Avoid AppArmor denials #5

Open
iramello opened this issue Nov 3, 2020 · 13 comments

@iramello

iramello commented Nov 3, 2020

Hi, I'm using Ubuntu 20.04. What are the required AppArmor commands in order to prevent AppArmor from denying fakecamera?
I've just run

ivan@anecua:~$ sudo aa-complain /snap/bin/fakecam
Profile for /usr/bin/snap not found, skipping

But it doesn't seem to help.

kern.log:

[63332.841584] audit: type=1400 audit(1604402735.001:6886): apparmor="DENIED" operation="open" profile="snap.fakecam.gui" name="/sys/fs/cgroup/cpuset/cpuset.cpus" pid=127586 comm="python3" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[63839.639750] audit: type=1400 audit(1604403241.799:6887): apparmor="DENIED" operation="open" profile="snap.fakecam.gui" name="/proc/127118/mountinfo" pid=127118 comm="python3" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[63839.639772] audit: type=1400 audit(1604403241.799:6888): apparmor="DENIED" operation="open" profile="snap.fakecam.gui" name="/proc/127118/mounts" pid=127118 comm="python3" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

I get a black video when opening fakecamera.
My suggestion for you is to add an apparmor profile in an installation so it doesn't get blocked wherever it's enabled.
Thanks in advance for your help.

@lucyllewy
Contributor

I'm really not sure what the cause of the black screen is, but I have noticed that if you "turn it off and on again" that usually fixes it

@iramello
Author

iramello commented Nov 3, 2020

Thanks for the quick reply @diddledan
I'm quite sure it's due to AppArmor constantly blocking the app 🤦‍♂️
Unfortunately that workaround does not work for me

@AndyChatwin

Hi,
I'm using Ubuntu 20.04 and getting the same black screen and AppArmor denials.
Restarting the app does not change the issue. Do you have any other thoughts?
Thanks for your help

@iramello
Author

iramello commented Nov 4, 2020

I just temporarily disabled AppArmor (apparmor=0 as kernel parameter in grub). No more denials of course, but I still get a black screen :(
What else could I try?
Thanks

@paulikt

paulikt commented Nov 4, 2020

I am having the same issue on 20.04, still no idea though how to fix it.
Is the high CPU load normal?

@Nisc3d

Nisc3d commented Nov 24, 2020

I also have this problem. AppArmor is showing denied messages and the output is black in Discord or Microsoft Teams. If I open /dev/video20 in VLC it works, but the image is also blue. And the CPU usage is very high.

@psychoatberea

psychoatberea commented Jan 7, 2021

Also having this issue on 20.04, I get a 40+ second lag on video, only a couple of frames here and there. I had uninstalled the snap and re-installed it fresh later, and had great success, was able to do a meeting a few days later. Tried to launch it today, and at first I didn't get anything, then after a reboot I was back to the really laggy operation I had before I re-installed. Running on AMD® Fx-8800p radeon r7, 12 compute cores 4c+8g × 4, 64 bit architecture, AMD® Bonaire / AMD® Radeon r7 graphics on a Lenovo laptop. I'm odd man out, CPU was kicking at max 10%.

Jan  6 21:08:47 The kernel: [  455.604034] audit: type=1400 audit(1609985327.445:80): apparmor="DENIED" operation="open" profile="snap.fakecam.gui" name="/proc/5191/mounts" pid=5191 comm="python3" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Jan  6 21:08:51 The python3[5191]: Theme parsing error: gtk.css:1555:23: 'font-feature-settings' is not a valid property name
Jan  6 21:08:51 The python3[5191]: Theme parsing error: gtk.css:3591:25: 'font-feature-settings' is not a valid property name
Jan  6 21:08:51 The python3[5191]: Theme parsing error: gtk.css:4053:23: 'font-feature-settings' is not a valid property name
Jan  6 21:08:51 The kernel: [  460.051125] audit: type=1400 audit(1609985331.893:81): apparmor="DENIED" operation="open" profile="snap.fakecam.gui" name="/proc/5191/mountinfo" pid=5191 comm="gmain" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Jan  6 21:08:51 The kernel: [  460.051212] audit: type=1400 audit(1609985331.893:82): apparmor="DENIED" operation="open" profile="snap.fakecam.gui" name="/etc/fstab" pid=5191 comm="python3" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jan  6 21:08:51 The kernel: [  460.051231] audit: type=1400 audit(1609985331.893:83): apparmor="DENIED" operation="open" profile="snap.fakecam.gui" name="/proc/5191/mountinfo" pid=5191 comm="python3" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Jan  6 21:08:51 The kernel: [  460.051245] audit: type=1400 audit(1609985331.893:84): apparmor="DENIED" operation="open" profile="snap.fakecam.gui" name="/proc/5191/mounts" pid=5191 comm="python3" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Jan  6 21:08:51 The python3[5191]: Error creating IO channel for /proc/self/mountinfo: Permission denied (g-file-error-quark, 2)

Not sure if it helps any, I didn't see any other posts that had a solution (then again, there could have been one right in front of me...).

@TobiPeterG

Unfortunately, I have the same issue.
The window is just black, on latest Ubuntu 21.04.

Has anyone already found a fix?

@patbakdev

This worked for me. But I have zero experience with AppArmor and I have no idea how much of a security risk these settings are (especially the /proc change):

In both of these files:
/var/lib/snapd/apparmor/profiles/snap.fakecam.fakecam
/var/lib/snapd/apparmor/profiles/snap.fakecam.gui

I added the following before the last }

/dev/video* rw,
/proc/*/mount rw,

Then run the command to reload:

sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap.fakecam.*
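
Added example (not part of the thread and not code from the fakecam project): a Python check that tests the rules posted above against the denials quoted in this thread, using a simplified subset of AppArmor path globbing. The function names and the `/proc/[0-9]*/` PID generalisation are assumptions of this example.

```python
import re

# Denials copied from the kernel log excerpts in this thread (timestamps dropped).
SAMPLE_LOG = '''\
audit: type=1400 audit(1604402735.001:6886): apparmor="DENIED" operation="open" profile="snap.fakecam.gui" name="/sys/fs/cgroup/cpuset/cpuset.cpus" pid=127586 comm="python3" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1604403241.799:6887): apparmor="DENIED" operation="open" profile="snap.fakecam.gui" name="/proc/127118/mountinfo" pid=127118 comm="python3" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit: type=1400 audit(1604403241.799:6888): apparmor="DENIED" operation="open" profile="snap.fakecam.gui" name="/proc/127118/mounts" pid=127118 comm="python3" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit: type=1400 audit(1609985331.893:82): apparmor="DENIED" operation="open" profile="snap.fakecam.gui" name="/etc/fstab" pid=5191 comm="python3" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
'''
POSTED_RULES = ["/dev/video* rw,", "/proc/*/mount rw,"]  # as posted in the comment above
DENIED_RE = re.compile(r'apparmor="DENIED" operation="[^"]+" profile="([^"]+)" '
                       r'name="([^"]+)".*?denied_mask="([^"]+)"')

def parse_denials(log):
    """Unique (profile, path, denied_mask) tuples, sorted."""
    return sorted(set(DENIED_RE.findall(log)))

def aa_glob_to_regex(glob):
    """AppArmor glob subset: ** crosses '/', * and ? do not, [...] is a character class."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
        elif glob[i] == "[":
            j = glob.index("]", i)
            out.append(glob[i:j + 1])
            i = j + 1
        else:
            out.append({"*": "[^/]*", "?": "[^/]"}.get(glob[i], re.escape(glob[i])))
            i += 1
    return re.compile("".join(out) + r"\Z")

def rule_covers(rule, path, mask):
    """True if a 'PATH PERMS,' profile rule grants every denied permission on path."""
    glob, perms = rule.rstrip(",").split()
    return bool(aa_glob_to_regex(glob).match(path)) and set(mask) <= set(perms)

def uncovered(denials, rules):  # denials that none of the given rules would allow
    return [d for d in denials if not any(rule_covers(r, d[1], d[2]) for r in rules)]

def suggest_rule(path, mask):
    """Narrowest rule for a denial: only the PID is generalised, only the denied mask granted."""
    return re.sub(r"^/proc/\d+/", "/proc/[0-9]*/", path) + " " + mask + ","

if __name__ == "__main__":
    denials = parse_denials(SAMPLE_LOG)
    print("not covered by posted rules:", [d[1] for d in uncovered(denials, POSTED_RULES)])
    print("narrowest rules:", sorted({suggest_rule(p, m) for _, p, m in denials}))
```

On these lines the posted `/proc/*/mount rw,` rule covers none of the denials, because the pattern ends in `mount` and so matches neither `mounts` nor `mountinfo`; every denial is for read access only. snapd regenerates the files under /var/lib/snapd/apparmor/profiles, so hand edits made there do not persist.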

@TobiPeterG

> This worked for me. But I have zero experience with AppArmor and I have no idea how much of a security risk these settings are (especially the /proc change):
>
> In both of these files:
> /var/lib/snapd/apparmor/profiles/snap.fakecam.fakecam
> /var/lib/snapd/apparmor/profiles/snap.fakecam.gui
>
> I added the following before the last }
>
> /dev/video* rw,
> /proc/*/mount rw,
>
> Then run the command to reload:
>
> sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap.fakecam.*

Interesting, I added these lines, but I still get apparmor denials

@patbakdev

patbakdev commented Aug 12, 2021

I did get a denial for /proc/sys/vm/nr_hugepages, but it runs for me. What are the specific denials?
I am on Manjaro-5.10.56-1. And am running from the --beta snap, but I think it should work with stable.

The GUI is also asking for /proc/*/mountinfo and /etc/fstab. I don't know why it needs the last one.
Also, these files seemed to have reverted back (my changes are no longer there)

@patbakdev

This is very strange. The CLI works; the GUI works (minus preview image), but those files no longer have my changes (I even reloaded them to see if it would stop working) and I am getting apparmor DENIED for mount, mountpoints, nr_hugepages, but not video*.

When I took a closer look at the profile file it actually already had /dev/video[0-9]* rw, so I wonder if everything in the profiles were correct, but I somehow trigger a load that wasn't working for some reason.

Time for a reboot. :)

@patbakdev

Still works for me after a reboot. But I don't know why.
