Okular libGL Error when using 100% permissive AppArmor + bwrap (TW 20210524)

When combining AppArmor and bwrap (both 100% permissive), one gets libGL error
messages (see below) when starting /usr/bin/okular. As long as one starts okular
with only one of those two, there are no libGL errors at all.

(1) bwrap without AppArmor => OK

When starting Okular in a permissive bwrap environment (without any
AppArmor configuration), everything works well:

bwrap --dev-bind / / /usr/bin/okular

=> no libGL error

(2) AppArmor without bwrap => OK

When putting a maximally permissive AppArmor configuration
in place (being in complain mode - nothing should be blocked at all)

abi <abi/3.0>,
include <tunables/global>
/usr/bin/okular flags=(complain) {
  include <abstractions/base>
  capability,
  network,
  mount,
  remount,
  umount,
  pivot_root,
  ptrace,
  signal,
  dbus,
  unix,
  file,
}

then okular starts without any error message:

/usr/bin/okular

=> no libGL error

(3) AppArmor + bwrap => libGL error

But when combining those two (both in 100% permissive
mode - for AppArmor configuration see (2)),

bwrap --dev-bind / / /usr/bin/okular

then I see the following error message:

libGL error: MESA-LOADER: failed to retrieve device information
libGL error: Version 4 or later of flush extension not found
libGL error: failed to load driver: i915

Can anyone help me with that? A bug?

Many thanks.

System details:

Tumbleweed 20210524
okular-21.04.1-1.2.x86_64
bubblewrap-0.4.1-1.6.x86_64
apparmor-parser-3.0.1-7.1.x86_64

PS: I think somewhere I saw a comment that bubblewrap does
not support OpenGL. Nevertheless (1) seems to work (as does
glxgears, glxinfo, etc. with bubblewrap). Though somehow the
combination of AppArmor and bwrap (both permissive)
seems to break OpenGL (or parts of it).

One more piece of information. In /var/log/audit/audit.log I see the following “allowed” messages by AppArmor …

type=AVC msg=audit(1622652489.369:12419): apparmor="ALLOWED" operation="getattr" info="Failed name lookup - disconnected path" error=-13 profile="/usr/bin/okular" name="dev/dri/card0" pid=31174 comm="okular" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1622652489.373:12420): apparmor="ALLOWED" operation="getattr" info="Failed name lookup - disconnected path" error=-13 profile="/usr/bin/okular" name="dev/dri/card0" pid=31174 comm="okular" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

It seems that bubblewrap causes removal of the leading slash:

name="dev/dri/card0"

But still access seems to be allowed according to AppArmor:

apparmor="ALLOWED"

Even though the following part of the message

info="Failed name lookup - disconnected path" error=-13

does not look very promising. Though maybe a bug in bubblewrap, but not in AppArmor?
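As an added example (mine, not part of the post): a small parser for audit records like the ones above. It flags "disconnected path" events, i.e. AppArmor records whose name= field lacks a leading slash because the kernel could not resolve the path against the process's mount namespace root, and it reads apparmor= together with denied_mask= to tell a complain-mode ALLOWED record (which would become DENIED under an enforcing profile) from an actual denial. The two records from the post are the input; a third record, labelled constructed, shows the enforce-mode form and is not from the post.

```python
import re

# Sample input: the two audit records quoted in the post, plus one
# constructed record (not from the post) that shows the same failure under an
# enforcing profile, where the status field reads DENIED instead of ALLOWED.
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1622652489.369:12419): apparmor="ALLOWED" operation="getattr" '
    'info="Failed name lookup - disconnected path" error=-13 profile="/usr/bin/okular" '
    'name="dev/dri/card0" pid=31174 comm="okular" requested_mask="r" denied_mask="r" '
    'fsuid=1000 ouid=0',
    'type=AVC msg=audit(1622652489.373:12420): apparmor="ALLOWED" operation="getattr" '
    'info="Failed name lookup - disconnected path" error=-13 profile="/usr/bin/okular" '
    'name="dev/dri/card0" pid=31174 comm="okular" requested_mask="r" denied_mask="r" '
    'fsuid=1000 ouid=0',
    # constructed record (hypothetical enforce-mode profile, not from the post)
    'type=AVC msg=audit(1622652500.000:12421): apparmor="DENIED" operation="open" '
    'info="Failed name lookup - disconnected path" error=-13 profile="/usr/bin/okular" '
    'name="dev/dri/renderD128" pid=31180 comm="okular" requested_mask="r" denied_mask="r" '
    'fsuid=1000 ouid=0',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
_FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_audit_line(line: str) -> dict:
    """Split one audit record into a dict of field name -> value (quotes stripped)."""
    fields = {}
    for key, raw in _FIELD_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def is_disconnected_path_event(fields: dict) -> bool:
    """True for an AppArmor record whose path could not be attached to the namespace root.

    The tell-tale signs are the "disconnected path" info text and a name=
    value without a leading slash (e.g. dev/dri/card0 instead of /dev/dri/card0).
    """
    name = fields.get("name", "")
    return (
        fields.get("type") == "AVC"
        and "apparmor" in fields
        and "disconnected path" in fields.get("info", "")
        and name != ""
        and not name.startswith("/")
    )


def verdict(fields: dict) -> str:
    """Interpret the apparmor= status together with denied_mask=.

    In complain mode the kernel logs ALLOWED but still fills denied_mask with
    what an enforcing profile would have refused.
    """
    status = fields.get("apparmor")
    if status == "DENIED":
        return "enforce-mode: denied"
    if status == "ALLOWED" and fields.get("denied_mask"):
        return "complain-mode: would be denied when enforcing"
    return "allowed"


def find_disconnected_path_events(lines) -> list:
    """Return a summary dict for every disconnected-path record in `lines`."""
    events = []
    for line in lines:
        fields = parse_audit_line(line)
        if is_disconnected_path_event(fields):
            events.append({
                "profile": fields.get("profile"),
                "comm": fields.get("comm"),
                "operation": fields.get("operation"),
                "name": fields["name"],
                "verdict": verdict(fields),
            })
    return events


if __name__ == "__main__":
    for ev in find_disconnected_path_events(SAMPLE_AUDIT_LINES):
        print(f'{ev["profile"]} ({ev["comm"]}): {ev["operation"]} on disconnected '
              f'path "{ev["name"]}" -> {ev["verdict"]}')
```

Run it against a real /var/log/audit/audit.log by replacing SAMPLE_AUDIT_LINES with the file's lines; records from a profile in complain mode that carry a denied_mask are the ones that will start failing once the profile is switched to enforce mode.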

I found out a bit more. When adding flag

flags=(attach_disconnected)

to the AppArmor profile of okular (not recommended),
then there are no “libGL errors” anymore in case (3) (AppArmor + bwrap). See

man apparmor.d

for details about “attach_disconnected”.
Also the error messages about “dev/dri/card0” in “audit.log” are gone.
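As an added illustration (my example, not the poster's profile): the profile from (2) with attach_disconnected combined with complain, using the comma-separated flag list syntax that apparmor.d(5) documents. The comment states why such a flag deserves caution in a profile narrower than this all-permissive one: a disconnected path is matched as if it hung off the namespace root, so a path rule written for the host's file can match a different file of the same name inside the sandbox's mount namespace.

```apparmor
abi <abi/3.0>,
include <tunables/global>

# Added example profile, not the original poster's file. attach_disconnected
# makes a disconnected path such as dev/dri/card0 match as /dev/dri/card0, so
# in a restrictive profile a rule like "/dev/dri/card0 r," could match an
# object inside a bwrap mount namespace that is not the host's device node.
# This profile still allows everything (file, dbus, ...), as in case (2).
/usr/bin/okular flags=(complain,attach_disconnected) {
  include <abstractions/base>
  capability,
  network,
  mount,
  remount,
  umount,
  pivot_root,
  ptrace,
  signal,
  dbus,
  unix,
  file,
}
```

Reload the profile with apparmor_parser -r on the profile file (as root) after editing; the “dev/dri/card0” records in audit.log should then stop appearing, as described above.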

Unfortunately AppArmor complains about several other files now (which are
all allowed - since this AppArmor profile allows everything).

Though finally I think it is a bug in AppArmor and not in bwrap. Maybe AppArmor
is not properly prepared to deal with user namespaces. In any case the problem
must be on the side of AppArmor since the functionality of AppArmor should
not be altered by anything a user does in user space.