apparmor profiles do not load after reboot on Arch

Bug #1982701 reported by Ejebejtnsksnfn

This bug report will be marked for expiration in 14 days if no further activity occurs.

This bug affects 1 person

Affects  Status      Importance  Assigned to  Milestone
snapd    Incomplete  Undecided   Unassigned

Bug Description

I installed snap on Arch Linux and followed the Arch Wiki guide to set up AppArmor (https://wiki.archlinux.org/title/Snap) so that snaps would be contained.

However, snaps fail to launch.

[evan@evan-archlinux ~]$ hello-world
cannot change profile for the next exec call: No such file or directory
snap-update-ns failed with code 1

By running aa-status, I can see that 52 profiles are loaded but none are about the hello-world snap.

[evan@evan-archlinux ~]$ sudo aa-status
[sudo] password for evan:
apparmor module is loaded.
52 profiles are loaded.
52 profiles are in enforce mode.
   /usr/lib/apache2/mpm-prefork/apache2
   /usr/lib/apache2/mpm-prefork/apache2//DEFAULT_URI
   /usr/lib/apache2/mpm-prefork/apache2//HANDLING_UNTRUSTED_INPUT
   /usr/lib/apache2/mpm-prefork/apache2//phpsysinfo
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   apache2
   apache2//DEFAULT_URI
   apache2//HANDLING_UNTRUSTED_INPUT
   apache2//phpsysinfo
   avahi-daemon
   dnsmasq
   dnsmasq//libvirt_leaseshelper
   dovecot
   dovecot-anvil
   dovecot-auth
   dovecot-config
   dovecot-deliver
   dovecot-dict
   dovecot-dovecot-auth
   dovecot-dovecot-lda
   dovecot-dovecot-lda//sendmail
   dovecot-imap
   dovecot-imap-login
   dovecot-lmtp
   dovecot-log
   dovecot-managesieve
   dovecot-managesieve-login
   dovecot-pop3
   dovecot-pop3-login
   dovecot-script-login
   dovecot-ssl-params
   dovecot-stats
   identd
   klogd
   lsb_release
   mdnsd
   nmbd
   nscd
   ntpd
   nvidia_modprobe
   nvidia_modprobe//kmod
   php-fpm
   ping
   samba-bgqd
   smbd
   smbldap-useradd
   smbldap-useradd///etc/init.d/nscd
   syslog-ng
   syslogd
   traceroute
   winbindd
0 profiles are in complain mode.
0 profiles are in kill mode.
0 profiles are in unconfined mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.
0 processes are in kill mode.

However, if I remove the hello-world snap and reinstall it, I can see that 57 apparmor profiles are loaded, including ones about the hello-world snap.

[evan@evan-archlinux ~]$ sudo aa-status
apparmor module is loaded.
57 profiles are loaded.
57 profiles are in enforce mode.
   /usr/lib/apache2/mpm-prefork/apache2
   /usr/lib/apache2/mpm-prefork/apache2//DEFAULT_URI
   /usr/lib/apache2/mpm-prefork/apache2//HANDLING_UNTRUSTED_INPUT
   /usr/lib/apache2/mpm-prefork/apache2//phpsysinfo
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   apache2
   apache2//DEFAULT_URI
   apache2//HANDLING_UNTRUSTED_INPUT
   apache2//phpsysinfo
   avahi-daemon
   dnsmasq
   dnsmasq//libvirt_leaseshelper
   dovecot
   dovecot-anvil
   dovecot-auth
   dovecot-config
   dovecot-deliver
   dovecot-dict
   dovecot-dovecot-auth
   dovecot-dovecot-lda
   dovecot-dovecot-lda//sendmail
   dovecot-imap
   dovecot-imap-login
   dovecot-lmtp
   dovecot-log
   dovecot-managesieve
   dovecot-managesieve-login
   dovecot-pop3
   dovecot-pop3-login
   dovecot-script-login
   dovecot-ssl-params
   dovecot-stats
   identd
   klogd
   lsb_release
   mdnsd
   nmbd
   nscd
   ntpd
   nvidia_modprobe
   nvidia_modprobe//kmod
   php-fpm
   ping
   samba-bgqd
   smbd
   smbldap-useradd
   smbldap-useradd///etc/init.d/nscd
   snap-update-ns.hello-world
   snap.hello-world.env
   snap.hello-world.evil
   snap.hello-world.hello-world
   snap.hello-world.sh
   syslog-ng
   syslogd
   traceroute
   winbindd
0 profiles are in complain mode.
0 profiles are in kill mode.
0 profiles are in unconfined mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.
0 processes are in kill mode.

The snap runs correctly now that it has an apparmor profile (and as a side note, I tested the hello-world.evil and the confinement did work correctly), but will no longer work after a reboot due to the profiles not loading correctly. By going to /var/lib/snapd/apparmor/profiles, I can see that the profiles are there but not getting loaded. This is not limited to hello-world, and affects all the snaps I have tried on this system (firefox, bitwarden, neovim).

Additional info about system:

[evan@evan-archlinux ~]$ snap version
snap 2.56.3-1
snapd 2.56.3-1
series 16
arch -
kernel 5.18.14-arch1-1

Ejebejtnsksnfn (eheuebrbtjsjwbrbd) wrote:

I am also reinstalling Ubuntu very soon, so I'm going to try and give as much information as I can before doing so.

[evan@evan-archlinux ~]$ neofetch
OS: Arch Linux x86_64
Host: MS-7C56 2.0
Kernel: 5.18.14-arch1-1
Uptime: 38 mins
Packages: 668 (pacman), 15 (snap)
Shell: bash 5.1.16
Resolution: 1920x1080
DE: GNOME 42.3.1
WM: Mutter
WM Theme: Adwaita
Theme: adw-gtk3 [GTK2/3]
Icons: Adwaita [GTK2/3]
Terminal: gnome-terminal
CPU: AMD Ryzen 5 5600X (12) @ 3.700GHz
GPU: AMD ATI Radeon RX 6700/6700 XT/6750 XT / 6800M
Memory: 1462MiB / 15920MiB

[evan@evan-archlinux ~]$ snap list
Name Version Rev Tracking Publisher Notes
adw-gtk3-theme 1.0 1 latest/stable mj-keyle -
bare 1.0 5 latest/stable canonical✓ base
bitwarden 2022.6.2 72 latest/stable bitwarden✓ -
core 16-2.56.2 13425 latest/stable canonical✓ core
core18 20220706 2538 latest/stable canonical✓ base
core20 20220706 1581 latest/stable canonical✓ base
firefox 102.0.1-1 1551 latest/stable mozilla✓ -
gnome-3-28-1804 3.28.0-19-g98f9e67.98f9e67 161 latest/stable canonical✓ -
gnome-3-38-2004 0+git.891e5bc 112 latest/stable canonical✓ -
gtk-common-themes 0.1-81-g442e511 1535 latest/stable canonical✓ -
hello-world 6.4 29 latest/stable canonical✓ -
nvim v0.7.0 2181 latest/stable neovim-snap classic
snapd 2.56.2 16292 latest/stable canonical✓ snapd
snapd-desktop-integration 0.1 14 latest/stable canonical✓ -

[evan@evan-archlinux ~]$ systemctl status apparmor
● apparmor.service - Load AppArmor profiles
     Loaded: loaded (/usr/lib/systemd/system/apparmor.service; enabled; preset: disabled)
     Active: active (exited) since Sun 2022-07-24 18:19:27 EDT; 42min ago
   Main PID: 1362 (code=exited, status=0/SUCCESS)
        CPU: 3.483s

Jul 24 18:19:26 evan-archlinux apparmor.systemd[1362]: Restarting AppArmor
Jul 24 18:19:26 evan-archlinux apparmor.systemd[1362]: Reloading AppArmor profiles
Jul 24 18:19:27 evan-archlinux systemd[1]: Finished Load AppArmor profiles.
Notice: journal has been rotated since unit was started, output may be incomplete.

[evan@evan-archlinux ~]$ systemctl status snapd
● snapd.service - Snap Daemon
     Loaded: loaded (/usr/lib/systemd/system/snapd.service; disabled; preset: disabled)
     Active: active (running) since Sun 2022-07-24 18:23:49 EDT; 39min ago
TriggeredBy: ● snapd.socket
   Main PID: 3687 (snapd)
      Tasks: 19 (limit: 19079)
     Memory: 79.9M
        CPU: 1.509s
     CGroup: /system.slice/snapd.service
             └─3687 /usr/lib/snapd/snapd

Jul 24 18:23:49 evan-archlinux snapd[3687]: overlord.go:268: Acquired state lock file
Jul 24 18:23:49...

Sergio Cazzolato (sergio-j-cazzolato) wrote:

Hi, have you enabled the apparmor and snapd.apparmor services before or after installing the hello-world snap?

Zygmunt Krynicki (zyga)
Changed in snapd:
status: New → Incomplete
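
A check for the failure mode reported above (profile files present under /var/lib/snapd/apparmor/profiles but absent from the kernel's loaded set), as an added example that is not part of the bug report or of snapd's code. It assumes each file in that directory is named after the profile it defines and that the loaded list uses the "name (mode)" line format of /sys/kernel/security/apparmor/profiles; the function names missing_profiles and demo are hypothetical.

```shell
#!/bin/sh
# Added example: report snapd AppArmor profiles that exist on disk but are
# not in the kernel's loaded set (the post-reboot state in this report).
# Assumption: each file in the profile directory is named after the profile
# it defines, e.g. snap.hello-world.evil.

# missing_profiles DIR LOADED_LIST
#   DIR         directory holding one profile file per profile
#   LOADED_LIST file with one "name (mode)" line per loaded profile, the
#               format of /sys/kernel/security/apparmor/profiles
# Prints the profile names found in DIR but absent from LOADED_LIST.
missing_profiles() {
    dir=$1
    loaded=$2
    # Drop the trailing " (enforce)" / " (complain)" mode suffix.
    names=$(sed 's/ ([a-z]*)$//' "$loaded") || return 2
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        # -F: dots are literal; -x: whole-line match, so snap.hello-world.sh
        # is not satisfied by a longer name that merely contains it.
        printf '%s\n' "$names" | grep -Fxq -- "$name" || printf '%s\n' "$name"
    done | LC_ALL=C sort
}

# Constructed sample mirroring the report: five hello-world profile files on
# disk, while the loaded list holds only non-snap and snap-confine profiles.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/profiles"
    for p in snap-update-ns.hello-world snap.hello-world.env \
             snap.hello-world.evil snap.hello-world.hello-world \
             snap.hello-world.sh; do
        : > "$tmp/profiles/$p"
    done
    cat > "$tmp/loaded" <<'EOF'
/usr/lib/snapd/snap-confine (enforce)
/usr/lib/snapd/snap-confine//mount-namespace-capture-helper (enforce)
ping (enforce)
EOF
    missing_profiles "$tmp/profiles" "$tmp/loaded"
    rm -rf "$tmp"
}

demo
# On a live system (as root):
# missing_profiles /var/lib/snapd/apparmor/profiles /sys/kernel/security/apparmor/profiles
```

A non-empty result right after boot reproduces the state described in this report, where snaps fail with "cannot change profile for the next exec call" until their profiles are loaded.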