I've installed updates after Nov., 27th 2025 then snap started to break. The
updated snaps won't start with "cannot set privileged capabilities: Operation
not permitted".
Snaps already running where fine. especially cups. After rebooting ALL snaps
did not run anymore with above error printed if started within a shell.
Since this was with 25.04 and these systems where due to be upgraded, I
thought it could be helpful to upgrade all systems from 25.04 to 25.10.
The mess got bigger: now I have around 10 systems not running snaps any
more.
On all of them:
- getcap reports for '/usr/lib/snapd/snap-confine':
/usr/lib/snapd/snap-confine
cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,\
cap_setgid,cap_setuid,cap_sys_chroot,cap_sys_ptrace,cap_sys_admin=p
as far as I could dig into this seems what is expected.
- '/usr/lib/snapd/snap-confine' is not set uid_root, owned by root,
executable by all users.
- '/etc/apparmor.d' does not hold any files '*.dpkg-dist' or '*.dpkg-
old'
Trying to run any snap, whatever it is, leads to "cannot set privileged
capabilities: Operation not permitted", regardless running as user, root
or using sudo for 25.04.
Switching debugging on gives for all snaps:
$ SNAPD_DEBUG=1 snap run firefox
2025/12/02 14:59:55.934022 tool_linux.go:94: DEBUG: snap (at
"/snap/snapd/current") is older ("2.72") than distribution package
("2.72+ubuntu25.10.2")
2025/12/02 14:59:55.937843 logger.go:289: DEBUG: -- snap startup
{"stage":"start", "time":"1764683995.937821"}
2025/12/02 14:59:55.938986 apparmor.go:945: DEBUG: checking distro
apparmor_parser at /usr/sbin/apparmor_parser
2025/12/02 14:59:55.939039 apparmor.go:954: DEBUG: apparmor 4.0 ABI detected
but ignored
2025/12/02 14:59:55.948060 cmd_run.go:1392: DEBUG: executing snap-confine from
/usr/lib/snapd/snap-confine
2025/12/02 14:59:55.950888 cmd_run.go:512: DEBUG: SELinux not enabled
2025/12/02 14:59:55.952014 tracking.go:48: DEBUG: creating transient scope
snap.firefox.firefox
2025/12/02 14:59:55.953940 tracking.go:217: DEBUG: using session bus
2025/12/02 14:59:55.956864 tracking.go:350: DEBUG: create transient scope job:
/org/freedesktop/systemd1/job/1873
2025/12/02 14:59:55.970453 tracking.go:450: DEBUG: job result is "done"
2025/12/02 14:59:55.970520 tracking.go:457: DEBUG: transient scope
snap.firefox.firefox-7c1224d3-a879-462f-9815-e3f380f3d5cd.scope created
2025/12/02 14:59:55.971135 tracking.go:153: DEBUG: waited 17.045623ms for
tracking
2025/12/02 14:59:55.971227 logger.go:289: DEBUG: -- snap startup {"stage":"snap
to snap-confine", "time":"1764683995.971220"}
DEBUG: -- snap startup {"stage":"snap-confine enter",
"time":"1764683995.975013"}
DEBUG: caps at startup: cap_wake_alarm=i
cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_setgid,cap_setuid,cap_sys_chroot,cap_sys_admin+p
DEBUG: ruid: 1000, euid: 1000, suid: 1000
DEBUG: rgid: 1000, egid: 1000, sgid: 1000
DEBUG: apparmor label on snap-confine is: /usr/lib/snapd/snap-confine
DEBUG: apparmor mode is: enforce
DEBUG: initial caps: cap_wake_alarm=i
cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_setgid,cap_setuid,cap_sys_chroot,cap_sys_admin+p
cannot set privileged capabilities: Operation not permitted
Looking at apparmor logs shows nothing suspicious - no messages of
disallowed actions starting snaps. As does looking at
'/etc/apparmor.d/usr.lib.snapd.snap-confine.real'.
- after upgrading from 25.04 to 25.10 I could run snaps again as root or
using sudo.
I've decided to setup new virtual instances of
- 25.04
- 25.10
- 26.04
Then test, upgrade, then test again. Results:
- 25.04 new install works (snaps where newer, then snapd -- I'd say snaps
themselves are not the problem here) after upgrading snaps are not working any
more. As long as snaps where started at least once before upgrading, they ran
after upgrading -- until the next reboot. That stopped them.
- 25.10 new install works. After upgrading to latest pkgs snaps did not run any
more. Same as with 25.04: snaps started once before upgrading worked on after
upgrading until rebooting. That stopped them.
- 26.04 same here. Snaps work until the latest updates are applied.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2127224
Title:
all snaps fail to run
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/2127224/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
