Bitwarden won't launch - permission denied on .last_revision

YamiYukiSenpai · June 8, 2024, 5:12am

> ls -ld /home/yamiyuki/snap/bitwarden/110/             
drwxr-xr-x 1 yamiyuki yamiyuki 54 Jun  7 23:44 /home/yamiyuki/snap/bitwarden/110/

> ls -ld /home/yamiyuki/snap/bitwarden/                 
drwxr-xr-x 1 yamiyuki yamiyuki 32 Jun  7 23:44 /home/yamiyuki/snap/bitwarden/

> ls -ld /home/yamiyuki/snap/bitwarden/current 
lrwxrwxrwx 1 yamiyuki yamiyuki 3 Jun  7 23:44 /home/yamiyuki/snap/bitwarden/current -> 110

James-Carroll · June 8, 2024, 10:14am

It’s far enough into the initialisation that snappy-debug could prove useful. Could you please try sudo snap install snappy-debug, and then snap run snappy-debug in a second terminal, whilst running Bitwarden.

Hopefully it’ll help paint a clearer picture of what’s going on

YamiYukiSenpai · June 8, 2024, 7:38pm

Just this:

= AppArmor =
Time: Jun  8 15:36:28
Log: apparmor="DENIED" operation="capable" class="cap" profile="snap.bitwarden.bitwarden" pid=2119433 comm="desktop-init.sh" capability=2  capname="dac_read_search"
Capability: dac_read_search
Suggestions:
* adjust program to not require 'CAP_DAC_READ_SEARCH' (see 'man 7 capabilities')
* add one of 'microstack-support, system-backup' to 'plugs'
* do nothing if program otherwise works properly

Here’s the full message, which has a lot of other snaps in there:

kernel.printk_ratelimit = 0
= AppArmor =
Time: Jun  8 15:36:28
Log: apparmor="DENIED" operation="ptrace" class="ptrace" profile="snap.discord.discord" pid=6221 comm="Utils" requested_mask="read" denied_mask="read" peer="unconfined"
Ptrace: peer=unconfined (read)
Suggestions:
* add 'system-observe' to 'plugs'
* do nothing if program otherwise works properly

= AppArmor =
Time: Jun  8 15:36:28
Log: apparmor="DENIED" operation="open" class="file" profile="snap.discord.discord" name="/proc/4443/cmdline" pid=6221 comm="Utils" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /proc/4443/cmdline (read)
Suggestion:
* adjust program to not access '@{PROC}/@{pid}/cmdline'

= AppArmor =
Time: Jun  8 15:36:28
Log: apparmor="DENIED" operation="ptrace" class="ptrace" profile="snap.discord.discord" pid=6221 comm="Utils" requested_mask="read" denied_mask="read" peer="unconfined"
Ptrace: peer=unconfined (read)
Suggestions:
* add 'system-observe' to 'plugs'
* do nothing if program otherwise works properly

= AppArmor =
Time: Jun  8 15:36:28
Log: apparmor="DENIED" operation="open" class="file" profile="snap.discord.discord" name="/proc/4710/cmdline" pid=6221 comm="Utils" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /proc/4710/cmdline (read)
Suggestion:
* adjust program to not access '@{PROC}/@{pid}/cmdline'

= AppArmor =
Time: Jun  8 15:36:28
Log: apparmor="DENIED" operation="ptrace" class="ptrace" profile="snap.discord.discord" pid=6221 comm="Utils" requested_mask="read" denied_mask="read" peer="unconfined"
Ptrace: peer=unconfined (read)
Suggestions:
* add 'system-observe' to 'plugs'
* do nothing if program otherwise works properly

= AppArmor =
Time: Jun  8 15:36:28
Log: apparmor="DENIED" operation="open" class="file" profile="snap.discord.discord" name="/proc/4963/cmdline" pid=6221 comm="Utils" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /proc/4963/cmdline (read)
Suggestion:
* adjust program to not access '@{PROC}/@{pid}/cmdline'

= AppArmor =
Time: Jun  8 15:36:28
Log: apparmor="DENIED" operation="ptrace" class="ptrace" profile="snap.discord.discord" pid=6221 comm="Utils" requested_mask="read" denied_mask="read" peer="unconfined"
Ptrace: peer=unconfined (read)
Suggestions:
* add 'system-observe' to 'plugs'
* do nothing if program otherwise works properly

= AppArmor =
Time: Jun  8 15:36:28
Log: apparmor="DENIED" operation="ptrace" class="ptrace" profile="snap.discord.discord" pid=6221 comm="Utils" requested_mask="read" denied_mask="read" peer="snap.firefox.firefox"
Ptrace: peer=snap.firefox.firefox (read)
Suggestions:
* add 'system-observe' to 'plugs'
* do nothing if program otherwise works properly

= AppArmor =
Time: Jun  8 15:36:28
Log: apparmor="DENIED" operation="ptrace" class="ptrace" profile="snap.discord.discord" pid=6221 comm="Utils" requested_mask="read" denied_mask="read" peer="unconfined"
Ptrace: peer=unconfined (read)
Suggestions:
* add 'system-observe' to 'plugs'
* do nothing if program otherwise works properly

= AppArmor =
Time: Jun  8 15:36:28
Log: apparmor="DENIED" operation="ptrace" class="ptrace" profile="snap.discord.discord" pid=6221 comm="Utils" requested_mask="read" denied_mask="read" peer="snap.firefox.firefox"
Ptrace: peer=snap.firefox.firefox (read)
Suggestions:
* add 'system-observe' to 'plugs'
* do nothing if program otherwise works properly

= AppArmor =
Time: Jun  8 15:36:28
Log: apparmor="DENIED" operation="open" class="file" profile="snap.discord.discord" name="/proc/390731/cmdline" pid=6221 comm="Utils" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /proc/390731/cmdline (read)
Suggestion:
* adjust program to not access '@{PROC}/@{pid}/cmdline'

= AppArmor =
Time: Jun  8 15:36:28
Log: apparmor="DENIED" operation="ptrace" class="ptrace" profile="snap.discord.discord" pid=6221 comm="Utils" requested_mask="read" denied_mask="read" peer="unconfined"
Ptrace: peer=unconfined (read)
Suggestions:
* add 'system-observe' to 'plugs'
* do nothing if program otherwise works properly

= AppArmor =
Time: Jun  8 15:36:28
Log: apparmor="DENIED" operation="ptrace" class="ptrace" profile="snap.discord.discord" pid=6221 comm="Utils" requested_mask="read" denied_mask="read" peer="snap.jellyfinmediaplayer.jellyfinmediaplayer"
Ptrace: peer=snap.jellyfinmediaplayer.jellyfinmediaplayer (read)
Suggestions:
* add 'system-observe' to 'plugs'
* do nothing if program otherwise works properly

= AppArmor =
Time: Jun  8 15:36:28
Log: apparmor="DENIED" operation="ptrace" class="ptrace" profile="snap.discord.discord" pid=6221 comm="Utils" requested_mask="read" denied_mask="read" peer="snap.thunderbird.thunderbird"
Ptrace: peer=snap.thunderbird.thunderbird (read)
Suggestions:
* add 'system-observe' to 'plugs'
* do nothing if program otherwise works properly

= AppArmor =
Time: Jun  8 15:36:28
Log: apparmor="DENIED" operation="ptrace" class="ptrace" profile="snap.discord.discord" pid=6221 comm="Utils" requested_mask="read" denied_mask="read" peer="unconfined"
Ptrace: peer=unconfined (read)
Suggestions:
* add 'system-observe' to 'plugs'
* do nothing if program otherwise works properly

= AppArmor =
Time: Jun  8 15:36:28
Log: apparmor="DENIED" operation="capable" class="cap" profile="snap.bitwarden.bitwarden" pid=2119433 comm="desktop-init.sh" capability=2  capname="dac_read_search"
Capability: dac_read_search
Suggestions:
* adjust program to not require 'CAP_DAC_READ_SEARCH' (see 'man 7 capabilities')
* add one of 'microstack-support, system-backup' to 'plugs'
* do nothing if program otherwise works properly

= AppArmor =
Time: Jun  8 15:36:33
Log: apparmor="DENIED" operation="ptrace" class="ptrace" profile="snap.discord.discord" pid=6221 comm="Utils" requested_mask="read" denied_mask="read" peer="unconfined"
Ptrace: peer=unconfined (read)
Suggestions:
* add 'system-observe' to 'plugs'
* do nothing if program otherwise works properly

= AppArmor =
Time: Jun  8 15:36:33
Log: apparmor="DENIED" operation="open" class="file" profile="snap.discord.discord" name="/proc/4443/cmdline" pid=6221 comm="Utils" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /proc/4443/cmdline (read)
Suggestion:
* adjust program to not access '@{PROC}/@{pid}/cmdline'

= AppArmor =
Time: Jun  8 15:36:33
Log: apparmor="DENIED" operation="ptrace" class="ptrace" profile="snap.discord.discord" pid=6221 comm="Utils" requested_mask="read" denied_mask="read" peer="unconfined"
Ptrace: peer=unconfined (read)
Suggestions:
* add 'system-observe' to 'plugs'
* do nothing if program otherwise works properly

= AppArmor =
Time: Jun  8 15:36:33
Log: apparmor="DENIED" operation="open" class="file" profile="snap.discord.discord" name="/proc/4710/cmdline" pid=6221 comm="Utils" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /proc/4710/cmdline (read)
Suggestion:
* adjust program to not access '@{PROC}/@{pid}/cmdline'

= AppArmor =
Time: Jun  8 15:36:33
Log: apparmor="DENIED" operation="ptrace" class="ptrace" profile="snap.discord.discord" pid=6221 comm="Utils" requested_mask="read" denied_mask="read" peer="unconfined"
Ptrace: peer=unconfined (read)
Suggestions:
* add 'system-observe' to 'plugs'
* do nothing if program otherwise works properly

= AppArmor =
Time: Jun  8 15:36:33
Log: apparmor="DENIED" operation="open" class="file" profile="snap.discord.discord" name="/proc/4963/cmdline" pid=6221 comm="Utils" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /proc/4963/cmdline (read)
Suggestion:
* adjust program to not access '@{PROC}/@{pid}/cmdline'

= AppArmor =
Time: Jun  8 15:36:33
Log: apparmor="DENIED" operation="ptrace" class="ptrace" profile="snap.discord.discord" pid=6221 comm="Utils" requested_mask="read" denied_mask="read" peer="unconfined"
Ptrace: peer=unconfined (read)
Suggestions:
* add 'system-observe' to 'plugs'
* do nothing if program otherwise works properly

= AppArmor =
Time: Jun  8 15:36:33
Log: apparmor="DENIED" operation="ptrace" class="ptrace" profile="snap.discord.discord" pid=6221 comm="Utils" requested_mask="read" denied_mask="read" peer="snap.firefox.firefox"
Ptrace: peer=snap.firefox.firefox (read)
Suggestions:
* add 'system-observe' to 'plugs'
* do nothing if program otherwise works properly

= AppArmor =
Time: Jun  8 15:36:33
Log: apparmor="DENIED" operation="ptrace" class="ptrace" profile="snap.discord.discord" pid=6221 comm="Utils" requested_mask="read" denied_mask="read" peer="unconfined"
Ptrace: peer=unconfined (read)
Suggestions:
* add 'system-observe' to 'plugs'
* do nothing if program otherwise works properly

= AppArmor =
Time: Jun  8 15:36:33
Log: apparmor="DENIED" operation="ptrace" class="ptrace" profile="snap.discord.discord" pid=6221 comm="Utils" requested_mask="read" denied_mask="read" peer="snap.firefox.firefox"
Ptrace: peer=snap.firefox.firefox (read)
Suggestions:
* add 'system-observe' to 'plugs'
* do nothing if program otherwise works properly

= AppArmor =
Time: Jun  8 15:36:33
Log: apparmor="DENIED" operation="open" class="file" profile="snap.discord.discord" name="/proc/390731/cmdline" pid=6221 comm="Utils" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /proc/390731/cmdline (read)
Suggestion:
* adjust program to not access '@{PROC}/@{pid}/cmdline'

= AppArmor =
Time: Jun  8 15:36:33
Log: apparmor="DENIED" operation="ptrace" class="ptrace" profile="snap.discord.discord" pid=6221 comm="Utils" requested_mask="read" denied_mask="read" peer="unconfined"
Ptrace: peer=unconfined (read)
Suggestions:
* add 'system-observe' to 'plugs'
* do nothing if program otherwise works properly

= AppArmor =
Time: Jun  8 15:36:33
Log: apparmor="DENIED" operation="ptrace" class="ptrace" profile="snap.discord.discord" pid=6221 comm="Utils" requested_mask="read" denied_mask="read" peer="snap.jellyfinmediaplayer.jellyfinmediaplayer"
Ptrace: peer=snap.jellyfinmediaplayer.jellyfinmediaplayer (read)
Suggestions:
* add 'system-observe' to 'plugs'
* do nothing if program otherwise works properly

= AppArmor =
Time: Jun  8 15:36:33
Log: apparmor="DENIED" operation="ptrace" class="ptrace" profile="snap.discord.discord" pid=6221 comm="Utils" requested_mask="read" denied_mask="read" peer="snap.thunderbird.thunderbird"
Ptrace: peer=snap.thunderbird.thunderbird (read)
Suggestions:
* add 'system-observe' to 'plugs'
* do nothing if program otherwise works properly

= AppArmor =
Time: Jun  8 15:36:33
Log: apparmor="DENIED" operation="ptrace" class="ptrace" profile="snap.discord.discord" pid=6221 comm="Utils" requested_mask="read" denied_mask="read" peer="unconfined"
Ptrace: peer=unconfined (read)
Suggestions:
* add 'system-observe' to 'plugs'
* do nothing if program otherwise works properly

= AppArmor =
Time: Jun  8 15:36:35
Log: apparmor="DENIED" operation="open" class="file" profile="snap.jellyfinmediaplayer.jellyfinmediaplayer" name="/run/udev/data/c4:28" pid=2050201 comm="InputCEC" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /run/udev/data/c4:28 (read)
Suggestions:
* adjust program to use $SNAP_DATA
* adjust program to use /run/shm/snap.$SNAP_NAME.*
* adjust program to use /run/snap.$SNAP_NAME.*
* adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)
* add 'hardware-observe' to 'plugs'

= AppArmor =
Time: Jun  8 15:36:35
Log: apparmor="DENIED" operation="open" class="file" profile="snap.jellyfinmediaplayer.jellyfinmediaplayer" name="/run/udev/data/c4:79" pid=2050201 comm="InputCEC" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /run/udev/data/c4:79 (read)
Suggestions:
* adjust program to use $SNAP_DATA
* adjust program to use /run/shm/snap.$SNAP_NAME.*
* adjust program to use /run/snap.$SNAP_NAME.*
* adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)
* add 'hardware-observe' to 'plugs'

= AppArmor =
Time: Jun  8 15:36:35
Log: apparmor="DENIED" operation="open" class="file" profile="snap.jellyfinmediaplayer.jellyfinmediaplayer" name="/run/udev/data/c5:2" pid=2050201 comm="InputCEC" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /run/udev/data/c5:2 (read)
Suggestions:
* adjust program to use $SNAP_DATA
* adjust program to use /run/shm/snap.$SNAP_NAME.*
* adjust program to use /run/snap.$SNAP_NAME.*
* adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)
* add 'hardware-observe' to 'plugs'

= AppArmor =
Time: Jun  8 15:36:35
Log: apparmor="DENIED" operation="open" class="file" profile="snap.jellyfinmediaplayer.jellyfinmediaplayer" name="/run/udev/data/c4:56" pid=2050201 comm="InputCEC" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /run/udev/data/c4:56 (read)
Suggestions:
* adjust program to use $SNAP_DATA
* adjust program to use /run/shm/snap.$SNAP_NAME.*
* adjust program to use /run/snap.$SNAP_NAME.*
* adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)
* add 'hardware-observe' to 'plugs'

= AppArmor =
Time: Jun  8 15:36:35
Log: apparmor="DENIED" operation="open" class="file" profile="snap.jellyfinmediaplayer.jellyfinmediaplayer" name="/run/udev/data/c4:18" pid=2050201 comm="InputCEC" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /run/udev/data/c4:18 (read)
Suggestions:
* adjust program to use $SNAP_DATA
* adjust program to use /run/shm/snap.$SNAP_NAME.*
* adjust program to use /run/snap.$SNAP_NAME.*
* adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)
* add 'hardware-observe' to 'plugs'

= AppArmor =
Time: Jun  8 15:36:35
Log: apparmor="DENIED" operation="open" class="file" profile="snap.jellyfinmediaplayer.jellyfinmediaplayer" name="/run/udev/data/c4:1" pid=2050201 comm="InputCEC" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /run/udev/data/c4:1 (read)
Suggestions:
* adjust program to use $SNAP_DATA
* adjust program to use /run/shm/snap.$SNAP_NAME.*
* adjust program to use /run/snap.$SNAP_NAME.*
* adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)
* add 'hardware-observe' to 'plugs'

= AppArmor =
Time: Jun  8 15:36:35
Log: apparmor="DENIED" operation="open" class="file" profile="snap.jellyfinmediaplayer.jellyfinmediaplayer" name="/run/udev/data/c4:46" pid=2050201 comm="InputCEC" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /run/udev/data/c4:46 (read)
Suggestions:
* adjust program to use $SNAP_DATA
* adjust program to use /run/shm/snap.$SNAP_NAME.*
* adjust program to use /run/snap.$SNAP_NAME.*
* adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)
* add 'hardware-observe' to 'plugs'

= AppArmor =
Time: Jun  8 15:36:35
Log: apparmor="DENIED" operation="open" class="file" profile="snap.jellyfinmediaplayer.jellyfinmediaplayer" name="/run/udev/data/c4:70" pid=2050201 comm="InputCEC" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /run/udev/data/c4:70 (read)
Suggestions:
* adjust program to use $SNAP_DATA
* adjust program to use /run/shm/snap.$SNAP_NAME.*
* adjust program to use /run/snap.$SNAP_NAME.*
* adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)
* add 'hardware-observe' to 'plugs'

= AppArmor =
Time: Jun  8 15:36:35
Log: apparmor="DENIED" operation="open" class="file" profile="snap.jellyfinmediaplayer.jellyfinmediaplayer" name="/run/udev/data/c4:36" pid=2050201 comm="InputCEC" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /run/udev/data/c4:36 (read)
Suggestions:
* adjust program to use $SNAP_DATA
* adjust program to use /run/shm/snap.$SNAP_NAME.*
* adjust program to use /run/snap.$SNAP_NAME.*
* adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)
* add 'hardware-observe' to 'plugs'

= AppArmor =
Time: Jun  8 15:36:35
Log: apparmor="DENIED" operation="open" class="file" profile="snap.jellyfinmediaplayer.jellyfinmediaplayer" name="/run/udev/data/c4:87" pid=2050201 comm="InputCEC" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /run/udev/data/c4:87 (read)
Suggestions:
* adjust program to use $SNAP_DATA
* adjust program to use /run/shm/snap.$SNAP_NAME.*
* adjust program to use /run/snap.$SNAP_NAME.*
* adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)
* add 'hardware-observe' to 'plugs'

= AppArmor =
Time: Jun  8 15:36:35
Log: apparmor="DENIED" operation="open" class="file" profile="snap.jellyfinmediaplayer.jellyfinmediaplayer" name="/run/udev/data/c4:26" pid=2050201 comm="InputCEC" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /run/udev/data/c4:26 (read)
Suggestions:
* adjust program to use $SNAP_DATA
* adjust program to use /run/shm/snap.$SNAP_NAME.*
* adjust program to use /run/snap.$SNAP_NAME.*
* adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)
* add 'hardware-observe' to 'plugs'

= AppArmor =
Time: Jun  8 15:36:35
Log: apparmor="DENIED" operation="open" class="file" profile="snap.jellyfinmediaplayer.jellyfinmediaplayer" name="/run/udev/data/c4:77" pid=2050201 comm="InputCEC" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /run/udev/data/c4:77 (read)
Suggestions:
* adjust program to use $SNAP_DATA
* adjust program to use /run/shm/snap.$SNAP_NAME.*
* adjust program to use /run/snap.$SNAP_NAME.*
* adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)
* add 'hardware-observe' to 'plugs'

= AppArmor =
Time: Jun  8 15:36:35
Log: apparmor="DENIED" operation="open" class="file" profile="snap.jellyfinmediaplayer.jellyfinmediaplayer" name="/run/udev/data/c4:54" pid=2050201 comm="InputCEC" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /run/udev/data/c4:54 (read)
Suggestions:
* adjust program to use $SNAP_DATA
* adjust program to use /run/shm/snap.$SNAP_NAME.*
* adjust program to use /run/snap.$SNAP_NAME.*
* adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)
* add 'hardware-observe' to 'plugs'

= AppArmor =
Time: Jun  8 15:36:35
Log: apparmor="DENIED" operation="open" class="file" profile="snap.jellyfinmediaplayer.jellyfinmediaplayer" name="/run/udev/data/c4:16" pid=2050201 comm="InputCEC" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /run/udev/data/c4:16 (read)
Suggestions:
* adjust program to use $SNAP_DATA
* adjust program to use /run/shm/snap.$SNAP_NAME.*
* adjust program to use /run/snap.$SNAP_NAME.*
* adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)
* add 'hardware-observe' to 'plugs'

= AppArmor =
Time: Jun  8 15:36:35
Log: apparmor="DENIED" operation="open" class="file" profile="snap.jellyfinmediaplayer.jellyfinmediaplayer" name="/run/udev/data/c4:44" pid=2050201 comm="InputCEC" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /run/udev/data/c4:44 (read)
Suggestions:
* adjust program to use $SNAP_DATA
* adjust program to use /run/shm/snap.$SNAP_NAME.*
* adjust program to use /run/snap.$SNAP_NAME.*
* adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)
* add 'hardware-observe' to 'plugs'

= AppArmor =
Time: Jun  8 15:36:35
Log: apparmor="DENIED" operation="open" class="file" profile="snap.jellyfinmediaplayer.jellyfinmediaplayer" name="/run/udev/data/c4:95" pid=2050201 comm="InputCEC" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /run/udev/data/c4:95 (read)
Suggestions:
* adjust program to use $SNAP_DATA
* adjust program to use /run/shm/snap.$SNAP_NAME.*
* adjust program to use /run/snap.$SNAP_NAME.*
* adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)
* add 'hardware-observe' to 'plugs'

= AppArmor =
Time: Jun  8 15:36:35
Log: apparmor="DENIED" operation="open" class="file" profile="snap.jellyfinmediaplayer.jellyfinmediaplayer" name="/run/udev/data/c5:1" pid=2050201 comm="InputCEC" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /run/udev/data/c5:1 (read)
Suggestions:
* adjust program to use $SNAP_DATA
* adjust program to use /run/shm/snap.$SNAP_NAME.*
* adjust program to use /run/snap.$SNAP_NAME.*
* adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)
* add 'hardware-observe' to 'plugs'

= AppArmor =
Time: Jun  8 15:36:35
Log: apparmor="DENIED" operation="open" class="file" profile="snap.jellyfinmediaplayer.jellyfinmediaplayer" name="/run/udev/data/c4:68" pid=2050201 comm="InputCEC" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /run/udev/data/c4:68 (read)
Suggestions:
* adjust program to use $SNAP_DATA
* adjust program to use /run/shm/snap.$SNAP_NAME.*
* adjust program to use /run/snap.$SNAP_NAME.*
* adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)
* add 'hardware-observe' to 'plugs'

= AppArmor =
Time: Jun  8 15:36:35
Log: apparmor="DENIED" operation="open" class="file" profile="snap.jellyfinmediaplayer.jellyfinmediaplayer" name="/run/udev/data/c4:34" pid=2050201 comm="InputCEC" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /run/udev/data/c4:34 (read)
Suggestions:
* adjust program to use $SNAP_DATA
* adjust program to use /run/shm/snap.$SNAP_NAME.*
* adjust program to use /run/snap.$SNAP_NAME.*
* adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)
* add 'hardware-observe' to 'plugs'

= AppArmor =
Time: Jun  8 15:36:35
Log: apparmor="DENIED" operation="open" class="file" profile="snap.jellyfinmediaplayer.jellyfinmediaplayer" name="/run/udev/data/c4:85" pid=2050201 comm="InputCEC" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /run/udev/data/c4:85 (read)
Suggestions:
* adjust program to use $SNAP_DATA
* adjust program to use /run/shm/snap.$SNAP_NAME.*
* adjust program to use /run/snap.$SNAP_NAME.*
* adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)
* add 'hardware-observe' to 'plugs'

= AppArmor =
Time: Jun  8 15:36:35
Log: apparmor="DENIED" operation="open" class="file" profile="snap.jellyfinmediaplayer.jellyfinmediaplayer" name="/run/udev/data/c4:62" pid=2050201 comm="InputCEC" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /run/udev/data/c4:62 (read)
Suggestions:
* adjust program to use $SNAP_DATA
* adjust program to use /run/shm/snap.$SNAP_NAME.*
* adjust program to use /run/snap.$SNAP_NAME.*
* adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)
* add 'hardware-observe' to 'plugs'

= AppArmor =
Time: Jun  8 15:36:35
Log: apparmor="DENIED" operation="open" class="file" profile="snap.jellyfinmediaplayer.jellyfinmediaplayer" name="/run/udev/data/c4:24" pid=2050201 comm="InputCEC" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /run/udev/data/c4:24 (read)
Suggestions:
* adjust program to use $SNAP_DATA
* adjust program to use /run/shm/snap.$SNAP_NAME.*
* adjust program to use /run/snap.$SNAP_NAME.*
* adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)
* add 'hardware-observe' to 'plugs'

= AppArmor =
Time: Jun  8 15:36:35
Log: apparmor="DENIED" operation="open" class="file" profile="snap.jellyfinmediaplayer.jellyfinmediaplayer" name="/run/udev/data/c4:75" pid=2050201 comm="InputCEC" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /run/udev/data/c4:75 (read)
Suggestions:
* adjust program to use $SNAP_DATA
* adjust program to use /run/shm/snap.$SNAP_NAME.*
* adjust program to use /run/snap.$SNAP_NAME.*
* adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)
* add 'hardware-observe' to 'plugs'

= AppArmor =
Time: Jun  8 15:36:35
Log: apparmor="DENIED" operation="open" class="file" profile="snap.jellyfinmediaplayer.jellyfinmediaplayer" name="/run/udev/data/c4:8" pid=2050201 comm="InputCEC" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /run/udev/data/c4:8 (read)
Suggestions:
* adjust program to use $SNAP_DATA
* adjust program to use /run/shm/snap.$SNAP_NAME.*
* adjust program to use /run/snap.$SNAP_NAME.*
* adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)
* add 'hardware-observe' to 'plugs'

= AppArmor =
Time: Jun  8 15:36:35
Log: apparmor="DENIED" operation="open" class="file" profile="snap.jellyfinmediaplayer.jellyfinmediaplayer" name="/run/udev/data/c4:52" pid=2050201 comm="InputCEC" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /run/udev/data/c4:52 (read)
Suggestions:
* adjust program to use $SNAP_DATA
* adjust program to use /run/shm/snap.$SNAP_NAME.*
* adjust program to use /run/snap.$SNAP_NAME.*
* adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)
* add 'hardware-observe' to 'plugs'

= AppArmor =
Time: Jun  8 15:36:35
Log: apparmor="DENIED" operation="open" class="file" profile="snap.jellyfinmediaplayer.jellyfinmediaplayer" name="/run/udev/data/c4:14" pid=2050201 comm="InputCEC" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /run/udev/data/c4:14 (read)
Suggestions:
* adjust program to use $SNAP_DATA
* adjust program to use /run/shm/snap.$SNAP_NAME.*
* adjust program to use /run/snap.$SNAP_NAME.*
* adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)
* add 'hardware-observe' to 'plugs'

= AppArmor =
Time: Jun  8 15:36:35
Log: apparmor="DENIED" operation="open" class="file" profile="snap.jellyfinmediaplayer.jellyfinmediaplayer" name="/run/udev/data/c4:42" pid=2050201 comm="InputCEC" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /run/udev/data/c4:42 (read)
Suggestions:
* adjust program to use $SNAP_DATA
* adjust program to use /run/shm/snap.$SNAP_NAME.*
* adjust program to use /run/snap.$SNAP_NAME.*
* adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)
* add 'hardware-observe' to 'plugs'

= AppArmor =
Time: Jun  8 15:36:35
Log: apparmor="DENIED" operation="open" class="file" profile="snap.jellyfinmediaplayer.jellyfinmediaplayer" name="/run/udev/data/c4:66" pid=2050201 comm="InputCEC" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /run/udev/data/c4:66 (read)
Suggestions:
* adjust program to use $SNAP_DATA
* adjust program to use /run/shm/snap.$SNAP_NAME.*
* adjust program to use /run/snap.$SNAP_NAME.*
* adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)
* add 'hardware-observe' to 'plugs'

= AppArmor =
Time: Jun  8 15:36:35
Log: apparmor="DENIED" operation="open" class="file" profile="snap.jellyfinmediaplayer.jellyfinmediaplayer" name="/run/udev/data/c4:32" pid=2050201 comm="InputCEC" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /run/udev/data/c4:32 (read)
Suggestions:
* adjust program to use $SNAP_DATA
* adjust program to use /run/shm/snap.$SNAP_NAME.*
* adjust program to use /run/snap.$SNAP_NAME.*
* adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)
* add 'hardware-observe' to 'plugs'

= AppArmor =
Time: Jun  8 15:36:35
Log: apparmor="DENIED" operation="open" class="file" profile="snap.jellyfinmediaplayer.jellyfinmediaplayer" name="/run/udev/data/c4:60" pid=2050201 comm="InputCEC" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /run/udev/data/c4:60 (read)
Suggestions:
* adjust program to use $SNAP_DATA
* adjust program to use /run/shm/snap.$SNAP_NAME.*
* adjust program to use /run/snap.$SNAP_NAME.*
* adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)
* add 'hardware-observe' to 'plugs'

KhazAkar · June 8, 2024, 9:17pm

YamiYukiSenpai:

Just this:

= AppArmor =
Time: Jun  8 15:36:28
Log: apparmor="DENIED" operation="capable" class="cap" profile="snap.bitwarden.bitwarden" pid=2119433 comm="desktop-init.sh" capability=2  capname="dac_read_search"
Capability: dac_read_search
Suggestions:
* adjust program to not require 'CAP_DAC_READ_SEARCH' (see 'man 7 capabilities')
* add one of 'microstack-support, system-backup' to 'plugs'
* do nothing if program otherwise works properly

Hm… I would try adding ‘system-backup’ plug and check if it helped

soumyaDghosh · June 8, 2024, 10:13pm

Did you removed the snap before using snap remove --purge? Also, try removing the $HOME/snap/bitwarden folder once again, even if you did purge the snap before. I tried in 24.04 and it was completely fine.

YamiYukiSenpai · June 8, 2024, 11:04pm

Strange. Still no dice

I made sure that Bitwarden isn’t in /snap and ~/snap

└[~]> sudo snap remove --purge bitwarden  
bitwarden removed
└[~]> sudo snap install bitwarden         
bitwarden 2024.5.0 from 8bit Solutions LLC (bitwarden✓) installed
└[~]> ls -l /snap/bitwarden 
total 4
drwxrwxrwx 10 root root 586 May 21 15:31 110
lrwxrwxrwx  1 root root   3 Jun  8 18:57 current -> 110
> ls -l snap/bitwarden 
total 4
drwxr-xr-x 1 yamiyuki yamiyuki 54 Jun  8 18:59 110
drwxr-xr-x 1 yamiyuki yamiyuki 12 Jun  8 18:59 common
lrwxrwxrwx 1 yamiyuki yamiyuki  3 Jun  8 18:57 current -> 110
└[~]> snap run --trace-exec bitwarden   
/snap/bitwarden/110/desktop-init.sh: line 14: /home/yamiyuki/snap/bitwarden/110/.last_revision: Permission denied
Slowest 4 exec calls during snap run:
  0.497s snap-update-ns
  0.531s /snap/snapd/21759/usr/lib/snapd/snap-confine
  0.009s /usr/lib/snapd/snap-exec
  0.008s /snap/bitwarden/110/command.sh
Total time: 0.557s
error: exit status 1
└[~]> ls -l /home/yamiyuki/snap/bitwarden/110/.  
└[~]> ls -l /home/yamiyuki/snap/bitwarden/110/.last_revision
ls: cannot access '/home/yamiyuki/snap/bitwarden/110/.last_revision': No such file or directory

This is after I launched from GUI:

└[~]> ls -l /home/yamiyuki/snap/bitwarden/110/.last_revision
-rw-rw-r-- 1 yamiyuki yamiyuki 31 Jun  8 18:59 /home/yamiyuki/snap/bitwarden/110/.last_revision
└[~]> cat /home/yamiyuki/snap/bitwarden/110/.last_revision
SNAP_DESKTOP_LAST_REVISION=110

└[~]> snap --version 
snap    2.63
snapd   2.63
series  16
tuxedo  22.04
kernel  6.5.0-10040-tuxedo

Strange, I just checked journal, and it’s trying to get inside my Documents (stored in my separate internal HDD)

> sudo journalctl -f | grep -e bitwarden                 
Jun 08 19:09:58 Y4M1-II systemd[4441]: Started snap.bitwarden.bitwarden-2ae4b4b7-2663-44e2-8edd-797af60a4a53.scope.
Jun 08 19:09:58 Y4M1-II audit[2186979]: AVC apparmor="DENIED" operation="open" class="file" profile="snap.bitwarden.bitwarden" name="/media/DATA/WDB4TB/yamiyuki/Documents/" pid=2186979 comm="head" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Jun 08 19:09:58 Y4M1-II audit[2186982]: AVC apparmor="DENIED" operation="rmdir" class="file" profile="snap.bitwarden.bitwarden" name="/media/DATA/WDB4TB/yamiyuki/Documents/" pid=2186982 comm="rmdir" requested_mask="d" denied_mask="d" fsuid=1000 ouid=1000

ogra · June 9, 2024, 9:52am

You should really mention tuxedo in the subject line when opening such threads. Given that tuxedo actively tries to prevent snap execution in their OS as you have shown in another (the zoom) thread, this information is kind of essential for the supporters…

YamiYukiSenpai · June 11, 2024, 12:49am

I don’t think it’s Tuxedo, as I tested with standard KDE Neon just now:

Jun 10 20:46:58 Raven-Neon systemd[1512]: Started Bitwarden - Password Manager.
Jun 10 20:46:58 Raven-Neon systemd[1512]: Started snap.bitwarden.bitwarden-40a4110d-6e98-4ba7-bfcb-267458c5ddbe.scope.
Jun 10 20:47:13 Raven-Neon systemd[1512]: Started Bitwarden - Password Manager.
Jun 10 20:47:13 Raven-Neon systemd[1512]: Started snap.bitwarden.bitwarden-34dc2cfd-1874-4629-9d8d-1aa8f633972d.scope.

$ snap --version
snap    2.63
snapd   2.63
series  16
neon    22.04
kernel  6.9.3-1-liquorix-amd64

Also, they were willing to at least look into the os-release issue from the other thread.

ogra · June 11, 2024, 10:14am

Well, again not some standard ubuntu, where does that kernel come from, does it use the ubuntu SAUCE security patches, does it have the correct configuration options enabled etc etc…

KhazAkar · June 11, 2024, 12:49pm

Liquorix is custom kernel available at https://liquorix.net/ Probably they don’t ship Ubuntu patches

ogra · June 11, 2024, 12:53pm

right, and snapd will simply not know about this if the kernel gets blindly replaced … so it can not cater for potential differences it does not know about … replacing a kernel with a completely unsupported one is actively breaking snap behavior …

soumyaDghosh · June 11, 2024, 3:56pm

But, I think we should work on this. We should make this format agnostic even to kernels. Why should we even rely something from the system? ( I know apparmor, but still, can’t we do anything is such cases?)

ogra · June 11, 2024, 4:09pm

We already do for all known distros, snapd knows where the confinement has to be used in a degraded manner, but we can not easily protect against people installing random third party kernels from some website

James-Carroll · June 11, 2024, 4:09pm

This seems relevant here, do you have your Downloads/Documents/Music/etc folders symlinked to an external drive?

Try set those links up as a bind mount in /etc/fstab instead. If they’re symlinks, it could be that AppArmor is seeing their true path and blocking access.

YamiYukiSenpai · June 16, 2024, 12:17am

It’s not symlinked at all. I had them directly mapped there

> ls -l /media/DATA/WDB4TB/yamiyuki/   
total 568316
drwxrwxr-x 1 yamiyuki yamiyuki      1204 Jun 10 03:14 backup
drwxrwxr-x 1 yamiyuki yamiyuki       344 Apr 29  2019 DatomicUSB
drwxr-x--- 1 yamiyuki yamiyuki      2072 Jun 11 21:08 Documents
drwxrwxr-x 1 yamiyuki yamiyuki      5082 Jun 15 18:37 Downloads
drwxrwxr-x 1 yamiyuki yamiyuki       706 Jun 11 21:08 Nextcloud
drwxrwxr-x 1 yamiyuki yamiyuki       154 Dec  8  2018 Notes
drwxrwxr-x 1 yamiyuki yamiyuki      3054 Mar  2 09:41 Pictures
drwxr-xr-- 1 yamiyuki yamiyuki       418 Apr 29 19:58 Projects
drwxrwxr-x 1 yamiyuki yamiyuki         0 Jun  8 00:07 Public
drwxrwxr-x 1 yamiyuki yamiyuki         0 Jun  8 00:08 Templates
drwxrwxr-x 1 yamiyuki yamiyuki        14 Apr 14 16:31 VMs

James-Carroll · June 16, 2024, 9:20am

Have you informed snapd you’re using a non-standard $HOME?

sudo snap set system homedirs=/media/DATA/WDB4TB`

Followed by a reboot, let us know if it persists.

YamiYukiSenpai · June 18, 2024, 8:33pm

My standard home is still in /home. The dot directories are still there.

Documents, Downloads & Pictures are in 1 drive, while my Music & Videos are in another drive

YamiYukiSenpai · July 1, 2024, 3:53am

Good news! We can disregard Tuxedo OS as a variable, as my ThinkPad X1 Yoga with single drive and more standard partition works perfectly fine.

sorry. I installed it while back, but I forgot about it as I haven’t used it actively in a few months,

Operating System: TUXEDO OS 3
KDE Plasma Version: 6.1.0
KDE Frameworks Version: 6.3.0
Qt Version: 6.7.0
Kernel Version: 6.5.0-10040-tuxedo (64-bit)
Graphics Platform: Wayland
Processors: 8 × Intel® Core™ i7-10510U CPU @ 1.80GHz
Memory: 15.3 GiB of RAM
Graphics Processor: Mesa Intel® UHD Graphics
Manufacturer: LENOVO
Product Name: 20SA0002US
System Version: ThinkPad X1 Yoga 4th

$ snap version
snap    2.63+22.04
snapd   2.63+22.04
series  16
tuxedo  22.04
kernel  6.5.0-10040-tuxedo

YamiYukiSenpai · July 1, 2024, 5:27pm

I changed the default location of my Documents directory, but it’s still doing this:

Jul 01 13:26:01 systemd[5118]: Started Bitwarden - Password Manager.
Jul 01 13:26:01 systemd[5118]: Started snap.bitwarden.bitwarden-f6e8630f-7b5d-493b-87de-096463963ce7.scope.
Jul 01 13:26:01 audit[8975]: AVC apparmor="DENIED" operation="open" class="file" profile="snap.bitwarden.bitwarden" name="/media/DATA/WDB4TB/yamiyuki/Documents/" pid=8975 comm="head" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Jul 01 13:26:01 audit[8978]: AVC apparmor="DENIED" operation="rmdir" class="file" profile="snap.bitwarden.bitwarden" name="/media/DATA/WDB4TB/yamiyuki/Documents/" pid=8978 comm="rmdir" requested_mask="d" denied_mask="d" fsuid=1000 ouid=1000

> cat .config/user-dirs.dirs 
XDG_DESKTOP_DIR="$HOME/Desktop"
XDG_DOCUMENTS_DIR="$HOME/Documents"
XDG_DOWNLOAD_DIR="/media/DATA/WDB4TB/yamiyuki/Downloads"
XDG_MUSIC_DIR="/home/DATA/WDB8TB/yamiyuki/Music/"
XDG_PICTURES_DIR="/media/DATA/WDB4TB/yamiyuki/Pictures"
XDG_PUBLICSHARE_DIR="/media/DATA/WDB4TB/yamiyuki/Public"
XDG_TEMPLATES_DIR="/media/DATA/WDB4TB/yamiyuki/Templates"
XDG_VIDEOS_DIR="/home/DATA/WDB8TB/yamiyuki/Videos/"

any potential consequences when I do this? Would it move my ~/snap to my HDD?

Edit: I checked the confinement, and it looks “right”, I think:

> snap debug confinement
strict

> snap debug sandbox-features
apparmor:             kernel:caps kernel:dbus kernel:domain kernel:domain:attach_conditions kernel:file kernel:io_uring kernel:ipc kernel:mount kernel:namespaces kernel:network kernel:network_v8 kernel:policy kernel:policy:unconfined_restrictions kernel:policy:versions kernel:ptrace kernel:query kernel:query:label kernel:rlimit kernel:signal parser:cap-audit-read parser:cap-bpf parser:include-if-exists parser:mqueue parser:qipcrtr-socket parser:unconfined parser:unsafe parser:xdp policy:default support-level:full
confinement-options:  classic devmode strict
dbus:                 mediated-bus-access
kmod:                 mediated-modprobe
mount:                layouts mount-namespace per-snap-persistency per-snap-profiles per-snap-updates per-snap-user-profiles stale-base-invalidation
seccomp:              bpf-actlog bpf-argument-filtering kernel:allow kernel:errno kernel:kill_process kernel:kill_thread kernel:log kernel:trace kernel:trap kernel:user_notif
udev:                 device-cgroup-v2 device-filtering tagging

YamiYukiSenpai · July 27, 2024, 8:34pm

Any way to just force AppArmor to disregard this:

Jul 27 16:32:05 audit[154085]: AVC apparmor="DENIED" operation="open" class="file" profile="snap.armcord.armcord" name="/media/DATA/WDB4TB/yamiyuki/Downloads/" pid=154085 comm="head" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Jul 27 16:32:05 audit[154090]: AVC apparmor="DENIED" operation="rmdir" class="file" profile="snap.armcord.armcord" name="/media/DATA/WDB4TB/yamiyuki/Downloads/" pid=154090 comm="rmdir" requested_mask="d" denied_mask="d" fsuid=1000 ouid=1000

Not even sure how it found that info when I’ve already override the default Documents, Downloads, etc.

FYI, I don’t wanna change the default home directory since it’s on the SSD, and I only want my documents, downloads, etc. to go to my HDDs.