Apparmor denies updating namespace with ecryptfs

Bug #2062173 reported by Marco Tanner
This bug affects 2 people
Affects: chromium-browser (Ubuntu); Status: Invalid; Importance: High; Assigned to: Unassigned
Affects: snapd (Ubuntu); Status: In Progress; Importance: High; Assigned to: Zygmunt Krynicki

Bug Description

Noticed on Ubuntu 23.10. Started misbehaving on April 17th 2024.

$ snap info chromium
...
snap-id: XKEcBqPM06H1Z7zGOdG5fbICuf8NWK5R
tracking: latest/stable
refresh-date: today at 08:58 CEST
channels:
  latest/stable: 123.0.6312.122 2024-04-15 (2821) 168MB -
...

When running chromium, it complains about not being able to open my home dir:
cannot update snap namespace: cannot expand mount entry (none $HOME/.local/share none x-snapd.kind=ensure-dir,x-snapd.must-exist-dir=$HOME 0 0): cannot use invalid home directory "/home/tannerli": permission denied
snap-update-ns failed with code 1

AppArmor log shows that access to ecryptfs private folder was denied:

Apr 18 13:13:21 hostname kernel: audit: type=1400 audit(1713438801.579:437): apparmor="DENIED" operation="open" class="file" profile="snap-update-ns.chromium" name="/home/.ecryptfs/tannerli/.Private/" pid=32412 comm="5" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

I found out that, under /var/lib/snapd/apparmor/profiles, while snap.chromium.chromium has the line
owner @{HOMEDIRS}/.ecryptfs/*/.Private/ r,

the file snap-update-ns.chromium does _not_ have the line. Adding it and reloading the profile allows chromium to start again.

I'm nowhere near experienced enough to tell whether this line should be added by default or something else went wrong on my machine.
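
The diagnosis in the report above, as an added example that is not part of the original report and is not snapd code: it parses the quoted denial and lists the file rules that one profile has and the other lacks for that access. The profile excerpts are constructed, the @{HOMEDIRS} value is an assumption, and only a subset of AppArmor rule syntax is handled (no deny rules, no alternation).

```python
import re

# Denial line quoted in the report above.
AUDIT_LINE = ('Apr 18 13:13:21 hostname kernel: audit: type=1400 '
    'audit(1713438801.579:437): apparmor="DENIED" operation="open" class="file" '
    'profile="snap-update-ns.chromium" name="/home/.ecryptfs/tannerli/.Private/" '
    'pid=32412 comm="5" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000')
# Constructed excerpts, not the real generated profiles; only the ecryptfs
# rule is taken from the report.
APP_PROFILE = "  /snap/chromium/** r,\n  owner @{HOMEDIRS}/.ecryptfs/*/.Private/ r,\n"
UPDATE_NS_PROFILE = "  /snap/ r,\n  /snap/chromium/** r,\n"
VARIABLES = {"HOMEDIRS": ["/home/"]}  # assumption: stock tunable value
RULE = re.compile(r"^\s*(owner\s+)?([/@]\S*)\s+([a-zA-Z]+),\s*$")

def parse_audit(line):
    """Turn key=value / key="value" audit fields into a dict."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def glob_to_regex(glob):
    # Subset of AppArmor globbing: ** crosses '/', * and ? do not.
    parts = re.split(r"(\*\*|\*|\?)", glob)
    table = {"**": ".*", "*": "[^/]*", "?": "[^/]"}
    return re.compile("".join(table.get(p, re.escape(p)) for p in parts) + r"\Z")

def expand(path, variables):
    paths = [path]
    for name, values in variables.items():
        paths = [p.replace("@{" + name + "}", v) for p in paths for v in values]
    return [re.sub(r"/{2,}", "/", p) for p in paths]  # collapse "//"

def allows(profile_text, event, variables=VARIABLES):
    """True if a single allow rule covers the event (deny rules are ignored)."""
    need = set(event["requested_mask"])
    for line in profile_text.splitlines():
        m = RULE.match(line)
        if not m or (m.group(1) and event["fsuid"] != event["ouid"]):
            continue  # not a file rule, or an owner rule for someone else's file
        if need <= set(m.group(3)) and any(
                glob_to_regex(p).match(event["name"]) for p in expand(m.group(2), variables)):
            return True
    return False

def rules_to_port(reference, target, event):
    """Rules in `reference` covering a denial that `target` does not allow."""
    if allows(target, event):
        return []
    return [l.strip() for l in reference.splitlines() if allows(l, event)]

if __name__ == "__main__":
    print(rules_to_port(APP_PROFILE, UPDATE_NS_PROFILE, parse_audit(AUDIT_LINE)))
```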

Nathan Teodosio (nteodosio) wrote :

Possible duplicate of LP:2062330.

Changed in chromium-browser (Ubuntu):
importance: Undecided → High
Changed in snapd (Ubuntu):
importance: Undecided → High
Zygmunt Krynicki (zyga)
Changed in snapd (Ubuntu):
assignee: nobody → Zygmunt Krynicki (zyga)
Zygmunt Krynicki (zyga) wrote :
Changed in snapd (Ubuntu):
status: New → In Progress
Changed in chromium-browser (Ubuntu):
status: New → Invalid
David E Auter (d-auter-cuo) wrote :

Also seen on Ubuntu 20.04.6 with latest/stable: 123.0.6312.122 2024-04-15 (2821) 168MB chromium snap.
Confirming that if I manually apply the patch given in https://github.com/snapcore/snapd/pull/13857 the issue is fixed.

But then when I refreshed chromium to latest/stable: 124.0.6367.60 2024-04-19 (2828) 169MB my patch got stepped on and I needed to reapply it. Don't know when the fix is expected to be incorporated in a snap refresh but until then it's easy enough to manually take care of.

Zygmunt Krynicki (zyga) wrote :

The fix has landed in snapd so it will be available in the latest/edge channel of snapd snap. If you refresh snapd with:

snap refresh --edge snapd

Then the fix will be immediately active.

You should refresh back to stable after the 2.63 release, unless you are comfortable daily-driving possibly unstable software.
