After upgrading my Debian box from stretch to buster, I had the following error on startup:
snap-confine has elevated permissions and is not confined but should be. Refusing to continue to avoid permission escalation attacks
The app completely fails to start and nothing else happens. With @zyga-snapd on IRC, we were able to trace this back to an apparmor problem, as aa-status wouldn’t show any profile for the application(s) (full log). snap sandbox-features says:
apparmor: kernel:caps kernel:domain kernel:file kernel:mount kernel:namespaces kernel:network_v8 kernel:policy kernel:ptrace kernel:query kernel:rlimit kernel:signal
confinement-options: classic devmode
dbus: mediated-bus-access
kmod: mediated-modprobe
mount: freezer-cgroup-v1 layouts-beta mount-namespace per-snap-persistency per-snap-profiles per-snap-updates per-snap-user-profiles stale-base-invalidation
seccomp: bpf-argument-filtering kernel:allow kernel:errno kernel:kill_process kernel:kill_thread kernel:log kernel:trace kernel:trap
udev: device-cgroup-v1 tagging
The version of snapd in buster is 2.30-5+b1 and this is the output of snap version:
snap 2.34.3
snapd 2.34.3
series 16
debian -
kernel 4.17.0-1-amd64
The following error was found in journald:
aoû 22 15:28:06 curie snapd[1189]: 2018/08/22 15:28:06.844606 backend.go:303: cannot create host snap-confine apparmor configuration: cannot synchronize snap-confine apparmor profile: open /var/lib/snapd/apparmor/profiles/snap-confine.core.5145.dDP25MCqBC0L~: no such file or directory
A workaround was simply to reset the security key:
sudo rm /var/lib/snapd/system-key
This seems to have fixed the problem, at least in the short term, as the application correctly starts and the apparmor profiles show up in aa-status.
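The two signals the post relies on (no snap-confine profile in aa-status, plus the profile-sync error in the journal) can be checked together before touching the system-key. The script below is an added example, not part of the original post or of snapd; the aa-status and journal samples are constructed to mirror the post, and it assumes the snap-confine profile name ends in usr/lib/snapd/snap-confine, as it does on the Debian package and the core snap.

```shell
#!/bin/sh
# Added diagnostic for the failure described above. All inputs are CONSTRUCTED
# samples shaped like the post's output; nothing here is captured from a host.

# Constructed aa-status output from a healthy host (snap-confine enforced).
AA_OK='apparmor module is loaded.
3 profiles are loaded.
3 profiles are in enforce mode.
   /snap/core/5145/usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine
   snap.hello-world.hello-world
0 profiles are in complain mode.'

# Constructed aa-status output matching the post: no snap profile at all.
AA_BROKEN='apparmor module is loaded.
1 profiles are loaded.
1 profiles are in enforce mode.
   /usr/sbin/cupsd
0 profiles are in complain mode.'

# Constructed journal lines; the first mirrors the error quoted in the post.
JOURNAL_BROKEN='Aug 22 15:28:06 curie snapd[1189]: backend.go:303: cannot create host snap-confine apparmor configuration: cannot synchronize snap-confine apparmor profile: open /var/lib/snapd/apparmor/profiles/snap-confine.core.5145.PLACEHOLDER~: no such file or directory'
JOURNAL_OK='Aug 22 15:28:06 curie snapd[1189]: daemon started'

# Return 0 if the "enforce mode" section of aa-status lists a snap-confine
# profile; profiles listed only under "complain mode" do not count.
snap_confine_enforced() {
    printf '%s\n' "$1" | awk '
        /in enforce mode/  { e = 1; next }
        /in complain mode/ { e = 0 }
        e && /usr\/lib\/snapd\/snap-confine/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Return 0 if the journal carries the profile-sync failure from the post.
journal_has_sync_error() {
    printf '%s\n' "$1" | grep -q 'cannot synchronize snap-confine apparmor profile'
}

# Combine both signals. The system-key reset from the post only applies when
# the profile is missing AND snapd itself reports the sync failure.
diagnose() {
    if snap_confine_enforced "$1"; then
        echo ok
    elif journal_has_sync_error "$2"; then
        echo reset-system-key
    else
        echo profile-missing-unknown-cause
    fi
}

diagnose "$AA_BROKEN" "$JOURNAL_BROKEN"   # prints "reset-system-key"
```

On a live host, feed it `aa-status` output and `journalctl -u snapd` output instead of the constructed samples.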
This seems like a bug, if only in the upgrade path. I’d be happy to forward this in the Debian BTS if it’s a Debian-specific issue as well.
I hope that helps!