Comment 59 for bug 1620771

reetp (jcrisp) wrote :

> Hi reetp, I'm specifically addressing you because your use-case is exactly the case that I'm attempting to support in the "phase 1" of removing this annoying limitation

Hi, and thanks for looking!

Let me try it. I need to reinstall snapd.....done.

Xenial, all packages updated.

ii snapd 2.54.3+18.04.2ubuntu0.2 amd64 Daemon and tooling that enable snap packages

Note I already had this which was a fail.

cat /etc/apparmor.d/tunables/home.d/ubuntu

(This is the file auto-created with dpkg-reconfigure apparmor)

# This file is auto-generated. It is recommended you update it using:
# $ sudo dpkg-reconfigure apparmor
#
# The following is a space-separated list of where additional user home
# directories are stored, each must have a trailing '/'. Directories added
# here are appended to @{HOMEDIRS}. See tunables/home for details.
@{HOMEDIRS}+=/home/e-smith/files/users/

-------------------------------------------------------

Just to precis #6 and #7
https://bugs.launchpad.net/snappy/+bug/1620771/comments/6

Feel free to do one of:
$ sudo dpkg-reconfigure apparmor

Or drop a file into /etc/apparmor.d/tunables/home.d that has:
@{HOMEDIRS}+=/some/nonstandard/home/users/

I forgot to mention you'll need to reload the policy after doing this. So after adjusting the HOMEDIRS apparmor variable as stated in comment #6, I suggest:

$ sudo rm -f /etc/apparmor.d/cache/* /var/cache/apparmor/snap.*
$ sudo reboot

(there are other ways to do this without a reboot, but this should work regardless of what apparmor policy you have already generated)

-------------------------------------------------------

So I set the apparmor as above. Cleared the caches and rebooted.

john@xubuntu:~$ sudo snap install hello-world
hello-world 6.4 from Canonical✓ installed

john@xubuntu:~$ hello-world
cannot create user data directory: /home/e-smith/files/users/john/snap/hello-world/29: Permission denied

john@xubuntu:~$ sudo hello-world
Hello World!

john@xubuntu:~$ hello-world
cannot create user data directory: /home/e-smith/files/users/john/snap/hello-world/29: Permission denied

And then installed snap-store as well but can't run it as a user:

john@xubuntu:~$ snap-store
cannot create user data directory: /home/e-smith/files/users/john/snap/snap-store/558: Permission denied

john@xubuntu-8300-1:~$ ll /home/e-smith/files/users/john/snap/
total 16
drwx------ 4 john john 4096 Apr 20 17:14 ./
drwx------ 108 john john 4096 Apr 20 17:06 ../
drwxr-xr-x 4 john john 4096 Apr 20 17:00 hello-world/
drwxr-xr-x 4 john john 4096 Apr 20 17:14 snap-store/
john@xubuntu-8300-1:~$ ll /home/e-smith/files/users/john/snap/snap-store
total 16
drwxr-xr-x 4 john john 4096 Apr 20 17:14 ./
drwx------ 4 john john 4096 Apr 20 17:14 ../
drwxr-xr-x 2 john john 4096 Apr 20 17:14 558/
drwxr-xr-x 2 john john 4096 Apr 20 17:14 common/
lrwxrwxrwx 1 john john 3 Apr 20 17:14 current -> 558/

journalctl -xe

-- Subject: Unit UNIT has failed
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- Unit UNIT has failed.
--
-- The result is RESULT.
Apr 20 18:21:12 xubuntu systemd[3772]: snap.hello-world.hello-world.4de7faab-fc60-4c57-b492-ce3416d6b6cd.scope: Failed to add PIDs to scope's control group: Permission denied
Apr 20 18:21:12 xubuntu systemd[3772]: snap.hello-world.hello-world.4de7faab-fc60-4c57-b492-ce3416d6b6cd.scope: Failed with result 'resources'.
Apr 20 18:21:12 xubuntu systemd[3772]: Failed to start snap.hello-world.hello-world.4de7faab-fc60-4c57-b492-ce3416d6b6cd.scope.
-- Subject: Unit UNIT has failed

syslog

Apr 20 18:27:40 xubuntu-8300-1 systemd[3772]: snap.hello-world.hello-world.2f6ed7d4-34e8-41d1-acc5-c4f7d64f2fa1.scope: Failed to add PIDs to scope's control group: Permission denied
Apr 20 18:27:40 xubuntu-8300-1 systemd[3772]: snap.hello-world.hello-world.2f6ed7d4-34e8-41d1-acc5-c4f7d64f2fa1.scope: Failed with result 'resources'.
Apr 20 18:27:40 xubuntu-8300-1 systemd[3772]: Failed to start snap.hello-world.hello-world.2f6ed7d4-34e8-41d1-acc5-c4f7d64f2fa1.scope.
Apr 20 18:27:40 xubuntu-8300-1 kernel: [ 3337.306515] audit: type=1400 audit(1650472060.581:77): apparmor="DENIED" operation="open" profile="/snap/core/12834/usr/lib/snapd/snap-confine" name="/home/e-smith/files/" pid=4185 comm="snap-confine" requested_mask="r" denied_mask="r" fsuid=5001 ouid=0

Why this? name="/home/e-smith/files/" and not "/home/e-smith/files/users/" ?

One thing to note is on this box I use SSSD logins for authentication. However, it doesn't appear to show any errors, and others without that type of login/authent still have the same issue.

Let me know if you want further information/tests. Happy to try and debug it.
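
Added example, not part of the original comment: a Python check that reads the @{HOMEDIRS} entries from the tunables text and the AppArmor denial record quoted above, then reports whether the denied path lies inside a configured home directory or is an ancestor of one. The function names are hypothetical, and the sample inputs are copied from the comment rather than read from a live system.

```python
import re

# Sample inputs copied from the comment above (not read from a live system).
TUNABLE = """# This file is auto-generated. It is recommended you update it using:
# $ sudo dpkg-reconfigure apparmor
@{HOMEDIRS}+=/home/e-smith/files/users/
"""
AUDIT = ('Apr 20 18:27:40 xubuntu-8300-1 kernel: [ 3337.306515] audit: type=1400 '
         'audit(1650472060.581:77): apparmor="DENIED" operation="open" '
         'profile="/snap/core/12834/usr/lib/snapd/snap-confine" '
         'name="/home/e-smith/files/" pid=4185 comm="snap-confine" '
         'requested_mask="r" denied_mask="r" fsuid=5001 ouid=0')

def homedirs(tunable_text):
    """Directories assigned or appended to @{HOMEDIRS} (space-separated list)."""
    dirs = []
    for line in tunable_text.splitlines():
        line = line.split('#', 1)[0].strip()          # drop comments
        m = re.match(r'@\{HOMEDIRS\}\s*\+?=\s*(.*)$', line)
        if m:
            dirs.extend(m.group(1).split())
    return dirs

def parse_denial(line):
    """Key/value fields of an apparmor="DENIED" audit record, else None."""
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', line)
    fields = {k: v.strip('"') for k, v in pairs}
    return fields if fields.get('apparmor') == 'DENIED' else None

def classify(path, dirs):
    """Relate a denied path to the HOMEDIRS entries.

    'inside'    - path is at or below a HOMEDIRS entry
    'ancestor'  - path is a parent directory of a HOMEDIRS entry
    'unrelated' - neither
    """
    path = path if path.endswith('/') else path + '/'
    for d in dirs:
        if path.startswith(d):
            return ('inside', d)
    for d in dirs:
        if d.startswith(path):
            return ('ancestor', d)
    return ('unrelated', None)

if __name__ == '__main__':
    rec = parse_denial(AUDIT)
    print(rec['profile'], rec['name'], classify(rec['name'], homedirs(TUNABLE)))
```

For the record in this comment the result is 'ancestor': the denied read is on /home/e-smith/files/, a parent of the HOMEDIRS entry /home/e-smith/files/users/ rather than a path under it.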