snap-confine has elevated permissions and is not confined but should be. Refusing to continue to avoid permission escalation attacks - persistent livecd

Bug #1796362 reported by BoQsc
This bug affects 1 person
Affects: snapd
Status: Triaged
Importance: Low
Assigned to: Unassigned
Milestone: (none)

Bug Description

After Notepad++ snap installation on Ubuntu 18.04.1, I'm unable to run it.

snap-confine has elevated permissions and is not confined but should be. Refusing to continue to avoid permission escalation attacks

Is all I get right now.

ubuntu@ubuntu:~$ snap changes
ID Status Spawn Ready Summary
1 Done today at 16:39 UTC today at 16:39 UTC Initialize system state
2 Done today at 16:44 UTC today at 16:46 UTC Install "notepad-plus-plus" snap
3 Done today at 16:44 UTC today at 16:44 UTC Initialize device
4 Done today at 16:55 UTC today at 16:55 UTC Change configuration of "core" snap

ubuntu@ubuntu:~$ snap tasks 2
Status Spawn Ready Summary
Done today at 16:44 UTC today at 16:44 UTC Ensure prerequisites for "notepad-plus-plus" are available
Done today at 16:44 UTC today at 16:44 UTC Download snap "notepad-plus-plus" (117) from channel "stable"
Done today at 16:44 UTC today at 16:44 UTC Fetch and check assertions for snap "notepad-plus-plus" (117)
Done today at 16:44 UTC today at 16:44 UTC Mount snap "notepad-plus-plus" (117)
Done today at 16:44 UTC today at 16:44 UTC Copy snap "notepad-plus-plus" data
Done today at 16:44 UTC today at 16:44 UTC Setup snap "notepad-plus-plus" (117) security profiles
Done today at 16:44 UTC today at 16:44 UTC Make snap "notepad-plus-plus" (117) available to the system
Done today at 16:44 UTC today at 16:45 UTC Automatically connect eligible plugs and slots of snap "notepad-plus-plus"
Done today at 16:44 UTC today at 16:46 UTC Set automatic aliases for snap "notepad-plus-plus"
Done today at 16:44 UTC today at 16:46 UTC Setup snap "notepad-plus-plus" aliases
Done today at 16:44 UTC today at 16:46 UTC Run install hook of "notepad-plus-plus" snap if present
Done today at 16:44 UTC today at 16:46 UTC Start snap "notepad-plus-plus" (117) services
Done today at 16:44 UTC today at 16:46 UTC Run configure hook of "notepad-plus-plus" snap if present
Done today at 16:44 UTC today at 16:44 UTC Ensure prerequisites for "wine-platform-i386" are available
Done today at 16:44 UTC today at 16:45 UTC Download snap "wine-platform-i386" (20) from channel "stable"
Done today at 16:44 UTC today at 16:45 UTC Fetch and check assertions for snap "wine-platform-i386" (20)
Done today at 16:44 UTC today at 16:45 UTC Mount snap "wine-platform-i386" (20)
Done today at 16:44 UTC today at 16:45 UTC Copy snap "wine-platform-i386" data
Done today at 16:44 UTC today at 16:45 UTC Setup snap "wine-platform-i386" (20) security profiles
Done today at 16:44 UTC today at 16:45 UTC Make snap "wine-platform-i386" (20) available to the system
Done today at 16:44 UTC today at 16:45 UTC Automatically connect eligible plugs and slots of snap "wine-platform-i386"
Done today at 16:44 UTC today at 16:45 UTC Set automatic aliases for snap "wine-platform-i386"
Done today at 16:44 UTC today at 16:45 UTC Setup snap "wine-platform-i386" aliases
Done today at 16:44 UTC today at 16:45 UTC Run install hook of "wine-platform-i386" snap if present
Done today at 16:44 UTC today at 16:45 UTC Start snap "wine-platform-i386" (20) services
Done today at 16:44 UTC today at 16:45 UTC Run configure hook of "wine-platform-i386" snap if present
Done today at 16:44 UTC today at 16:44 UTC Ensure prerequisites for "core" are available
Done today at 16:44 UTC today at 16:44 UTC Download snap "core" (5548) from channel "stable"
Done today at 16:44 UTC today at 16:44 UTC Fetch and check assertions for snap "core" (5548)
Done today at 16:44 UTC today at 16:44 UTC Mount snap "core" (5548)
Done today at 16:44 UTC today at 16:44 UTC Copy snap "core" data
Done today at 16:44 UTC today at 16:44 UTC Setup snap "core" (5548) security profiles
Done today at 16:44 UTC today at 16:44 UTC Make snap "core" (5548) available to the system
Done today at 16:44 UTC today at 16:44 UTC Automatically connect eligible plugs and slots of snap "core"
Done today at 16:44 UTC today at 16:44 UTC Set automatic aliases for snap "core"
Done today at 16:44 UTC today at 16:44 UTC Setup snap "core" aliases
Done today at 16:44 UTC today at 16:44 UTC Run install hook of "core" snap if present
Done today at 16:44 UTC today at 16:44 UTC Start snap "core" (5548) services
Done today at 16:44 UTC today at 16:44 UTC Run configure hook of "core" snap if present
Done today at 16:45 UTC today at 16:46 UTC Run hook prepare-plug-x11 of snap "notepad-plus-plus"
Done today at 16:45 UTC today at 16:46 UTC Run hook prepare-slot-x11 of snap "core"
Done today at 16:45 UTC today at 16:46 UTC Connect notepad-plus-plus:x11 to core:x11
Done today at 16:45 UTC today at 16:46 UTC Run hook connect-slot-x11 of snap "core"
Done today at 16:45 UTC today at 16:46 UTC Run hook connect-plug-x11 of snap "notepad-plus-plus"
Done today at 16:45 UTC today at 16:46 UTC Run hook prepare-plug-home of snap "notepad-plus-plus"
Done today at 16:45 UTC today at 16:46 UTC Run hook prepare-slot-home of snap "core"
Done today at 16:45 UTC today at 16:46 UTC Connect notepad-plus-plus:home to core:home
Done today at 16:45 UTC today at 16:46 UTC Run hook connect-slot-home of snap "core"
Done today at 16:45 UTC today at 16:46 UTC Run hook connect-plug-home of snap "notepad-plus-plus"
Done today at 16:45 UTC today at 16:46 UTC Run hook prepare-plug-network of snap "notepad-plus-plus"
Done today at 16:45 UTC today at 16:46 UTC Run hook prepare-slot-network of snap "core"
Done today at 16:45 UTC today at 16:46 UTC Connect notepad-plus-plus:network to core:network
Done today at 16:45 UTC today at 16:46 UTC Run hook connect-slot-network of snap "core"
Done today at 16:45 UTC today at 16:46 UTC Run hook connect-plug-network of snap "notepad-plus-plus"
Done today at 16:45 UTC today at 16:46 UTC Run hook prepare-plug-opengl of snap "notepad-plus-plus"
Done today at 16:45 UTC today at 16:46 UTC Run hook prepare-slot-opengl of snap "core"
Done today at 16:45 UTC today at 16:46 UTC Connect notepad-plus-plus:opengl to core:opengl
Done today at 16:45 UTC today at 16:46 UTC Run hook connect-slot-opengl of snap "core"
Done today at 16:45 UTC today at 16:46 UTC Run hook connect-plug-opengl of snap "notepad-plus-plus"
Done today at 16:45 UTC today at 16:46 UTC Run hook prepare-plug-wayland of snap "notepad-plus-plus"
Done today at 16:45 UTC today at 16:46 UTC Run hook prepare-slot-wayland of snap "core"
Done today at 16:45 UTC today at 16:46 UTC Connect notepad-plus-plus:wayland to core:wayland
Done today at 16:45 UTC today at 16:46 UTC Run hook connect-slot-wayland of snap "core"
Done today at 16:45 UTC today at 16:46 UTC Run hook connect-plug-wayland of snap "notepad-plus-plus"
Done today at 16:45 UTC today at 16:46 UTC Run hook prepare-plug-wine-platform-plug of snap "notepad-plus-plus"
Done today at 16:45 UTC today at 16:46 UTC Run hook prepare-slot-wine-base-stable of snap "wine-platform-i386"
Done today at 16:45 UTC today at 16:46 UTC Connect notepad-plus-plus:wine-platform-plug to wine-platform-i386:wine-base-stable
Done today at 16:45 UTC today at 16:46 UTC Run hook connect-slot-wine-base-stable of snap "wine-platform-i386"
Done today at 16:45 UTC today at 16:46 UTC Run hook connect-plug-wine-platform-plug of snap "notepad-plus-plus"
Done today at 16:45 UTC today at 16:46 UTC Run hook prepare-plug-desktop of snap "notepad-plus-plus"
Done today at 16:45 UTC today at 16:46 UTC Run hook prepare-slot-desktop of snap "core"
Done today at 16:45 UTC today at 16:46 UTC Connect notepad-plus-plus:desktop to core:desktop
Done today at 16:45 UTC today at 16:46 UTC Run hook connect-slot-desktop of snap "core"
Done today at 16:45 UTC today at 16:46 UTC Run hook connect-plug-desktop of snap "notepad-plus-plus"
Done today at 16:45 UTC today at 16:46 UTC Run hook prepare-plug-desktop-legacy of snap "notepad-plus-plus"
Done today at 16:45 UTC today at 16:46 UTC Run hook prepare-slot-desktop-legacy of snap "core"
Done today at 16:45 UTC today at 16:46 UTC Connect notepad-plus-plus:desktop-legacy to core:desktop-legacy
Done today at 16:45 UTC today at 16:46 UTC Run hook connect-slot-desktop-legacy of snap "core"
Done today at 16:45 UTC today at 16:46 UTC Run hook connect-plug-desktop-legacy of snap "notepad-plus-plus"

......................................................................
Make snap "core" (5548) available to the system

2018-10-05T16:44:38Z INFO Requested daemon restart.

......................................................................
Automatically connect eligible plugs and slots of snap "core"

2018-10-05T16:44:38Z INFO Waiting for restart...
2018-10-05T16:44:38Z INFO Waiting for restart...

ubuntu@ubuntu:~$ snap version
snap 2.35.2
snapd 2.35.2
series 16
ubuntu 18.04
kernel 4.15.0-29-generic

Revision history for this message
Zygmunt Krynicki (zyga) wrote :

Hello!

Can you please tell us more? Did this suddenly break but work before? If so, can you open a terminal and run "snap changes" followed by "snap tasks N", where N is the number of the last change.

Please add this, along with "snap version", to the bug report. Thanks!

Changed in snappy:
status: New → Incomplete
BoQsc (boqsc) wrote :

Okay, I have a newly installed persistent Ubuntu 18.04.1.

Notepad++ is the first snap application I ever installed.
I always install Notepad++ via Ubuntu software center.
Notepad++ never worked after installation.

It threw:

You need to connect this snap to the wine-platform-i386 snap.

snap connect notepad-plus-plus:wine-platform-plug wine-platform-i386:wine-base-stable

What I came up with to make it work:
firstly: snap disconnect notepad-plus-plus:wine-platform-plug wine-platform-i386:wine-base-stable
and only then: snap connect notepad-plus-plus:wine-platform-plug wine-platform-i386:wine-base-stable

Seemed to work well until I restarted Ubuntu...

But then, after restarting Ubuntu, this error came up:
snap run notepad-plus-plus
snap-confine has elevated permissions and is not confined but should be. Refusing to continue to avoid permission escalation attacks

I could fix it temporarily for this session of Ubuntu by
sudo apt -y purge snapd snap-confine
sudo apt install -y snapd

That would remove snapd and Notepad++, and reinstall snapd.

Then I would open Ubuntu software center and would be unable to find notepad++ listed in there.
After some searching on the internet I found out that I need to install a gnome plugin for Ubuntu software center for it to be listed and finally let me install it.

sudo apt -y install gnome-software-plugin-snap

Then finally after installation of Notepad++ I would get the same error.

You need to connect this snap to the wine-platform-i386 snap.

snap connect notepad-plus-plus:wine-platform-plug wine-platform-i386:wine-base-stable

I would disconnect
snap disconnect notepad-plus-plus:wine-platform-plug wine-platform-i386:wine-base-stable

and then snap connect notepad-plus-plus:wine-platform-plug wine-platform-i386:wine-base-stable

And everything works until the next restart of the operating system..........

BoQsc (boqsc) wrote :

So, this is a loop. I'm able to make it to work, but it won't launch after restart of the operating system.

BoQsc (boqsc)
description: updated
Zygmunt Krynicki (zyga) wrote :

When you say persistent, does that imply a live-CD environment or a regular "boot and install to HDD/SSD" mode? The error is not about interface connections but about a special profile for the confinement tool itself. Normally snapd installs this profile automatically but on your system, for some reason it does not happen. Today is a little bit late but perhaps you can provide the logs of the snapd system service? You can collect them with:

journalctl -u snapd.service

You can attach them here or add a comment, as you wish.

BoQsc (boqsc) wrote :

It's a live-CD environment that uses a casper-rw partition to save all the progress.
I used mkusb to get it all working.
https://help.ubuntu.com/community/mkusb#Quick_start_manual_and_mkusb_PPA

I'm sure that changes persist, and everything works as expected except notepad++ snap, as mentioned.

ubuntu@ubuntu:~$ journalctl -u snapd.service
-- Logs begin at Wed 2018-10-03 08:48:03 UTC, end at Fri 2018-10-05 18:26:59 UTC
Oct 03 08:48:04 ubuntu systemd[1]: Starting Snappy daemon...
Oct 03 08:48:07 ubuntu snapd[1996]: AppArmor status: apparmor is enabled and all
Oct 03 08:48:07 ubuntu snapd[1996]: 2018/10/03 08:48:07.462554 backend.go:125: s
Oct 03 08:48:07 ubuntu snapd[1996]: 2018/10/03 08:48:07.899824 helpers.go:119: e
Oct 03 08:48:07 ubuntu snapd[1996]: 2018/10/03 08:48:07.928371 daemon.go:343: st
Oct 03 08:48:07 ubuntu systemd[1]: Started Snappy daemon.
Oct 03 08:48:08 ubuntu snapd[1996]: 2018/10/03 08:48:08.240200 stateengine.go:10
Oct 03 08:48:31 ubuntu snapd[1996]: 2018/10/03 08:48:31.013974 backend.go:303: c
Oct 03 08:48:32 ubuntu snapd[1996]: 2018/10/03 08:48:32.617537 daemon.go:531: gr
Oct 03 08:48:32 ubuntu snapd[1996]: 2018/10/03 08:48:32.617580 daemon.go:533: do
Oct 03 08:48:33 ubuntu systemd[1]: snapd.service: Service hold-off time over, sc
Oct 03 08:48:33 ubuntu systemd[1]: snapd.service: Scheduled restart job, restart
Oct 03 08:48:33 ubuntu systemd[1]: Stopped Snappy daemon.
Oct 03 08:48:33 ubuntu systemd[1]: Starting Snappy daemon...
Oct 03 08:48:33 ubuntu snapd[3238]: AppArmor status: apparmor is enabled and all
Oct 03 08:48:33 ubuntu snapd[3238]: 2018/10/03 08:48:33.482074 backend.go:125: s
Oct 03 08:48:33 ubuntu snapd[3238]: 2018/10/03 08:48:33.485783 daemon.go:343: st
Oct 03 08:48:33 ubuntu systemd[1]: Started Snappy daemon.
Oct 03 08:48:33 ubuntu snapd[3238]: 2018/10/03 08:48:33.487327 stateengine.go:10
-- Reboot --
Oct 04 05:52:49 ubuntu systemd[1]: Starting Snappy daemon...
Oct 04 05:52:51 ubuntu snapd[1890]: AppArmor status: apparmor is enabled and all

Zygmunt Krynicki (zyga) wrote :

Hey

I think this is not a supported configuration that we test automatically so perhaps we're missing something essential. Can you please run:

"sudo systemctl restart apparmor.service"

If this helps you out we need to determine why it did not run correctly on boot.

BoQsc (boqsc) wrote :

Tried lots of variations, with sudo and without; it didn't help.

ubuntu@ubuntu:~$ notepad-plus-plus
snap-confine has elevated permissions and is not confined but should be. Refusing to continue to avoid permission escalation attacks
ubuntu@ubuntu:~$ sudo notepad-plus-plus
cannot change profile for the next exec call: No such file or directory
snap-update-ns failed with code 1: No such file or directory
ubuntu@ubuntu:~$ sudo systemctl restart apparmor.service
ubuntu@ubuntu:~$ systemctl restart apparmor.service
ubuntu@ubuntu:~$ sudo systemctl restart apparmor.service
ubuntu@ubuntu:~$ systemctl restart apparmor.service
ubuntu@ubuntu:~$ notepad-plus-plus
snap-confine has elevated permissions and is not confined but should be. Refusing to continue to avoid permission escalation attacks
ubuntu@ubuntu:~$ sudo notepad-plus-plus
snap-confine has elevated permissions and is not confined but should be. Refusing to continue to avoid permission escalation attacks

Zygmunt Krynicki (zyga) wrote :

Can you inspect the status of apparmor.service?

systemctl status apparmor.service

journalctl -u apparmor.service

Normally apparmor.service loads the profile that snap-confine complains about on your system; I'm trying to determine why that didn't happen.

BoQsc (boqsc) wrote :

ubuntu@ubuntu:~$ notepad-plus-plus
snap-confine has elevated permissions and is not confined but should be. Refusing to continue to avoid permission escalation attacks

ubuntu@ubuntu:~$ systemctl status apparmor.service
● apparmor.service - AppArmor initialization
   Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset:
   Active: inactive (dead)
Condition: start condition failed at Tue 2018-10-09 15:29:57 UTC; 2h 2min ago
           └─ ConditionPathExists=!/rofs/etc/apparmor.d was not met
     Docs: man:apparmor(7)
           http://wiki.apparmor.net/

ubuntu@ubuntu:~$ journalctl -u apparmor.service
-- Logs begin at Wed 2018-10-03 08:48:03 UTC, end at Tue 2018-10-09 17:31:53 UTC
-- No entries --

Zygmunt Krynicki (zyga) wrote :

Ah, interesting! You can show the definition of the unit with "systemctl cat apparmor.service", but I think what is happening is that on the live CD apparmor is not being started. It seems that /rofs/etc/apparmor.d is present and thus apparmor is _not_ started.

I don't quite understand the motivation for that, but right now I would say that we boot to a broken state. Apparmor is enabled on boot in the kernel but the service is not functioning. To get around this, one or the other has to change:

You can boot without apparmor by passing the kernel argument apparmor=0 in the boot loader. You can edit the service to remove the restriction and allow apparmor to start on a live CD environment.

I'm subscribing jdstrand to this bug to discuss why apparmor is not active in live CD.

Jamie Strandboge (jdstrand) wrote :

The apparmor unit is intentionally not active on the live cd because most profiles need to be changed to operate in that state. This has been the case ever since apparmor was introduced in the distribution.

snapd was adjusted to query the system and determine if it is running under the livecd and adjusts the profiles accordingly for the live environment. By making those changes to the profiles, snapd reloads everything into the kernel.

What is not currently supported is rebooting into a persistent livecd such that the snap-confine profiles would be automatically loaded where the profiles already have the overlay profile updates on disk. snapd (or another unit) could load them though.

summary: snap-confine has elevated permissions and is not confined but should be.
- Refusing to continue to avoid permission escalation attacks
+ Refusing to continue to avoid permission escalation attacks - persistent
+ livecd
Zygmunt Krynicki (zyga)
Changed in snappy:
status: Incomplete → Confirmed
importance: Undecided → Low
status: Confirmed → Triaged
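The two explanations above (zyga's reading of the unmet ConditionPathExists and jdstrand's note that the profiles are simply never loaded on a persistent live CD) can be turned into a small diagnostic. The POSIX shell below is an added example, not snapd's code or anything posted in this thread: each check takes its input path as a parameter so it can be pointed at the real sysfs/securityfs files (the default paths are an assumption about Ubuntu 18.04) or at a constructed tree; the substring match on "snap-confine" in the loaded-profile list is also an assumption.

```shell
#!/bin/sh
# Added diagnostic for the "snap-confine has elevated permissions and is
# not confined" failure. Not snapd code. Each function takes the path it
# inspects as an argument so it can run against a constructed tree.

# apparmor.service on Ubuntu 18.04 carries
#   ConditionPathExists=!/rofs/etc/apparmor.d
# (see the systemctl status output in the thread). On a live CD /rofs
# exists, so the unit is skipped. Returns 0 when the unit would start.
apparmor_unit_condition_met() {
    root="${1:-}"                      # "" means the real root
    [ ! -e "$root/rofs/etc/apparmor.d" ]
}

# Is AppArmor enabled in the running kernel? The module parameter file
# (assumed path) reads "Y" when enabled, "N" after booting with apparmor=0.
apparmor_kernel_enabled() {
    f="${1:-/sys/module/apparmor/parameters/enabled}"
    [ -r "$f" ] && [ "$(cat "$f")" = "Y" ]
}

# Is any snap-confine profile loaded? The kernel's loaded-profile list
# (assumed path) has one profile per line, e.g.
#   /usr/lib/snapd/snap-confine (enforce)
snap_confine_profile_loaded() {
    f="${1:-/sys/kernel/security/apparmor/profiles}"
    [ -r "$f" ] && grep -q 'snap-confine' "$f"
}

# Combine the checks. The bug's failure mode is: kernel has AppArmor
# enabled, apparmor.service was skipped, no snap-confine profile loaded.
# Returns 0 when healthy, 1 for the bug's state, 2 when AppArmor is off
# (snaps then run mostly unconfined, as zyga notes).
diagnose() {
    root="$1"; enabled="$2"; profiles="$3"
    if ! apparmor_kernel_enabled "$enabled"; then
        echo "apparmor disabled in kernel: snapd works, snaps unconfined"
        return 2
    fi
    if snap_confine_profile_loaded "$profiles"; then
        echo "ok: snap-confine profile is loaded"
        return 0
    fi
    if ! apparmor_unit_condition_met "$root"; then
        echo "apparmor.service skipped: /rofs/etc/apparmor.d exists, profiles never loaded"
        return 1
    fi
    echo "snap-confine profile missing although apparmor.service could start"
    return 1
}

# Stand-alone run against the live system.
[ "${DIAG_NO_RUN:-}" ] || diagnose "" "" ""
```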
BoQsc (boqsc) wrote :

gnome-calculator, gnome-system-monitor and gnome-logs_gnome-logs are also affected and impossible to launch on the livecd.

Oct 16 09:32:59 ubuntu gnome-calculator_gnome-calculator.desktop[4098]: snap-confine has elevated permissions and is not confined but should be. Refusing to continue to avoid permission escalation attacks

Oct 16 09:34:01 ubuntu gnome-system-monitor_gnome-system-monitor.desktop[4178]: snap-confine has elevated permissions and is not confined but should be. Refusing to continue to avoid permission escalation

Oct 16 09:33:42 ubuntu gnome-logs_gnome-logs.desktop[4161]: snap-confine has elevated permissions and is not confined but should be. Refusing to continue to avoid permission escalation attacks

BoQsc (boqsc) wrote :

Passing the kernel argument apparmor=0 in the boot loader did allow me to launch them.

BoQsc (boqsc) wrote :

What are the side effects of booting without apparmor? Should this argument be included by default on a persistent livecd? Should we inform the author of https://help.ubuntu.com/community/mkusb about the need for changes?

Zygmunt Krynicki (zyga) wrote :

Without apparmor snapd will work correctly but snaps will be mostly unconfined. I'm not sure if people should be using such an environment but perhaps that's what they want.

Michael Vogt (mvo)
affects: snappy → snapd