I tested to see if the changes in https://github.com/snapcore/snapd/pull/4714 would address this bug. I did this by:
1. in a livecd, perform 'sudo aa-status'. This showed no apparmor profiles were loaded
2. install a deb with https://github.com/snapcore/snapd/pull/4714. The act of installing the deb runs apparmor_parser on the snap-confine profile, so to simulate a fresh boot, I then unloaded the profiles with: sudo apparmor_parser -R /etc/apparmor.d/*snap-confine* (and confirmed with aa-status they weren't loaded)
3. sudo snap install hello-world
4. sudo aa-status (this showed the snap-confine profiles from the core snap were loaded, along with the hello-world profiles, but *not* the snap-confine profile from /etc/apparmor.d)
5. ran hello-world:
$ hello-world
snap-confine has elevated permissions and is not confined but should be. Refusing to continue to avoid permission escalation attacks
Therefore, https://github.com/snapcore/snapd/pull/4714 is *not* sufficient to fix this bug. Once I do:
$ sudo apparmor_parser -r /etc/apparmor.d/*snap-confine*
Then strict and classic mode snaps work.
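
The check from step 4, scripted as an added example that is not part of the original comment or of snapd: it lists the profiles declared in policy files that are missing from the loaded-profile list. The profile names, the core revision 0000 and the header syntax are assumptions, and the sample files are constructed.

```shell
#!/bin/sh
# Added example: list profiles declared in AppArmor policy files that are
# absent from the kernel's loaded-profile list.
# Assumptions: top-level headers look like '/path (flags) {' or
# 'profile NAME ... {'; the loaded list uses the "NAME (mode)" lines of
# /sys/kernel/security/apparmor/profiles.

declared_profiles() {
    # Print the profile name from each column-0 header line.
    awk '
        /^profile[ \t]+[^ \t]+.*[{][ \t]*$/ { print $2; next }
        /^\/[^ \t]+.*[{][ \t]*$/            { print $1 }
    ' "$@"
}

missing_profiles() {
    # $1 = loaded-profile list, remaining args = policy files to check.
    loaded=$1; shift
    declared_profiles "$@" | while IFS= read -r name; do
        # Strip the trailing " (mode)" and require an exact name match.
        sed 's/ ([a-z]*)$//' "$loaded" | grep -Fxq -- "$name" ||
            printf '%s\n' "$name"
    done
}

# Constructed sample reproducing the state seen in step 4: the core snap's
# snap-confine profile and the hello-world profile are loaded, the host
# profile from /etc/apparmor.d is not. Names and revision are made up.
tmp=$(mktemp -d)
cat > "$tmp/usr.lib.snapd.snap-confine" <<'EOF'
#include <tunables/global>
/usr/lib/snapd/snap-confine (attach_disconnected) {
    /etc/ld.so.cache r,
}
EOF
cat > "$tmp/loaded" <<'EOF'
/snap/core/0000/usr/lib/snapd/snap-confine (enforce)
snap.hello-world.hello-world (enforce)
EOF
missing_profiles "$tmp/loaded" "$tmp"/*snap-confine*
rm -rf "$tmp"
```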