Snapd perspective:
==================

Investigation: https://warthogs.atlassian.net/browse/SNAPDENG-36362

Snapd reload of the snap-confine profile (backend.go) happens in
parallel to the service initiated snap-confine trying to switch to a
child profile.


apparmor -> snapd.apparmor -> snapd backend.go (reloads profile: p-v1 to p-v2)
                          |-> snap.docker.nvidia-container-toolkit.service -> snap-confine -> aa_change_hat(p-v1)


This can also be seen in the log:
-------------------------------------------------

Feb 04 18:21:38 ubuntu-Default-string systemd[1]: Starting snapd.apparmor.service - Load AppArmor profiles managed internally by snapd...

Feb 04 18:21:38 ubuntu-Default-string snapd-apparmor[1077]: main.go:146: Loading profiles ... snap-confine.snapd.25577 ... snap-confine.snapd.25935 ...

...

Feb 04 18:21:39 ubuntu-Default-string systemd[1]: Finished snapd.apparmor.service - Load AppArmor profiles managed internally by snapd.

...

Feb 04 18:21:43 ubuntu-Default-string snapd[1267]: backend.go:145: reloading profiles for snap-confine

...

Feb 04 18:21:43 ubuntu-Default-string kernel: audit: type=1400 audit(1770200503.714:210): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/lib/snapd/snap-confine" pid=1652 comm="apparmor_parser"

Feb 04 18:21:43 ubuntu-Default-string docker.nvidia-container-toolkit[1768]: cannot change apparmor hat: No child processes  <==== Tries to load HAT in the middle of profile replacement

Feb 04 18:21:43 ubuntu-Default-string kernel: audit: type=1400 audit(1770200503.718:211): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/lib/snapd/snap-confine//mount-namespace-capture-helper" pid=1652 comm="apparmor_parser"
-------------------------------------------------

This issue is not a regression:
--------------------------------------------
Both the AppArmor race and the snapd reloading of profiles are not new. The fact
that it was picked up in Resolute is attributed to subtle timing changes around
the race.

Workaround:
--------------------
We are working to remove the snap-confine child profile because it's not
required.
This workaround will NOT be available for snapd 2.74.1.

Fix:
-----
Requires apparmor fix: https://gitlab.com/apparmor/apparmor/-/issues/589

** Bug watch added: gitlab.com/apparmor/apparmor/-/issues #589
   https://gitlab.com/apparmor/apparmor/-/issues/589
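An added example (not snapd code and not part of this bug comment) showing how to spot the race described above in a journal export: it pairs each "cannot change apparmor hat" failure with the kernel profile_replace audit events logged within a one-second window around it. The sample lines are constructed from the ones quoted above, plus one later profile_replace (with an assumed timestamp and audit id) that must not be matched; the syslog-style line layout, the one-second window and the function names are assumptions of this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"time"
)

// Constructed sample journal lines: the first four are modelled on the log
// quoted in the bug report, the last one is an unrelated later reload that
// must not be correlated with the failure (timestamp and audit id invented).
var sampleJournal = []string{
	`Feb 04 18:21:43 ubuntu-Default-string snapd[1267]: backend.go:145: reloading profiles for snap-confine`,
	`Feb 04 18:21:43 ubuntu-Default-string kernel: audit: type=1400 audit(1770200503.714:210): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/lib/snapd/snap-confine" pid=1652 comm="apparmor_parser"`,
	`Feb 04 18:21:43 ubuntu-Default-string docker.nvidia-container-toolkit[1768]: cannot change apparmor hat: No child processes`,
	`Feb 04 18:21:43 ubuntu-Default-string kernel: audit: type=1400 audit(1770200503.718:211): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/lib/snapd/snap-confine//mount-namespace-capture-helper" pid=1652 comm="apparmor_parser"`,
	`Feb 04 18:25:00 ubuntu-Default-string kernel: audit: type=1400 audit(1770200700.000:212): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/lib/snapd/snap-confine" pid=1900 comm="apparmor_parser"`,
}

// Event is one parsed journal line (timestamp, emitting unit, message text).
type Event struct {
	When    time.Time
	Unit    string
	Message string
}

// Replace is a kernel profile_replace audit event and the profile it replaced.
type Replace struct {
	Event
	Name string // value of name="..." in the audit record
}

// RaceHit is a hat-change failure together with the profile replacements that
// were in flight around the same time.
type RaceHit struct {
	Failure  Event
	Replaces []Replace
}

// Assumed journal layout: "Mon DD HH:MM:SS host unit[pid]: message" (kernel
// lines carry no "[pid]").
var (
	lineRe = regexp.MustCompile(`^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) ([^:\[]+)(?:\[(\d+)\])?: (.*)$`)
	nameRe = regexp.MustCompile(`name="([^"]+)"`)
)

const stamp = "Jan _2 15:04:05" // journal short timestamps carry no year

func parseLine(s string) (Event, bool) {
	m := lineRe.FindStringSubmatch(s)
	if m == nil {
		return Event{}, false
	}
	t, err := time.Parse(stamp, m[1])
	if err != nil {
		return Event{}, false
	}
	return Event{When: t, Unit: m[3], Message: m[5]}, true
}

// FindHatRaces returns every "cannot change apparmor hat" failure that has at
// least one profile_replace audit event within +/- window of it.
func FindHatRaces(lines []string, window time.Duration) []RaceHit {
	var failures []Event
	var replaces []Replace
	for _, l := range lines {
		ev, ok := parseLine(l)
		if !ok {
			continue
		}
		switch {
		case strings.Contains(ev.Message, "cannot change apparmor hat"):
			failures = append(failures, ev)
		case ev.Unit == "kernel" && strings.Contains(ev.Message, `operation="profile_replace"`):
			if n := nameRe.FindStringSubmatch(ev.Message); n != nil {
				replaces = append(replaces, Replace{Event: ev, Name: n[1]})
			}
		}
	}
	var hits []RaceHit
	for _, f := range failures {
		hit := RaceHit{Failure: f}
		for _, r := range replaces {
			d := r.When.Sub(f.When)
			if d < 0 {
				d = -d
			}
			if d <= window {
				hit.Replaces = append(hit.Replaces, r)
			}
		}
		if len(hit.Replaces) > 0 {
			hits = append(hits, hit)
		}
	}
	return hits
}

func main() {
	for _, h := range FindHatRaces(sampleJournal, time.Second) {
		fmt.Printf("%s %s: hat change failed while these profiles were being replaced:\n",
			h.Failure.When.Format(stamp), h.Failure.Unit)
		for _, r := range h.Replaces {
			fmt.Printf("  %s\n", r.Name)
		}
	}
}
```

Run against a real `journalctl -k -u snapd -u snapd.apparmor -u <snap service>` export the same way; a hit whose replaced profile is the one the failing service is confined under is the signature of the reload/aa_change_hat overlap, while hat failures with no nearby profile_replace point at a different cause.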

https://bugs.launchpad.net/bugs/2139664

Title:
  snap service cannot change apparmor hat
