[Bug 1803476] Re: After reboot, snap-confine has elevated permissions and is not confined but should be
Kevin, this is a host configuration issue, snapd does not actively monitor that part of the system but at the same time, it is not something that is disabled by default.

Whenever the kernel boots with apparmor enabled snapd requires apparmor profiles to be loaded. If this is not done so then it exits with a clear message about this. There are multiple reasons why profiles may not be loaded on a particular system so we cannot provide more advice.

I did file https://bugs.launchpad.net/snapd/+bug/1806135 to track the dedicated issue of checking apparmor service is active (though it varies from OS to OS so it's not just that one service that needs to be verified).

As such I am closing this instance of the problem (configuration on a specific host as invalid). I don't disagree about the desire to improve snapd to monitor apparmor services on the host but, as I explained above, this is tracked in the other bug.

If you believe there is another issue at play then please do report it but reopening this bug is in my eyes, counterproductive.

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1803476

Title:
  After reboot, snap-confine has elevated permissions and is not confined but should be

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1803476/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
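Added example, not part of the thread and not snapd code: because the comment above notes that the responsible service varies from OS to OS, this function classifies AppArmor state from the kernel's own interfaces (/sys/module/apparmor/parameters/enabled and /sys/kernel/security/apparmor/profiles) instead of from a service unit. The profile name /usr/lib/snapd/snap-confine and the sample listing are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example, not snapd code. Classify AppArmor state from the kernel's
# view rather than from the state of a distro-specific service.
# Usage (as root on a real host):
#   apparmor_state /sys/module/apparmor/parameters/enabled \
#       /sys/kernel/security/apparmor/profiles /usr/lib/snapd/snap-confine
# The profile name above is an assumption; pass whatever names you require.
# Prints: disabled | unknown | no-profiles | missing:<names> |
#         not-enforcing:<names> | ok
apparmor_state() {
    enabled_file=$1 profiles_file=$2
    shift 2
    # Kernel without AppArmor, or AppArmor turned off on the command line.
    if [ "$(cat "$enabled_file" 2>/dev/null)" != "Y" ]; then
        echo disabled; return 0
    fi
    # securityfs files report size 0 and may refuse unprivileged readers,
    # so read the content instead of testing with -s or -r.
    if ! loaded=$(cat "$profiles_file" 2>/dev/null); then
        echo unknown; return 0
    fi
    if [ -z "$loaded" ]; then
        echo no-profiles; return 0
    fi
    missing="" lax=""
    for want in "$@"; do
        # Each line is "name (mode)"; compare the name exactly.
        mode=$(printf '%s\n' "$loaded" | awk -v p="$want" '
            { m = $NF; sub(/ \([a-z]+\)$/, "") }
            $0 == p && !seen { gsub(/[()]/, "", m); print m; seen = 1 }')
        case $mode in
            enforce) ;;
            "")      missing="$missing $want" ;;
            *)       lax="$lax $want" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "missing:$missing"
    elif [ -n "$lax" ]; then
        echo "not-enforcing:$lax"
    else
        echo ok
    fi
}

# Constructed sample: AppArmor is on and one profile is loaded, but the
# snap-confine profile is absent.
demo() {
    d=$(mktemp -d)
    echo Y > "$d/enabled"
    printf '%s\n' 'docker-default (enforce)' > "$d/profiles"
    apparmor_state "$d/enabled" "$d/profiles" /usr/lib/snapd/snap-confine
    rm -rf "$d"
}
demo
```

A result of "missing" or "no-profiles" on a kernel that reports AppArmor enabled is the misconfiguration this bug describes; "disabled" is the deliberate opt-out.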
[Bug 1803476] Re: After reboot, snap-confine has elevated permissions and is not confined but should be
Jon: snapd requires apparmor for essential confinement of untrusted applications. If you are using an apparmor-capable kernel and have not explicitly disabled apparmor on boot then the apparmor requirement will be enforced.

You can disable apparmor on boot with a kernel command line argument. Snapd respects that and disables apparmor enforcement. We want to avoid accidental misconfiguration going unnoticed.
[Bug 1803476] Re: After reboot, snap-confine has elevated permissions and is not confined but should be
One reason why apparmor may need to be disabled:

Issue: Apparmor prevents docker container stop from working - it blocks the signalling init process.

From dmesg, we see

  [156522.040461] audit: type=1400 audit(1555422697.325:338): apparmor="DENIED" operation="signal" profile="docker-default" pid=19232 comm="runc" requested_mask="receive" denied_mask="receive" signal=kill peer="unconfined"

We can shutdown apparmor for now (https://forums.docker.com/t/can-not-stop-docker-container-permission-denied-error/41142/7):

Check status:
  sudo aa-status
Shutdown and prevent it from restarting:
  sudo systemctl disable apparmor.service --now
Unload AppArmor profiles:
  sudo service apparmor teardown
Check status:
  sudo aa-status

Some future fixes: https://github.com/moby/moby/issues/36809

** Bug watch added: github.com/moby/moby/issues #36809
   https://github.com/moby/moby/issues/36809
[Bug 1803476] Re: After reboot, snap-confine has elevated permissions and is not confined but should be
Apparmor breaks kubernetes on my host. Why should I need apparmor to run snapd? That seems like a pretty significant bug/limitation.
[Bug 1803476] Re: After reboot, snap-confine has elevated permissions and is not confined but should be
Sorry, I don't think that this is invalid. If snapd doesn't work because a service is required, then that is a bug for snapd.
[Bug 1803476] Re: After reboot, snap-confine has elevated permissions and is not confined but should be
Woot! Thank you for confirming. I filed https://bugs.launchpad.net/snapd/+bug/1806135 to track the monitoring aspect.

** Changed in: snapd (Ubuntu)
   Status: Incomplete => Invalid
[Bug 1803476] Re: After reboot, snap-confine has elevated permissions and is not confined but should be
Thanks. That did the trick. It would be great if you could monitor needed services. As the years go by, some of my services are not up to date.
[Bug 1803476] Re: After reboot, snap-confine has elevated permissions and is not confined but should be
It looks like your apparmor service is disabled. Can you run "systemctl enable --now apparmor.service"? This should fix your system. You should be able to reboot and have applications working normally.

Perhaps snapd should monitor the state of essential services like that and use the warning framework to warn the user about things being incorrect.
[Bug 1803476] Re: After reboot, snap-confine has elevated permissions and is not confined but should be
$ snap version
snap    2.36.1
snapd   2.36.1
series  16
ubuntu  18.10
kernel  4.18.0-11-generic
[Bug 1803476] Re: After reboot, snap-confine has elevated permissions and is not confined but should be
And /var/lib/snapd/apparmor/profiles/snap-confine.core.5897

** Attachment added: "/var/lib/snapd/apparmor/profiles/snap-confine.core.5897"
   https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1803476/+attachment/5217759/+files/snap-confine.core.5897
[Bug 1803476] Re: After reboot, snap-confine has elevated permissions and is not confined but should be
Here's snap-confine.real

** Attachment added: "/etc/apparmor.d/usr.lib.snapd.snap-confine.real"
   https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1803476/+attachment/5217758/+files/usr.lib.snapd.snap-confine.real
[Bug 1803476] Re: After reboot, snap-confine has elevated permissions and is not confined but should be
And pastebinit

$ systemctl status apparmor.service | pastebinit
http://paste.ubuntu.com/p/wdHFnkMgwk/
$ journalctl -u snapd.service | pastebinit
http://paste.ubuntu.com/p/dmFzm2Hgnk/
$ journalctl -u apparmor.service | pastebinit
http://paste.ubuntu.com/p/xyypwv7psK/
[Bug 1803476] Re: After reboot, snap-confine has elevated permissions and is not confined but should be
Can you attach both files please (as attachments or the comment section on launchpad might explode).

In addition can you please offer some insight into your system? Could you run those commands please:

  snap version
  systemctl status apparmor.service
  journalctl -u snapd.service
  journalctl -u apparmor.service

If you don't mind you can install "pastebinit" program (apt install pastebinit) and pipe each invocation into it:

  systemctl status apparmor.service | pastebinit
  journalctl -u snapd.service | pastebinit
  journalctl -u apparmor.service | pastebinit

This can help me diagnose the problem.
[Bug 1803476] Re: After reboot, snap-confine has elevated permissions and is not confined but should be
Thanks. I'm still affected by this problem, after a reboot yesterday. Here's the output of the commands.

$ ls -l /etc/apparmor.d/*snap-confine*
-rw-r--r-- 1 root root 22234 Oct 15 13:23 /etc/apparmor.d/usr.lib.snapd.snap-confine.real
$ ls -l /var/lib/snapd/apparmor/profiles/*snap-confine*
-rw-r--r-- 1 root root 22551 Nov 21 13:28 /var/lib/snapd/apparmor/profiles/snap-confine.core.5897
[Bug 1803476] Re: After reboot, snap-confine has elevated permissions and is not confined but should be
Hello. Are you still affected by this issue? Could you list some files for me please:

  ls -l /etc/apparmor.d/*snap-confine*
  ls -l /var/lib/snapd/apparmor/profiles/*snap-confine*

** Changed in: snapd (Ubuntu)
   Status: Confirmed => Incomplete
[Bug 1803476] Re: After reboot, snap-confine has elevated permissions and is not confined but should be
I'm having the same issue with spotify and tusk, installed via snap. The workaround suggested by nereocystis works, but it would be nice if it would not be necessary.
[Bug 1803476] Re: After reboot, snap-confine has elevated permissions and is not confined but should be
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: snapd (Ubuntu)
   Status: New => Confirmed
[Bug 1803476] Re: After reboot, snap-confine has elevated permissions and is not confined but should be
This command works, after getting rid of "-" in the previous command

kevin@awabi:~$ sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap*
[Bug 1803476] Re: After reboot, snap-confine has elevated permissions and is not confined but should be
Thanks. I still don't quite have the improved workaround working.

After:

  sudo apparmor_parser -r /etc/apparmor.d/*snap-confine*

$ eclipse
cannot change profile for the next exec call: No such file or directory

The second command wasn't quite correct. I modified it, but still have a problem:

$ sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap-*
kevin@awabi:~$ eclipse
cannot change profile for the next exec call: No such file or directory
[Bug 1803476] Re: After reboot, snap-confine has elevated permissions and is not confined but should be
For the workaround, I forgot, you might also need to do:

$ sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap-confine*
[Bug 1803476] Re: After reboot, snap-confine has elevated permissions and is not confined but should be
Assigning zyga just so he sees it. zyga, please unassign/reassign as you see fit.

** Changed in: snapd (Ubuntu)
   Assignee: (unassigned) => Zygmunt Krynicki (zyga)
[Bug 1803476] Re: After reboot, snap-confine has elevated permissions and is not confined but should be
Thank you for reporting this bug. FYI, the workaround need not be so drastic. You should be able to simply:

$ sudo apparmor_parser -r /etc/apparmor.d/*snap-confine*