Package: snapd
Version: 2.51.7-1
Severity: grave
Justification: renders package unusable
X-Debbugs-Cc: [email protected]
Dear Maintainer,
* What led up to the situation? Trying to run a "classic" snap.
* What exactly did you do (or not do) that was effective (or
ineffective)? Just tried to run the snap.
* What was the outcome of this action? AppArmor DENIED and snap not starting
* What outcome did you expect instead? Snap to run properly
The AppArmor profile for /usr/lib/snapd/snap-confine prevents snaps such
as slack and spotify from running at all:
----
$ slack
cannot change profile for the next exec call: No such file or directory
$ spotify
WARNING: cgroup v2 is not fully supported yet, proceeding with partial
confinement
cannot change profile for the next exec call: No such file or directory
snap-update-ns failed with code 1
----
----
Sep 06 13:47:04 XXX kernel: audit: type=1400 audit(1630928824.498:38):
apparmor="DENIED" operation="change_onexec" info="label not found" error=-2
profile="/usr/lib/snapd/snap-confine" name="snap-update-ns.spotify" pid=10039
comm="snap-confine"
Sep 06 13:47:04 XXX kernel: audit: type=1400 audit(1630928824.498:37):
apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine"
pid=10025 comm="snap-confine" capability=4 capname="fsetid"
Sep 06 13:47:04 XXX audit[10039]: AVC apparmor="DENIED"
operation="change_onexec" info="label not found" error=-2
profile="/usr/lib/snapd/snap-confine" name="snap-update-ns.spotify" pid=10039
comm="snap-confine"
Sep 06 13:47:04 XXX audit[10025]: AVC apparmor="DENIED" operation="capable"
profile="/usr/lib/snapd/snap-confine" pid=10025 comm="snap-confine"
capability=4 capname="fsetid"
Sep 06 13:46:59 XXX audit[9942]: AVC apparmor="DENIED"
operation="change_onexec" info="label not found" error=-2
profile="/usr/lib/snapd/snap-confine" name="snap.slack.slack" pid=9942
comm="snap-confine"
Sep 06 13:46:59 XXX kernel: audit: type=1400 audit(1630928819.269:36):
apparmor="DENIED" operation="change_onexec" info="label not found" error=-2
profile="/usr/lib/snapd/snap-confine" name="snap.slack.slack" pid=9942
comm="snap-confine"
----
-- System Information:
Debian Release: bookworm/sid
APT prefers stable-security
APT policy: (500, 'stable-security'), (500, 'unstable'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.10.0-8-amd64 (SMP w/16 CPU threads)
Kernel taint flags: TAINT_OOT_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages snapd depends on:
ii adduser 3.118
ii apparmor 3.0.3-2
ii ca-certificates 20210119
ii gnupg 2.2.27-2
ii libapparmor1 3.0.3-2
ii libc6 2.32-1
ii libcap2 1:2.44-1
ii libseccomp2 2.5.1-1
ii libudev1 247.9-1
ii openssh-client 1:8.4p1-6
ii squashfs-tools 1:4.5-2
ii systemd 247.9-1
ii udev 247.9-1
Versions of packages snapd recommends:
ii gnupg 2.2.27-2
Versions of packages snapd suggests:
ii zenity 3.32.0-7
-- no debconf information
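
For triage of the audit records in this report, the following is an added example, not part of the original report or of snapd. It extracts the labels that change_onexec could not find and compares them with a list of loaded profiles. The function names and the profile list used in testing are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Three of the audit records from the report above, with the mail wrapping undone.
SAMPLE = [
    'Sep 06 13:47:04 XXX kernel: audit: type=1400 audit(1630928824.498:38): '
    'apparmor="DENIED" operation="change_onexec" info="label not found" error=-2 '
    'profile="/usr/lib/snapd/snap-confine" name="snap-update-ns.spotify" '
    'pid=10039 comm="snap-confine"',
    'Sep 06 13:47:04 XXX audit[10025]: AVC apparmor="DENIED" operation="capable" '
    'profile="/usr/lib/snapd/snap-confine" pid=10025 comm="snap-confine" '
    'capability=4 capname="fsetid"',
    'Sep 06 13:46:59 XXX audit[9942]: AVC apparmor="DENIED" '
    'operation="change_onexec" info="label not found" error=-2 '
    'profile="/usr/lib/snapd/snap-confine" name="snap.slack.slack" pid=9942 '
    'comm="snap-confine"',
]

# key=value pairs; values are either double-quoted or a bare token.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED record, else None."""
    fields = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
              for m in FIELD.finditer(line)}
    return fields if fields.get("apparmor") == "DENIED" else None

def missing_labels(lines):
    """Map each label that change_onexec could not find to the PIDs that hit it."""
    found = defaultdict(set)
    for fields in filter(None, map(parse_denial, lines)):
        # error=-2 is -ENOENT, the "No such file or directory" snap-confine prints.
        if fields.get("operation") == "change_onexec" and fields.get("error") == "-2":
            found[fields["name"]].add(int(fields["pid"]))
    return dict(found)

def not_loaded(labels, profiles_text):
    """Labels absent from text in the format of /sys/kernel/security/apparmor/profiles."""
    loaded = {ln.rsplit(" (", 1)[0] for ln in profiles_text.splitlines() if ln.strip()}
    return sorted(set(labels) - loaded)

if __name__ == "__main__":
    for label, pids in sorted(missing_labels(SAMPLE).items()):
        print(f"{label}: requested by pid(s) {sorted(pids)}")
```

On a live system, the text passed to not_loaded() would be the contents of /sys/kernel/security/apparmor/profiles, which is readable by root.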