snapd is not removing apparmor profiles when removing snaps
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
snapd | New | Undecided | Unassigned |
Bug Description
Removing a snap is not removing related apparmor profiles from the kernel:
$ snap install bluez
$ snap remove bluez
$ snap list
Name Version Rev Tracking Publisher Notes
core 16-2.48.2.1 10828 latest/stable canonical✓ core
core18 20210128 1990 latest/stable canonical✓ base
lxd 4.0.5 19206 4.0/stable/… canonical✓ -
snapd 2.48.2.1 11043 latest/stable canonical✓ snapd
$ sudo apparmor_status
apparmor module is loaded.
56 profiles are loaded.
56 profiles are in enforce mode.
...
snap-
snap-
snap-
snap.
snap.bluez.bluez
snap.
snap.
snap.bluez.btmon
snap.
snap.
snap.
snap.
snap.
snap.bluez.obex
snap.
snap.
...
Stracing snapd while removing the snap reveals that it is calling "apparmor_parser --replace" instead of "--remove": https:/
This is an old problem, extensively documented in the code (interfaces/apparmor/apparmor.go) and explained in more detail by Jamie in the existing bug: https://bugs.launchpad.net/snapd/+bug/1818241
Marking as duplicate.
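
A check for the condition this report describes, as an added example that is not part of the original report or of snapd: it lists loaded `snap.<name>.*` and `snap-update-ns.<name>` profiles whose snap no longer appears in `snap list`. The helper name `stale_snap_profiles` is hypothetical, and the sample input is constructed to resemble the output above.

```shell
#!/bin/sh
# Added example: report loaded snap AppArmor profiles whose snap is not installed.
# stale_snap_profiles is a hypothetical helper name, not a snapd command.
#
# Usage: stale_snap_profiles PROFILES_FILE SNAP_LIST_FILE
#   PROFILES_FILE   lines of "<profile name> (<mode>)", the format of
#                   /sys/kernel/security/apparmor/profiles
#   SNAP_LIST_FILE  saved output of `snap list` (header plus one snap per line)
stale_snap_profiles() {
    awk '
        # First file: snap list. Skip the header, remember installed names.
        FILENAME == ARGV[1] { if (FNR > 1 && NF > 0) installed[$1] = 1; next }
        # Second file: loaded profiles. snapd names them snap.<snap>.<app>
        # and snap-update-ns.<snap>; snap names never contain a dot.
        {
            n = split($1, part, ".")
            if (n >= 2 && (part[1] == "snap" || part[1] == "snap-update-ns") &&
                !(part[2] in installed))
                print $1
        }
    ' "$2" "$1" | LC_ALL=C sort -u
}

# Constructed sample input (not captured from a real system).
sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT
cat > "$sample_dir/snaps" <<'EOF'
Name    Version      Rev    Tracking       Publisher  Notes
core    16-2.48.2.1  10828  latest/stable  canonical  core
core18  20210128     1990   latest/stable  canonical  base
lxd     4.0.5        19206  4.0/stable     canonical  -
snapd   2.48.2.1     11043  latest/stable  canonical  snapd
EOF
cat > "$sample_dir/profiles" <<'EOF'
lsb_release (enforce)
snap-update-ns.bluez (enforce)
snap-update-ns.lxd (enforce)
snap.bluez.bluez (enforce)
snap.bluez.btmon (enforce)
snap.bluez.obex (enforce)
snap.lxd.daemon (enforce)
snap.lxd.lxc (enforce)
EOF

# Prints the four bluez profiles left behind after "snap remove bluez".
stale_snap_profiles "$sample_dir/profiles" "$sample_dir/snaps"
```

On a live system, save `sudo cat /sys/kernel/security/apparmor/profiles` and `snap list` to two files and pass them in that order.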