aa-genprof: FileNotFoundError: apparmor.get_full_path(profiling)
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
AppArmor |
New
|
Undecided
|
Unassigned |
Bug Description
Apologies for the lengthy bug report as I do not have sufficient knowledge to how AppArmor and Snap-Store works to be able to provide specific evidence of actions and outcomes. However, I am happy to see I am not the only one on the internet who struggles with AppArmor and the usability behind it.
NOTE: For some reason attachments does not work so the bottom have the content of the TXT log file.
=====EXPERIENCE
-Stage 1-
As a new user to Ubuntu who just migrated from Windows 7,
the user installed Freemind using Snap-Store,
but every time the user tried to open a Freemind mindmap that is on in the ./media/
"cmd_run.go:884: WARNING: cannot create user data directory: cannot create "/home/
cannot read mount namespace identifier of pid 1: Permission denied".
-Stage 2-
After executing "sudo aa-logprof" as internet search results pointed towards AppArmor,
the Snap-Store GUI stopped working. The user just selected (I) or (A)llow for everything that returned.
There might have been a chance that "sudo aa-genprof freemind" was executed before this.
-Stage 3-
When executing "snap-store" or "freemind" from terminal the following error message is displayed:
"cannot self-bind mount /run/snapd/ns: Permission denied"
-Stage 4-
The user opened "Software" (Location: /usr/share/
"cannot self-bind mount /run/snapd/ns: Permission denied"
-Stage 5-
Further research on the internet someone mentioned on a forum that this kind of behaviour is possibly due to using the "Software" application to install "Snap-Store" and not "Snapd".
-Stage 6-
Then executed "sudo snap remove snap-store" and "sudo snap remove freemind".
Then executed "sudo snap install snap-store" and "sudo snap install freemind".
The install completed successfully.
-Stage 7-
When executing "sudo aa-genprof snap-store", no new events are found during the (S)can system log, so the user can only (F)inish.
-Stage 8-
This is when the user assumed since the error was "snapd" that the issue will be resolved by executing "sudo aa-genprof snapd". This then displayed the content stated in the attached file and instructions.
-Stage 9-
When executing "sudo aa-genprof snapd" again the following error message is displayed:
"ERROR: Can't find snapd in the system path list. If the name of the application
is correct, please run 'which snapd' as a user with correct PATH
environment set up in order to find the fully-qualified path and
use the full path as parameter."
-Stage 10-
When executing "which snapd" no results are returned.
=====EXPECTATIO
1. "Snap-Store" should have better permission options available. "Snap-Store" has 5 permissions where "Freemind" only had 2 permissions. General apps that allow users to CRUD files should include accessing removable media permission options.
2. AppArmor should have a better approach for users, especially new users, to troubleshoot and configuring permissions.
3. Permission error messages related to AppArmor must be more specific and user friendly to improve the communication and troubleshooting between users and the community. The error codes was not found using Google.
4. There really MUST be an easier way to move an application/
=====SYSTEM CONFIGURATION=====
Operating System: Kubuntu 19.10
KDE Plasma Version: 5.16.5
KDE Frameworks Version: 5.62.0
Qt Version: 5.12.4
Kernel Version: 5.3.0-26-generic
OS Type: 64-bit
Processors: 4 × Intel® Core™ i3 CPU M 350 @ 2.27GHz
Memory: 7,6 GiB of RAM
=====APPARMOR PROFILES CONFIGURATION=====
apparmor module is loaded.
80 profiles are loaded.
59 profiles are in enforce mode.
/home/
/sbin/dhclient
/snap
/snap/
/snap/
/snap/
/usr/bin/evince
/usr/
/usr/
/usr/
/usr/
/usr/bin/man
/usr/bin/snap
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/sbin/cupsd
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
chromium_
chromium_
chromium_
libreoffice-
libreoffice-
libreoffice-
lsb_release
man_filter
man_groff
nvidia_modprobe
nvidia_
snap-
snap-
snap-
snap-
snap-
snap-
snap-
snap-
snap.
snap.
snap.
snap.
snap.
snap.
snap.
snap.
snap.
snap.
21 profiles are in complain mode.
/usr/
/usr/
avahi-daemon
chromium_browser
chromium_
chromium_
chromium_
identd
klogd
libreoffice-
libreoffice-
mdnsd
nmbd
nscd
ping
smbd
smbldap-useradd
smbldap-
syslog-ng
syslogd
traceroute
6 processes have profiles defined.
4 processes are in enforce mode.
/usr/
/usr/sbin/cupsd (606)
/usr/
/usr/sbin/mysqld (1806) /usr/sbin/
2 processes are in complain mode.
/usr/
/usr/
0 processes are unconfined but have a profile defined.
=====CONTENT OF TXT FILE LOGGED=====
<pre>Traceback (most recent call last):
File "/usr/sbin/
program = apparmor.
File "/usr/lib/
path = os.getcwd() + '/' + path
FileNotFoundError: [Errno 2] No such file or directory
</pre>
Please consider reporting a bug at https:/
and attach this file.
Hello Nicolaas,
I'm sorry for the frustrations.
Snap manages its permissions entirely on its own. Its profiles are not meant to be adapted by hand with aa-logprof or a text editor.
See: /snapcraft. io/docs/ interface- management /snapcraft. io/docs/ supported- interfaces
https:/
for a high-level overview of how this works, and:
https:/
for a (possibly non-exhaustive) list of interfaces that packagers can use and roughly what those interfaces mean.
Probably there's a way to allow access to the files that you want with the snap package that you have, via "snap connect".
For your immediate problem, I suggest posting something very similar to this bug report into the snapcraft forums: https:/ /forum. snapcraft. io/categories Hopefully someone there will have better advice on the correct path forward.
Thanks