snapd is not removing apparmor profiles when removing snaps

Bug #1915823 reported by Alfonso Sanchez-Beato
This bug affects 1 person

Bug Description

Removing a snap is not removing related apparmor profiles from the kernel:

$ snap install bluez
$ snap remove bluez
$ snap list
Name Version Rev Tracking Publisher Notes
core 16- 10828 latest/stable canonical✓ core
core18 20210128 1990 latest/stable canonical✓ base
lxd 4.0.5 19206 4.0/stable/… canonical✓ -
snapd 11043 latest/stable canonical✓ snapd
$ sudo apparmor_status
apparmor module is loaded.
56 profiles are loaded.
56 profiles are in enforce mode.

Stracing snapd while removing the snap reveals that it is calling "apparmor_parser --replace" instead of "--remove":

Paweł Stołowski (stolowski) wrote :

This is an old problem, extensively documented in the code (interfaces/apparmor/apparmor.go) and explained in more detail by Jamie in the existing bug:

Marking as duplicate.
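
Added example, not part of the bug report or of snapd's code: a check for the condition reported above, listing loaded profiles whose owning snap is no longer installed. It assumes snapd's "snap.<snap>.<app>" and "snap-update-ns.<snap>" profile naming; the function names are hypothetical, and the profile lines and app names in demo are constructed.

```shell
#!/bin/sh
# List loaded AppArmor profiles that belong to snaps which are not installed.
#   $1: file in the format of /sys/kernel/security/apparmor/profiles
#   $2: installed snap names, one per line
#       (for example: snap list | awk 'NR>1 {print $1}')
stale_snap_profiles() {
    awk '
        FILENAME == ARGV[1] { if ($1 != "") installed[$1] = 1; next }
        {
            name = $0
            sub(/ \([a-z]+\)$/, "", name)        # drop the " (enforce)" suffix
            if (name ~ /^snap-update-ns\./)
                owner = substr(name, 16)         # text after "snap-update-ns."
            else if (name ~ /^snap\./) {
                owner = substr(name, 6)          # text after "snap."
                sub(/\..*$/, "", owner)          # snap names contain no dots
            } else
                next                             # not a per-snap profile
            sub(/\/\/.*$/, "", owner)            # child profile "parent//child"
            if (!(owner in installed)) print name
        }
    ' "$2" "$1"
}

# Constructed sample: the state described in the report, after "snap remove bluez".
demo() {
    dir=$(mktemp -d)
    cat > "$dir/profiles" <<'EOF'
/snap/snapd/11043/usr/lib/snapd/snap-confine (enforce)
snap-update-ns.bluez (enforce)
snap-update-ns.lxd (enforce)
snap.bluez.bluetoothctl (enforce)
snap.bluez.bluez (enforce)
snap.lxd.daemon (enforce)
snap.lxd.hook.configure (enforce)
EOF
    printf '%s\n' core core18 lxd snapd > "$dir/snaps"
    stale_snap_profiles "$dir/profiles" "$dir/snaps"
    rm -rf "$dir"
}

demo
```

On a live system the first argument is /sys/kernel/security/apparmor/profiles, which requires root to read.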
