canonical / steam-snap

Steam as a snap

Wrong steam snapd apparmor profile breaks proton games. #356

Open Roman2dot0 opened 6 months ago

Roman2dot0 commented 6 months ago

Ensure there isn't an existing issue for this and check the wiki

Current Behavior

Launch a game that uses Proton, Frostpunk for example, and the game will crash. Proton version is 8.0-4.

Expected Behavior

Game starts without errors.

Steps To Reproduce

No response

Environment

os_release:
    name:               "Ubuntu"
    version:            "24.04 (Noble Numbat)"
snap_info:
    steam_revision:     171
    snapd_revision:     20671
lspci:
    00:02.0:            Intel Corporation TigerLake-LP GT2 [Iris Xe Graphics] (rev 01)
glxinfo:
    gpu:                Mesa Intel(R) Xe Graphics (TGL GT2)
    gpu_version:        4.6 (Core Profile) Mesa 23.3.2 - kisak-mesa PPA
lscpu:
    model_name:         11th Gen Intel(R) Core(TM) i7-1185G7 @ 3.00GHz
xdg_current_desktop:    KDE
desktop_session:        plasmawayland

gaming-graphics-core22 version

kisak-fresh (default)

Anything else?

Game fails with log:

bwrap: Can't mount tmpfs on /newroot/var/pressure-vessel/ldso: Permission denied
4/gameoverlayrenderer.so' from LD_PRELOAD cannot be preloaded (wrong ELF class: ELFCLASS64): ignored.
ERROR: ld.so: object '/home/roman/snap/steam/common/.local/share/Steam/ubuntu12_32/gameoverlayrenderer.so' from LD_PRELOAD cannot be preloaded (wrong ELF class: ELFCLASS32): ignored.
ERROR: ld.so: object '/home/roman/snap/steam/common/.local/share/Steam/ubuntu12_32/gameoverlayrenderer.so' from LD_PRELOAD cannot be preloaded (wrong ELF class: ELFCLASS32): ignored.
ERROR: ld.so: object '/home/roman/snap/steam/common/.local/share/Steam/ubuntu12_32/gameoverlayrenderer.so' from LD_PRELOAD cannot be preloaded (wrong ELF class: ELFCLASS32): ignored.
pressure-vessel-wrap[58830]: W: Failed to load Vulkan ICD #0 from /var/lib/snapd/lib/vulkan/icd.d/nvidia_icd.json: openat(/var/lib/snapd/lib/vulkan/icd.d/nvidia_icd.json): No such file or directory
pressure-vessel-wrap[58830]: W: "snap/steam/171/graphics/usr/share/libdrm" is unlikely to appear in "/run/host"
pressure-vessel-wrap[58830]: W: "snap/steam/171/graphics/usr/share/libdrm" is unlikely to appear in "/run/host"
pressure-vessel-wrap[58830]: W: "snap/steam/171/graphics/usr/share/drirc.d" is unlikely to appear in "/run/host"

/newroot/var/pressure-vessel/ldso

But in the AppArmor profile in file:

/var/lib/snapd/apparmor/profiles/snap.steam.steam

the only allowed tmpfs mount is:

mount fstype=tmpfs options=(rw, nosuid, nodev) tmpfs -> /newroot/run/pressure-vessel/ldso/,

Adding the same line with var in the mount path (and reloading) solves the problem and the game starts normally:

mount fstype=tmpfs options=(rw, nosuid, nodev) tmpfs -> /newroot/var/pressure-vessel/ldso/,

apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap.steam.steam

Roman2dot0 commented 6 months ago

Sorry, maybe it is related to

https://github.com/canonical/steam-snap/issues/350

eth481642 commented 6 months ago

Can confirm the issue. It started to happen after a recent update of Steam Linux Runtime 3.0 (sniper). As a temporary workaround, you can downgrade this update: find "Steam Linux Runtime 3.0 (sniper)" in your Steam Library in the Tools section, select "Properties -> Beta Versions" and select "previous_release". But for a permanent solution, the snap AppArmor profile needs to be adjusted.

ashuntu commented 6 months ago

Thank you for testing the AppArmor changes, I'll see about submitting a PR to snapd.

smcv commented 6 months ago

> Thank you for testing the AppArmor changes, I'll see about submitting a PR to snapd.

As with previous AppArmor problems, instead of trying to narrow down precisely what Steam does and doesn't do today, please allow anything that is consistent with snapd's security policy: for example instead of

mount fstype=tmpfs options=(rw, nosuid, nodev) tmpfs -> /newroot/run/pressure-vessel/ldso/,
mount fstype=tmpfs options=(rw, nosuid, nodev) tmpfs -> /newroot/var/pressure-vessel/ldso/,

please do something more like this (untested) if there is no security reason not to:

mount fstype=tmpfs options=(rw, nosuid, nodev) * -> /newroot/**/,

That will make it much less likely that a future change in pressure-vessel will randomly break the Snap app.

The precise paths used within the pressure-vessel namespace are implementation details, and will be changed whenever there is some reason why we need to change them. This Snap app cannot rely on them remaining constant.

If this Snap app is something that Canonical wants to recommend and support, then I would suggest that at least one of its developers should routinely be running the Steam Linux Runtime compatibility tools from their client_beta branch, so that you will find out about changes to internal implementation details before your users do.
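The difference between the path-specific rules and the broader glob discussed above can be checked offline; this is an added example, not code from the thread, snapd or pressure-vessel. It assumes the mount is requested with exactly the flags in the quoted rules, handles only the `*`, `**` and `?` globs, and treats `options=(...)` as an exact set; the function names are hypothetical.

```python
import re

# Rules quoted in the thread: the profile's original rule, the reporter's
# added rule, and the broader (untested) glob suggested in the reply.
NARROW = "mount fstype=tmpfs options=(rw, nosuid, nodev) tmpfs -> /newroot/run/pressure-vessel/ldso/,"
ADDED = "mount fstype=tmpfs options=(rw, nosuid, nodev) tmpfs -> /newroot/var/pressure-vessel/ldso/,"
BROAD = "mount fstype=tmpfs options=(rw, nosuid, nodev) * -> /newroot/**/,"

RULE_RE = re.compile(
    r"^\s*mount\s+fstype=(?P<fstype>\S+)\s+options=\((?P<opts>[^)]*)\)\s+"
    r"(?P<source>\S+)\s*->\s*(?P<target>\S+?),\s*$")

def glob_to_regex(glob):
    """AppArmor globs used here: '**' crosses '/', '*' and '?' do not."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        out.append({"*": "[^/]*", "?": "[^/]"}.get(glob[i], re.escape(glob[i])))
        i += 1
    return re.compile("".join(out) + r"\Z")

def parse_mount_rule(line):
    """Parse one 'mount fstype=.. options=(..) src -> target,' rule, else None."""
    m = RULE_RE.match(line)
    if m is None:
        return None
    opts = frozenset(o.strip() for o in m["opts"].split(","))
    return {"fstype": m["fstype"], "opts": opts,
            "source": glob_to_regex(m["source"]),
            "target": glob_to_regex(m["target"])}

def covering_rules(profile_text, target, fstype="tmpfs", source="tmpfs",
                   opts=("rw", "nosuid", "nodev")):
    """Return the profile lines whose mount rule would allow this mount."""
    target = target.rstrip("/") + "/"  # simplification: match mount points as directories
    hits = []
    for line in profile_text.splitlines():
        rule = parse_mount_rule(line)
        if (rule and rule["fstype"] == fstype and rule["opts"] == frozenset(opts)
                and rule["source"].match(source) and rule["target"].match(target)):
            hits.append(line.strip())
    return hits

DENIED = "/newroot/var/pressure-vessel/ldso"  # path from the bwrap error above
if __name__ == "__main__":
    for name, profile in [("original", NARROW), ("patched", NARROW + "\n" + ADDED), ("glob", BROAD)]:
        print(name, bool(covering_rules(profile, DENIED)))
```

The glob rule still confines tmpfs mounts to paths under /newroot/, so a target outside that prefix is not covered.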

smcv commented 6 months ago

> As a temporary workaround, you can downgrade this update: find "Steam Linux Runtime 3.0 (sniper)" in your Steam Library in Tools section, select "Properties -> Beta Versions" and select "previous_release"

This is a very temporary workaround, and will stop working as soon as there is a new release (which will also overwrite the previous_release).

The way to avoid having to rely on the previous_release is to make sure that a maintainer of the Snap app follows the beta branch, so that they will find out about future problems before they become current problems; or, alternatively, use the non-Snap version of Steam that is maintained and supported by Valve.

smcv commented 6 months ago

As of yesterday's Steam beta client, the container runtime framework is required for the Steam UI and not just for specific games.

smcv commented 6 months ago

> It started to happen after recent update of Steam Linux Runtime 3.0 (sniper)

Steam Linux Runtime 2.0 (soldier) is equally affected by this, in fact.

Today's beta releases of Steam Linux Runtime 2.0 (soldier) and 3.0 (sniper) contain a temporary workaround for this Snap-specific issue. If you were using the previous_release for either of these for this reason, please upgrade to the client_beta branch.

In versions with the workaround, steamapps/common/SteamLinuxRuntime_*/VERSIONS.txt will say pressure-vessel 0.20240123.2 or later.

The workaround adds additional complexity to the container runtime framework, which is bad for robustness in the long term (for everyone, not just Snap users), so it will be removed in a future release. If snapd is not fixed before that happens, then this app will regress again. [Edited to add: I believe snapd was fixed in 2.62.]

After the workaround has progressed to the stable/default branch, maintainers can test whether a fix for this issue has been successful by replacing both SteamLinuxRuntime_soldier/pressure-vessel and SteamLinuxRuntime_soldier/pressure-vessel with a version of the pressure-vessel tool that did not have this workaround, by unpacking one of the pressure-vessel-bin.tar.gz archives from https://repo.steampowered.com/pressure-vessel/snapshots/. The newest version that does not have the workaround is 0.20240123.2. The full status is:

vczb commented 5 months ago

> Can confirm the issue. It started to happen after a recent update of Steam Linux Runtime 3.0 (sniper). As a temporary workaround, you can downgrade this update: find "Steam Linux Runtime 3.0 (sniper)" in your Steam Library in the Tools section, select "Properties -> Beta Versions" and select "previous_release". But for a permanent solution, the snap AppArmor profile needs to be adjusted.

Works for me, thanks a lot.

smcv commented 5 months ago

> select "Properties -> Beta Versions" and select "previous_release"

There is probably going to be a new stable release and a new beta soon, perhaps as soon as today, at which point this workaround will stop working - in fact, at that point it will probably be only the previous_release where this issue is seen. The precise timing of these releases is not something that I have control over.

At that point, you will need to upgrade to the default or client_beta branch to be able to continue to use Proton.

You can get ahead of this change by starting to use the client_beta branch already. As announced in https://github.com/canonical/steam-snap/issues/356#issuecomment-1912411145, the client_beta branch has a workaround for this issue on the Steam Linux Runtime side.

[Edited to add: Yes, these releases happened on 2024-02-12 at around 21:00 UTC.]

smcv commented 1 month ago

If I'm keeping track correctly, this was fixed in snapd 2.62, which is mandatory since #367. As a result, the pressure-vessel version included in yesterday's SLR soldier and sniper beta releases disables our workaround for this issue by default. If there are no regression reports in the next few days/weeks, we will remove the workaround completely.

I edited https://github.com/canonical/steam-snap/issues/356#issuecomment-1912411145 to reflect the current status.

If it becomes necessary to re-enable the workaround, you can do this:

  1. Report an issue to https://github.com/ValveSoftware/steam-runtime/issues so we can enable it by default again, and so that we know that we can't delete the implementation of the workaround yet
  2. Run with PRESSURE_VESSEL_WORKAROUNDS="+steam-snap#356" in the environment (if you need to use more than one workaround, it's a space-separated list)