Same issue for me. Ubuntu 22.04 on a Lenovo laptop. Pretty stock Ubuntu.
After debugging for a while, I decided to do a dist-upgrade, so now
it's 24.04, but same issue.

```
% snap --version
snap    2.71+ubuntu24.04
snapd   2.71+ubuntu24.04
series  16
ubuntu  24.04
kernel  6.14.0-1013-oem
```

```
% getcap /usr/lib/snapd/snap-confine
/usr/lib/snapd/snap-confine cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_sys_chroot,cap_sys_ptrace,cap_sys_admin=p
```

```
% SNAPD_DEBUG=1 snap run hello
2025/10/16 18:41:44.705536 tool_linux.go:94: DEBUG: snap (at 
"/snap/snapd/current") is older ("2.71") than distribution package 
("2.71+ubuntu24.04")
2025/10/16 18:41:44.706189 logger.go:289: DEBUG: -- snap startup 
{"stage":"start", "time":"1760632904.706187"}
2025/10/16 18:41:44.706824 apparmor.go:945: DEBUG: checking distro 
apparmor_parser at /usr/sbin/apparmor_parser
2025/10/16 18:41:44.706845 apparmor.go:954: DEBUG: apparmor 4.0 ABI detected 
but ignored
2025/10/16 18:41:44.710484 cmd_run.go:1390: DEBUG: executing snap-confine from 
/usr/lib/snapd/snap-confine
2025/10/16 18:41:44.711615 cmd_run.go:512: DEBUG: SELinux not enabled
2025/10/16 18:41:44.712094 tracking.go:48: DEBUG: creating transient scope 
snap.hello.hello
2025/10/16 18:41:44.713025 tracking.go:217: DEBUG: using session bus
2025/10/16 18:41:44.714480 tracking.go:350: DEBUG: create transient scope job: 
/org/freedesktop/systemd1/job/1046
2025/10/16 18:41:44.731572 tracking.go:450: DEBUG: job result is "done"
2025/10/16 18:41:44.731589 tracking.go:457: DEBUG: transient scope 
snap.hello.hello-11a4abf6-c9ef-4615-83e4-cde39cd5561f.scope created
2025/10/16 18:41:44.731897 tracking.go:153: DEBUG: waited 18.761351ms for 
tracking
2025/10/16 18:41:44.731926 logger.go:289: DEBUG: -- snap startup {"stage":"snap 
to snap-confine", "time":"1760632904.731923"}
DEBUG: -- snap startup {"stage":"snap-confine enter", 
"time":"1760632904.734016"}
DEBUG: caps at startup: 
cap_chown,cap_dac_override,cap_dac_read_search,cap_sys_chroot,cap_sys_ptrace,cap_sys_admin=p
DEBUG: ruid: 1000, euid: 1000, suid: 1000
DEBUG: rgid: 1000, egid: 1000, sgid: 1000
DEBUG: apparmor label on snap-confine is: /usr/lib/snapd/snap-confine
DEBUG: apparmor mode is: enforce
DEBUG: initial caps: 
cap_chown,cap_dac_override,cap_dac_read_search,cap_sys_chroot,cap_sys_ptrace,cap_sys_admin=p
cannot set capabilities: Operation not permitted
```

```
% sudo dmesg | grep DENIED

<nothing>
```

Also I've tried setting the snap AppArmor profile in complain mode.
Didn't change anything.

I tried strace'ing. Here's the non-root strace:
```
% strace -f -o /tmp/snap.trace -e capset,execve snap run hello ; grep -E 'execve|capset' /tmp/snap.trace

cannot set capabilities: Operation not permitted
40147 execve("/usr/bin/snap", ["snap", "run", "hello"], 0x7ffc41ae6378 /* 65 
vars */) = 0
40157 execve("/usr/lib/snapd/snap-seccomp", ["/usr/lib/snapd/snap-seccomp", 
"version-info"], 0xc000458b48 /* 65 vars */) = 0
40155 execve("/usr/lib/snapd/snap-confine", ["/usr/lib/snapd/snap-confine", 
"--base", "core20", "snap.hello.hello", "/usr/lib/snapd/snap-exec", 
"hello.hello"], 0xc0001c6b08 /* 81 vars */ <unfinished ...>
40147 +++ superseded by execve in pid 40155 +++
40147 <... execve resumed>)             = 0
40147 capset({version=_LINUX_CAPABILITY_VERSION_3, pid=0}, 
{effective=1<<CAP_CHOWN|1<<CAP_DAC_OVERRIDE|1<<CAP_DAC_READ_SEARCH|1<<CAP_FOWNER|1<<CAP_SYS_CHROOT|1<<CAP_SYS_PTRACE|1<<CAP_SYS_ADMIN,
 permitted=0, inheritable=1<<CAP_CHOWN|1<<CAP_DAC_OVERRIDE|1<<CAP_SYS_ADMIN}) = 
-1 EPERM (Operation not permitted)
```

I notice that permitted=0. I'm very new to caps, but the interwebs & AI have led
me to believe that you cannot have "effective" set to what is not already in
"permitted". And if permitted is zero, then that'll never work. But I don't know
if this is a side effect of being executed through strace.
Anyway, the docs say "EPERM: An attempt was made to add a capability to the
permitted set, or to set a capability in the effective set that is not in the
permitted set." (https://man7.org/linux/man-pages/man2/capget.2.html)


Trying again as root:
```
strace -f -o /tmp/snap.trace -e capset,execve snap run hello ; grep -E 'execve|capset' /tmp/snap.trace

cannot set capabilities: Operation not permitted
39862 execve("/usr/bin/snap", ["snap", "run", "hello"], 0x7ffc7d5c1858 /* 18 
vars */) = 0
39881 execve("/usr/lib/snapd/snap-seccomp", ["/usr/lib/snapd/snap-seccomp", 
"version-info"], 0xc0001e3720 /* 18 vars */) = 0
39889 execve("/usr/lib/snapd/snap-confine", ["/usr/lib/snapd/snap-confine", 
"--base", "core20", "snap.hello.hello", "/usr/lib/snapd/snap-exec", 
"hello.hello"], 0xc0005445a0 /* 35 vars */ <unfinished ...>
39862 +++ superseded by execve in pid 39889 +++
39862 <... execve resumed>)             = 0
39862 capset({version=_LINUX_CAPABILITY_VERSION_3, pid=0}, 
{effective=1<<CAP_CHOWN|1<<CAP_DAC_OVERRIDE|1<<CAP_DAC_READ_SEARCH|1<<CAP_FOWNER|1<<CAP_SETGID|1<<CAP_SETUID|1<<CAP_NET_ADMIN|1<<CAP_SYS_CHROOT|1<<CAP_SYS_PTRACE|1<<CAP_SYS_ADMIN|1<<CAP_SYS_RESOURCE|1<<CAP_PERFMON|1<<CAP_BPF,
 
permitted=1<<CAP_CHOWN|1<<CAP_DAC_OVERRIDE|1<<CAP_DAC_READ_SEARCH|1<<CAP_SETGID|1<<CAP_SETUID|1<<CAP_NET_ADMIN|1<<CAP_SYS_CHROOT|1<<CAP_SYS_PTRACE|1<<CAP_SYS_ADMIN|1<<CAP_SYS_RESOURCE|1<<CAP_PERFMON|1<<CAP_BPF,
 inheritable=1<<CAP_CHOWN|1<<CAP_DAC_OVERRIDE|1<<CAP_SYS_ADMIN}) = -1 EPERM 
(Operation not permitted)
```

This time `permitted` is not zero, but effective is trying to set
CAP_FOWNER, which is not in the `permitted` set. But again, I'm not sure
if strace is affecting the caps being set somehow. And this might be a
wild goose chase.


Oh, and since Maciej Borzecki isn't having the issue in a VM, I wonder if the
issue only affects Secure Boot devices, with their extra lockdown restrictions.
AFAIK, Secure Boot isn't on by default for VMs.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2127224

Title:
  all snaps fail to run

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/2127224/+subscriptions
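The comment above reasons about two capability rules: the execve transition that turns snap-confine's file capabilities into the process's "caps at startup", and the capset(2) rule that the effective set must be a subset of the permitted set (the EPERM the man page describes). The C program below is an added example written for this page, not snapd code, and it models both rules with the sets copied from the report as constructed sample input. It also answers the strace question: when the tracer does not hold CAP_SYS_PTRACE over the traced process, the kernel (security/commoncap.c) discards the capability gain from a file-capability execve by intersecting the new permitted set with the old one, which for an unprivileged user is empty, so `permitted=0` in the non-root trace is an artefact of strace itself; `sudo strace` does not trigger that downgrade, which is why the root trace shows a non-empty permitted set. The one assumption in the model is the bounding set: the "caps at startup" line and the root trace both lack cap_fowner even though getcap shows it on the binary, and the formula from capabilities(7) reproduces exactly that set if the process's bounding set is missing CAP_FOWNER. That is a hypothesis to check, not a confirmed cause; compare `grep CapBnd /proc/self/status` (decode the hex with `capsh --decode=...`) in the affected login session against a working machine. The last function performs the EPERM live with raw capget/capset syscalls so no libcap is needed.

```c
/* Added example for this bug thread, not snapd code. Models the capability
 * transitions seen in the report and reproduces the capset EPERM live. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/capability.h>

typedef unsigned long long capmask_t;
#define CAPBIT(c) (1ULL << (c))

/* Constructed from the report: file permitted set printed by getcap on snap-confine. */
#define FILE_PERMITTED (CAPBIT(CAP_CHOWN) | CAPBIT(CAP_DAC_OVERRIDE) | CAPBIT(CAP_DAC_READ_SEARCH) | \
                        CAPBIT(CAP_FOWNER) | CAPBIT(CAP_SYS_CHROOT) | CAPBIT(CAP_SYS_PTRACE) | \
                        CAPBIT(CAP_SYS_ADMIN))
/* Constructed from the report: "caps at startup" printed by snap-confine (no cap_fowner). */
#define OBSERVED_STARTUP (FILE_PERMITTED & ~CAPBIT(CAP_FOWNER))
/* Assumption: a normal login's bounding set holds every capability the kernel knows. */
#define FULL_BOUNDING ((CAPBIT(CAP_LAST_CAP) << 1) - 1)

/* P'(permitted) after execve of a file-capability binary, per capabilities(7):
 *   (P(inheritable) & F(inheritable)) | (F(permitted) & P(bounding)) | P'(ambient) */
capmask_t exec_permitted(capmask_t file_permitted, capmask_t file_inheritable,
                         capmask_t proc_inheritable, capmask_t proc_bounding,
                         capmask_t ambient)
{
    return (proc_inheritable & file_inheritable) | (file_permitted & proc_bounding) | ambient;
}

/* Extra rule in security/commoncap.c when the execve is ptraced by a tracer that
 * lacks CAP_SYS_PTRACE over the new process: the gain is thrown away by
 * intersecting the new permitted set with the one the process had before. */
capmask_t exec_permitted_traced(capmask_t new_permitted, capmask_t old_permitted)
{
    return new_permitted & old_permitted;
}

/* The capset(2) rule quoted in the report: effective must be a subset of permitted. */
int capset_effective_allowed(capmask_t effective, capmask_t permitted)
{
    return (effective & ~permitted) == 0;
}

/* Reproduce the EPERM live: read this thread's sets with capget(2), then ask
 * capset(2) to raise one effective bit that is not in permitted, leaving the
 * permitted and inheritable sets untouched. Only the low 32 capabilities are
 * probed so the chosen bit is one every kernel knows.
 * Returns errno from capset (EPERM expected), 0 if the kernel accepted it, or
 * -1 if the thread already holds all of the low 32 capabilities. */
int probe_effective_outside_permitted(void)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3] = { { 0 } };
    if (syscall(SYS_capget, &hdr, data) != 0)
        return errno;
    int extra = -1;
    for (int c = 0; c < 32; c++) {
        if (!(data[0].permitted & (1U << c))) { extra = c; break; }
    }
    if (extra < 0)
        return -1;
    data[0].effective |= 1U << extra;
    if (syscall(SYS_capset, &hdr, data) == 0)
        return 0;
    return errno;
}

static void show(const char *label, capmask_t m)
{
    printf("%-38s 0x%010llx  cap_fowner=%s\n", label, m,
           (m & CAPBIT(CAP_FOWNER)) ? "yes" : "no");
}

int main(void)
{
    show("file permitted (getcap)", FILE_PERMITTED);
    show("exec, full bounding set", exec_permitted(FILE_PERMITTED, 0, 0, FULL_BOUNDING, 0));
    show("exec, bounding set minus CAP_FOWNER",
         exec_permitted(FILE_PERMITTED, 0, 0, FULL_BOUNDING & ~CAPBIT(CAP_FOWNER), 0));
    show("observed caps at startup", OBSERVED_STARTUP);
    show("exec traced by unprivileged strace", exec_permitted_traced(FILE_PERMITTED, 0));
    printf("raise FILE_PERMITTED into effective with OBSERVED_STARTUP permitted: %s\n",
           capset_effective_allowed(FILE_PERMITTED, OBSERVED_STARTUP) ? "allowed" : "EPERM");
    int r = probe_effective_outside_permitted();
    printf("live capset probe: %s\n", r == EPERM ? "EPERM (as expected)" :
           r == -1 ? "skipped, all low caps held" : "unexpected result");
    return 0;
}
```

Build with `gcc -o capmodel capmodel.c` and run it once unprivileged and once under `sudo`; the live probe only reports "skipped" when the process already holds every capability below 32, which is the root case on a stock system. The model is deliberately the bare formula, so any other candidate cause (a PAM `capability.conf`, a systemd `CapabilityBoundingSet=` on the session scope, a lockdown-related restriction) can be tested by plugging the suspected bounding or inheritable set into `exec_permitted` and comparing with the "caps at startup" line.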


-- 
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs