snapd

cannot read mount namespace identifier of pid 1: Permission denied, on OpenSUSE Tumbleweed with Linux 5.0

Bug #1821396 reported by Linus Kardell on 2019-03-22

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	snapd	Fix Released	High	Zygmunt Krynicki

Bug Description

When I try to run a snap I get an error message saying `cannot read mount namespace identifier of pid 1: Permission denied`, and in /var/log/audit/audit.log I get `type=AVC msg=audit(1553279757.513:482): apparmor="DENIED" operation="ptrace" profile="/usr/lib/snapd/snap-confine" pid=24430 comm="snap-confine" requested_mask="read" denied_mask="read" peer="unconfined"`.
This is on OpenSUSE Tumbleweed 20190318 with Linus 15.0.2 (`Linux sudda.kvasta 5.0.2-1-default #1 SMP Thu Mar 14 08:29:17 UTC 2019 (d1f1d19) x86_64 x86_64 x86_64 GNU/Linux`).

Zygmunt Krynicki (zyga) on 2019-03-22

Changed in snapd:
status:	New → Triaged
importance:	Undecided → High
assignee:	nobody → Zygmunt Krynicki (zyga)

Revision history for this message

Zygmunt Krynicki (zyga) wrote on 2019-10-07:

Hello

Are you still getting this issue with snapd 2.41?

Changed in snapd:
status:	Triaged → Incomplete

Revision history for this message

Linus Kardell (linagkar) wrote on 2019-10-07:

No, it seems like it went away now.

Zygmunt Krynicki (zyga) on 2019-10-08

Changed in snapd:
status:	Incomplete → Fix Released

Revision history for this message

Linus Kardell (linagkar) wrote on 2019-10-08:

Now it's happening again. Earlier I updated snapd (from 2.39) and the problem went away, but then it came back after a reboot. Now I reinstalled snapd, and the problem went away again, and rebooted again and the problem came back. So it seems it works properly from when update snapd until I reboot.

Revision history for this message

Zygmunt Krynicki (zyga) wrote on 2019-10-09:

Hello

Can you look at /var/log/audit/audit.log and check what kind of DENIED messages (grep for them please) are reported?

Can you separately check the status of: systemctl status snapd.apparmor.service -- I wonder if the service is enabled and running.

Revision history for this message

Linus Kardell (linagkar) wrote on 2019-10-10:

denied.audit.log Edit (27.1 KiB, text/plain)

I've attached the output of "grep DENIED /var/log/audit/audit.log".

snapd.apparmor.service seems to be have run correctly:

● snapd.apparmor.service - Load AppArmor profiles managed internally by snapd
   Loaded: loaded (/usr/lib/systemd/system/snapd.apparmor.service; enabled; vendor preset: disabled)
   Active: active (exited) since Thu 2019-10-10 16:17:55 CEST; 27min ago
Main PID: 1612 (code=exited, status=0/SUCCESS)
    Tasks: 0 (limit: 4915)
   Memory: 0B
   CGroup: /system.slice/snapd.apparmor.service

okt 10 16:17:55 sudda systemd[1]: Starting Load AppArmor profiles managed internally by snapd...
okt 10 16:17:55 sudda systemd[1]: Started Load AppArmor profiles managed internally by snapd.

Revision history for this message

Linus Kardell (linagkar) wrote on 2020-04-07:

I think I've now managed to resolve this, bases on things I learned from https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1814141. In /etc/apparmor.d/, in addition to usr.lib.snapd.snap-confine I also had usr.lib.snapd.snap-confine.rpmsave and usr.lib.snapd.snap-confine.old. The latter is presumably some backup I made when editing usr.lib.snapd.snap-confine, but I don't remember. After removing it and restarting apparmor, snaps work again.

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Bug attachments

denied.audit.log Edit

Add attachment

Remote bug watches

Bug watches keep track of this bug in other bug trackers.