snap-confine has elevated permissions and is not confined but should be

davidshare (New Member, joined Oct 4, 2024)
I can't run any snap applications on my linux machine since I removed and installed snap. The challenge came when I was trying to fix apparmor blocking multipass on my linux machine.

Code:
snap version
snap    2.63.1+24.04
snapd   2.63.1+24.04
series  16
ubuntu  24.04
kernel  6.8.0-45-generic

Code:
sudo service apparmor status
● apparmor.service - Load AppArmor profiles
     Loaded: loaded (/usr/lib/systemd/system/apparmor.service; enabled; preset: enabled)
     Active: active (exited) since Fri 2024-10-04 00:46:12 WAT; 24min ago
       Docs: man:apparmor(7)
             https://gitlab.com/apparmor/apparmor/wikis/home/
   Main PID: 1092 (code=exited, status=0/SUCCESS)
        CPU: 562ms

Oct 04 00:46:12 davidshare apparmor.systemd[1092]: Restarting AppArmor
Oct 04 00:46:12 davidshare apparmor.systemd[1092]: Reloading AppArmor profiles
Oct 04 00:46:12 davidshare systemd[1]: Starting apparmor.service - Load AppArmor profiles...
Oct 04 00:46:12 davidshare apparmor.systemd[1239]: Skipping profile in /etc/apparmor.d/disable: usr.bin.firefox
Oct 04 00:46:12 davidshare systemd[1]: Finished apparmor.service - Load AppArmor profiles.

Things I have tried:

Code:
sudo apparmor_parser -r /etc/apparmor.d/snap-confine

sudo systemctl enable --now apparmor.service
sudo systemctl enable --now snapd.apparmor.service

sudo service start snapd
sudo systemctl enable snapd.service
sudo systemctl enable --now snapd.service

sudo apparmor_parser -r /etc/apparmor.d/snap-confine
sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap-confine*

Code:
sudo aa-status | grep snap
   /snap/core/17200/usr/lib/snapd/snap-confine
   /snap/core/17200/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /snap/snapd/21759/usr/lib/snapd/snap-confine
   /snap/snapd/21759/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /usr/bin/evince//snap_browsers
   /usr/bin/snap//passt
   /usr/bin/snap//sanitized_helper
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   snap-update-ns.core
   snap-update-ns.firefox
   snap-update-ns.multipass
   snap-update-ns.snap-store
   snap-update-ns.telegram-desktop
   snap.core.hook.configure
   snap.firefox.firefox
   snap.firefox.geckodriver
   snap.firefox.hook.configure
   snap.firefox.hook.disconnect-plug-host-hunspell
   snap.firefox.hook.post-refresh
   snap.multipass.gui
   snap.multipass.hook.configure
   snap.multipass.hook.install
   snap.multipass.hook.post-refresh
   snap.multipass.hook.pre-refresh
   snap.multipass.hook.remove
   snap.multipass.multipass
   snap.multipass.multipassd
   snap.snap-store.hook.configure
   snap.snap-store.snap-store
   snap.snap-store.ubuntu-software
   snap.snap-store.ubuntu-software-local-file
   snap.telegram-desktop.hook.configure
   snap.telegram-desktop.telegram-desktop
   /usr/bin/snap
   /snap/multipass/13186/usr/sbin/dnsmasq (2173) multipass.dnsmasq
   /snap/multipass/13186/bin/multipassd (1777) snap.multipass.multipassd

I have also tried removing snap and installing it again. That doesn't work either.
 


Oh! Is this forum only for Linux Mint? Because I am not using Mint. I am using Ubuntu.
 
I can't run any snap applications on my linux machine
The above is why I answered for Linux

I have zero experience regarding snaps.

Be patient, someone will come along who can help.

In the meantime, a read of the article I linked to may be worth considering
 
I can't run any snap applications on my linux machine since I removed and installed snap
All snaps or just a specific one? Have you tried multiple snaps? So you just removed and then reinstalled snap?

The challenge came when I was trying to fix apparmor blocking multipass on my linux machine.
/snap/multipass/13186/usr/sbin/dnsmasq (2173) multipass.dnsmasq
/snap/multipass/13186/bin/multipassd (1777) snap.multipass.multipassd
What's multipass?

Things I have tried:
I would think if you reinstall snap, AppArmor does its thing automatically. I don't use Ubuntu that much, and on the system where I do use it I have removed snapd and am using flatpaks instead.
 
All the snaps. Nothing that is installed with snapd works on my computer right now. In fact, I can't even adjust my system volume, I have to do that on the apps I am using.

Multipass is a tool for provisioning Linux machines on the local machine. But right now it is a snap and apparmor issue:

 
It appears some files are still left behind after removing it, so the issue persists.
 
It appears some files are still left behind after removing it, so the issue persists.
Are we to assume you do not know how to remove snaps completely?

Answering the questions asked of you would be a really good first step @davidshare

If apparmor has a problem with multipass, that indicates strongly that at least part of the problem lies in the use of multipass....not apparmor.

To remove snapd:

Code:
sudo apt autoremove --purge snapd

Copy and paste that command into terminal, so you don't make further mistakes

Another question......how long have you been running Linux/ubuntu ?
 
I have been using Ubuntu for about 6 years now.

The issue now is not just with multipass, it is with all snaps. After I uninstalled snapd and installed it again, all snaps stopped working.

I shared almost all the commands I ran above.

For the questions, I answered them. But let me respond here.

This affects all snap related installations. I basically cannot run any app that works with snap.

Multipass is a tool for provisioning virtual machines on your local computer. I use it for provisioning Kubernetes clusters for testing locally.

Yes, I removed snapd and purged it from my computer. I even used the locate command to look for any caches or residual files, so as not to have any config that would interfere. But I will run it again.
 
It affects all snaps now.

Multipass is a tool for provisioning virtual machines locally.
 
Try using Synaptic Package Manager to get rid of it.

I really do think your whole 'experience' would change for the good if you were to use flatpaks.

Perhaps the people here would know the many and various problems with snaps.

 
Multipass is a tool for provisioning virtual machines locally.
I had never heard of that before.

It affects all snaps now.
I did an install with the same Ubuntu version as you, removed snapd and reinstalled snapd, and I was still able to launch snaps. However, I think my situation isn't the same as yours, since your output is also loading multipass things.

What happens when you stop apparmor?
Code:
sudo systemctl stop apparmor
Are you able to open any snaps then?
 
when I stop apparmor, even Chrome and other services stop loading.
Try launching a snap from the terminal and see what the the output says, maybe that will give you an idea of where to look?
 
Try launching a snap from the terminal and see what the the output says, maybe that will give you an idea of where to look?
@davidshare
Or even better install lnav and monitor logs while you run snaps:

Bash:
sudo apt update
sudo apt install lnav
sudo lnav /var/log /var/log/apparmor

Once lnav runs repro your problem and the issue should appear in lnav log watch.

Then share your results from logs here.
To quit lnav press q key.
 
lnav didn't show any logs for the snap services I tried to run. So I used journalctl to grab some. I also checked the log directory for apparmor, and there was nothing there.

Code:
Oct 05 12:28:05 davidshare kernel: audit: type=1400 audit(1728127685.823:940): apparmor="ALLOWED" operation="open" class="file" profile="/usr/bin/snap" name="/snap/core/17200/usr/lib/snapd/info" pid=33658 comm="multipass" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 05 12:28:05 davidshare systemd[3214]: Started snap.multipass.multipass-367c6e65-172f-4201-9497-82141fb6421e.scope.
Oct 05 12:28:05 davidshare kernel: audit: type=1400 audit(1728127685.853:941): apparmor="ALLOWED" operation="open" class="file" profile="/usr/bin/snap" name="/snap/core/17200/usr/lib/snapd/info" pid=33672 comm="multipass" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 05 12:28:05 davidshare systemd[3214]: Started snap.multipass.multipass-1b78031f-f4da-44e5-98a7-964f3ed21468.scope.
Oct 05 12:30:25 davidshare kernel: audit: type=1400 audit(1728127825.366:942): apparmor="ALLOWED" operation="open" class="file" profile="/usr/bin/snap" name="/snap/core/17200/usr/lib/snapd/info" pid=33852 comm="multipass" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 05 12:30:25 davidshare systemd[3214]: Started snap.multipass.multipass-be42d2b3-0df3-408c-9615-89d55eccaf3d.scope.
Oct 05 12:30:27 davidshare kernel: audit: type=1400 audit(1728127827.388:943): apparmor="ALLOWED" operation="open" class="file" profile="/usr/bin/snap" name="/snap/core/17200/usr/lib/snapd/info" pid=33887 comm="multipass" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 05 12:30:27 davidshare systemd[3214]: Started snap.multipass.multipass-e5c3278b-fc30-4aa4-b713-da5dd9ec08ba.scope.
Oct 05 12:32:32 davidshare kernel: audit: type=1400 audit(1728127952.735:944): apparmor="ALLOWED" operation="open" class="file" profile="/usr/bin/snap" name="/snap/core/17200/usr/lib/snapd/info" pid=34141 comm="multipass" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 05 12:32:32 davidshare systemd[3214]: Started snap.multipass.multipass-51ef74b4-df40-4982-a665-9a3d6afcc447.scope.
Oct 05 12:32:36 davidshare kernel: audit: type=1400 audit(1728127956.325:945): apparmor="ALLOWED" operation="open" class="file" profile="/usr/bin/snap" name="/snap/core/17200/usr/lib/snapd/info" pid=34164 comm="multipass" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 05 12:32:36 davidshare systemd[3214]: Started snap.multipass.multipass-41e2254d-9e14-4279-8cf2-3b6cc220f065.scope.
Oct 05 12:32:54 davidshare kernel: audit: type=1400 audit(1728127974.911:946): apparmor="ALLOWED" operation="open" class="file" profile="/usr/bin/snap" name="/snap/core/17200/usr/lib/snapd/info" pid=34197 comm="hello-world" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 05 12:32:54 davidshare kernel: audit: type=1400 audit(1728127974.914:947): apparmor="ALLOWED" operation="open" class="file" profile="/usr/bin/snap" name="/var/lib/snapd/inhibit/hello-world.lock" pid=34197 comm="hello-world" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 05 12:32:54 davidshare kernel: audit: type=1400 audit(1728127974.914:948): apparmor="ALLOWED" operation="file_lock" class="file" profile="/usr/bin/snap" name="/var/lib/snapd/inhibit/hello-world.lock" pid=34197 comm="hello-world" requested_mask="k" denied_mask="k" fsuid=1000 ouid=0
Oct 05 12:32:54 davidshare kernel: audit: type=1400 audit(1728127974.914:949): apparmor="ALLOWED" operation="open" class="file" profile="/usr/bin/snap" name="/snap/hello-world/29/meta/snap.yaml" pid=34197 comm="hello-world" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 05 12:32:54 davidshare kernel: audit: type=1400 audit(1728127974.914:950): apparmor="ALLOWED" operation="open" class="file" profile="/usr/bin/snap" name="/var/lib/snapd/sequence/hello-world.json" pid=34197 comm="hello-world" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 05 12:32:54 davidshare kernel: audit: type=1400 audit(1728127974.937:951): apparmor="ALLOWED" operation="open" class="file" profile="/usr/bin/snap" name="/var/lib/snapd/cookie/snap.hello-world" pid=34197 comm="snap-confine" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Oct 05 12:32:54 davidshare systemd[3214]: Started snap.hello-world.hello-world-932f8ab6-de9a-4825-b994-e8389ffa25ff.scope
 
So I used journalctl to grab some.
The output you shared is from the auditd log, which will not show any denials by default, as per the man page:

man apparmor
Bash:
   Turn off deny audit quieting
       By default, operations that trigger "deny" rules are not logged.  This is called deny audit quieting.

       To turn off deny audit quieting, run:

               echo -n noquiet >/sys/module/apparmor/parameters/audit

lnav didn't show any logs for the snap services I tried to run.
It may not show anything obvious; you should look at yellow and red lines, but AppArmor-related logs will be put into audit.log. You just have to enable logging of DENY messages.
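One thing worth reading off the journalctl lines posted above before changing any audit settings: every entry there is apparmor="ALLOWED" with a denied_mask set. That combination is what AppArmor logs for a profile in complain mode (the access went through, but the same rule would block it in enforce mode); a real block logs apparmor="DENIED". Below is a small Python parser, added here as an example and not code from the thread, snapd or AppArmor, that splits type=1400 audit lines into those two cases and lists which profiles are producing complain-mode events. The sample lines are constructed for this example and modelled on the output posted above; the DENIED line (a hypothetical read of /etc/shadow) and the STATUS line are invented to exercise the other branches.

```python
import re
from collections import Counter

# key=value pairs in a kernel type=1400 AppArmor audit line: values are
# either double-quoted strings (profile="...") or bare tokens (pid=34197).
_KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Constructed sample log. The first two lines mirror the shape of the
# journalctl output in the thread; the DENIED and STATUS lines are invented.
SAMPLE_LOG = """\
Oct 05 12:32:54 host kernel: audit: type=1400 audit(1728127974.911:946): apparmor="ALLOWED" operation="open" class="file" profile="/usr/bin/snap" name="/snap/core/17200/usr/lib/snapd/info" pid=34197 comm="hello-world" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 05 12:32:54 host kernel: audit: type=1400 audit(1728127974.914:948): apparmor="ALLOWED" operation="file_lock" class="file" profile="/usr/bin/snap" name="/var/lib/snapd/inhibit/hello-world.lock" pid=34197 comm="hello-world" requested_mask="k" denied_mask="k" fsuid=1000 ouid=0
Oct 05 12:32:55 host kernel: audit: type=1400 audit(1728127975.001:949): apparmor="DENIED" operation="open" class="file" profile="snap.hello-world.hello-world" name="/etc/shadow" pid=34201 comm="hello-world" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 05 12:32:55 host kernel: audit: type=1400 audit(1728127975.002:950): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/bin/snap" pid=34210 comm="apparmor_parser"
Oct 05 12:32:55 host systemd[3214]: Started snap.hello-world.hello-world-932f8ab6.scope.
"""


def parse_apparmor_event(line):
    """Return a dict of key=value fields for a type=1400 AppArmor line, else None."""
    if "type=1400" not in line or "apparmor=" not in line:
        return None
    fields = {}
    for m in _KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def classify(event):
    """Translate the apparmor= status into what it means when troubleshooting."""
    status = event.get("apparmor")
    if status == "DENIED":
        return "enforced-denial"          # the profile actually blocked the access
    if status == "ALLOWED" and event.get("denied_mask"):
        return "complain-would-deny"      # complain mode: allowed now, blocked under enforce
    if status == "ALLOWED":
        return "allowed"
    if status == "STATUS":
        return "profile-load"             # profile_load / profile_replace / profile_remove
    return "other"


def summarize(log_text):
    """Return (Counter keyed by (profile, kind), list of denial-relevant events)."""
    counts = Counter()
    events = []
    for line in log_text.splitlines():
        ev = parse_apparmor_event(line)
        if ev is None:
            continue
        kind = classify(ev)
        profile = ev.get("profile", "?")
        counts[(profile, kind)] += 1
        if kind in ("enforced-denial", "complain-would-deny"):
            events.append({
                "kind": kind,
                "profile": profile,
                "operation": ev.get("operation"),
                "name": ev.get("name"),
                "denied_mask": ev.get("denied_mask"),
            })
    return counts, events


def complain_mode_profiles(log_text):
    """Profiles that logged ALLOWED-with-denied_mask events, i.e. are running in complain mode."""
    _, events = summarize(log_text)
    return sorted({e["profile"] for e in events if e["kind"] == "complain-would-deny"})


if __name__ == "__main__":
    counts, events = summarize(SAMPLE_LOG)
    for (profile, kind), n in sorted(counts.items()):
        print(f"{n:3d}  {kind:22s} {profile}")
    print("complain-mode profiles:", complain_mode_profiles(SAMPLE_LOG))
    for e in events:
        print(e["kind"], e["profile"], e["operation"], e["name"], "mask=" + str(e["denied_mask"]))
```

To use it on a live machine, pipe `journalctl -k` (or `dmesg`) into `SAMPLE_LOG`'s place; lines without type=1400 are ignored. To confirm the mode of a profile independently of the log, run `sudo aa-status` without the grep: its output is grouped into enforce-mode, complain-mode and unconfined sections, and in the grep'd output above /usr/bin/snap is printed apart from the snap-confine and snap.* block, which is consistent with it sitting in a different section. A profile in complain mode cannot be the thing stopping the snaps from running, so if the only events are complain-mode ones the cause is likely elsewhere (snap-confine itself, or the snapd state left behind by the purge).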
 