Snap AppArmor Permissions

Hello everyone,

I tried installing snaps either from the command line or through Bauh, but they will not run. As an example, here is the output from vlc:

2020/03/07 09:50:30.585647 cmd_run.go:884: WARNING: cannot create user data directory: cannot create "/home/myuser/snap/vlc/common": mkdir /home/myuser/snap/vlc/common: permission denied
cannot create user data directory: /home/myuser/snap/vlc/1397: Not a directory

Searching the ArchWiki it appears to be an issue with AppArmor's Confinement.

So here is the output from sudo aa-status |grep vlc

snap-update-ns.vlc
snap.vlc.vlc

And the output from dmesg

[52259.436418] audit: type=1400 audit(1583567732.951:1393): apparmor="DENIED" operation="create" profile="/usr/lib/snapd/snap-confine" pid=9414 comm="snap-device-hel" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create" addr=none
[52259.436421] audit: type=1400 audit(1583567732.951:1394): apparmor="DENIED" operation="create" profile="/usr/lib/snapd/snap-confine" pid=9414 comm="snap-device-hel" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create" addr=none
[52259.436423] audit: type=1400 audit(1583567732.951:1395): apparmor="DENIED" operation="open" profile="/usr/lib/snapd/snap-confine" name="/etc/nsswitch.conf" pid=9414 comm="snap-device-hel" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[52259.436425] audit: type=1400 audit(1583567732.951:1396): apparmor="DENIED" operation="file_mmap" profile="/usr/lib/snapd/snap-confine" name="/usr/lib/libnss_files-2.31.so" pid=9414 comm="snap-device-hel" requested_mask="m" denied_mask="m" fsuid=0 ouid=0
[52259.437544] audit: type=1400 audit(1583567732.954:1397): apparmor="DENIED" operation="create" profile="/usr/lib/snapd/snap-confine" pid=9415 comm="snap-device-hel" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create" addr=none
[52259.437546] audit: type=1400 audit(1583567732.954:1398): apparmor="DENIED" operation="create" profile="/usr/lib/snapd/snap-confine" pid=9415 comm="snap-device-hel" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create" addr=none
[52259.437548] audit: type=1400 audit(1583567732.954:1399): apparmor="DENIED" operation="open" profile="/usr/lib/snapd/snap-confine" name="/etc/nsswitch.conf" pid=9415 comm="snap-device-hel" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[52259.437554] audit: type=1400 audit(1583567732.954:1400): apparmor="DENIED" operation="file_mmap" profile="/usr/lib/snapd/snap-confine" name="/usr/lib/libnss_files-2.31.so" pid=9415 comm="snap-device-hel" requested_mask="m" denied_mask="m" fsuid=0 ouid=0
[52259.438582] audit: type=1400 audit(1583567732.954:1401): apparmor="DENIED" operation="create" profile="/usr/lib/snapd/snap-confine" pid=9416 comm="snap-device-hel" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create" addr=none
[52259.438585] audit: type=1400 audit(1583567732.954:1402): apparmor="DENIED" operation="create" profile="/usr/lib/snapd/snap-confine" pid=9416 comm="snap-device-hel" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create" addr=none

If I try to remove the snap, the following error appears:

error: cannot perform the following tasks:
Remove data for snap "vlc" (1397) (unlinkat /home/myuser/snap/vlc/1397/bin: read-only file system)

Any suggestions?

Did you properly set up apparmor?

sudo systemctl enable apparmor
sudo systemctl enable snapd.apparmor
sudo systemctl enable snapd

Add the following to your /etc/default/grub

GRUB_CMDLINE_LINUX_DEFAULT="... security=apparmor apparmor=1 ..."

Then do sudo update-grub and reboot your system.
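To check the two kernel parameters the reply above requires and to triage the type=1400 denials from the first post's dmesg output, here is an added Python example (not code from the thread); the sample audit lines are constructed copies of the ones posted, and the function and constant names are my own.

```python
# Added example (not from the thread): parse the type=1400 AppArmor audit
# records shown in dmesg above and check a kernel command line for the two
# parameters the reply requires. Sample lines below are constructed copies.
import re
from collections import Counter

SAMPLE_DMESG = """\
[52259.436418] audit: type=1400 audit(1583567732.951:1393): apparmor="DENIED" operation="create" profile="/usr/lib/snapd/snap-confine" pid=9414 comm="snap-device-hel" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create" addr=none
[52259.436423] audit: type=1400 audit(1583567732.951:1395): apparmor="DENIED" operation="open" profile="/usr/lib/snapd/snap-confine" name="/etc/nsswitch.conf" pid=9414 comm="snap-device-hel" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[52259.436425] audit: type=1400 audit(1583567732.951:1396): apparmor="DENIED" operation="file_mmap" profile="/usr/lib/snapd/snap-confine" name="/usr/lib/libnss_files-2.31.so" pid=9414 comm="snap-device-hel" requested_mask="m" denied_mask="m" fsuid=0 ouid=0
[52259.437544] audit: type=1400 audit(1583567732.954:1397): apparmor="DENIED" operation="create" profile="/usr/lib/snapd/snap-confine" pid=9415 comm="snap-device-hel" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create" addr=none
"""

# key=value pairs; the value is either double-quoted or a bare token.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Both must be on the kernel command line for snapd's confinement to work.
REQUIRED_PARAMS = ("security=apparmor", "apparmor=1")


def parse_apparmor_line(line):
    """Return the fields of one AppArmor audit record as a dict, else None."""
    if "type=1400" not in line or 'apparmor="' not in line:
        return None
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def summarize_denials(text):
    """Count DENIED records by (profile, operation, target); target is name or family/sock_type."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_apparmor_line(line)
        if not rec or rec.get("apparmor") != "DENIED":
            continue
        target = rec.get("name") or f'{rec.get("family")}/{rec.get("sock_type")}'
        counts[(rec["profile"], rec["operation"], target)] += 1
    return counts


def missing_kernel_params(cmdline):
    """Return required params absent from /proc/cmdline text or a quoted GRUB value."""
    tokens = set(cmdline.strip().strip('"').split())
    return [p for p in REQUIRED_PARAMS if p not in tokens]


if __name__ == "__main__":
    for (profile, op, target), n in summarize_denials(SAMPLE_DMESG).items():
        print(f"{n:3d}  {profile}  {op}  {target}")
```

Feed `missing_kernel_params` the contents of /proc/cmdline after the reboot to confirm the GRUB change actually took effect, and `summarize_denials` the output of `dmesg` to see which profile and operation is still being refused.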

Thanks for the reply.

The system was recently clean installed with version 19 - Gnome.

Everything is as you stated. Outputs:

apparmor.service - Load AppArmor profiles
Loaded: loaded (/usr/lib/systemd/system/apparmor.service; enabled; vendor preset: disabled)
Active: active (exited) since Fri 2020-03-06 19:24:38 EET; 22h ago
Main PID: 415 (code=exited, status=0/SUCCESS)
Tasks: 0 (limit: 4915)
Memory: 0B
CGroup: /system.slice/apparmor.service

snapd.apparmor.service - Load AppArmor profiles managed internally by snapd
Loaded: loaded (/usr/lib/systemd/system/snapd.apparmor.service; enabled; vendor preset: disabled)
Active: active (exited) since Fri 2020-03-06 19:24:38 EET; 22h ago
Main PID: 741 (code=exited, status=0/SUCCESS)
Tasks: 0 (limit: 4915)
Memory: 0B
CGroup: /system.slice/snapd.apparmor.service

snapd.service - Snappy daemon
Loaded: loaded (/usr/lib/systemd/system/snapd.service; enabled; vendor preset: disabled)
Active: active (running) since Fri 2020-03-06 19:24:39 EET; 22h ago
Main PID: 943 (snapd)
Tasks: 30 (limit: 4915)
Memory: 383.4M
CGroup: /system.slice/snapd.service
└─943 /usr/lib/snapd/snapd

Μαρ 06 19:48:51 ArchRyzen snapd[943]: api.go:986: Installing snap "sosumi" revision unset
Μαρ 06 20:22:01 ArchRyzen snapd[943]: api.go:986: Installing snap "sosumi" revision unset
Μαρ 06 20:23:24 ArchRyzen snapd[943]: api.go:986: Installing snap "sosumi" revision unset
Μαρ 07 00:14:39 ArchRyzen snapd[943]: storehelpers.go:436: cannot refresh: snap has no updates available:>
Μαρ 07 00:14:39 ArchRyzen snapd[943]: autorefresh.go:397: auto-refresh: all snaps are up-to-date
Μαρ 07 08:55:42 ArchRyzen snapd[943]: api.go:986: Installing snap "vlc" revision unset
Μαρ 07 10:44:40 ArchRyzen snapd[943]: storehelpers.go:436: cannot refresh: snap has no updates available:>
Μαρ 07 10:44:40 ArchRyzen snapd[943]: autorefresh.go:397: auto-refresh: all snaps are up-to-date
Μαρ 07 16:19:40 ArchRyzen snapd[943]: storehelpers.go:436: cannot refresh: snap has no updates available:>
Μαρ 07 16:19:40 ArchRyzen snapd[943]: autorefresh.go:397: auto-refresh: all snaps are up-to-date

GRUB_DEFAULT=saved
GRUB_TIMEOUT=10
GRUB_TIMEOUT_STYLE=hidden
GRUB_DISTRIBUTOR="Manjaro"
GRUB_CMDLINE_LINUX_DEFAULT="quiet apparmor=1 security=apparmor udev.log_priority=3"
GRUB_CMDLINE_LINUX=""

Then check the permissions of the snap dir in your home directory. You can also create a new user and try there.
