Can't disable or modify snap package apparmor rules
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| apparmor (Ubuntu) |
New
|
Wishlist
|
Unassigned | ||
| snapd (Ubuntu) |
New
|
Undecided
|
Unassigned | ||
Bug Description
On Ubuntu 20.04 (and probably 22.04 and greater), it is impossible to disable snap chromium apparmor rules:
root@{HOSTNAME}:~# aa-complain snap.chromium.
Can't find chromium.
is correct, please run 'which snap.chromium.
environment set up in order to find the fully-qualified path and
use the full path as parameter.
root@{HOSTNAME}:~# aa-complain snap.chromium.
ERROR: Include file /var/lib/
root@{HOSTNAME}:~# aa-complain snap.chromium.
ERROR: Include file /var/lib/
root@{HOSTNAME}:~# aa-complain snap.chromium.
ERROR: Include file /var/lib/
It seems like no one has an answer on how these overly restricted rules can be disabled:
https:/
https:/
https:/
https:/
So I just got rid of apparmor which doesn't seem like the solution I was after, but it works great now:
sudo systemctl stop apparmor
sudo systemctl disable apparmor
Please give us a way to modify (and keep the rules permanently modified even after snap updates) snap apparmor rules.
Thank you!
| John Johansen (jjohansen) wrote | #1 |
| Changed in apparmor (Ubuntu): | |
| importance: | Undecided → Wishlist |
| Seth Arnold (seth-arnold) wrote | #2 |
| John Johansen (jjohansen) wrote | #3 |
If you are admin of your system, you can manually replace snap profiles. But there are some caveats in that snapd doesn't really want this. It manages its profiles, dynamically regenerates and replaces them etc.
You are correct that the tooling doesn't work here. It expects the abstractions to be in the same directory as the profile, which snapd profiles dir doesn't do.
I put this as a wish list as its a feature development request to make the tooling support abstractions in a different location than the profile.