= AppArmor =
Time: 2023-09-21T12:3
Log: apparmor="DENIED" operation="open" class="file" profile="snap.bandwhich.bandwhich" name="/proc/276267/mountinfo" pid=276267 comm="bandwhich" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /proc/276267/mountinfo (read)
Suggestions:
* adjust program to not access '@{PROC}/@{pid}/mountinfo'
* add one of 'mount-control, mount-observe, steam-support' to 'plugs'
= AppArmor =
Time: 2023-09-21T12:3
Log: apparmor="DENIED" operation="ptrace" class="ptrace" profile="snap.bandwhich.bandwhich" pid=276267 comm="display_handler" requested_mask="read" denied_mask="read" peer="unconfined"
Ptrace: peer=unconfined (read)
Suggestions:
* add 'system-observe' to 'plugs'
* do nothing if program otherwise works properly
So I added and connected system-observe and mount-observe and re-ran. Same output in the application, no process names. Now I get this:
= AppArmor =
Time: 2023-09-21T12:3
Log: apparmor="DENIED" operation="capable" class="cap" profile="/usr/lib/snapd/snap-confine" pid=282603 comm="snap-confine" capability=12 capname="net_admin"
Capability: net_admin
Suggestions:
* adjust program to not require 'CAP_NET_ADMIN' (see 'man 7 capabilities')
* add one of 'bluetooth-control, firewall-control, netlink-audit, netlink-connector, network-control, qualcomm-ipc-router' to 'plugs'
* do nothing if using systemd utility (eg, timedatectl): https://forum.snapcraft.io/t/managing-time-date-and-timezone-in-ubuntu-core/408/44
* do nothing (https://launchpad.net/bugs/1465724)
= AppArmor =
Time: 2023-09-21T12:3
Log: apparmor="DENIED" operation="open" class="file" profile="snap.bandwhich.bandwhich" name="/sys/fs/cgroup/system.slice/snap.bandwhich.bandwhich-68836d05-8c61-49da-ad85-48f5e48238c2.scope/cpu.max" pid=282603 comm="bandwhich" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /sys/fs/cgroup/system.slice/snap.bandwhich.bandwhich-68836d05-8c61-49da-ad85-48f5e48238c2.scope/cpu.max (read)
Suggestions:
* adjust program to not access '/sys/fs/cgroup/system.slice/snap.bandwhich.bandwhich-68836d05-8c61-49da-ad85-48f5e48238c2.scope/cpu.max'
* adjust program to not access '/sys/fs/cgroup/system.slice/snap.bandwhich.bandwhich-[0-9]*d[0-9]*-[0-9]*c[0-9]*-[0-9]*da-ad[0-9]*-[0-9]*f[0-9]*e[0-9]*c[0-9]*.scope/cpu.max'
= AppArmor =
Time: 2023-09-21T12:3
Log: apparmor="DENIED" operation="capable" class="cap" profile="snap.bandwhich.bandwhich" pid=282603 comm="display_handler" capability=2 capname="dac_read_search"
Capability: dac_read_search
Suggestions:
* adjust program to not require 'CAP_DAC_READ_SEARCH' (see 'man 7 capabilities')
* add one of 'microstack-support, system-backup' to 'plugs'
* do nothing if program otherwise works properly
So I added system-backup and it’s the same.
= AppArmor =
Time: 2023-09-21T12:5
Log: apparmor="DENIED" operation="capable" class="cap" profile="/usr/lib/snapd/snap-confine" pid=334512 comm="snap-confine" capability=12 capname="net_admin"
Capability: net_admin
Suggestions:
* adjust program to not require 'CAP_NET_ADMIN' (see 'man 7 capabilities')
* add one of 'bluetooth-control, firewall-control, netlink-audit, netlink-connector, network-control, qualcomm-ipc-router' to 'plugs'
* do nothing if using systemd utility (eg, timedatectl): https://forum.snapcraft.io/t/managing-time-date-and-timezone-in-ubuntu-core/408/44
* do nothing (https://launchpad.net/bugs/1465724)
= AppArmor =
Time: 2023-09-21T12:5
Log: apparmor="DENIED" operation="open" class="file" profile="snap.bandwhich.bandwhich" name="/sys/fs/cgroup/system.slice/snap.bandwhich.bandwhich-e7aad05d-8f86-42a1-98db-6cc92d7d6180.scope/cpu.max" pid=334512 comm="bandwhich" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /sys/fs/cgroup/system.slice/snap.bandwhich.bandwhich-e7aad05d-8f86-42a1-98db-6cc92d7d6180.scope/cpu.max (read)
Suggestions:
* adjust program to not access '/sys/fs/cgroup/system.slice/snap.bandwhich.bandwhich-e7aad05d-8f86-42a1-98db-6cc92d7d6180.scope/cpu.max'
* adjust program to not access '/sys/fs/cgroup/system.slice/snap.bandwhich.bandwhich-e[0-9]*aad[0-9]*d-[0-9]*f[0-9]*-[0-9]*a[0-9]*-[0-9]*db-[0-9]*cc[0-9]*d[0-9]*d[0-9]*.scope/cpu.max'
None of the remaining recommended plugs look right.
The snap-confine denial is a false positive and not actually something with your app. For the cpu.max thing I’d try a system-files interface and see if that solves it…
Seems like that app is merely a wrapper around lsof -n -P -i4 -i6 +c 0, so I’d try to run it with snap run --strace='-vf -s256 -e openat' and look for errors.
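An added example, not written by anyone in this thread: a Python triage script for denial lines like those quoted above. It separates denials logged against the snap's own profile from those logged against other profiles such as snap-confine, and collapses the per-run scope UUID and pid so that repeated runs de-duplicate. The function names are illustrative; the sample lines are copied from the thread.

```python
import re

# Denial lines copied from the thread above (two runs, different scope UUIDs).
SAMPLE = [
    'apparmor="DENIED" operation="ptrace" class="ptrace" profile="snap.bandwhich.bandwhich" pid=276267 comm="display_handler" requested_mask="read" denied_mask="read" peer="unconfined"',
    'apparmor="DENIED" operation="capable" class="cap" profile="/usr/lib/snapd/snap-confine" pid=282603 comm="snap-confine" capability=12 capname="net_admin"',
    'apparmor="DENIED" operation="open" class="file" profile="snap.bandwhich.bandwhich" name="/sys/fs/cgroup/system.slice/snap.bandwhich.bandwhich-68836d05-8c61-49da-ad85-48f5e48238c2.scope/cpu.max" pid=282603 comm="bandwhich" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'apparmor="DENIED" operation="capable" class="cap" profile="snap.bandwhich.bandwhich" pid=282603 comm="display_handler" capability=2 capname="dac_read_search"',
    'apparmor="DENIED" operation="open" class="file" profile="snap.bandwhich.bandwhich" name="/sys/fs/cgroup/system.slice/snap.bandwhich.bandwhich-e7aad05d-8f86-42a1-98db-6cc92d7d6180.scope/cpu.max" pid=334512 comm="bandwhich" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
]

PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')      # key="quoted value" or key=bare
UUID = re.compile(r'[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}')
PROC_PID = re.compile(r'^/proc/\d+/')

def parse_denial(line):
    """Split one AppArmor audit message into a dict of its key=value fields."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in PAIR.finditer(line)}

def describe(f):
    """Stable one-line summary; per-run UUIDs and pids become placeholders."""
    if f.get("operation") == "capable":
        return "capability " + f.get("capname", "?")
    if f.get("class") == "ptrace":
        return "ptrace %s peer=%s" % (f.get("denied_mask", "?"), f.get("peer", "?"))
    name = PROC_PID.sub("/proc/@{pid}/", UUID.sub("<uuid>", f.get("name", "?")))
    return "%s %s (%s)" % (f.get("operation", "?"), name, f.get("denied_mask", "?"))

def triage(lines, snap_profile):
    """Group de-duplicated denials by whether they hit the snap's own profile."""
    groups = {"own": set(), "other": set()}
    for line in lines:
        f = parse_denial(line)
        if f.get("apparmor") != "DENIED":
            continue  # not a denial record
        side = "own" if f.get("profile") == snap_profile else "other"
        groups[side].add(describe(f))
    return {k: sorted(v) for k, v in groups.items()}

if __name__ == "__main__":
    for side, items in triage(SAMPLE, "snap.bandwhich.bandwhich").items():
        for item in items:
            print(side, "|", item)
```

Entries under "other" were logged against a different profile than the snap's own, which is the case the reply above describes for the snap-confine denial.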