It only has to have the capability set on the binary (the same way sudo gains root), and that bit is set by the installer (snap or deb).

[memory-thrasher]

ofc, only root can set that bit, but everyone and their dog runs the installers as root because they've been trained to.

[godmar]

getcap /snap/discord/204/usr/share/discordgetcap /snap/discord/204/usr/share/discord/Discord shows empty and it's not setuid, either. So (fortunately) not that outlandish.
I'm glad I'm not running a setuid executable with a 164MB large text segment.

[memory-thrasher]

getcap /snap/discord/204/usr/share/discord shows empty.

well on my box that is a directory so yeah.

[godmar]

Copy and paste mistake. I meant /snap/discord/204/usr/share/discord/Discord

[memory-thrasher]

hmm. sudo is also showing empty on my end. I've never used getcap so I can't speak to what it can and cannot detect. I know from past experience with other snaps (a chrome derivative browser called brave) that the application was requesting and getting cap_sys_admin. I'm using that browser now with the --no-sandbox option because that allows it to run with that capability denied. I don't have time to do a deep dive today but I plan to set up that insane environment I described above and then I'll get back to you with what capabilities discord is requesting and where.

[memory-thrasher]

Do you think Discord expects to be packaged in a snap in a way that it has CAP_SYS_NICE or CAP_SYS_ADMIN capabilities when running?

to answer your question though, yes and no, I think discord expects to be packaged in a way that does not deny those capabilities. Apparmor allows everything when there is no profile for an executable, and lots of apps use those capabilities, even when run without root. If it were run as root, it would not need capabilities to grant subsets of what root can always do. Giving non-root applications specific elevated capabilities is why the whole concept of capabilities exists.

[andoks]

Thanks to some comments in this thread, I got rid of most of the spam that was printed on a regular interval by copying the discord snap profile (/var/lib/snapd/apparmor/profiles/snap.discord.discord) and adding the following all at the end, just before the last curly brace

... content over here
# - https://gitlab.com/apparmor/apparmor/-/issues/72
# - https://serverfault.com/questions/954264/reducing-the-verbosity-of-auditd-my-minimal-rules-catch-stuff-they-should-not
deny /proc/** r,
deny ptrace,
}

Then loading this change using sudo apparmor_parser --replace snap.discord.discord.apparmor-custom

I am running Ubuntu 22.04.4 LTS

EDIT: I just saw that this already has been posted #23 (comment)

[mjpowersjr]

Sorry if this was already posted, but I wanted to share a completely different solution I've been very happy with. I completely removed the Discord application from my system, and proceeded to create a application shortcut to discord from my browser. This created a .desktop shortcut on my desktop. Once I launched the application once, I was able to pin it to the dock in Ubuntu, and delete the desktop shortcut.

I've used both the deb packages and snap packages in the past - but this is by far the best experience I've had. (I'm sure some features are not available with this approach, but so far it's been great for my usage...)

https://superuser.com/questions/33548/starting-google-chrome-in-application-mode

[memory-thrasher]

Thanks to some comments in this thread, I got rid of most of the spam that was printed on a regular interval by copying the discord snap profile (/var/lib/snapd/apparmor/profiles/snap.discord.discord) and adding the following all at the end, just before the last curly brace

... content over here
# - https://gitlab.com/apparmor/apparmor/-/issues/72
# - https://serverfault.com/questions/954264/reducing-the-verbosity-of-auditd-my-minimal-rules-catch-stuff-they-should-not
deny /proc/** r,
deny ptrace,
}

Then loading this change using sudo apparmor_parser --replace snap.discord.discord.apparmor-custom

I am running Ubuntu 22.04.4 LTS

That'll work in the short term but expect troubles with the next update. Snap will regenerate a new profile with those rules still missing, and attempt to load it. Either it'll replace yours or it'll fail to load, depending on how snap attempts it.

[Fuseteam]

Ideally, discord should have a user-visible setting to disable whatever feature relies on ptrace, assuming it has a legit reason to do it, but no one puts effort into the linux build of multiplatform apps so that's not going to happen.

To bring context back, the logs are indeed a sign that action should be taken. That action is the command @kenvandine posted.

A reminder to everyone here, this behavior is not a bug, it's simply logging that snapd protected your system from a very invasive syscall from discord. It's very easy if you want to allow that:

snap connect discord:system-observe :system-observe

This will allow access to the ptrace syscall that discord wants to be able to do.

The solution is technically to have that be autoconnected but half this thread does not want that despite this being a built in function of discord: rich presence. Discord has a ui switch for it, but it's only surface level. This is the conclusion reached years ago.

There has been attenpts to reach out to discord about it, but afaict discord has been despondent.

However if the decision has been made to no longer pursue autoconnection— perhaps the permission should be denied by default, maybe a PR is in order?

[memory-thrasher]

That action is the command @kenvandine posted.

That's a temporary, per-installation measure. Even when pasted into the readme, that is at best a workaround. The default profile (generated from the manifest) should work without log spam, one way or the other.

The solution is technically to have that be autoconnected but half this thread does not want that

Yes and yes. I for one do not want discord to have ptrace, but I can do that on my end so I don't care much what the default is.

Discord has a ui switch for it

Where? I looked through the entire settings menu and could not find one, nor can I now with internet searches.

However if the decision has been made to no longer pursue autoconnection— perhaps the permission should be denied by default, maybe a PR is in order?

Agreed. The current default behavior is agreeably broken, and this is the smallest change that fixes it (as it's denied now, just less quietly). The readme will still be there for people who want to enable it (though might need re-wording), though I for the life of me cannot tell what feature needs ptrace (as previously stated, everything that should need it seems to work without it) and therefore I cannot imagine anyone going out of their way to enable it.

[andoks]

I myself would really like it if the discord snap would deny the above mentioned instead of logging them.

Alternatively this sounds like a case for some way for users to be able to add permanent modifications to their snap app profiles, in theory this could perhaps even be some sort of GUI, but that would probably be a lot of work if it doesn't exist already. One alternative perhaps could be to have some sort of patch files that are automatically applied to new versions or something like that.

The solution is technically to have that be autoconnected but half this thread does not want that

Yes and yes. I for one do not want discord to have ptrace, but I can do that on my end so I don't care much what the default is.

Same here, I do not need discord to announce my activities, or even for it to know about it itself.

[memory-thrasher]

users to be able to add permanent modifications to their snap app profiles, in theory this could perhaps even be some sort of GUI

That's not a bad idea, but is way beyond what this repo is about. That would be a feature of snap or a new package entirely.

I do not need discord to announce my activities, or even for it to know about it itself.

Again, discord seems to do this even while ptrace is denied. ptrace being denied does not seem to affect what features work at all in my testing. Your (andoks) deny /proc/* rule is what keeps that from happening.

[memory-thrasher]

@godmar

getcap /snap/discord/204/usr/share/discordgetcap /snap/discord/204/usr/share/discord/Discord shows empty and it's not setuid, either. So (fortunately) not that outlandish. I'm glad I'm not running a setuid executable with a 164MB large text segment.

Turns out discord tarball and snap behave very differently, but both use an external suid binary to gain temporary elevation and then capabilities from there.

snap:

strace shows that executing /snap/bin/discord executes /snap/snapd/21759/usr/lib/snapd/snap-confine which is suid. (I expect the number 21759 to vary, idk what it is). Snap elevates for the purpose allowing it to sandbox. If I run it from a non-suid mount, also via strace, it spits out this very clear message:

write(2, "need to run as root or suid", 27need to run as root or suid) = 27

When allowed to run normally, the snap discord wrapper eventually calls the actual discord binary like so:

/snap/discord/204/usr/share/discord/Discord --use-tray-icon --no-sandbox --disable-seccomp-filter-sandbox

While that binary runs as the normal user, it clearly has capabilities that were set up by (and inherited from) the "confine" process. From previous experience, --no-sandbox --disable-seccomp-filter-sandbox are both chrome cli options. Discord uses the chrome library to render itself since it is essentially an installed web application.

tarball:

The discord tarball includes a bundled install of chrome, including a binary called chrome-sandbox which is also suid. Running the Discord binary without arguments and under a apparmor profile that denies suid results in this error:

[20584:0817/135702.998411:FATAL:setuid_sandbox_host.cc(158)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that [redacted]/Discord/chrome-sandbox is owned by root and has mode 4755.

I am currently working on creating a restrictive apparmor profile that will allow me to run discord without snap nor the obtrusive system calls.