Guest session cannot run snaps

Bug #1593407 reported by Bruno Nova
This bug affects 8 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Desktop | New | Undecided | Unassigned | |
| Light Display Manager | Confirmed | Undecided | Unassigned | |
| Ubuntu MATE | Confirmed | Undecided | Unassigned | |
| snapd | Confirmed | Undecided | Unassigned | |
| firefox (Ubuntu) | Confirmed | Undecided | Unassigned | |
| firefox (Ubuntu Xenial) | Confirmed | Undecided | Unassigned | |
| lightdm (Ubuntu) | Confirmed | High | Unassigned | |
| lightdm (Ubuntu Xenial) | Confirmed | Undecided | Unassigned | |
| snapd (Ubuntu) | Confirmed | High | Unassigned | |
| snapd (Ubuntu Xenial) | Confirmed | Undecided | Unassigned | |

Bug Description

I'm using Ubuntu 16.04.

The guest session cannot execute snaps, because of a permission error.
LightDM's guest session AppArmor profile is not allowing access to /snap and other needed files and folders.

Zygmunt Krynicki (zyga) wrote :

Guest session is already confined with an AppArmor profile. I think that there's no support for profile transitions there to run snap-confine and everything else, but it might be doable.

Bruno Nova (brunonova) wrote :

Yes, I know. I was referring to LightDM's guest session AppArmor profile.
I'll edit the description.

I only linked the bug to snapd to make it known to Snappy developers, and because the bug affects it.
The actual fix probably has to be made in that LightDM profile. So, sooner or later, the status for snapd should be changed to Invalid.

description: updated
Changed in lightdm (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
Robert Ancell (robert-ancell) wrote :

I had a go at this by adding the following to the lightdm apparmor config:

  /snap/ r,
  /snap/** rmixk,

But it wasn't able to mount the snaps. So there must be more config required.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in snapd (Ubuntu):
status: New → Confirmed
Changed in snappy:
status: New → Confirmed
Changed in lightdm:
status: New → Confirmed
Changed in snapd (Ubuntu):
importance: Undecided → High
status: Confirmed → Triaged
Changed in lightdm (Ubuntu):
importance: Medium → High
Alan Pope 🍺🐧🐱 🦄 (popey) wrote :

I just tested this on an up to date system and while the error is different, the bug still applies, because you can't run snaps as guest.

    2016/11/24 00:15:12.522919 main.go:239: WARNING: cannot create syslog logger
    internal error, please report: running "mame" failed: cannot list snaps: cannot communicate with server: Get http://localhost/v2/snaps: dial unix /run/snapd-snap.socket: connect: permission denied

Norbert (nrbrtx) wrote (last edit ):

<sarcasm>
This is a fantastically cool decision to ship the pre-installed Firefox web browser as a Snap.
It can't be started on freshly installed Ubuntu MATE 22.04 LTS. Very smart and efficient idea. Very useful for internet kiosks.
</sarcasm>

```
guest-t2chxy@m:~/Desktop$ firefox
2022/05/03 10:18:59.480499 tool_linux.go:82: cannot open snapd info file "/snap/snapd/current/usr/lib/snapd/info": open /snap/snapd/current/usr/lib/snapd/info: permission denied

guest-t2chxy@m:~/Desktop$ snap list
2022/05/03 10:26:00.694252 tool_linux.go:82: cannot open snapd info file "/snap/snapd/current/usr/lib/snapd/info": open /snap/snapd/current/usr/lib/snapd/info: permission denied

```

I can confirm this bug on Ubuntu MATE 22.04 LTS. Do you plan to fix it?

Changed in snapd (Ubuntu):
status: Triaged → Confirmed
Changed in lightdm (Ubuntu):
status: Triaged → Confirmed
tags: added: bionic focal impish jammy
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in firefox (Ubuntu Xenial):
status: New → Confirmed
Changed in firefox (Ubuntu):
status: New → Confirmed
Changed in lightdm (Ubuntu Xenial):
status: New → Confirmed
Changed in snapd (Ubuntu Xenial):
status: New → Confirmed
JokerGermany (jokergermany) wrote :

6-year-old bug, really?
I am frustrated with Ubuntu.

Don't change firefox to a snap package when you have problems like this, Canonical -__-

Norbert (nrbrtx)
Changed in ubuntu-mate:
status: New → Confirmed
Olivier Tilloy (osomon) wrote :

From duplicate bug #1981881: guest session can be enabled in Xubuntu 22.04 by creating the following file: /etc/lightdm/lightdm.conf.d/40-enable-guest.conf
with the following content:

    [Seat:*]
    allow-guest=true

And rebooting. At the login screen, one can select a guest session, and this problem with snaps can be reproduced.

martinr (martinr1111) wrote (last edit ):

I verified that Firefox in the guest account on the 6-year-old Xubuntu 16.04 Xenial works.
So bug #1981881 is NOT a duplicate of this bug, because it affects Xubuntu 22.04 Jammy.

Olivier Tilloy (osomon) wrote :

That was firefox packaged as a deb, right?
This issue is specifically with snaps.

AG-Ubrio (ag-ubrio) wrote :

I don't know if somebody changed something since 2022-05-03 (Comment #6 from @nrbrtx), but my error message when starting firefox (snap) on Ubuntu MATE 22.04 in a guest session is different:

    guest-qd9nle@ubrio22:~$ firefox
    cannot create user data directory: /tmp/guest-qd9nle/snap/firefox/1860: Permission denied

I don't understand why this "Permission denied" appears, as in /etc/apparmor.d/abstractions/lightdm the permission is: "owner /tmp/** rwlkmix,", so it seems to be ok. And more: the directory /tmp/guest-qd9nle/snap/firefox/1860 is created, despite the message.

Alberto Mardegan (mardy) wrote (last edit ):

Hi AG-Ubrio, the profile that you should check is not the lightdm one, but this:

  /var/lib/snapd/apparmor/profiles/snap.firefox.firefox

It doesn't matter much, though, since this also has the rule

  /tmp/** mrwlkix,

Can you please check in the logs, if you get some apparmor denials when running firefox? You could run the command

    journalctl -f -t audit

then start firefox, and paste here the output from the first command. Also, if you say that the directory is created, it would be interesting to know what its permissions are.

AG-Ubrio (ag-ubrio) wrote :

Hi Alberto, the audit log output when starting firefox is the following:

    Sep 23 06:49:13 ub22mate audit[5486]: AVC apparmor="DENIED" operation="mkdir" profile="/snap/snapd/16778/usr/lib/snapd/snap-confine" name="/tmp/guest-tikhhx/" pid=5486 comm="snap-confine" requested_mask="c" denied_mask="c" fsuid=997 ouid=997

The permissions of the created directory are:

    guest-tikhhx@ub22mate:~$ ls -la /tmp/guest-tikhhx/snap/firefox/
    insgesamt 0
    drwxr-xr-x 4 guest-tikhhx guest-tikhhx 100 Sep 23 06:49 .
    drwx------ 3 guest-tikhhx guest-tikhhx 60 Sep 23 06:49 ..
    drwxr-xr-x 2 guest-tikhhx guest-tikhhx 40 Sep 23 06:49 1860
    drwxr-xr-x 2 guest-tikhhx guest-tikhhx 40 Sep 23 06:49 common
    lrwxrwxrwx 1 guest-tikhhx guest-tikhhx 4 Sep 23 06:49 current -> 1860

And just to be clear: this seems to be a Snap problem, not a Firefox problem, as the Snaps of Chromium, Opera and Skype show the same behaviour.
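
An added example, not part of the thread and not snapd or LightDM code: a small parser for the AppArmor audit records discussed above, which reports the confining profile behind each denial. Run on the line quoted in the thread, it shows the denial comes from the snap-confine profile rather than the lightdm or snap.firefox.firefox profiles. Only the first sample line is from the thread; the other lines and all function names are constructed for illustration.

```python
import re
from collections import Counter

# Line 1 is the denial quoted in the thread. Lines 2-4 are constructed to
# exercise the filter: an ALLOWED record, a hex-encoded name, a non-audit line.
SAMPLE_LOG = '''\
Sep 23 06:49:13 ub22mate audit[5486]: AVC apparmor="DENIED" operation="mkdir" profile="/snap/snapd/16778/usr/lib/snapd/snap-confine" name="/tmp/guest-tikhhx/" pid=5486 comm="snap-confine" requested_mask="c" denied_mask="c" fsuid=997 ouid=997
Sep 23 06:49:13 ub22mate audit[5490]: AVC apparmor="ALLOWED" operation="open" profile="example-profile" name="/tmp/example" pid=5490 comm="example" requested_mask="r" denied_mask="r" fsuid=997 ouid=997
Sep 23 06:49:14 ub22mate audit[5491]: AVC apparmor="DENIED" operation="open" profile="example-profile" name=2F746D702F612062 pid=5491 comm="example" requested_mask="r" denied_mask="r" fsuid=997 ouid=997
Sep 23 06:49:15 ub22mate systemd[1]: Started example.service.
'''

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX_RE = re.compile(r'(?:[0-9A-Fa-f]{2})+')
# Letters used in requested_mask/denied_mask for file rules.
MASKS = {"r": "read", "w": "write", "a": "append", "c": "create",
         "d": "delete", "x": "execute", "m": "mmap-exec", "k": "lock", "l": "link"}

def parse_avc(line):
    """Return the fields of one AppArmor audit record as a dict, or None."""
    if 'apparmor="' not in line:
        return None
    rec = {}
    for key, quoted, bare in FIELD_RE.findall(line):
        value = bare if bare else quoted
        # The audit subsystem hex-encodes strings containing spaces or
        # quotes and emits them unquoted; decode those for string fields.
        if bare and key in ("name", "profile", "comm") and HEX_RE.fullmatch(bare):
            value = bytes.fromhex(bare).decode("utf-8", "replace")
        rec[key] = value
    return rec

def denials(log_text):
    """All DENIED records, each with its denied_mask spelled out."""
    found = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec.get("apparmor") == "DENIED":
            rec["denied"] = [MASKS.get(c, c) for c in rec.get("denied_mask", "")]
            found.append(rec)
    return found

def denials_by_profile(log_text):
    """Count denials per confining profile: that is the profile to inspect."""
    return Counter(rec["profile"] for rec in denials(log_text))

if __name__ == "__main__":
    for rec in denials(SAMPLE_LOG):
        print(rec["profile"], rec["operation"], rec["name"], rec["denied"])
```
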

Michael Vogt (mvo)
affects: snappy → snapd