Public bug reported:
Release: 22.04
Ubuntu 22.04.4 LTS
snapd 2.63+22.04
apparmor 3.0.4-2ubuntu2.3
Software Center, Firefox and maybe more applications installed via snap do not
start.
Error:
“snap-confine has elevated permissions and is not confined but should be. Refusing to continue to avoid permission escalation attacks. Please make sure that the snapd.apparmor service is enabled and started”
snapd.service - Snap Daemon
Loaded: loaded (/lib/systemd/system/snapd.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2024-07-03 18:07:28 EEST; 1min 35s ago
TriggeredBy: ● snapd.socket
Main PID: 72129 (snapd)
Tasks: 10 (limit: 4570)
Memory: 13.0M
CPU: 911ms
CGroup: /system.slice/snapd.service
└─72129 /usr/lib/snapd/snapd
лип 03 18:07:27 test-HVM-domU systemd[1]: Starting Snap Daemon...
лип 03 18:07:27 test-HVM-domU snapd[72129]: overlord.go:271: Acquiring state lock file
лип 03 18:07:27 test-HVM-domU snapd[72129]: overlord.go:276: Acquired state lock file
лип 03 18:07:27 test-HVM-domU snapd[72129]: daemon.go:247: started snapd/2.63+22.04 (series 16; classic) ubuntu/22.04 (amd64) linux/6.5.0-41-generic.
лип 03 18:07:27 test-HVM-domU snapd[72129]: daemon.go:340: adjusting startup timeout by 1m20s (pessimistic estimate of 30s plus 5s per snap)
лип 03 18:07:27 test-HVM-domU snapd[72129]: backends.go:58: AppArmor status: apparmor is enabled and all features are available
лип 03 18:07:28 test-HVM-domU systemd[1]: Started Snap Daemon.
● snapd.apparmor.service - Load AppArmor profiles managed internally by snapd
Loaded: loaded (/lib/systemd/system/snapd.apparmor.service; enabled; vendor preset: enabled)
Active: active (exited) since Wed 2024-07-03 18:07:29 EEST; 2min 38s ago
Process: 72248 ExecStart=/usr/lib/snapd/snapd-apparmor start (code=exited, status=0/SUCCESS)
Main PID: 72248 (code=exited, status=0/SUCCESS)
CPU: 133ms
лип 03 18:07:28 test-HVM-domU systemd[1]: Starting Load AppArmor profiles managed internally by snapd...
лип 03 18:07:28 test-HVM-domU snapd-apparmor[72248]: main.go:124: Loading profiles [/var/lib/snapd/apparmor/profiles/snap-confine.snapd.19457 /var/lib/snapd/apparmor/profiles/snap-confine.snapd.21759 /var/lib/snapd/apparmor/profiles/snap-update-ns.firefox /var/lib/snapd/apparmor/profiles/snap-update-ns.snap-store /var/lib/snapd/apparmor/profiles/snap-update-ns.snapd-desktop-integration /var/lib/snapd/apparmor/profiles/snap.firefox.firefox /var/lib/snapd/apparmor/profiles/snap.firefox.geckodriver /var/lib/snapd/apparmor/profiles/snap.firefox.hook.configure /var/lib/snapd/apparmor/profiles/snap.firefox.hook.connect-plug-host-hunspell /var/lib/snapd/apparmor/profiles/snap.firefox.hook.disconnect-plug-host-hunspell /var/lib/snapd/apparmor/profiles/snap.firefox.hook.post-refresh /var/lib/snapd/apparmor/profiles/snap.snap-store.hook.configure /var/lib/snapd/apparmor/profiles/snap.snap-store.snap-store /var/lib/snapd/apparmor/profiles/snap.snap-store.ubuntu-software /var/lib/snapd/apparmor/profiles/snap.snap-store.ubuntu-software-local-file /var/lib/snapd/apparmor/profiles/snap.snapd-desktop-integration.hook.configure /var/lib/snapd/apparmor/profiles/snap.snapd-desktop-integration.snapd-desktop-integration]
лип 03 18:07:29 test-HVM-domU systemd[1]: Finished Load AppArmor profiles managed internally by snapd.
apparmor_status
apparmor module is loaded.
58 profiles are loaded.
32 profiles are in enforce mode.
/snap/snapd/19457/usr/lib/snapd/snap-confine
/snap/snapd/19457/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
/snap/snapd/21759/usr/lib/snapd/snap-confine
/snap/snapd/21759/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
/usr/bin/evince-previewer//sanitized_helper
/usr/bin/evince//sanitized_helper
/usr/sbin/chronyd
snap-update-ns.firefox
snap-update-ns.snap-store
snap-update-ns.snapd-desktop-integration
snap.firefox.firefox
snap.firefox.geckodriver
snap.firefox.hook.configure
snap.firefox.hook.connect-plug-host-hunspell
snap.firefox.hook.disconnect-plug-host-hunspell
snap.firefox.hook.post-refresh
snap.snap-store.hook.configure
snap.snap-store.snap-store
snap.snap-store.ubuntu-software
snap.snap-store.ubuntu-software-local-file
snap.snapd-desktop-integration.hook.configure
snap.snapd-desktop-integration.snapd-desktop-integration
ubuntu_pro_apt_news
ubuntu_pro_esm_cache
ubuntu_pro_esm_cache//apt_methods
ubuntu_pro_esm_cache//apt_methods_gpgv
ubuntu_pro_esm_cache//cloud_id
ubuntu_pro_esm_cache//dpkg
ubuntu_pro_esm_cache//ps
ubuntu_pro_esm_cache//ubuntu_distro_info
ubuntu_pro_esm_cache_systemctl
ubuntu_pro_esm_cache_systemd_detect_virt
26 profiles are in complain mode.
/usr/bin/evince
/usr/bin/evince-previewer
/usr/bin/evince-thumbnailer
/usr/bin/man
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/NetworkManager/nm-dhcp-helper
/usr/lib/connman/scripts/dhclient-script
/usr/lib/cups/backend/cups-pdf
/usr/lib/snapd/snap-confine
/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
/usr/sbin/cups-browsed
/usr/sbin/cupsd
/usr/sbin/cupsd//third_party
/{,usr/}sbin/dhclient
libreoffice-oosplash
libreoffice-senddoc
libreoffice-soffice
libreoffice-soffice//gpg
libreoffice-xpdfimport
lsb_release
man_filter
man_groff
nvidia_modprobe
nvidia_modprobe//kmod
rsyslogd
tcpdump
0 profiles are in kill mode.
0 profiles are in unconfined mode.
5 processes have profiles defined.
2 processes are in enforce mode.
/usr/sbin/chronyd (596)
/usr/sbin/chronyd (599)
3 processes are in complain mode.
/usr/sbin/cups-browsed (686)
/usr/sbin/cupsd (565)
/usr/sbin/rsyslogd (486) rsyslogd
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.
0 processes are in kill mode.
No logs in audit.log
If I downgrade snapd to version 2.58+22.04.1, it works fine.
audit.log
type=AVC msg=audit(1720019115.699:1367): apparmor="DENIED" operation="capable" class="cap" profile="/snap/snapd/21759/usr/lib/snapd/snap-confine" pid=70871 comm="snap-confine" capability=12 capname="net_admin"
type=AVC msg=audit(1720019115.699:1367): apparmor="DENIED" operation="capable" class="cap" profile="/snap/snapd/21759/usr/lib/snapd/snap-confine" pid=70871 comm="snap-confine" capability=38 capname="perfmon"
type=BPF msg=audit(1720019115.699:1367): prog-id=362 op=LOAD
type=SYSCALL msg=audit(1720019115.699:1367): arch=c000003e syscall=321 success=yes exit=9 a0=5 a1=7ffc34053090 a2=80 a3=1000 items=0 ppid=70714 pid=70871 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="snap-confine" exe="/snap/snapd/21759/usr/lib/snapd/snap-confine" subj=/snap/snapd/21759/usr/lib/snapd/snap-confine key=(null)ARCH=x86_64 SYSCALL=bpf AUID="test" UID="test" GID="test" EUID="root" SUID="root" FSUID="root" EGID="test" SGID="test" FSGID="test"
type=PROCTITLE msg=audit(1720019115.699:1367): proctitle=2F736E61702F736E6170642F32313735392F7573722F6C69622F736E6170642F736E61702D636F6E66696E65002D2D6261736500636F7265323200736E61702E66697265666F782E66697265666F78002F7573722F6C69622F736E6170642F736E61702D657865630066697265666F78
type=BPF msg=audit(1720019116.891:1368): prog-id=363 op=LOAD
type=BPF msg=audit(1720019116.895:1369): prog-id=364 op=LOAD
type=BPF msg=audit(1720019116.895:1370): prog-id=365 op=LOAD
type=SERVICE_START msg=audit(1720019117.031:1371): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=unconfined msg='unit=systemd-timedated comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=USER_AVC msg=audit(1720019117.179:1372): pid=475 uid=102 auid=4294967295 ses=4294967295 subj=unconfined msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/timedate1" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name=":1.150" pid=70871 label="snap.firefox.firefox" peer_pid=71030 peer_label="unconfined" exe="/usr/bin/dbus-daemon" sauid=102 hostname=? addr=? terminal=?'UID="messagebus" AUID="unset" SAUID="messagebus"
type=USER_AVC msg=audit(1720019117.183:1373): pid=475 uid=102 auid=4294967295 ses=4294967295 subj=unconfined msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/timedate1" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name=":1.150" pid=70871 label="snap.firefox.firefox" peer_pid=71030 peer_label="unconfined" exe="/usr/bin/dbus-daemon" sauid=102 hostname=? addr=? terminal=?'UID="messagebus" AUID="unset" SAUID="messagebus"
type=BPF msg=audit(1720019127.024:1374): prog-id=362 op=UNLOAD
Workaround:
Load the AppArmor profiles manually using these commands, but it only works
until reboot:
sudo apparmor_parser -r /etc/apparmor.d/*snap-confine*
sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap-confine*
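The following is an added diagnostic script, not part of the bug report and not snapd's own code; the function names (profile_modes, unenforced_snap_confine, check_live), the script file name and the sample status text are my own. It parses `apparmor_status` output and lists which snap-confine profiles are loaded in which mode, which is the quickest way to tell whether the refusal message quoted above can be explained by a snap-confine profile that is loaded but not enforced, and to confirm what the apparmor_parser workaround changed. The embedded sample is a constructed, trimmed copy of the apparmor_status output from this report; `sh check-snap-confine.sh --live` runs the same check against the real host (apparmor_status needs root).

```shell
#!/bin/sh
# Added diagnostic for the situation in this report (assumed names, not snapd's
# own code). It reads `apparmor_status` output and reports which snap-confine
# profiles are loaded in which AppArmor mode.

# profile_modes PATTERN
#   Reads apparmor_status output on stdin and prints "<mode> <profile>" for each
#   profile whose name matches the awk regex PATTERN. The mode comes from the
#   most recent "N profiles are in <mode> mode." header; the per-process
#   sections at the end of the output are ignored.
profile_modes() {
    awk -v pat="$1" '
        /^[0-9]+ profiles are in [a-z]+ mode\.$/ { mode = $5; next }
        /^[0-9]+ processes/                      { mode = "";  next }
        mode != "" && $0 ~ pat {
            sub(/^[ \t]+/, "")          # real output indents profile names
            print mode, $0
        }
    '
}

# unenforced_snap_confine
#   Prints every loaded snap-confine profile that is NOT in enforce mode and
#   returns 1 if there was any, 0 if all of them are enforced.
unenforced_snap_confine() {
    found=$(profile_modes 'snap-confine' | awk '$1 != "enforce"')
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# check_live
#   The same check against this host: is the snapd.apparmor unit active, and
#   are all snap-confine profiles enforced? apparmor_status needs root.
check_live() {
    echo "snapd.apparmor.service: $(systemctl is-active snapd.apparmor.service)"
    if apparmor_status | unenforced_snap_confine; then
        echo "all snap-confine profiles are in enforce mode"
    else
        echo "the snap-confine profiles above are loaded but not enforced"
        return 1
    fi
}

# Constructed sample, trimmed from the apparmor_status output in this report;
# there the /usr/lib/snapd/snap-confine profiles are listed under complain mode.
SAMPLE_STATUS='apparmor module is loaded.
6 profiles are loaded.
4 profiles are in enforce mode.
   /snap/snapd/21759/usr/lib/snapd/snap-confine
   /snap/snapd/21759/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /usr/sbin/chronyd
   snap.firefox.firefox
2 profiles are in complain mode.
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
0 profiles are in kill mode.
0 profiles are in unconfined mode.
1 processes have profiles defined.
1 processes are in enforce mode.
   /usr/sbin/chronyd (596)
0 processes are in complain mode.'

case "${1-}" in
    --live) check_live ;;
    *) printf '%s\n' "$SAMPLE_STATUS" | profile_modes 'snap-confine' ;;
esac
```

Without arguments the script only classifies the embedded sample (two snap-confine profiles in enforce mode, two in complain mode). Running it with `--live` before and after `apparmor_parser -r` shows whether the reload actually moved the snap-confine profiles into enforce mode, and whether `snapd.apparmor.service` is the unit that should have done so at boot.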
** Affects: snapd (Ubuntu)
Importance: Undecided
Status: New
** Summary changed:
- snapd with apparmor applications not start >2.58+22.04.1
+ snapd with apparmor enforced, snap applications not start >2.58+22.04.1
https://bugs.launchpad.net/bugs/2071834
Title: snapd with apparmor enforced, snap applications not start >2.58+22.04.1