Interface manager ought to monitor the status of apparmor.service and snapd.apparmor.service, warn if any is disabled or failed

Bug #1806135 reported by Zygmunt Krynicki
This bug affects 3 people
Affects | Status  | Importance | Assigned to | Milestone
snapd   | Triaged | High       | Unassigned  |

Bug Description

On some systems, snapd relies on apparmor.service and snapd.apparmor.service systemd units to load apparmor profiles on boot.
As we found in https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1803476, apparmor.service may be disabled for arbitrary reasons, leading to hard-to-diagnose issues.
Also, snapd.apparmor.service may be disabled for arbitrary reasons, leading to hard-to-diagnose issues.
The interface manager's ensure method might ask systemd about the state of apparmor.service and snapd.apparmor.service.
If any such unit exists but is disabled or exited with failure, issue a warning about it to the user.
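As an added illustration of the check proposed above (example code written for this page, not snapd's own interface manager), the snippet below asks systemd for the `LoadState`, `UnitFileState`, `ActiveState` and `Result` properties of the two units via `systemctl show`, and emits a warning only when a unit exists but is disabled, masked or ended in failure. The property names are real systemd properties; the sample outputs used for testing are constructed, and the warning texts are this example's own wording.

```go
package main

import (
	"bufio"
	"fmt"
	"os/exec"
	"strings"
)

// unitState holds the systemd properties relevant to the proposed check.
type unitState struct {
	Name          string
	LoadState     string // "loaded" or "not-found"
	UnitFileState string // "enabled", "disabled", "static", "masked", ...
	ActiveState   string // "active", "inactive", "failed", ...
	Result        string // "success", "exit-code", "signal", ...
}

// parseSystemctlShow parses the Key=Value lines printed by
// `systemctl show -p LoadState -p UnitFileState -p ActiveState -p Result <unit>`.
func parseSystemctlShow(name, output string) unitState {
	st := unitState{Name: name}
	sc := bufio.NewScanner(strings.NewReader(output))
	for sc.Scan() {
		kv := strings.SplitN(sc.Text(), "=", 2)
		if len(kv) != 2 {
			continue
		}
		switch kv[0] {
		case "LoadState":
			st.LoadState = kv[1]
		case "UnitFileState":
			st.UnitFileState = kv[1]
		case "ActiveState":
			st.ActiveState = kv[1]
		case "Result":
			st.Result = kv[1]
		}
	}
	return st
}

// warningFor returns the warning text for one unit, or "" when nothing is wrong.
// Units that are not installed at all are ignored, matching the description
// ("if any such unit exists but is disabled or exited with failure").
func warningFor(st unitState) string {
	if st.LoadState == "" || st.LoadState == "not-found" {
		return ""
	}
	switch {
	case st.UnitFileState == "masked":
		return fmt.Sprintf("%s is masked; AppArmor profiles will not be loaded on boot", st.Name)
	case st.UnitFileState == "disabled":
		return fmt.Sprintf("%s is disabled; AppArmor profiles will not be loaded on boot", st.Name)
	case st.ActiveState == "failed" || (st.Result != "" && st.Result != "success"):
		return fmt.Sprintf("%s failed (result=%s); see `journalctl -u %s`", st.Name, st.Result, st.Name)
	}
	return ""
}

// queryUnit runs systemctl on the live system. It returns an error when
// systemctl cannot be executed (for example on a system without systemd).
func queryUnit(name string) (unitState, error) {
	out, err := exec.Command("systemctl", "show",
		"-p", "LoadState", "-p", "UnitFileState", "-p", "ActiveState", "-p", "Result", name).Output()
	if err != nil {
		return unitState{}, err
	}
	return parseSystemctlShow(name, string(out)), nil
}

// Constructed sample outputs (not captured from a real machine) covering the
// situations the bug describes: disabled, failed, healthy, and absent unit.
const (
	sampleDisabled = "LoadState=loaded\nUnitFileState=disabled\nActiveState=inactive\nResult=success\n"
	sampleFailed   = "LoadState=loaded\nUnitFileState=enabled\nActiveState=failed\nResult=exit-code\n"
	sampleHealthy  = "LoadState=loaded\nUnitFileState=enabled\nActiveState=active\nResult=success\n"
	sampleMissing  = "LoadState=not-found\nUnitFileState=\nActiveState=inactive\nResult=success\n"
)

func main() {
	for _, u := range []string{"apparmor.service", "snapd.apparmor.service"} {
		st, err := queryUnit(u)
		if err != nil {
			fmt.Printf("cannot query %s: %v\n", u, err)
			continue
		}
		if w := warningFor(st); w != "" {
			fmt.Println("WARNING:", w)
		} else {
			fmt.Printf("%s: ok\n", u)
		}
	}
}
```

Note that `systemctl show` exits successfully even for a unit that does not exist, reporting `LoadState=not-found`, which is why the check keys on that property rather than on the command's exit status.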

Tags: jammy
Changed in snapd:
status: New → Triaged
Kevin Dalley (nereocystis) wrote:

Great idea.

Thanks.

Cormac Long (clong150) wrote:

+1 point:
As I commented in https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1803476 (comment 21), AppArmor may be disabled for good reason - e.g. to allow various docker control commands to work.

Etienne URBAH (eurbah)
summary: - Interface manager ought to monitor the status of apparmor.service, warn
- when disabled
+ Interface manager ought to monitor the status of apparmor.service and
+ snapd.apparmor.service, warn if any is disabled or failed
Etienne URBAH (eurbah)
description: updated
Etienne URBAH (eurbah)
tags: added: jammy
Etienne URBAH (eurbah) wrote:

With Ubuntu 22.04 (Jammy Jellyfish), the much used firefox software is now delivered as a snap.

On failure to start firefox, users must, when appropriate, receive a useful error message about apparmor or snapd.apparmor instead of the obscure:

cannot change profile for the next exec call: No such file or directory
snap-update-ns failed with code 1

So, can you bump the importance of this issue?

Alberto Mardegan (mardy)
Changed in snapd:
importance: Wishlist → Medium
importance: Medium → High
Alberto Mardegan (mardy) wrote:

Hi Etienne, I've raised the urgency to "high" only, because it's not clear how many people are affected (I myself am not aware of similar issues other than yours). Though indeed we are aware that such a situation can happen.

A note that might be useful for us working on this bugfix: when the snapd.apparmor service does not start, one can see either the message

    snap-confine has elevated permissions and is not confined but should be. Refusing to continue to avoid permission escalation attacks

or

    cannot change profile for the next exec call: No such file or directory
    snap-update-ns failed with code 1

depending on whether the profile of snap-confine was loaded or not, and this in turn depends on whether snapd is run as a deb package or a snap, respectively.

Nicolás Barnafi (santral) wrote:

Hi all,

Not sure if I saw it in the other bug reports, but I have a similar issue after booting. I can't launch Firefox unless I run

    sudo systemctl start snapd.apparmor

The workaround is simple, but it can be hard to catch, as running Firefox from a GUI just silently doesn't open.

Let me know if I can provide further details to help.

Best
