[Bug 1225961] New: plasmashell crashes with SIGTRAP starting with snapshot 20240531
![](https://seccdn.libravatar.org/avatar/a895f78a81a109471893519443e4d933.jpg?s=120&d=mm&r=g)
https://bugzilla.suse.com/show_bug.cgi?id=1225961 Bug ID: 1225961 Summary: plasmashell crashes with SIGTRAP starting with snapshot 20240531 Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: x86-64 OS: openSUSE Tumbleweed Status: NEW Severity: Major Priority: P5 - None Component: KDE Workspace (Plasma) Assignee: opensuse-kde-bugs@opensuse.org Reporter: marcec@gmx.de QA Contact: qa-bugs@suse.de Target Milestone: --- Found By: --- Blocker: --- Created attachment 875305 --> https://bugzilla.suse.com/attachment.cgi?id=875305&action=edit Example core dump Since upgrading to snapshot 20240531 plasmashell crashes consistently. The only way I've found to prevent it is to change the AppArmor profile from "enforce" to "complain". What I want to figure out is whether this is due to a bug or an (accidental) misconfiguration on my end. Manually running `plasmashell --replace` in a terminal gave the following output: % cat tmp/plasma_bug.log KPackageStructure of KPluginMetaData(pluginId:"org.kde.plasma.worldclock", fileName: "/usr/share/plasma/plasmoids/org.kde.plasma.worldclock/metadata.json") does not match requested format "Plasma/Applet" kf.coreaddons: The plugin "/usr/lib64/qt6/plugins/plasma5support/dataengine/plasma_engine_wacomtablet.so" explicitly states an Id in the embedded metadata, which is different from the one derived from the filename The Id field from the KPlugin object in the metadata should be removed kf.plasma.quick: Applet preload policy set to 1 file:///usr/share/plasma/plasmoids/org.kde.desktopcontainment/contents/ui/main.qml:196:25: QML FolderViewDropArea (parent or ancestor of QQuickLayoutAttached): Binding loop detected for property "minimumWidth" file:///usr/share/plasma/wallpapers/org.kde.image/contents/ui/main.qml:14:1: QML WallpaperItem: grabToImage: item's window is not visible file:///usr/share/plasma/plasmoids/org.kde.desktopcontainment/contents/ui/main.qml:196:25: QML FolderViewDropArea (parent or ancestor of QQuickLayoutAttached): Binding loop detected for property "minimumWidth" Path override failed for key base::DIR_APP_DICTIONARIES and path '/usr/bin/qtwebengine_dictionaries' LaunchProcess: failed to execvp: /usr/libexec/qt6/QtWebEngineProcess LaunchProcess: failed to execvp: /usr/libexec/qt6/QtWebEngineProcess [13751:13751:0603/211905.963992:FATAL:zygote_host_impl_linux.cc(208)] Check failed: . : Datei oder Verzeichnis nicht gefunden (2) (I couldn't figure out how to get the error message in English, exporting LANG=C or LC_ALL=C before running didn't work. In any case it's "file or directory not found".) (An example core dump as produced by `coredumpctl info` is also attached.) Googling for that final error message led me to various reports relating to Chrome having issues with AppArmor, which led me to the above-mentioned workaround. Running `sudo aa-complain plasmashell` allowed me to run plasmashell again. For completeness: before the workaround, the audit log contained lines like the following: type=AVC msg=audit(1717438261.829:263): apparmor="DENIED" operation="exec" class="file" info="no new privs" error=-1 profile="plasmashell" name="/usr/libexec/qt6/QtWebEngineProcess" pid=6473 comm="plasmashell" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="unconfined" After the workaround the audit log has two lines like this: 393:type=AVC msg=audit(1717485012.556:257): apparmor="ALLOWED" operation="exec" class="file" info="no new privs" error=-1 profile="plasmashell" name="/usr/libexec/qt6/QtWebEngineProcess" pid=2403 comm="plasmashell" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="unconfined" -- You are receiving this mail because: You are on the CC list for the bug.
![](https://seccdn.libravatar.org/avatar/a895f78a81a109471893519443e4d933.jpg?s=120&d=mm&r=g)
https://bugzilla.suse.com/show_bug.cgi?id=1225961 https://bugzilla.suse.com/show_bug.cgi?id=1225961#c1 Fabian Vogt <fabian@ritter-vogt.de> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |fabian@ritter-vogt.de Component|KDE Workspace (Plasma) |AppArmor Assignee|opensuse-kde-bugs@opensuse. |suse-beta@cboltz.de |org | --- Comment #1 from Fabian Vogt <fabian@ritter-vogt.de> --- Reassigning to AppArmor. Looking at /etc/apparmor.d/plasmashell, it does mention QtWebEngineProcess but at a debian specific location, so that probably doesn't match and we can rule that out as cause. info="no new privs" is interesting: it means that the plasmashell process got no_new_privs set on it. I guess that might've been triggered by one of the plugins, maybe also WebEngine. That should by itself not prevent execution, but apparently with AppArmor it does? -- You are receiving this mail because: You are on the CC list for the bug.
![](https://seccdn.libravatar.org/avatar/a895f78a81a109471893519443e4d933.jpg?s=120&d=mm&r=g)
https://bugzilla.suse.com/show_bug.cgi?id=1225961 https://bugzilla.suse.com/show_bug.cgi?id=1225961#c2 Christian Boltz <suse-beta@cboltz.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution|--- |FIXED --- Comment #2 from Christian Boltz <suse-beta@cboltz.de> --- (In reply to Fabian Vogt from comment #1)
Looking at /etc/apparmor.d/plasmashell, it does mention QtWebEngineProcess but at a debian specific location, so that probably doesn't match and we can rule that out as cause.
It indeed doesn't match, but that doesn't rule it out - actually it's a pointer to the issue.
info="no new privs" is interesting: it means that the plasmashell process got no_new_privs set on it. I guess that might've been triggered by one of the plugins, maybe also WebEngine. That should by itself not prevent execution, but apparently with AppArmor it does?
no_new_privs gets set by the kernel if a process has an AppArmor profile. You might have noticed that the rule for QtWebEngineProcess does cx -> &plasmashell//QtWebEngineProcess, instead of a simple cx to the child profile. This means "profile stacking", which avoids that _more_ no_new_privs restrictions get applied. The /** pux, rule is meant for applications started by plasmashell, which typically shouldn't get all those permissions. That said - I submitted the fix for this (adding the openSUSE path) upstream as https://gitlab.com/apparmor/apparmor/-/merge_requests/1248 and also submitted an updated package to Tumbleweed. If you want to test ASAP, you can pick the apparmor-profiles package from security:apparmor as soon as the build finishes. -- You are receiving this mail because: You are on the CC list for the bug.
![](https://seccdn.libravatar.org/avatar/a895f78a81a109471893519443e4d933.jpg?s=120&d=mm&r=g)
https://bugzilla.suse.com/show_bug.cgi?id=1225961 https://bugzilla.suse.com/show_bug.cgi?id=1225961#c3 --- Comment #3 from OBSbugzilla Bot <bwiedemann+obsbugzillabot@suse.com> --- This is an autogenerated message for OBS integration: This bug (1225961) was mentioned in https://build.opensuse.org/request/show/1178600 Factory / apparmor -- You are receiving this mail because: You are on the CC list for the bug.
participants (1)
-
bugzilla_noreply@suse.com