On Tue, 15 Nov 2022 at 23:53, John Johansen <[email protected]> wrote:
> On 11/15/22 10:08, Sonixxfx wrote:
> > On Tue, 15 Nov 2022 at 18:06, John Johansen <[email protected]> wrote:
> >
> >     On 11/15/22 06:30, Sonixxfx wrote:
> >      > Hi,
> >      >
> >      > I was trying Apparmor today, but now my snaps won't run anymore.
> >      > I have tried a couple of things to solve it, including disabling
> >      > Apparmor, but it didn't help.
> >      > When I try to start Brave for example dmesg shows me:
> >      >
> >
> >     how did you disable apparmor?
> >
> >     systemctl disable apparmor
> >
> >     or
> >
> >     systemctl disable snapd.apparmor
> >
> >     or
> >
> >     systemctl stop apparmor
> >
> >     or did you edit /etc/grub/defaults
> >
> >
> > I ran
> >
> > sudo systemctl stop apparmor.service
> >
>
> this will unload policy and make everything unconfined until reboot or the
> service is started again. It is important to note that restarting the
> service will NOT re-confine applications that are unconfined. They must be
> restarted.
>
> > to disable Apparmor.
> >
> > I ran
> >
> > sudo systemctl disable apparmor.service
> >
> > to unload the kernel module.
>
> this does not unload the kernel module, as apparmor is built into the
> kernel. At this time there is no option to make any of the LSMs loadable
> modules. What this does is partially disable systemd services that load
> policy/manage state.
>
> Partially because it only does late stage service disabling, there is
> early stage that can still run (not used by default on Ubuntu) and this can
> really mess up your system.
>
> >
> > Should I have run:
> >
> > sudo systemctl disable snapd.apparmor ?
> >
>
> no, the only safe way to disable apparmor is to set apparmor=0 as a kernel
> parameter, you can do this temporarily in grub when booting or in
> /etc/defaults/grub and then update-grub
>

Okay, thanks.

> >      > brave_brave.desktop[9095]: snap-confine has elevated permissions
> >      > and is not confined but should be. Refusing to continue to avoid
> >      > permission escalation attacks
> >      > brave_brave.desktop[9095]: Please make sure that the
> >      > snapd.apparmor service is enabled and started.
> >      >
> >      > These messages are also shown when I have Apparmor enabled and
> >      > started.
> >      >
> >
> >     what does aa-status return?
> >
> >
> > I have already reinstalled my OS, sorry. But I am curious what you
> > answer to my question.
> >
> >      > Can someone tell me how I can resolve this?
> >      >
> >
> >     so snaps bypass the apparmor userspace service and only use the
> >     kernel component. They run their own service to manage snap
> >     confinement. What do you get for
> >
> >     systemctl status snapd.apparmor
> >
> >
> >     and of course if it is not running you can do
> >
> >     systemctl start snapd.apparmor
> >
> >     or make sure it runs after reboot
> >
> >     systemctl enable snapd.apparmor
> >
> >
> > Thanks for the info 😃
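
The distinction drawn in the thread (kernel LSM state versus loaded policy versus a confined snap-confine) can be checked directly; the following is an added example, not part of the thread and not AppArmor or snapd code. It assumes the standard kernel paths /proc/cmdline, /sys/module/apparmor/parameters/enabled and /sys/kernel/security/apparmor/profiles; the state names and the root-prefix argument are hypothetical, and the sample trees in its test are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Run as root on a real system: the
# loaded-profile list in securityfs is not readable by ordinary users.
# The optional argument is a hypothetical root prefix used only for testing.

# Print one state word describing what the kernel is actually enforcing.
aa_state() {
    root=${1:-}
    cmdline=$(cat "$root/proc/cmdline" 2>/dev/null || true)
    case " $cmdline " in
        *" apparmor=0 "*) echo disabled-by-cmdline; return ;;
    esac
    # The LSM is built into the kernel, so stopping or disabling the
    # systemd units does not change this value.
    enabled=$(cat "$root/sys/module/apparmor/parameters/enabled" 2>/dev/null || true)
    [ "$enabled" = "Y" ] || { echo kernel-disabled; return; }
    list="$root/sys/kernel/security/apparmor/profiles"
    [ -r "$list" ] || { echo profiles-unreadable; return; }
    # Read the content rather than using `test -s`: pseudo-files may report size 0.
    loaded=$(cat "$list" 2>/dev/null || true)
    [ -n "$loaded" ] || { echo policy-unloaded; return; }
    # LSM on and policy present, but no profile for snap-confine: it would run
    # unconfined, which is what the dmesg message in the thread complains about.
    printf '%s\n' "$loaded" | grep -q 'snap-confine' \
        || { echo snap-confine-unconfined; return; }
    echo ok
}

# Map a state to the next step named in the thread.
aa_advice() {
    case $1 in
        disabled-by-cmdline) echo "kernel booted with apparmor=0" ;;
        kernel-disabled) echo "AppArmor LSM is not enabled in this kernel" ;;
        profiles-unreadable) echo "re-run as root" ;;
        policy-unloaded|snap-confine-unconfined)
            echo "systemctl start snapd.apparmor; systemctl enable snapd.apparmor; restart affected applications" ;;
        *) echo "snap-confine profile is loaded" ;;
    esac
}

state=$(aa_state "${1:-}")
echo "$state: $(aa_advice "$state")"
```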
