Bitwarden won't launch - permission denied on .last_revision

> snap run --trace-exec bitwarden                                    
/snap/bitwarden/110/desktop-init.sh: line 14: /home/yamiyuki/snap/bitwarden/110/.last_revision: Permission denied
Slowest 3 exec calls during snap run:
  0.030s /snap/snapd/21759/usr/lib/snapd/snap-confine
  0.007s /usr/lib/snapd/snap-exec
  0.008s /snap/bitwarden/110/command.sh
Total time: 0.053s
error: exit status 1

I checked its UNIX permissions and all seems to be in order:

-rw-rw-r-- 1 yamiyuki yamiyuki 31 Jun  7 23:44 /home/yamiyuki/snap/bitwarden/110/.last_revision

I purged it beforehand, and this one is a clean install

Out of interest, what’s the permissions on the current folder/symlink and the permissions on the 110 folder themselves?

> ls -ld /home/yamiyuki/snap/bitwarden/110/             
drwxr-xr-x 1 yamiyuki yamiyuki 54 Jun  7 23:44 /home/yamiyuki/snap/bitwarden/110/

> ls -ld /home/yamiyuki/snap/bitwarden/                 
drwxr-xr-x 1 yamiyuki yamiyuki 32 Jun  7 23:44 /home/yamiyuki/snap/bitwarden/

> ls -ld /home/yamiyuki/snap/bitwarden/current 
lrwxrwxrwx 1 yamiyuki yamiyuki 3 Jun  7 23:44 /home/yamiyuki/snap/bitwarden/current -> 110

It’s far enough into the initialisation that snappy-debug could prove useful. Could you please try sudo snap install snappy-debug, and then snap run snappy-debug in a second terminal, whilst running Bitwarden.

Hopefully it’ll help paint a clearer picture of what’s going on :slight_smile:

Just this:

= AppArmor =
Time: Jun  8 15:36:28
Log: apparmor="DENIED" operation="capable" class="cap" profile="snap.bitwarden.bitwarden" pid=2119433 comm="desktop-init.sh" capability=2  capname="dac_read_search"
Capability: dac_read_search
Suggestions:
* adjust program to not require 'CAP_DAC_READ_SEARCH' (see 'man 7 capabilities')
* add one of 'microstack-support, system-backup' to 'plugs'
* do nothing if program otherwise works properly

Here’s the full message, which has a lot of other snaps in there:

kernel.printk_ratelimit = 0
= AppArmor =
Time: Jun  8 15:36:28
Log: apparmor="DENIED" operation="ptrace" class="ptrace" profile="snap.discord.discord" pid=6221 comm="Utils" requested_mask="read" denied_mask="read" peer="unconfined"
Ptrace: peer=unconfined (read)
Suggestions:
* add 'system-observe' to 'plugs'
* do nothing if program otherwise works properly

= AppArmor =
Time: Jun  8 15:36:28
Log: apparmor="DENIED" operation="open" class="file" profile="snap.discord.discord" name="/proc/4443/cmdline" pid=6221 comm="Utils" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /proc/4443/cmdline (read)
Suggestion:
* adjust program to not access '@{PROC}/@{pid}/cmdline'

= AppArmor =
Time: Jun  8 15:36:28
Log: apparmor="DENIED" operation="ptrace" class="ptrace" profile="snap.discord.discord" pid=6221 comm="Utils" requested_mask="read" denied_mask="read" peer="unconfined"
Ptrace: peer=unconfined (read)
Suggestions:
* add 'system-observe' to 'plugs'
* do nothing if program otherwise works properly

= AppArmor =
Time: Jun  8 15:36:28
Log: apparmor="DENIED" operation="open" class="file" profile="snap.discord.discord" name="/proc/4710/cmdline" pid=6221 comm="Utils" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /proc/4710/cmdline (read)
Suggestion:
* adjust program to not access '@{PROC}/@{pid}/cmdline'

= AppArmor =
Time: Jun  8 15:36:28
Log: apparmor="DENIED" operation="ptrace" class="ptrace" profile="snap.discord.discord" pid=6221 comm="Utils" requested_mask="read" denied_mask="read" peer="unconfined"
Ptrace: peer=unconfined (read)
Suggestions:
* add 'system-observe' to 'plugs'
* do nothing if program otherwise works properly

= AppArmor =
Time: Jun  8 15:36:28
Log: apparmor="DENIED" operation="open" class="file" profile="snap.discord.discord" name="/proc/4963/cmdline" pid=6221 comm="Utils" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /proc/4963/cmdline (read)
Suggestion:
* adjust program to not access '@{PROC}/@{pid}/cmdline'

= AppArmor =
Time: Jun  8 15:36:28
Log: apparmor="DENIED" operation="ptrace" class="ptrace" profile="snap.discord.discord" pid=6221 comm="Utils" requested_mask="read" denied_mask="read" peer="unconfined"
Ptrace: peer=unconfined (read)
Suggestions:
* add 'system-observe' to 'plugs'
* do nothing if program otherwise works properly

= AppArmor =
Time: Jun  8 15:36:28
Log: apparmor="DENIED" operation="ptrace" class="ptrace" profile="snap.discord.discord" pid=6221 comm="Utils" requested_mask="read" denied_mask="read" peer="snap.firefox.firefox"
Ptrace: peer=snap.firefox.firefox (read)
Suggestions:
* add 'system-observe' to 'plugs'
* do nothing if program otherwise works properly

= AppArmor =
Time: Jun  8 15:36:28
Log: apparmor="DENIED" operation="ptrace" class="ptrace" profile="snap.discord.discord" pid=6221 comm="Utils" requested_mask="read" denied_mask="read" peer="unconfined"
Ptrace: peer=unconfined (read)
Suggestions:
* add 'system-observe' to 'plugs'
* do nothing if program otherwise works properly

= AppArmor =
Time: Jun  8 15:36:28
Log: apparmor="DENIED" operation="ptrace" class="ptrace" profile="snap.discord.discord" pid=6221 comm="Utils" requested_mask="read" denied_mask="read" peer="snap.firefox.firefox"
Ptrace: peer=snap.firefox.firefox (read)
Suggestions:
* add 'system-observe' to 'plugs'
* do nothing if program otherwise works properly

= AppArmor =
Time: Jun  8 15:36:28
Log: apparmor="DENIED" operation="open" class="file" profile="snap.discord.discord" name="/proc/390731/cmdline" pid=6221 comm="Utils" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /proc/390731/cmdline (read)
Suggestion:
* adjust program to not access '@{PROC}/@{pid}/cmdline'

= AppArmor =
Time: Jun  8 15:36:28
Log: apparmor="DENIED" operation="ptrace" class="ptrace" profile="snap.discord.discord" pid=6221 comm="Utils" requested_mask="read" denied_mask="read" peer="unconfined"
Ptrace: peer=unconfined (read)
Suggestions:
* add 'system-observe' to 'plugs'
* do nothing if program otherwise works properly

= AppArmor =
Time: Jun  8 15:36:28
Log: apparmor="DENIED" operation="ptrace" class="ptrace" profile="snap.discord.discord" pid=6221 comm="Utils" requested_mask="read" denied_mask="read" peer="snap.jellyfinmediaplayer.jellyfinmediaplayer"
Ptrace: peer=snap.jellyfinmediaplayer.jellyfinmediaplayer (read)
Suggestions:
* add 'system-observe' to 'plugs'
* do nothing if program otherwise works properly

= AppArmor =
Time: Jun  8 15:36:28
Log: apparmor="DENIED" operation="ptrace" class="ptrace" profile="snap.discord.discord" pid=6221 comm="Utils" requested_mask="read" denied_mask="read" peer="snap.thunderbird.thunderbird"
Ptrace: peer=snap.thunderbird.thunderbird (read)
Suggestions:
* add 'system-observe' to 'plugs'
* do nothing if program otherwise works properly

= AppArmor =
Time: Jun  8 15:36:28
Log: apparmor="DENIED" operation="ptrace" class="ptrace" profile="snap.discord.discord" pid=6221 comm="Utils" requested_mask="read" denied_mask="read" peer="unconfined"
Ptrace: peer=unconfined (read)
Suggestions:
* add 'system-observe' to 'plugs'
* do nothing if program otherwise works properly

= AppArmor =
Time: Jun  8 15:36:28
Log: apparmor="DENIED" operation="capable" class="cap" profile="snap.bitwarden.bitwarden" pid=2119433 comm="desktop-init.sh" capability=2  capname="dac_read_search"
Capability: dac_read_search
Suggestions:
* adjust program to not require 'CAP_DAC_READ_SEARCH' (see 'man 7 capabilities')
* add one of 'microstack-support, system-backup' to 'plugs'
* do nothing if program otherwise works properly

= AppArmor =
Time: Jun  8 15:36:33
Log: apparmor="DENIED" operation="ptrace" class="ptrace" profile="snap.discord.discord" pid=6221 comm="Utils" requested_mask="read" denied_mask="read" peer="unconfined"
Ptrace: peer=unconfined (read)
Suggestions:
* add 'system-observe' to 'plugs'
* do nothing if program otherwise works properly

= AppArmor =
Time: Jun  8 15:36:33
Log: apparmor="DENIED" operation="open" class="file" profile="snap.discord.discord" name="/proc/4443/cmdline" pid=6221 comm="Utils" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /proc/4443/cmdline (read)
Suggestion:
* adjust program to not access '@{PROC}/@{pid}/cmdline'

= AppArmor =
Time: Jun  8 15:36:33
Log: apparmor="DENIED" operation="ptrace" class="ptrace" profile="snap.discord.discord" pid=6221 comm="Utils" requested_mask="read" denied_mask="read" peer="unconfined"
Ptrace: peer=unconfined (read)
Suggestions:
* add 'system-observe' to 'plugs'
* do nothing if program otherwise works properly

= AppArmor =
Time: Jun  8 15:36:33
Log: apparmor="DENIED" operation="open" class="file" profile="snap.discord.discord" name="/proc/4710/cmdline" pid=6221 comm="Utils" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /proc/4710/cmdline (read)
Suggestion:
* adjust program to not access '@{PROC}/@{pid}/cmdline'

= AppArmor =
Time: Jun  8 15:36:33
Log: apparmor="DENIED" operation="ptrace" class="ptrace" profile="snap.discord.discord" pid=6221 comm="Utils" requested_mask="read" denied_mask="read" peer="unconfined"
Ptrace: peer=unconfined (read)
Suggestions:
* add 'system-observe' to 'plugs'
* do nothing if program otherwise works properly

= AppArmor =
Time: Jun  8 15:36:33
Log: apparmor="DENIED" operation="open" class="file" profile="snap.discord.discord" name="/proc/4963/cmdline" pid=6221 comm="Utils" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /proc/4963/cmdline (read)
Suggestion:
* adjust program to not access '@{PROC}/@{pid}/cmdline'

= AppArmor =
Time: Jun  8 15:36:33
Log: apparmor="DENIED" operation="ptrace" class="ptrace" profile="snap.discord.discord" pid=6221 comm="Utils" requested_mask="read" denied_mask="read" peer="unconfined"
Ptrace: peer=unconfined (read)
Suggestions:
* add 'system-observe' to 'plugs'
* do nothing if program otherwise works properly

= AppArmor =
Time: Jun  8 15:36:33
Log: apparmor="DENIED" operation="ptrace" class="ptrace" profile="snap.discord.discord" pid=6221 comm="Utils" requested_mask="read" denied_mask="read" peer="snap.firefox.firefox"
Ptrace: peer=snap.firefox.firefox (read)
Suggestions:
* add 'system-observe' to 'plugs'
* do nothing if program otherwise works properly

= AppArmor =
Time: Jun  8 15:36:33
Log: apparmor="DENIED" operation="ptrace" class="ptrace" profile="snap.discord.discord" pid=6221 comm="Utils" requested_mask="read" denied_mask="read" peer="unconfined"
Ptrace: peer=unconfined (read)
Suggestions:
* add 'system-observe' to 'plugs'
* do nothing if program otherwise works properly

= AppArmor =
Time: Jun  8 15:36:33
Log: apparmor="DENIED" operation="ptrace" class="ptrace" profile="snap.discord.discord" pid=6221 comm="Utils" requested_mask="read" denied_mask="read" peer="snap.firefox.firefox"
Ptrace: peer=snap.firefox.firefox (read)
Suggestions:
* add 'system-observe' to 'plugs'
* do nothing if program otherwise works properly

= AppArmor =
Time: Jun  8 15:36:33
Log: apparmor="DENIED" operation="open" class="file" profile="snap.discord.discord" name="/proc/390731/cmdline" pid=6221 comm="Utils" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /proc/390731/cmdline (read)
Suggestion:
* adjust program to not access '@{PROC}/@{pid}/cmdline'

= AppArmor =
Time: Jun  8 15:36:33
Log: apparmor="DENIED" operation="ptrace" class="ptrace" profile="snap.discord.discord" pid=6221 comm="Utils" requested_mask="read" denied_mask="read" peer="unconfined"
Ptrace: peer=unconfined (read)
Suggestions:
* add 'system-observe' to 'plugs'
* do nothing if program otherwise works properly

= AppArmor =
Time: Jun  8 15:36:33
Log: apparmor="DENIED" operation="ptrace" class="ptrace" profile="snap.discord.discord" pid=6221 comm="Utils" requested_mask="read" denied_mask="read" peer="snap.jellyfinmediaplayer.jellyfinmediaplayer"
Ptrace: peer=snap.jellyfinmediaplayer.jellyfinmediaplayer (read)
Suggestions:
* add 'system-observe' to 'plugs'
* do nothing if program otherwise works properly

= AppArmor =
Time: Jun  8 15:36:33
Log: apparmor="DENIED" operation="ptrace" class="ptrace" profile="snap.discord.discord" pid=6221 comm="Utils" requested_mask="read" denied_mask="read" peer="snap.thunderbird.thunderbird"
Ptrace: peer=snap.thunderbird.thunderbird (read)
Suggestions:
* add 'system-observe' to 'plugs'
* do nothing if program otherwise works properly

= AppArmor =
Time: Jun  8 15:36:33
Log: apparmor="DENIED" operation="ptrace" class="ptrace" profile="snap.discord.discord" pid=6221 comm="Utils" requested_mask="read" denied_mask="read" peer="unconfined"
Ptrace: peer=unconfined (read)
Suggestions:
* add 'system-observe' to 'plugs'
* do nothing if program otherwise works properly

= AppArmor =
Time: Jun  8 15:36:35
Log: apparmor="DENIED" operation="open" class="file" profile="snap.jellyfinmediaplayer.jellyfinmediaplayer" name="/run/udev/data/c4:28" pid=2050201 comm="InputCEC" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /run/udev/data/c4:28 (read)
Suggestions:
* adjust program to use $SNAP_DATA
* adjust program to use /run/shm/snap.$SNAP_NAME.*
* adjust program to use /run/snap.$SNAP_NAME.*
* adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)
* add 'hardware-observe' to 'plugs'

= AppArmor =
Time: Jun  8 15:36:35
Log: apparmor="DENIED" operation="open" class="file" profile="snap.jellyfinmediaplayer.jellyfinmediaplayer" name="/run/udev/data/c4:79" pid=2050201 comm="InputCEC" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /run/udev/data/c4:79 (read)
Suggestions:
* adjust program to use $SNAP_DATA
* adjust program to use /run/shm/snap.$SNAP_NAME.*
* adjust program to use /run/snap.$SNAP_NAME.*
* adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)
* add 'hardware-observe' to 'plugs'

= AppArmor =
Time: Jun  8 15:36:35
Log: apparmor="DENIED" operation="open" class="file" profile="snap.jellyfinmediaplayer.jellyfinmediaplayer" name="/run/udev/data/c5:2" pid=2050201 comm="InputCEC" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /run/udev/data/c5:2 (read)
Suggestions:
* adjust program to use $SNAP_DATA
* adjust program to use /run/shm/snap.$SNAP_NAME.*
* adjust program to use /run/snap.$SNAP_NAME.*
* adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)
* add 'hardware-observe' to 'plugs'

= AppArmor =
Time: Jun  8 15:36:35
Log: apparmor="DENIED" operation="open" class="file" profile="snap.jellyfinmediaplayer.jellyfinmediaplayer" name="/run/udev/data/c4:56" pid=2050201 comm="InputCEC" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /run/udev/data/c4:56 (read)
Suggestions:
* adjust program to use $SNAP_DATA
* adjust program to use /run/shm/snap.$SNAP_NAME.*
* adjust program to use /run/snap.$SNAP_NAME.*
* adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)
* add 'hardware-observe' to 'plugs'

= AppArmor =
Time: Jun  8 15:36:35
Log: apparmor="DENIED" operation="open" class="file" profile="snap.jellyfinmediaplayer.jellyfinmediaplayer" name="/run/udev/data/c4:18" pid=2050201 comm="InputCEC" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /run/udev/data/c4:18 (read)
Suggestions:
* adjust program to use $SNAP_DATA
* adjust program to use /run/shm/snap.$SNAP_NAME.*
* adjust program to use /run/snap.$SNAP_NAME.*
* adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)
* add 'hardware-observe' to 'plugs'

= AppArmor =
Time: Jun  8 15:36:35
Log: apparmor="DENIED" operation="open" class="file" profile="snap.jellyfinmediaplayer.jellyfinmediaplayer" name="/run/udev/data/c4:1" pid=2050201 comm="InputCEC" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /run/udev/data/c4:1 (read)
Suggestions:
* adjust program to use $SNAP_DATA
* adjust program to use /run/shm/snap.$SNAP_NAME.*
* adjust program to use /run/snap.$SNAP_NAME.*
* adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)
* add 'hardware-observe' to 'plugs'

= AppArmor =
Time: Jun  8 15:36:35
Log: apparmor="DENIED" operation="open" class="file" profile="snap.jellyfinmediaplayer.jellyfinmediaplayer" name="/run/udev/data/c4:46" pid=2050201 comm="InputCEC" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /run/udev/data/c4:46 (read)
Suggestions:
* adjust program to use $SNAP_DATA
* adjust program to use /run/shm/snap.$SNAP_NAME.*
* adjust program to use /run/snap.$SNAP_NAME.*
* adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)
* add 'hardware-observe' to 'plugs'

= AppArmor =
Time: Jun  8 15:36:35
Log: apparmor="DENIED" operation="open" class="file" profile="snap.jellyfinmediaplayer.jellyfinmediaplayer" name="/run/udev/data/c4:70" pid=2050201 comm="InputCEC" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /run/udev/data/c4:70 (read)
Suggestions:
* adjust program to use $SNAP_DATA
* adjust program to use /run/shm/snap.$SNAP_NAME.*
* adjust program to use /run/snap.$SNAP_NAME.*
* adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)
* add 'hardware-observe' to 'plugs'

= AppArmor =
Time: Jun  8 15:36:35
Log: apparmor="DENIED" operation="open" class="file" profile="snap.jellyfinmediaplayer.jellyfinmediaplayer" name="/run/udev/data/c4:36" pid=2050201 comm="InputCEC" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /run/udev/data/c4:36 (read)
Suggestions:
* adjust program to use $SNAP_DATA
* adjust program to use /run/shm/snap.$SNAP_NAME.*
* adjust program to use /run/snap.$SNAP_NAME.*
* adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)
* add 'hardware-observe' to 'plugs'

= AppArmor =
Time: Jun  8 15:36:35
Log: apparmor="DENIED" operation="open" class="file" profile="snap.jellyfinmediaplayer.jellyfinmediaplayer" name="/run/udev/data/c4:87" pid=2050201 comm="InputCEC" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /run/udev/data/c4:87 (read)
Suggestions:
* adjust program to use $SNAP_DATA
* adjust program to use /run/shm/snap.$SNAP_NAME.*
* adjust program to use /run/snap.$SNAP_NAME.*
* adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)
* add 'hardware-observe' to 'plugs'

= AppArmor =
Time: Jun  8 15:36:35
Log: apparmor="DENIED" operation="open" class="file" profile="snap.jellyfinmediaplayer.jellyfinmediaplayer" name="/run/udev/data/c4:26" pid=2050201 comm="InputCEC" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /run/udev/data/c4:26 (read)
Suggestions:
* adjust program to use $SNAP_DATA
* adjust program to use /run/shm/snap.$SNAP_NAME.*
* adjust program to use /run/snap.$SNAP_NAME.*
* adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)
* add 'hardware-observe' to 'plugs'

= AppArmor =
Time: Jun  8 15:36:35
Log: apparmor="DENIED" operation="open" class="file" profile="snap.jellyfinmediaplayer.jellyfinmediaplayer" name="/run/udev/data/c4:77" pid=2050201 comm="InputCEC" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /run/udev/data/c4:77 (read)
Suggestions:
* adjust program to use $SNAP_DATA
* adjust program to use /run/shm/snap.$SNAP_NAME.*
* adjust program to use /run/snap.$SNAP_NAME.*
* adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)
* add 'hardware-observe' to 'plugs'

= AppArmor =
Time: Jun  8 15:36:35
Log: apparmor="DENIED" operation="open" class="file" profile="snap.jellyfinmediaplayer.jellyfinmediaplayer" name="/run/udev/data/c4:54" pid=2050201 comm="InputCEC" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /run/udev/data/c4:54 (read)
Suggestions:
* adjust program to use $SNAP_DATA
* adjust program to use /run/shm/snap.$SNAP_NAME.*
* adjust program to use /run/snap.$SNAP_NAME.*
* adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)
* add 'hardware-observe' to 'plugs'

= AppArmor =
Time: Jun  8 15:36:35
Log: apparmor="DENIED" operation="open" class="file" profile="snap.jellyfinmediaplayer.jellyfinmediaplayer" name="/run/udev/data/c4:16" pid=2050201 comm="InputCEC" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /run/udev/data/c4:16 (read)
Suggestions:
* adjust program to use $SNAP_DATA
* adjust program to use /run/shm/snap.$SNAP_NAME.*
* adjust program to use /run/snap.$SNAP_NAME.*
* adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)
* add 'hardware-observe' to 'plugs'

= AppArmor =
Time: Jun  8 15:36:35
Log: apparmor="DENIED" operation="open" class="file" profile="snap.jellyfinmediaplayer.jellyfinmediaplayer" name="/run/udev/data/c4:44" pid=2050201 comm="InputCEC" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /run/udev/data/c4:44 (read)
Suggestions:
* adjust program to use $SNAP_DATA
* adjust program to use /run/shm/snap.$SNAP_NAME.*
* adjust program to use /run/snap.$SNAP_NAME.*
* adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)
* add 'hardware-observe' to 'plugs'

= AppArmor =
Time: Jun  8 15:36:35
Log: apparmor="DENIED" operation="open" class="file" profile="snap.jellyfinmediaplayer.jellyfinmediaplayer" name="/run/udev/data/c4:95" pid=2050201 comm="InputCEC" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /run/udev/data/c4:95 (read)
Suggestions:
* adjust program to use $SNAP_DATA
* adjust program to use /run/shm/snap.$SNAP_NAME.*
* adjust program to use /run/snap.$SNAP_NAME.*
* adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)
* add 'hardware-observe' to 'plugs'

= AppArmor =
Time: Jun  8 15:36:35
Log: apparmor="DENIED" operation="open" class="file" profile="snap.jellyfinmediaplayer.jellyfinmediaplayer" name="/run/udev/data/c5:1" pid=2050201 comm="InputCEC" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /run/udev/data/c5:1 (read)
Suggestions:
* adjust program to use $SNAP_DATA
* adjust program to use /run/shm/snap.$SNAP_NAME.*
* adjust program to use /run/snap.$SNAP_NAME.*
* adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)
* add 'hardware-observe' to 'plugs'

= AppArmor =
Time: Jun  8 15:36:35
Log: apparmor="DENIED" operation="open" class="file" profile="snap.jellyfinmediaplayer.jellyfinmediaplayer" name="/run/udev/data/c4:68" pid=2050201 comm="InputCEC" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /run/udev/data/c4:68 (read)
Suggestions:
* adjust program to use $SNAP_DATA
* adjust program to use /run/shm/snap.$SNAP_NAME.*
* adjust program to use /run/snap.$SNAP_NAME.*
* adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)
* add 'hardware-observe' to 'plugs'

= AppArmor =
Time: Jun  8 15:36:35
Log: apparmor="DENIED" operation="open" class="file" profile="snap.jellyfinmediaplayer.jellyfinmediaplayer" name="/run/udev/data/c4:34" pid=2050201 comm="InputCEC" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /run/udev/data/c4:34 (read)
Suggestions:
* adjust program to use $SNAP_DATA
* adjust program to use /run/shm/snap.$SNAP_NAME.*
* adjust program to use /run/snap.$SNAP_NAME.*
* adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)
* add 'hardware-observe' to 'plugs'

= AppArmor =
Time: Jun  8 15:36:35
Log: apparmor="DENIED" operation="open" class="file" profile="snap.jellyfinmediaplayer.jellyfinmediaplayer" name="/run/udev/data/c4:85" pid=2050201 comm="InputCEC" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /run/udev/data/c4:85 (read)
Suggestions:
* adjust program to use $SNAP_DATA
* adjust program to use /run/shm/snap.$SNAP_NAME.*
* adjust program to use /run/snap.$SNAP_NAME.*
* adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)
* add 'hardware-observe' to 'plugs'

= AppArmor =
Time: Jun  8 15:36:35
Log: apparmor="DENIED" operation="open" class="file" profile="snap.jellyfinmediaplayer.jellyfinmediaplayer" name="/run/udev/data/c4:62" pid=2050201 comm="InputCEC" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /run/udev/data/c4:62 (read)
Suggestions:
* adjust program to use $SNAP_DATA
* adjust program to use /run/shm/snap.$SNAP_NAME.*
* adjust program to use /run/snap.$SNAP_NAME.*
* adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)
* add 'hardware-observe' to 'plugs'

= AppArmor =
Time: Jun  8 15:36:35
Log: apparmor="DENIED" operation="open" class="file" profile="snap.jellyfinmediaplayer.jellyfinmediaplayer" name="/run/udev/data/c4:24" pid=2050201 comm="InputCEC" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /run/udev/data/c4:24 (read)
Suggestions:
* adjust program to use $SNAP_DATA
* adjust program to use /run/shm/snap.$SNAP_NAME.*
* adjust program to use /run/snap.$SNAP_NAME.*
* adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)
* add 'hardware-observe' to 'plugs'

= AppArmor =
Time: Jun  8 15:36:35
Log: apparmor="DENIED" operation="open" class="file" profile="snap.jellyfinmediaplayer.jellyfinmediaplayer" name="/run/udev/data/c4:75" pid=2050201 comm="InputCEC" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /run/udev/data/c4:75 (read)
Suggestions:
* adjust program to use $SNAP_DATA
* adjust program to use /run/shm/snap.$SNAP_NAME.*
* adjust program to use /run/snap.$SNAP_NAME.*
* adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)
* add 'hardware-observe' to 'plugs'

= AppArmor =
Time: Jun  8 15:36:35
Log: apparmor="DENIED" operation="open" class="file" profile="snap.jellyfinmediaplayer.jellyfinmediaplayer" name="/run/udev/data/c4:8" pid=2050201 comm="InputCEC" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /run/udev/data/c4:8 (read)
Suggestions:
* adjust program to use $SNAP_DATA
* adjust program to use /run/shm/snap.$SNAP_NAME.*
* adjust program to use /run/snap.$SNAP_NAME.*
* adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)
* add 'hardware-observe' to 'plugs'

= AppArmor =
Time: Jun  8 15:36:35
Log: apparmor="DENIED" operation="open" class="file" profile="snap.jellyfinmediaplayer.jellyfinmediaplayer" name="/run/udev/data/c4:52" pid=2050201 comm="InputCEC" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /run/udev/data/c4:52 (read)
Suggestions:
* adjust program to use $SNAP_DATA
* adjust program to use /run/shm/snap.$SNAP_NAME.*
* adjust program to use /run/snap.$SNAP_NAME.*
* adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)
* add 'hardware-observe' to 'plugs'

= AppArmor =
Time: Jun  8 15:36:35
Log: apparmor="DENIED" operation="open" class="file" profile="snap.jellyfinmediaplayer.jellyfinmediaplayer" name="/run/udev/data/c4:14" pid=2050201 comm="InputCEC" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /run/udev/data/c4:14 (read)
Suggestions:
* adjust program to use $SNAP_DATA
* adjust program to use /run/shm/snap.$SNAP_NAME.*
* adjust program to use /run/snap.$SNAP_NAME.*
* adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)
* add 'hardware-observe' to 'plugs'

= AppArmor =
Time: Jun  8 15:36:35
Log: apparmor="DENIED" operation="open" class="file" profile="snap.jellyfinmediaplayer.jellyfinmediaplayer" name="/run/udev/data/c4:42" pid=2050201 comm="InputCEC" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /run/udev/data/c4:42 (read)
Suggestions:
* adjust program to use $SNAP_DATA
* adjust program to use /run/shm/snap.$SNAP_NAME.*
* adjust program to use /run/snap.$SNAP_NAME.*
* adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)
* add 'hardware-observe' to 'plugs'

= AppArmor =
Time: Jun  8 15:36:35
Log: apparmor="DENIED" operation="open" class="file" profile="snap.jellyfinmediaplayer.jellyfinmediaplayer" name="/run/udev/data/c4:66" pid=2050201 comm="InputCEC" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /run/udev/data/c4:66 (read)
Suggestions:
* adjust program to use $SNAP_DATA
* adjust program to use /run/shm/snap.$SNAP_NAME.*
* adjust program to use /run/snap.$SNAP_NAME.*
* adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)
* add 'hardware-observe' to 'plugs'

= AppArmor =
Time: Jun  8 15:36:35
Log: apparmor="DENIED" operation="open" class="file" profile="snap.jellyfinmediaplayer.jellyfinmediaplayer" name="/run/udev/data/c4:32" pid=2050201 comm="InputCEC" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /run/udev/data/c4:32 (read)
Suggestions:
* adjust program to use $SNAP_DATA
* adjust program to use /run/shm/snap.$SNAP_NAME.*
* adjust program to use /run/snap.$SNAP_NAME.*
* adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)
* add 'hardware-observe' to 'plugs'

= AppArmor =
Time: Jun  8 15:36:35
Log: apparmor="DENIED" operation="open" class="file" profile="snap.jellyfinmediaplayer.jellyfinmediaplayer" name="/run/udev/data/c4:60" pid=2050201 comm="InputCEC" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /run/udev/data/c4:60 (read)
Suggestions:
* adjust program to use $SNAP_DATA
* adjust program to use /run/shm/snap.$SNAP_NAME.*
* adjust program to use /run/snap.$SNAP_NAME.*
* adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)
* add 'hardware-observe' to 'plugs'

Hm… I would try adding ‘system-backup’ plug and check if it helped :slight_smile:

Did you removed the snap before using snap remove --purge? Also, try removing the $HOME/snap/bitwarden folder once again, even if you did purge the snap before. I tried in 24.04 and it was completely fine.

Strange. Still no dice

I made sure that Bitwarden isn’t in /snap and ~/snap

└[~]> sudo snap remove --purge bitwarden  
bitwarden removed
└[~]> sudo snap install bitwarden         
bitwarden 2024.5.0 from 8bit Solutions LLC (bitwarden✓) installed
└[~]> ls -l /snap/bitwarden 
total 4
drwxrwxrwx 10 root root 586 May 21 15:31 110
lrwxrwxrwx  1 root root   3 Jun  8 18:57 current -> 110
> ls -l snap/bitwarden 
total 4
drwxr-xr-x 1 yamiyuki yamiyuki 54 Jun  8 18:59 110
drwxr-xr-x 1 yamiyuki yamiyuki 12 Jun  8 18:59 common
lrwxrwxrwx 1 yamiyuki yamiyuki  3 Jun  8 18:57 current -> 110
└[~]> snap run --trace-exec bitwarden   
/snap/bitwarden/110/desktop-init.sh: line 14: /home/yamiyuki/snap/bitwarden/110/.last_revision: Permission denied
Slowest 4 exec calls during snap run:
  0.497s snap-update-ns
  0.531s /snap/snapd/21759/usr/lib/snapd/snap-confine
  0.009s /usr/lib/snapd/snap-exec
  0.008s /snap/bitwarden/110/command.sh
Total time: 0.557s
error: exit status 1
└[~]> ls -l /home/yamiyuki/snap/bitwarden/110/.  
└[~]> ls -l /home/yamiyuki/snap/bitwarden/110/.last_revision
ls: cannot access '/home/yamiyuki/snap/bitwarden/110/.last_revision': No such file or directory

This is after I launched from GUI:

└[~]> ls -l /home/yamiyuki/snap/bitwarden/110/.last_revision
-rw-rw-r-- 1 yamiyuki yamiyuki 31 Jun  8 18:59 /home/yamiyuki/snap/bitwarden/110/.last_revision
└[~]> cat /home/yamiyuki/snap/bitwarden/110/.last_revision
SNAP_DESKTOP_LAST_REVISION=110
└[~]> snap --version 
snap    2.63
snapd   2.63
series  16
tuxedo  22.04
kernel  6.5.0-10040-tuxedo

Strange, I just checked journal, and it’s trying to get inside my Documents (stored in my separate internal HDD)

> sudo journalctl -f | grep -e bitwarden                 
Jun 08 19:09:58 Y4M1-II systemd[4441]: Started snap.bitwarden.bitwarden-2ae4b4b7-2663-44e2-8edd-797af60a4a53.scope.
Jun 08 19:09:58 Y4M1-II audit[2186979]: AVC apparmor="DENIED" operation="open" class="file" profile="snap.bitwarden.bitwarden" name="/media/DATA/WDB4TB/yamiyuki/Documents/" pid=2186979 comm="head" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Jun 08 19:09:58 Y4M1-II audit[2186982]: AVC apparmor="DENIED" operation="rmdir" class="file" profile="snap.bitwarden.bitwarden" name="/media/DATA/WDB4TB/yamiyuki/Documents/" pid=2186982 comm="rmdir" requested_mask="d" denied_mask="d" fsuid=1000 ouid=1000

You should really mention tuxedo in the subject line when opening such threads. Given that tuxedo actively tries to prevent snap execution in their OS as you have shown in another (the zoom) thread, this information is kind of essential for the supporters…

I don’t think it’s Tuxedo, as I tested with standard KDE Neon just now:

Jun 10 20:46:58 Raven-Neon systemd[1512]: Started Bitwarden - Password Manager.
Jun 10 20:46:58 Raven-Neon systemd[1512]: Started snap.bitwarden.bitwarden-40a4110d-6e98-4ba7-bfcb-267458c5ddbe.scope.
Jun 10 20:47:13 Raven-Neon systemd[1512]: Started Bitwarden - Password Manager.
Jun 10 20:47:13 Raven-Neon systemd[1512]: Started snap.bitwarden.bitwarden-34dc2cfd-1874-4629-9d8d-1aa8f633972d.scope.
$ snap --version
snap    2.63
snapd   2.63
series  16
neon    22.04
kernel  6.9.3-1-liquorix-amd64

Also, they were willing to at least look into the os-release issue from the other thread.

Well, again not some standard ubuntu, where does that kernel come from, does it use the ubuntu SAUCE security patches, does it have the correct configuration options enabled etc etc…

2 Likes

Liquorix is custom kernel available at https://liquorix.net/ Probably they don’t ship Ubuntu patches

right, and snapd will simply not know about this if the kernel gets blindly replaced … so it can not cater for potential differences it does not know about … replacing a kernel with a completely unsupported one is actively breaking snap behavior …

But, I think we should work on this. We should make this format agnostic even to kernels. Why should we even rely something from the system? ( I know apparmor, but still, can’t we do anything is such cases?)

1 Like

We already do for all known distros, snapd knows where the confinement has to be used in a degraded manner, but we can not easily protect against people installing random third party kernels from some website

1 Like

This seems relevant here, do you have your Downloads/Documents/Music/etc folders symlinked to an external drive?

Try set those links up as a bind mount in /etc/fstab instead. If they’re symlinks, it could be that AppArmor is seeing their true path and blocking access.

2 Likes

It’s not symlinked at all. I had them directly mapped there

> ls -l /media/DATA/WDB4TB/yamiyuki/   
total 568316
drwxrwxr-x 1 yamiyuki yamiyuki      1204 Jun 10 03:14 backup
drwxrwxr-x 1 yamiyuki yamiyuki       344 Apr 29  2019 DatomicUSB
drwxr-x--- 1 yamiyuki yamiyuki      2072 Jun 11 21:08 Documents
drwxrwxr-x 1 yamiyuki yamiyuki      5082 Jun 15 18:37 Downloads
drwxrwxr-x 1 yamiyuki yamiyuki       706 Jun 11 21:08 Nextcloud
drwxrwxr-x 1 yamiyuki yamiyuki       154 Dec  8  2018 Notes
drwxrwxr-x 1 yamiyuki yamiyuki      3054 Mar  2 09:41 Pictures
drwxr-xr-- 1 yamiyuki yamiyuki       418 Apr 29 19:58 Projects
drwxrwxr-x 1 yamiyuki yamiyuki         0 Jun  8 00:07 Public
drwxrwxr-x 1 yamiyuki yamiyuki         0 Jun  8 00:08 Templates
drwxrwxr-x 1 yamiyuki yamiyuki        14 Apr 14 16:31 VMs

Have you informed snapd you’re using a non-standard $HOME?

sudo snap set system homedirs=/media/DATA/WDB4TB`

Followed by a reboot, let us know if it persists.

My standard home is still in /home. The dot directories are still there.

Documents, Downloads & Pictures are in 1 drive, while my Music & Videos are in another drive

Good news! We can disregard Tuxedo OS as a variable, as my ThinkPad X1 Yoga with single drive and more standard partition works perfectly fine.

sorry. I installed it while back, but I forgot about it as I haven’t used it actively in a few months,

Operating System: TUXEDO OS 3
KDE Plasma Version: 6.1.0
KDE Frameworks Version: 6.3.0
Qt Version: 6.7.0
Kernel Version: 6.5.0-10040-tuxedo (64-bit)
Graphics Platform: Wayland
Processors: 8 × Intel® Core™ i7-10510U CPU @ 1.80GHz
Memory: 15.3 GiB of RAM
Graphics Processor: Mesa Intel® UHD Graphics
Manufacturer: LENOVO
Product Name: 20SA0002US
System Version: ThinkPad X1 Yoga 4th
$ snap version
snap    2.63+22.04
snapd   2.63+22.04
series  16
tuxedo  22.04
kernel  6.5.0-10040-tuxedo