Snapcraft

Bug #1982401
Comment #4

Comment 4 for bug 1982401

Revision history for this message

Paul Eggert (eggert-cs) wrote on 2022-08-01:

After reproducing the bug, here's the journalctl -t audit output:

Aug 01 08:33:56 day audit[4553]: AVC apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/home/eggert/.bashrc" pid=4553 comm="desktop-launch" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

One more thing. The first time I tried to reproduce the bug (soon after logging in) the symptoms were different and unusual:

$ chromium --version
update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/libreoffice/help /usr/share/libreoffice/help none bind,ro 0 0): cannot create directory "/usr/share/libreoffice/help": permission denied
update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/xubuntu-docs /usr/share/xubuntu-docs none bind,ro 0 0): cannot open directory "/var/lib": permission denied
/bin/bash: warning: setlocale: LC_ALL: cannot change locale (en_US.utf8)
/bin/bash: /home/eggert/.bashrc: Permission denied
Chromium 103.0.5060.134 snap

I think the journalctl lines for this uncommon failure were as follows:

Aug 01 08:28:57 day audit[3504]: AVC apparmor="DENIED" operation="capable" profile="/snap/core/13425/usr/lib/snapd/snap-confine" pid=3504 comm="snap-confine" capability=4 capname="fsetid"
Aug 01 08:28:57 day audit[3529]: AVC apparmor="DENIED" operation="mkdir" profile="snap-update-ns.firefox" name="/usr/share/libreoffice/help/" pid=3529 comm="5" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
Aug 01 08:28:57 day audit[3529]: AVC apparmor="DENIED" operation="open" profile="snap-update-ns.firefox" name="/var/lib/" pid=3529 comm="5" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Aug 01 08:28:57 day audit[3504]: AVC apparmor="DENIED" operation="open" profile="snap.firefox.firefox" name="/home/eggert/.bashrc" pid=3504 comm="desktop-launch" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Aug 01 08:28:57 day audit[3504]: SECCOMP auid=1000 uid=1000 gid=1000 ses=3 subj=? pid=3504 comm="firefox" exe="/snap/firefox/1589/usr/lib/firefox/firefox" sig=0 arch=c000003e syscall=314 compat=0 ip=0x7f6727ffc73d code=0x50000

Although I was running Firefox at the time, I had launched Firefox from the desktop, not from that terminal session.

After reproducing the bug, here's the journalctl -t audit output:

One more thing. The first time I tried to reproduce the bug (soon after logging in) the symptoms were different and unusual:

I think the journalctl lines for this uncommon failure were as follows:

Aug 01 08:28:57 day audit[3504]: AVC apparmor="DENIED" operation="capable" profile="/snap/core/13425/usr/lib/snapd/snap-confine" pid=3504 comm="snap-confine" capability=4  capname="fsetid"
Aug 01 08:28:57 day audit[3529]: AVC apparmor="DENIED" operation="mkdir" profile="snap-update-ns.firefox" name="/usr/share/libreoffice/help/" pid=3529 comm="5" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
Aug 01 08:28:57 day audit[3529]: AVC apparmor="DENIED" operation="open" profile="snap-update-ns.firefox" name="/var/lib/" pid=3529 comm="5" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Aug 01 08:28:57 day audit[3504]: AVC apparmor="DENIED" operation="open" profile="snap.firefox.firefox" name="/home/eggert/.bashrc" pid=3504 comm="desktop-launch" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Aug 01 08:28:57 day audit[3504]: SECCOMP auid=1000 uid=1000 gid=1000 ses=3 subj=? pid=3504 comm="firefox" exe="/snap/firefox/1589/usr/lib/firefox/firefox" sig=0 arch=c000003e syscall=314 compat=0 ip=0x7f6727ffc73d code=0x50000

Although I was running Firefox at the time, I had launched Firefox from the desktop, not from that terminal session.