22.04.4 LTS snap firefox chromium permission problems

Hi,

I’m experiencing a permission problem with snap and AppArmor when trying to run firefox or chromium. I’m running 22.04.4 LTS with Ubuntu Pro support enabled.

This is my snap version:

(base) pippo@Ganimede:~$ sudo snap version
snap    2.61.3+22.04
snapd   2.61.3+22.04
series  16
ubuntu  22.04
kernel  5.15.0-101-generic
(base) pippo@Ganimede:~$

When I run firefox or chromium, they fail to start. If I try to launch them from a terminal, I get these errors:

(base) pippo@Ganimede:~$ firefox
cannot create mount point for file "/tmp/snap.rootfs_vDF3Sz/README.md": Permission denied

(base) pippo@Ganimede:~$ chromium
cannot create mount point for file "/tmp/snap.rootfs_QFJXpv/README.md": Permission denied

If I look in the syslog file, I find these lines:

Apr  6 08:31:50 Ganimede systemd[4846]: Started snap.snap-store.ubuntu-software-de50015d-5d40-460b-be18-2447e2344f53.scope.
Apr  6 08:31:50 Ganimede snap-store_ubuntu-software.desktop[11558]: cannot create mount point for file "/tmp/snap.rootfs_MwvIqr/README.md": Permission denied
Apr  6 08:31:50 Ganimede kernel: [ 3333.275378] kauditd_printk_skb: 57 callbacks suppressed
Apr  6 08:31:50 Ganimede kernel: [ 3333.275380] audit: type=1400 audit(1712385110.343:307): apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=11558 comm="snap-confine" capability=12  capname="net_admin"
Apr  6 08:31:50 Ganimede kernel: [ 3333.275385] audit: type=1400 audit(1712385110.343:308): apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=11558 comm="snap-confine" capability=38  capname="perfmon"
Apr  6 08:31:50 Ganimede kernel: [ 3333.276664] audit: type=1400 audit(1712385110.343:309): apparmor="DENIED" operation="mknod" profile="/usr/lib/snapd/snap-confine" name="/tmp/snap.rootfs_MwvIqr/README.md" pid=11558 comm="snap-confine" requested_mask="c" denied_mask="c" fsuid=0 ouid=0

I tried to refresh snap but it can’t complete the operations:

(base) pippo@Ganimede:~$ sudo snap refresh
[sudo] password for pippo: 
Download snap "firefox" (4090) from channel "latest/stable"    4%  772kB/s 47.7s
error: cannot perform the following tasks:
- Run post-refresh hook of "firefox" snap if present (run hook "post-refresh": cannot create mount point for file "/tmp/snap.rootfs_kHleRT/README.md": Permission denied)
- Run configure hook of "chromium" snap if present (run hook "configure": cannot create mount point for file "/tmp/snap.rootfs_IPuR2q/README.md": Permission denied)
(base) pippo@Ganimede:~$ 

What can I do to fix this problem? Could you be so kind as to give me a suggestion? Many thanks and regards, Arpagone
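The following is an added example, not part of the original post: a small Python triage script that parses the AppArmor `type=1400` audit records from the syslog excerpt above and ties the `snap-confine` error message to the denial that names the same file. The function names are illustrative; the sample lines are copied from the post.

```python
import re
from collections import Counter

# Sample input: lines copied from the syslog excerpt in the post above.
SAMPLE = [
    'Apr  6 08:31:50 Ganimede snap-store_ubuntu-software.desktop[11558]: cannot create mount point for file "/tmp/snap.rootfs_MwvIqr/README.md": Permission denied',
    'Apr  6 08:31:50 Ganimede kernel: [ 3333.275380] audit: type=1400 audit(1712385110.343:307): apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=11558 comm="snap-confine" capability=12  capname="net_admin"',
    'Apr  6 08:31:50 Ganimede kernel: [ 3333.275385] audit: type=1400 audit(1712385110.343:308): apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=11558 comm="snap-confine" capability=38  capname="perfmon"',
    'Apr  6 08:31:50 Ganimede kernel: [ 3333.276664] audit: type=1400 audit(1712385110.343:309): apparmor="DENIED" operation="mknod" profile="/usr/lib/snapd/snap-confine" name="/tmp/snap.rootfs_MwvIqr/README.md" pid=11558 comm="snap-confine" requested_mask="c" denied_mask="c" fsuid=0 ouid=0',
]

AUDIT_RE = re.compile(r'audit: type=1400 audit\((\d+\.\d+):(\d+)\): (.*)$')
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')  # key="quoted value" or key=bare
ERR_RE = re.compile(r'cannot create mount point for file "([^"]+)": Permission denied')

def parse_denials(lines):
    """Return one dict per AppArmor DENIED record (audit type 1400)."""
    records = []
    for line in lines:
        m = AUDIT_RE.search(line)
        if not m:
            continue
        rec = {k: (quoted if raw.startswith('"') else raw)
               for k, raw, quoted in KV_RE.findall(m.group(3))}
        if rec.get("apparmor") == "DENIED":
            rec["serial"] = int(m.group(2))  # audit event serial number
            records.append(rec)
    return records

def summary(lines):
    """Count denials per (profile, operation) to see which profile is involved."""
    return Counter((d["profile"], d["operation"]) for d in parse_denials(lines))

def correlate(lines):
    """Match each 'cannot create mount point' path to the denial naming that file."""
    by_name = {d["name"]: d for d in parse_denials(lines) if "name" in d}
    hits = []
    for line in lines:
        m = ERR_RE.search(line)
        if m and m.group(1) in by_name:
            d = by_name[m.group(1)]
            hits.append((m.group(1), d["profile"], d["operation"], d["denied_mask"]))
    return hits

if __name__ == "__main__":
    for key, count in summary(SAMPLE).items():
        print(count, *key)
    for hit in correlate(SAMPLE):
        print("error path matched denial:", hit)
```

On this excerpt the only denial that names the path from the error message is the `mknod` record under the `/usr/lib/snapd/snap-confine` profile, so that profile is the place to look.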

Is this in some kind of container? What does the (base) part of your prompt indicate? A virtual environment?

Is there any more info on this issue? One of my machines is experiencing this problem. I just applied all of the outstanding updates from April, May, and June.

(I’m not an Ubuntu expert, I’m just a sysadmin, so please bear with me as I try to answer your followup questions.)

I’m running /snap/bin/chromium, which is a softlink to /usr/bin/snap.

/var/log/syslog says

2024-07-31T14:20:40.266600+00:00 gs483-rbt1gui01 systemd[120188]: Started snap.chromium.chromium-ded1f424-5eb8-49ce-9aa2-f0d981b3a46c.scope.
2024-07-31T14:20:40.278525+00:00 gs483-rbt1gui01 systemd[120188]: snap.chromium.chromium-ded1f424-5eb8-49ce-9aa2-f0d981b3a46c.scope: Succeeded.
2024-07-31T14:20:57.664472+00:00 gs483-rbt1gui01 systemd[120188]: Started snap.chromium.chromium-12baf4c1-8718-4368-a1e5-69c71ba9a417.scope.
2024-07-31T14:20:57.678525+00:00 gs483-rbt1gui01 systemd[120188]: snap.chromium.chromium-12baf4c1-8718-4368-a1e5-69c71ba9a417.scope: Succeeded.

but my screen output says

ehymowit@gs483-rbt1gui01:~$ chromium
cannot create mount point for file "/tmp/snap.rootfs_SkOFQE/README.md": Permission denied
ehymowit@gs483-rbt1gui01:~$ chromium
cannot create mount point for file "/tmp/snap.rootfs_mr5oXp/README.md": Permission denied

Thanks.

Hi @erichymowitz

What’s the output of snap version?

Please paste the output of the following commands to help us further debug this issue:

  • snap version
  • snap debug sandbox-features

So… my boss did some playing around that I didn’t understand, but I think he used aa-complain /usr/lib/snap/snap-confine and then aa-enforce /usr/lib/snap/snap-confine to reset something… so it was working earlier today. Hopefully it will continue working.

In the meantime…

root@gs483-rbt1gui01:/home/sehymowit# snap version
snap    2.63+20.04
snapd   2.63+20.04
series  16
ubuntu  20.04
kernel  5.4.0-187-generic

root@gs483-rbt1gui01:/home/sehymowit# snap debug sandbox-features
apparmor:             kernel:caps kernel:dbus kernel:domain kernel:domain:attach_conditions kernel:file kernel:mount kernel:namespaces kernel:network kernel:network_v8 kernel:policy kernel:policy:versions kernel:ptrace kernel:query kernel:query:label kernel:rlimit kernel:signal parser:cap-audit-read parser:cap-bpf parser:include-if-exists parser:mqueue parser:qipcrtr-socket parser:unsafe parser:xdp policy:default support-level:full
confinement-options:  classic devmode strict
dbus:                 mediated-bus-access
kmod:                 mediated-modprobe
mount:                freezer-cgroup-v1 layouts mount-namespace per-snap-persistency per-snap-profiles per-snap-updates per-snap-user-profiles stale-base-invalidation
seccomp:              bpf-actlog bpf-argument-filtering kernel:allow kernel:errno kernel:kill_process kernel:kill_thread kernel:log kernel:trace kernel:trap kernel:user_notif
udev:                 device-cgroup-v1 device-filtering tagging

The users rebooted the machine and the problem has returned.

sehymowit@gs483-rbt1gui01:~$ chromium
cannot create mount point for file "/tmp/snap.rootfs_RAQyPU/README.md": Permission denied
sehymowit@gs483-rbt1gui01:~$ chromium
cannot create mount point for file "/tmp/snap.rootfs_2jKe0K/README.md": Permission denied
root@gs483-rbt1gui01:/home/sehymowit# snap debug sandbox-features
apparmor:             kernel:caps kernel:dbus kernel:domain kernel:domain:attach_conditions kernel:file kernel:mount kernel:namespaces kernel:network kernel:network_v8 kernel:policy kernel:policy:versions kernel:ptrace kernel:query kernel:query:label kernel:rlimit kernel:signal parser:cap-audit-read parser:cap-bpf parser:include-if-exists parser:mqueue parser:qipcrtr-socket parser:unsafe parser:xdp policy:default support-level:full
confinement-options:  classic devmode strict
dbus:                 mediated-bus-access
kmod:                 mediated-modprobe
mount:                freezer-cgroup-v1 layouts mount-namespace per-snap-persistency per-snap-profiles per-snap-updates per-snap-user-profiles stale-base-invalidation
seccomp:              bpf-actlog bpf-argument-filtering kernel:allow kernel:errno kernel:kill_process kernel:kill_thread kernel:log kernel:trace kernel:trap kernel:user_notif
udev:                 device-cgroup-v1 device-filtering tagging

Worse, the combination aa-complain aa-enforce did not help, and did not fix our workaround. Firefox gives the error “Your Firefox profile cannot be loaded. It may be missing or inaccessible.”

(That’s probably a separate issue, but it makes the chromium problem more urgent since I have no alternative.)