Public bug reported:

Hi,

The default AppArmor configuration in Ubuntu 25.10 denies an application packaged as a Snap classic from using fuse.

I originally discovered the issue with this application: https://snapcraft.io/parsec
(This snap works fine on other distributions such as ArchLinux and PopOS24.04. Regarding Ubuntu, it has been around for some time: it has worked without issue since Ubuntu 18.04!)

I also reproduced the issue with a minimal snap that only contains the memfs example from the libfuse project:

```
$ git clone https://github.com/libfuse/libfuse.git
$ cd libfuse && mkdir build && cd build && meson setup .. && meson compile  # Compile libfuse & its examples
$ cd ../..
$ mkdir snap
$ echo "
name: memfs-ll-classic
base: core24
version: '1.0'
summary: In-memory FUSE filesystem
description: |
  A simple in-memory filesystem using FUSE low-level API.
  Based on the memfs_ll example from libfuse.
grade: devel
confinement: classic
type: app
apps:
  memfs-ll:
    command: bin/memfs_ll
parts:
  memfs-ll:
    plugin: dump
    source: .
    organize:
      libfuse/build/example/memfs_ll: bin/memfs_ll
    stage:
      - bin/memfs_ll
    prime:
      - bin/memfs_ll
" > snap/snapcraft.yaml
$ snapcraft pack
```

Then:

```
$ sudo snap install --classic --dangerous memfs-ll-classic_1.0_amd64.snap
...
$ memfs-ll-classic.memfs-ll ~/mnt
...
fusermount3: file descriptor 3 is not a socket, can't send fuse fd
```

Logs from journalctl:

```
Jan 26 15:03:21 jbbmachine kernel: audit: type=1400 audit(1769436201.051:386): apparmor="DENIED" operation="file_inherit" class="net" profile="fusermount3" pid=15270 comm="fusermount3" family="unix" sock_type="stream" protocol=0 requested="send receive" denied="send receive" addr=none peer_addr=none peer="snap.memfs-ll-classic.memfs-ll"
Jan 26 15:03:21 jbbmachine kernel: audit: type=1400 audit(1769436201.051:387): apparmor="DENIED" operation="open" class="file" info="Failed name lookup - disconnected path" error=-13 profile="fusermount3" name="apparmor/.null" pid=15270 comm="fusermount3" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
Jan 26 15:03:21 jbbmachine kernel: audit: type=1400 audit(1769436201.052:388): apparmor="DENIED" operation="file_inherit" class="net" profile="fusermount3" pid=15271 comm="fusermount3" family="unix" sock_type="stream" protocol=0 requested="send receive" denied="send receive" addr=none peer_addr=none peer="snap.memfs-ll-classic.memfs-ll"
Jan 26 15:03:21 jbbmachine kernel: audit: type=1400 audit(1769436201.052:389): apparmor="DENIED" operation="open" class="file" info="Failed name lookup - disconnected path" error=-13 profile="fusermount3" name="apparmor/.null" pid=15271 comm="fusermount3" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
```

I've attached memfs-ll-classic_1.0_amd64.snap if anyone wants to test without having to rebuild the snap ;-)

ProblemType: Bug
DistroRelease: Ubuntu 25.10
Package: apparmor 5.0.0~alpha1-0ubuntu8.3
ProcVersionSignature: Ubuntu 6.17.0-8.8-generic 6.17.2
Uname: Linux 6.17.0-8-generic x86_64
ApportVersion: 2.33.1-0ubuntu3
Architecture: amd64
CasperMD5CheckResult: pass
CurrentDesktop: ubuntu:GNOME
Date: Mon Jan 26 14:57:12 2026
InstallationDate: Installed on 2026-01-23 (3 days ago)
InstallationMedia: Ubuntu 25.10 "Questing Quokka" - Release amd64 (20251007)
ProcEnviron:
 LANG=en_US.UTF-8
 PATH=(custom, no user)
 SHELL=/bin/bash
 TERM=xterm-256color
 XDG_RUNTIME_DIR=<set>
ProcKernelCmdline: BOOT_IMAGE=/boot/vmlinuz-6.17.0-8-generic root=UUID=67913939-8885-40d3-bc46-40867a8dd20d ro debian-installer/custom-installation=/custom find_preseed=/preseed.cfg auto preseed/file=/floppy/preseed.cfg automatic-ubiquity noprompt priority=critical locale=en_US console-setup/modelcode=evdev crashkernel=2G-4G:320M,4G-32G:512M,32G-64G:1024M,64G-128G:2048M,128G-:4096M
SourcePackage: apparmor
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: apparmor (Ubuntu)
     Importance: Undecided
         Status: Confirmed

** Tags: amd64 apport-bug questing wayland-session

** Attachment added: "memfs-ll-classic_1.0_amd64.snap"
   https://bugs.launchpad.net/bugs/2139081/+attachment/5940969/+files/memfs-ll-classic_1.0_amd64.snap

** Description changed:

Hi, The default AppArmor configuration in Ubuntu 25.10 deny an application packaged as a Snap classic from using fuse. I've originally discovered the issue with this application: https://snapcraft.io/parsec (This snap works fine on other distributions such as ArchLinux and PopOS24.04. Regarding Ubuntu, it has been around for some time: it worked without issue since Ubuntu 18.04 !) I also reproduced the issue with a minimal snap that only contains the memfs example from libfuse project: ``` $ git clone https://github.com/libfuse/libfuse.git $ cd libfuse && mkdir build && cd build && meson setup .. && meson compile # Compile libfuse & its examples $ cd ../.. $ mkdir snap $ echo " name: memfs-ll-classic base: core24 version: '1.0' summary: In-memory FUSE filesystem description: | - A simple in-memory filesystem using FUSE low-level API. - Based on the memfs_ll example from libfuse. + A simple in-memory filesystem using FUSE low-level API. + Based on the memfs_ll example from libfuse. grade: devel confinement: classic type: app apps: - memfs-ll: - command: bin/memfs_ll + memfs-ll: + command: bin/memfs_ll parts: - memfs-ll: - plugin: dump - source: .
- organize: - libfuse/build/example/memfs_ll: bin/memfs_ll - stage: - - bin/memfs_ll - prime: - - bin/memfs_ll + memfs-ll: + plugin: dump + source: . + organize: + libfuse/build/example/memfs_ll: bin/memfs_ll + stage: + - bin/memfs_ll + prime: + - bin/memfs_ll " > snap/snapcraft.yaml $ snapcraft pack + ``` + Then: ``` $ sudo snap install --classic --dangerous memfs-ll-classic_1.0_amd64.snap ... $ memfs-ll-classic.memfs-ll ~/mnt ... fusermount3: file descriptor 3 is not a socket, can't send fuse fd ``` logs from journalctl: ``` Jan 26 15:03:21 jbbmachine kernel: audit: type=1400 audit(1769436201.051:386): apparmor="DENIED" operation="file_inherit" class="net" profile="fusermount3" pid=15270 comm="fusermount3" family="unix" sock_type="stream" protocol=0 requested="send receive" denied="send receive" addr=none peer_addr=none peer="snap.memfs-ll-classic.memfs-ll" Jan 26 15:03:21 jbbmachine kernel: audit: type=1400 audit(1769436201.051:387): apparmor="DENIED" operation="open" class="file" info="Failed name lookup - disconnected path" error=-13 profile="fusermount3" name="apparmor/.null" pid=15270 comm="fusermount3" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0 Jan 26 15:03:21 jbbmachine kernel: audit: type=1400 audit(1769436201.052:388): apparmor="DENIED" operation="file_inherit" class="net" profile="fusermount3" pid=15271 comm="fusermount3" family="unix" sock_type="stream" protocol=0 requested="send receive" denied="send receive" addr=none peer_addr=none peer="snap.memfs-ll-classic.memfs-ll" Jan 26 15:03:21 jbbmachine kernel: audit: type=1400 audit(1769436201.052:389): apparmor="DENIED" operation="open" class="file" info="Failed name lookup - disconnected path" error=-13 profile="fusermount3" name="apparmor/.null" pid=15271 comm="fusermount3" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0 ``` I've attached memfs-ll-classic_1.0_amd64.snap if anyone want to test without having to rebuild the snap ;-) ProblemType: Bug DistroRelease: Ubuntu 25.10 Package: 
apparmor 5.0.0~alpha1-0ubuntu8.3 ProcVersionSignature: Ubuntu 6.17.0-8.8-generic 6.17.2 Uname: Linux 6.17.0-8-generic x86_64 ApportVersion: 2.33.1-0ubuntu3 Architecture: amd64 CasperMD5CheckResult: pass CurrentDesktop: ubuntu:GNOME Date: Mon Jan 26 14:57:12 2026 InstallationDate: Installed on 2026-01-23 (3 days ago) InstallationMedia: Ubuntu 25.10 "Questing Quokka" - Release amd64 (20251007) ProcEnviron: - LANG=en_US.UTF-8 - PATH=(custom, no user) - SHELL=/bin/bash - TERM=xterm-256color - XDG_RUNTIME_DIR=<set> + LANG=en_US.UTF-8 + PATH=(custom, no user) + SHELL=/bin/bash + TERM=xterm-256color + XDG_RUNTIME_DIR=<set> ProcKernelCmdline: BOOT_IMAGE=/boot/vmlinuz-6.17.0-8-generic root=UUID=67913939-8885-40d3-bc46-40867a8dd20d ro debian-installer/custom-installation=/custom find_preseed=/preseed.cfg auto preseed/file=/floppy/preseed.cfg automatic-ubiquity noprompt priority=critical locale=en_US console-setup/modelcode=evdev crashkernel=2G-4G:320M,4G-32G:512M,32G-64G:1024M,64G-128G:2048M,128G-:4096M SourcePackage: apparmor UpgradeStatus: No upgrade log present (probably fresh install)

https://bugs.launchpad.net/bugs/2139081

Title:
  AppArmor prevent Snap classic (unconfined) from using fuse
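
Review bot: in the snap/snapcraft.yaml region of the description change, the removed and added lines under `description: |`, `apps:` and `parts:` differ only in leading whitespace, yet the file is produced by `echo " ... " > snap/snapcraft.yaml`, so the reproduction only works if that nesting survives copy and paste. Attaching the snapcraft.yaml next to the built snap, or writing it with a quoted here-document, would keep the steps reproducible even if the tracker re-indents the text again.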
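
Added example, not part of the original report: a small triage parser for the AppArmor audit records quoted in the journalctl output above, grouping denials by confined profile, operation and the object that was refused. Two of the four records from the report are embedded as sample input (journal prefix trimmed); the function names are this example's own.

```python
import re
from collections import Counter

# Two of the four audit records quoted in the report (journal prefix trimmed).
SAMPLE = '''\
audit: type=1400 audit(1769436201.051:386): apparmor="DENIED" operation="file_inherit" class="net" profile="fusermount3" pid=15270 comm="fusermount3" family="unix" sock_type="stream" protocol=0 requested="send receive" denied="send receive" addr=none peer_addr=none peer="snap.memfs-ll-classic.memfs-ll"
audit: type=1400 audit(1769436201.051:387): apparmor="DENIED" operation="open" class="file" info="Failed name lookup - disconnected path" error=-13 profile="fusermount3" name="apparmor/.null" pid=15270 comm="fusermount3" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
'''

# key="quoted value" or key=bare_value; quoted values may contain spaces.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line):
    """Return the key/value fields of one AppArmor audit record, or None."""
    if 'apparmor="' not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}


def summarize(text):
    """Count DENIED records by (profile, operation, class, object, access)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_record(line)
        if not rec or rec.get("apparmor") != "DENIED":
            continue
        # Socket denials carry the peer's label; file denials carry a path.
        obj = rec.get("peer") or rec.get("name") or "?"
        access = rec.get("denied") or rec.get("denied_mask") or "?"
        key = (rec.get("profile", "?"), rec.get("operation", "?"),
               rec.get("class", "?"), obj, access)
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize(SAMPLE).items():
        print(n, *key, sep="\t")
```

Grouping this way separates the refused unix-socket inheritance (peer is the snap's label) from the follow-on `apparmor/.null` open that AppArmor substitutes for the revoked descriptor.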
