snap-confine has elevated permissions and is not confined but should be

Bug #1732409 reported by David
This bug affects 7 people
Affects          Status        Importance  Assigned to  Milestone
snapd (Ubuntu)   Fix Released  Undecided   Unassigned   (none)

Bug Description

Running snapd on PureOS 8.0 (rolling release ~= Debian main testing). A recent update:
* upgraded to Linux kernel 4.13
* enabled AppArmor

Since then I can no longer `snap run packagename`. I get the following error:

snap-confine has elevated permissions and is not confined but should be. Refusing to continue to avoid permission escalation attacks

This has been reported on other non-Ubuntu distros:

* https://askubuntu.com/questions/888497
* https://unix.stackexchange.com/questions/379421

Could this be related to https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1682023 ?

Please advise if this should be addressed downstream.

David (lofidevops)
description: updated

David (lofidevops) wrote :

I did the following and I get the same error:

    $ sudo apt purge snapd snap-confine && sudo apt install -y snapd
    $ sudo snap install pycharm-community --classic
    $ snap run pycharm-community
    snap-confine has elevated permissions and is not confined but should be. Refusing to continue to avoid permission escalation attacks

From `sudo aa-status | grep snap`:

    /usr/lib/snapd/snap-confine
    /usr/lib/snapd/snap-confine//mount-namespace-capture-helper

Workaround:

* Navigate to /snap/APPNAME/current/
* Find launch binary
* Run the launch binary

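The refusal quoted above is snap-confine declining to run when it holds elevated privileges, the kernel has AppArmor enabled, but no AppArmor profile is confining it. The script below is an added example (not code from this bug report or from snapd) that reproduces that three-part decision offline, so a packager or administrator can see which condition is unmet before reaching for the unconfined launch-binary workaround. Assumptions: the function names are hypothetical; AppArmor state is read from a sysfs root passed in (`/sys` on a live system); and "confined" is approximated by the binary's path appearing as a loaded profile in a captured `aa-status` listing, rather than by reading `/proc/self/attr/current` as the real binary does.

```shell
#!/bin/sh
# Added example, not part of the bug report or of snapd's own code: an
# offline approximation of the check behind "snap-confine has elevated
# permissions and is not confined but should be". The binary refuses when
# (1) it runs with elevated privileges, (2) the kernel has AppArmor enabled,
# and (3) no AppArmor profile confines it. Every input is a path passed in,
# so the checks can be exercised against constructed files.

# is_setuid PATH -> true when the setuid bit is set on PATH
# (snap-confine is installed setuid root: the "elevated permissions" part)
is_setuid() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ???[sS]*) return 0 ;;
        *) return 1 ;;
    esac
}

# apparmor_enabled SYSFS_ROOT -> true when the kernel reports AppArmor enabled.
# On a live system SYSFS_ROOT is /sys and the parameter file reads "Y".
apparmor_enabled() {
    f="$1/module/apparmor/parameters/enabled"
    [ -r "$f" ] && [ "$(cat "$f")" = "Y" ]
}

# profile_loaded AA_STATUS_FILE PATH -> true when PATH is listed as a loaded
# profile in a capture of `aa-status` output (as pasted in the report above).
# Assumption: a loaded profile named after the binary path means "confined".
profile_loaded() {
    grep -qxF "$2" "$1"
}

# diagnose PATH SYSFS_ROOT AA_STATUS_FILE
# Prints one line explaining the verdict; returns 0 when the binary would be
# allowed to run and 1 when it would refuse, mirroring the message above.
diagnose() {
    bin=$1; sysfs=$2; aa=$3
    if ! is_setuid "$bin"; then
        echo "ok: $bin has no elevated permissions"
        return 0
    fi
    if ! apparmor_enabled "$sysfs"; then
        echo "ok: AppArmor is disabled in the kernel, so confinement is not expected"
        return 0
    fi
    if profile_loaded "$aa" "$bin"; then
        echo "ok: $bin is setuid and confined by a loaded AppArmor profile"
        return 0
    fi
    echo "refuse: $bin has elevated permissions and is not confined but should be"
    return 1
}

# Usage on a live system (aa-status needs root):
#   sudo aa-status > /tmp/aa-status.txt
#   diagnose /usr/lib/snapd/snap-confine /sys /tmp/aa-status.txt
```

When the verdict is "refuse", the fix belongs in packaging (a loaded profile for the setuid binary, or building without `--disable-apparmor` as the snapd comment below suggests), not in running the snap's launch binary unconfined.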
Zygmunt Krynicki (zyga) wrote :

This issue is related to the fact that Debian has recently enabled AppArmor by default. https://forum.snapcraft.io/t/snapd-2-27-6-2-in-debian-sid-blocked-on-apparmor-in-kernel-4-13-0-1/2813

We are working on resolving the situation.

Changed in snapd (Ubuntu):
status: New → Confirmed
Zygmunt Krynicki (zyga) wrote :

Packages; one thing you should do (or derive from Debian once the next release is ready) is to stop passing `--disable-apparmor` to configure. This coupled with a patch to snapd (which is still in progress) should be sufficient for solving the problem.

David (lofidevops) wrote :

I am now able to execute "snap run pycharm-community" without a workaround. Running:

snap 2.31.1
snapd 2.31.1
series 16
pureos 8.0
kernel 4.14.0-3-amd64

Changed in snapd (Ubuntu):
status: Confirmed → Fix Released