Camera freeze when enabling "Blur My Background"

[hadim]

It seems to happen only with the snap package.

[fabianjarrett-ncc]

Same for me. It will freeze the whole time it's enabled but will work as soon as I disable the blur again.

[manuschneider]

Same problem here. Since this is very important for working from home, I would appreciate it if this could be fixed. I had the problem before, and installing zoom by hand (downloaded from the zoom website, not via this snap) was the only solution. This still works, but then I cannot share my desktop, which is also very important for me. I would prefer to use the snap therefore.

Some technical information (in case it matters): Ubuntu: 22.04.3 LTS Windowing system: X11 Zoom: 5.16.6 (382) CPU: 12th Gen Intel Core i7-1260P GPU: NVIDIA Corporation / Mesa Intel Graphics (ADL GT2)

[dfranklin-at-bg]

Still an issue.

[rolandd]

I managed to get this working on my system, but I'm not sure what the snap-approved solution is given what I found. I needed to do two things (found based on looking at audit logs while trying to turn on background blur; it seems zoom spawns an external helper to do the blur, and snap confinement breaks the way the main zoom thread communicates with this helper):

First, based on audit lines like:

[187707.108641] audit: type=1400 audit(1710440232.206:1252): apparmor="DENIED" operation="mknod" class="file" profile="snap.zoom-client.zoom-client" name="/dev/shm/aomshm.337bce.0" pid=3374030 comm="vda_thread" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

I updated the apparmor profile to add:

/{dev,run}/shm/aomshm.* rw,
/{dev,run}/shm/sem.* rwl,

That still wasn't enough; I saw audit messages for POSIX mq system calls (240, 241, etc on x86-64) being blocked, so I updated the seccomp bpf file with:

mq_open
mq_unlink
mq_getsetattr
mq_timedsend
mq_timedreceive

With those two changes I now have background blur working again on my Zoom snap. However my understanding is that there is still no apparmor safe way to enable POSIX mqs for snaps so I'm not sure how to fix this "properly." Maybe @ogra1 can comment.

Anyway hope this helps other people.

[wimex]

On Fedora 40, it was enough to just do the second part (I think it doesn't have AppArmor). I had to investigate how to modify seccomp rules, so here it is: As root, edit /var/lib/snapd/seccomp/bpf/snap.zoom-client.zoom-client.src, add

mq_open
mq_unlink
mq_getsetattr
mq_timedsend
mq_timedreceive

Regenerate the rules: sudo /snap/snapd/current/usr/lib/snapd/snap-seccomp compile /var/lib/snapd/seccomp/bpf/snap.zoom-client.zoom-client.src /var/lib/snapd/seccomp/bpf/snap.zoom-client.zoom-client.bin2

[manuschneider]

I tried this in Ubuntu, without success.

I followed the guide provided by @wimex, where I found snap-seccomp in /snap/core/*VERSION*/usr/lib/snapd/snap-seccomp. This did not work.

Additionally, I added the lines to /var/lib/snapd/apparmor/profiles/snap.zoom-client.zoom-client in the section profile "snap.zoom-client.zoom-client":

/{dev,run}/shm/aomshm.* rw,
/{dev,run}/shm/sem.* rwl,

Both did not work to fix the issue. Did I do something wrong or is this not a general fix?

Ubuntu 12.6, zoom-client 6.0.12.5501

[pbui]

I was able to get this to work by adding the follwoing to snap/snapcraft.yaml:

diff --git a/snap/snapcraft.yaml b/snap/snapcraft.yaml
index c8647f7..5f8e870 100644
--- a/snap/snapcraft.yaml
+++ b/snap/snapcraft.yaml
@@ -56,6 +56,8 @@ plugs:
   browser-sandbox:
     interface: browser-support
     allow-sandbox: true
+  shared-memory:
+    private: true

This should fix the /dev/shm issues. I still had to patch the /var/lib/snapd/seccomp/bpf/snap.zoom-client.zoom-client.src file and compile that. I'm looking into how this can be done w/in the snap package itself, but with those two things, it works with 6.0.12.5501.

[rolandd]

Thanks for the shared-memory: tip, it's good to have more snap building knowlege here. I hope it's OK if I send a PR to add that to the repository here.

For the POSIX MQ stuff, unfortunately it seems that Zoom creates message queues with names like us.zoom.aom.globalmgr.2017304.rpc that do not meet the snap posix-mq interface requirements of "Each path must adhere to the POSIX message queue naming scheme, outlined on the mq_overview man page". So I think a snapd change is required before the zoom snap can work, and there's probably some thought required to make something that is isolated and secure, although it should be doable (Zoom just wants to communicate between processes that all belong to the same snap).

[pbui]

Actually, I got it to work with posix-mq:

diff --git a/snap/snapcraft.yaml b/snap/snapcraft.yaml
index c8647f7..543c304 100644
--- a/snap/snapcraft.yaml
+++ b/snap/snapcraft.yaml
@@ -42,6 +42,7 @@ apps:
       - network-bind
       - network-manager-observe
       - opengl
+      - posix-mq
       - pulseaudio
       - removable-media
       - screencast-legacy
@@ -56,12 +57,24 @@ plugs:
   browser-sandbox:
     interface: browser-support
     allow-sandbox: true
+  shared-memory:
+    private: true

 hooks:
   configure:
     plugs:
       - system-observe

+slots:
+    dummymq:
+      interface: posix-mq
+      path: [/zoom,]
+      permissions:
+        - read
+        - write
+        - create
+        - delete
+
 layout:
   /etc/os_release:
     symlink: $SNAP_DATA/os-release

Basically, include the posix-mq plug and then create a dummy slot that won't be used. That is enough to add the necessary mq_* syscalls to the seccomp allowlist.

Feel free to update your PR with this.

[rolandd]

@pbui — unfortunately, it seems the "dummymq" trick is no longer sufficient, at least on my Ubuntu 24.04 system — I built a snap package against the latest upstream (7da9378701cc) plus the proposed patch based on your suggestions, and when I install it, I get the following:

2024-09-03T16:43:31-07:00 INFO snap "zoom-client" has bad plugs or slots: dummymq
(AppArmor does not support POSIX message queues - cannot setup or connect interfaces)

and indeed trying to use background blur gives the old messages:

[194012.483117] audit: type=1326 audit(1725398913.837:575): auid=1000 uid=1000 gid=1000 ses=4 subj=snap.zoom-client.zoom-client pid=3488246 comm="vda_thread" exe="/snap/zoom-client/x6/zoom/zoom" sig=0 arch=c000003e syscall=240 compat=0 ip=0x7756e3a7724d code=0x50000

where system call 240 on x86-64 is mq_open.

[pbui]

Hmm. Unfortunately, I've given up on the snap and just use the web client now since I cannot get Zoom 6.1 to do screensharing properly on Ubuntu 24.04.

I may try to look into this in the future, but for now, the web client works for my purposes (and I no longer need background blur), so I will not be using the snap anytime soon.

[rolandd]

It seems the snap message about "AppArmor does not support POSIX message queues" was a snap bug - with the latest snap-core and zoom package built with my PR, background blur is working again on Ubuntu 24.04.

@ogra1 it would be really great to land https://github.com/ogra1/zoom-snap/pull/130 so everyone can stop bugging you about this.

[rolandd]

OK, and now with the very latest snapd we're back to an issue with posix mqueues - current snap will only create AppArmor rules to allow mqueues by specific path, but it only allows paths with no wildcards (ie no "AAREs"), but zoom uses mqueues with names like "/us.zoom.aom.globalmgr.483000.rpc". So again it seems we're back to needing upstream changes to support Zoom.