On 11/15/22 13:23, Sonixxfx wrote:
On Tue, 15 Nov 2022 at 19:08, Sonixxfx <[email protected]> wrote:
Sorry for mailing to you directly John.
On Tue, 15 Nov 2022 at 18:06, John Johansen <[email protected]> wrote:
On 11/15/22 06:30, Sonixxfx wrote:
> Hi,
>
> I was trying Apparmor today, but now my snaps won't run anymore. I have tried a couple of things to solve it, including disabling Apparmor, but it didn't help.
> When I try to start Brave for example dmesg shows me:
>
how did you disable apparmor?
systemctl disable apparmor
or
systemctl disable snapd.apparmor
or
systemctl stop apparmor
or did you edit /etc/grub/defaults
I ran
sudo systemctl stop apparmor.service
this will unload policy and make everything unconfined until reboot or the
service is started again. It is important to note that restarting the service
will NOT re-confine applications that are unconfined. They must be restarted.
to disable Apparmor.
I ran
sudo systemctl disable apparmor.service
to unload the kernel module.
this does not unload the kernel module, as apparmor is built into the kernel.
At this time there is no option to make any of the LSMs loadable modules. What
this does is partially disable systemd services that load policy/manage state.
Partially because it only does late stage service disabling; there is an early
stage that can still run (not used by default on Ubuntu) and this can really
mess up your system.
Should I have run:
sudo systemctl disable snapd.apparmor ?
no, the only safe way to disable apparmor is to set apparmor=0 as a kernel
parameter. You can do this temporarily in grub when booting or in
/etc/defaults/grub and then update-grub
> brave_brave.desktop[9095]: snap-confine has elevated permissions and is not confined but should be. Refusing to continue to avoid permission escalation attacks
> brave_brave.desktop[9095]: Please make sure that the snapd.apparmor service is enabled and started.
>
> These messages are also shown when I have Apparmor enabled and started.
>
what does aa-status return?
I have already reinstalled my OS, sorry. But I am curious what you answer
to my question.
> Can someone tell me how I can resolve this?
>
so snaps bypass the apparmor userspace service and only use the kernel
component. They run their own service to manage snap confinement. What do you
get for
systemctl status snapd.apparmor
and of course if it is not running you can do
systemctl start snapd.apparmor
or make sure it runs after reboot
systemctl enable snapd.apparmor
Thanks for the info 😃
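The thread above separates three things that are easy to conflate when snap-confine refuses to run: whether AppArmor is on in the kernel at all (apparmor=0 turns it off at boot), whether the snapd.apparmor service that loads snap policy is running, and whether the snap-confine profile is actually loaded. The following read-only triage script is an added example, not code from the thread or from the AppArmor or snapd projects. It assumes the standard locations /sys/module/apparmor/parameters/enabled (Y/N flag) and /proc/cmdline, and the standard `systemctl is-active` and `aa-status` commands; the sample aa-status output embedded in it is constructed, with a placeholder snap revision number.

```shell
#!/bin/sh
# Added example (not part of the mailing-list thread): read-only triage for
# "snap-confine has elevated permissions and is not confined but should be".
# The checks take their inputs as strings so they can be exercised on
# constructed data; run_live() gathers the real values when invoked with --live.

# "disabled" if the kernel command line carries apparmor=0, else "enabled".
cmdline_apparmor_state() {
    for tok in $1; do
        if [ "$tok" = "apparmor=0" ]; then
            echo disabled
            return 0
        fi
    done
    echo enabled
}

# Map the Y/N flag from /sys/module/apparmor/parameters/enabled.
kernel_apparmor_state() {
    case "$1" in
        Y) echo enabled ;;
        *) echo disabled ;;
    esac
}

# "yes" when the text of `aa-status` lists a loaded profile whose name ends
# in /snap-confine (snapd ships one under /usr/lib/snapd and per snap revision).
snap_confine_profile_loaded() {
    if printf '%s\n' "$1" | grep -q '/snap-confine$'; then
        echo yes
    else
        echo no
    fi
}

# Combine the three facts into a single next step, in the order the thread
# suggests: kernel state first, then the snapd.apparmor service, then policy.
#   $1 kernel state (enabled/disabled)
#   $2 snapd.apparmor state as printed by `systemctl is-active`
#   $3 snap-confine profile loaded (yes/no)
triage() {
    if [ "$1" = disabled ]; then
        echo "kernel: AppArmor is off (apparmor=0 on the command line?), so no profile can be loaded. Remove apparmor=0 from /etc/default/grub, run update-grub and reboot."
    elif [ "$2" != active ]; then
        echo "service: snapd.apparmor is $2; it is the service that loads snap policy. Run: systemctl start snapd.apparmor && systemctl enable snapd.apparmor"
    elif [ "$3" != yes ]; then
        echo "policy: snapd.apparmor is active but no snap-confine profile is loaded. Run: systemctl restart snapd.apparmor"
    else
        echo "ok: snap-confine profile is loaded. Processes started while policy was unloaded stay unconfined until they are restarted."
    fi
}

# Gather the live values (needs root for aa-status to list profiles).
run_live() {
    flag=$(cat /sys/module/apparmor/parameters/enabled 2>/dev/null || echo N)
    kern=$(kernel_apparmor_state "$flag")
    svc=$(systemctl is-active snapd.apparmor 2>/dev/null || true)
    [ -n "$svc" ] || svc=unknown
    status=$(aa-status 2>/dev/null || true)
    prof=$(snap_confine_profile_loaded "$status")
    echo "cmdline: $(cmdline_apparmor_state "$(cat /proc/cmdline 2>/dev/null)")"
    echo "kernel: $kern  snapd.apparmor: $svc  snap-confine profile: $prof"
    triage "$kern" "$svc" "$prof"
}

# Constructed sample of aa-status output; the revision 1234 is a placeholder.
SAMPLE_AA_STATUS='apparmor module is loaded.
3 profiles are loaded.
3 profiles are in enforce mode.
   /snap/snapd/1234/usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine
   lsb_release'

case "${1:-}" in
    --live) run_live ;;
    *) triage enabled active "$(snap_confine_profile_loaded "$SAMPLE_AA_STATUS")" ;;
esac
```

Run it with `--live` on the affected machine (as root, so aa-status can list profiles); without arguments it only evaluates the constructed sample. The ordering in `triage` mirrors the advice in the thread: a disabled kernel LSM cannot be fixed by starting services, and a running service does not re-confine processes that were started while policy was unloaded.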