ArmCord / ArmCord

ArmCord is a custom client designed to enhance your Discord experience while keeping everything lightweight.
https://armcord.app
Open Software License 3.0

Accesses to /proc/*/cmdline cause millions of AppArmor violations #647

Open unpick opened 3 months ago

unpick commented 3 months ago

Describe the bug

ArmCord appears to be continually scanning through /proc. Under Ubuntu, when ArmCord is installed via a snap, AppArmor objects to ArmCord's attempts to open the /proc/*/cmdline files. This results in countless entries like this in /var/log/syslog:

Jul 6 22:19:38 hostname kernel: [10003.301654] audit: type=1400 audit(1720322378.834:7085): apparmor="DENIED" operation="open" class="file" profile="snap.armcord.armcord" name="/proc/13034/cmdline" pid=23944 comm="armcord" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

There are already over 400,000 lines like this in the syslog on my machine (there would be many more but the syslog gets so overloaded it has to drop most of them), and the syslog is more than 100 times larger than normal. This also causes a significant system load while ArmCord is running.

To Reproduce

Steps to reproduce the behavior:

  1. On Ubuntu 22.04, run snap install armcord
  2. Run tail -f /var/log/syslog
  3. Start armcord
  4. See many errors

Expected behavior

ArmCord should not behave in a way that triggers AppArmor. Grepping /proc/*/cmdline is sometimes used to find which commands are running (searching for other ArmCord instances?), but there are other ways to achieve this. Importantly, ArmCord should not retry these accesses in a tight loop. If it fails it should give up, maybe fall back to calling system("ps ..."), because AppArmor won't change its mind.

Additional context

This does not occur with any other snaps I have encountered so far.

smartfrigde commented 3 months ago

This is caused by arRPC process scanning. It tries to detect games. I would suggest you open an issue upstream, unless there's something I can do from packaging level to stop these violations (like giving additional permissions)?

unpick commented 3 months ago

(For the benefit of future readers, I believe that "arRPC process" in this context refers to a Node.js "process", which may loosely be thought of as an operating system thread. From a user perspective, it's the main ArmCord process that AppArmor's syslog entries refer to.)

You're right, disabling arRPC fixed this:

⚙️ > ArmCord Settings 🔌 > Rich Presence (Experimental) > off

I've filed a ticket on the arRPC repository.

There is an AppArmor profile config generated when the snap is installed, in this case /var/lib/snapd/apparmor/profiles/snap.armcord.armcord ... that could be used to create an exemption.
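
For triaging a log flood like the one reported in this issue, the following is an added example (not part of the thread, and not ArmCord or arRPC code): a Python summarizer for AppArmor denial lines in the syslog format quoted above. It groups denials by profile, command, operation and path, with the PID in /proc paths normalized so that one process scanner shows up as a single counter. The first sample line is the one from the report; the others are constructed from it.

```python
import re
from collections import Counter

# key=value or key="value" pairs as they appear in kernel audit records
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# numeric PID component at the start of a /proc path, e.g. /proc/13034/cmdline
PROC_PID_RE = re.compile(r'^/proc/\d+(?=/|$)')


def parse_denial(line):
    """Return the audit fields of an AppArmor DENIED line as a dict, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields = {}
    for key, raw, quoted in KV_RE.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields


def summarize(lines):
    """Count denials per (profile, comm, operation, normalized path)."""
    counts = Counter()
    for line in lines:
        f = parse_denial(line)
        if f is None:
            continue  # not an AppArmor denial
        path = PROC_PID_RE.sub('/proc/<pid>', f.get('name', '?'))
        key = (f.get('profile', '?'), f.get('comm', '?'),
               f.get('operation', '?'), path)
        counts[key] += 1
    return counts


# Line quoted in the report
REPORTED = ('Jul 6 22:19:38 hostname kernel: [10003.301654] audit: type=1400 '
            'audit(1720322378.834:7085): apparmor="DENIED" operation="open" '
            'class="file" profile="snap.armcord.armcord" '
            'name="/proc/13034/cmdline" pid=23944 comm="armcord" '
            'requested_mask="r" denied_mask="r" fsuid=1000 ouid=0')
# Constructed sample: the same denial for other PIDs, plus an unrelated line
SAMPLE = [REPORTED]
SAMPLE += [REPORTED.replace('/proc/13034/', f'/proc/{n}/') for n in (1, 977, 13035)]
SAMPLE.append('Jul 6 22:19:39 hostname systemd[1]: Started constructed.service.')

if __name__ == '__main__':
    for (profile, comm, op, path), n in summarize(SAMPLE).most_common(10):
        print(f'{n:8d}  {profile}  {comm}  {op}  {path}')
```
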