Cannot create lock directory /run/snapd/lock: Permission denied

snapd
1

Hi,
Trying to setup a 64bit kali 2019 distribution with the same snap installs as 32bit can handle. Snap packages install fine. But upon running a snap package (no matter which, thunderbird, youtube-dl, couple others) the following error presents:

cannot create lock directory /run/snapd/lock: Permission denied

same exact error for all snaps.

~# snap version
snap 2.44.3
snapd 2.44.3
series 16
kali 2019.4
kernel 5.3.0-kali2-amd64

~#uname -r
5.3.0-kali2-amd64

~# gnome-shell --version
GNOME Shell 3.34.1

~# lsb_release -a
No LSB modules are available.
Distributor ID: Kali
Description: Kali GNU/Linux Rolling
Release: 2019.4
Codename: kali-rolling

~# lscpu
Architecture: x86_64
CPU op-mode(s): 32-bit, 64-bit
Byte Order: Little Endian
Address sizes: 36 bits physical, 48 bits virtual
CPU(s): 4
On-line CPU(s) list: 0-3
Thread(s) per core: 2
Core(s) per socket: 2
Socket(s): 1
NUMA node(s): 1
Vendor ID: GenuineIntel
CPU family: 6
Model: 42
Model name: Intel® Core™ i5-2520M CPU @ 2.50GHz
Stepping: 7
CPU MHz: 969.039
CPU max MHz: 3200.0000
CPU min MHz: 800.0000
BogoMIPS: 4988.38
Virtualization: VT-x

~# snap list

Name               Version                     Rev   Tracking       Publisher    Notes
core               16-2.44.3                   9066  latest/stable  canonical✓   core
core18             20200427                    1754  latest/stable  canonical✓   base
gnome-3-28-1804    3.28.0-16-g27c9498.27c9498  116   latest/stable  canonical✓   -
gtk-common-themes  0.1-36-gc75f853             1506  latest/stable  canonical✓   -
thunderbird        68.8.0                      58    latest/beta    ken-vandine  -
youtube-dl         2020.03.24+git6d29af9       2840  latest/stable  joeborg      -

~#snap changes

ID   Status  Spawn               Ready               Summary
9    Done    today at 14:37 EDT  today at 14:38 EDT  Install "thunderbird" snap from "beta" channel
10   Done    today at 16:49 EDT  today at 16:49 EDT  Remove "youtube-dl-casept" snap

~# snap connections

Interface                 Plug                         Slot                             Notes
browser-support           thunderbird:browser-sandbox  :browser-support                 -
content[gnome-3-28-1804]  thunderbird:gnome-3-28-1804  gnome-3-28-1804:gnome-3-28-1804  -
content[gtk-3-themes]     thunderbird:gtk-3-themes     gtk-common-themes:gtk-3-themes   -
content[icon-themes]      thunderbird:icon-themes      gtk-common-themes:icon-themes    -
content[sound-themes]     thunderbird:sound-themes     gtk-common-themes:sound-themes   -
desktop                   thunderbird:desktop          :desktop                         -
desktop-legacy            thunderbird:desktop-legacy   :desktop-legacy                  -
gsettings                 thunderbird:gsettings        :gsettings                       -
home                      thunderbird:home             :home                            -
home                      youtube-dl:home              :home                            -
network                   thunderbird:network          :network                         -
network                   youtube-dl:network           :network                         -
opengl                    thunderbird:opengl           :opengl                          -
opengl                    youtube-dl:opengl            :opengl                          -
unity7                    thunderbird:unity7           :unity7                          -
x11                       thunderbird:x11              :x11

~# dmesg | grep denied

[83689.259221] audit: type=1400 audit(1590259176.332:10): apparmor="DENIED" operation="open" profile="/snap/core/9066/usr/lib/snapd/snap-confine" name="/rw/" pid=81454 comm="snap-confine" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[85760.278470] audit: type=1400 audit(1590261247.352:11): apparmor="DENIED" operation="open" profile="/snap/core/9066/usr/lib/snapd/snap-confine" name="/rw/" pid=83778 comm="snap-confine" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[91378.003513] audit: type=1400 audit(1590266865.076:12): apparmor="DENIED" operation="open" profile="/snap/core/9066/usr/lib/snapd/snap-confine" name="/rw/" pid=90418 comm="snap-confine" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[91414.877259] audit: type=1400 audit(1590266901.952:13): apparmor="DENIED" operation="open" profile="/snap/core/9066/usr/lib/snapd/snap-confine" name="/rw/" pid=90476 comm="snap-confine" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

~# systemctl status snapd

● snapd.service - Snap Daemon
   Loaded: loaded (/lib/systemd/system/snapd.service; disabled; vendor preset: disabled)
   Active: active (running) since Sat 2020-05-23 15:13:59 EDT; 2h 11min ago
 Main PID: 83726 (snapd)
    Tasks: 18 (limit: 9263)
   Memory: 30.0M
   CGroup: /system.slice/snapd.service
           └─83726 /usr/lib/snapd/snapd

May 23 15:13:58 ilak systemd[1]: Starting Snap Daemon...
May 23 15:13:58 ilak snapd[83726]: AppArmor status: apparmor is enabled but some kernel features are missi>
May 23 15:13:59 ilak snapd[83726]: AppArmor status: apparmor is enabled but some kernel features are missi>
May 23 15:13:59 ilak snapd[83726]: daemon.go:343: started snapd/2.44.3 (series 16; classic; devmode) kali/>
May 23 15:13:59 ilak snapd[83726]: daemon.go:436: adjusting startup timeout by 1m5s (pessimistic estimate >
May 23 15:13:59 ilak snapd[83726]: backend.go:134: snapd enabled root filesystem on overlay support, addit>
May 23 15:13:59 ilak systemd[1]: Started Snap Daemon.

~# lsblk | grep loop

loop0    7:0    0   2.4G  1 loop /usr/lib/live/mount/rootfs/filesystem.squashfs
loop1    7:1    0  93.9M  1 loop /snap/core/9066
loop2    7:2    0    55M  1 loop /snap/core18/1754
loop3    7:3    0  91.1M  1 loop /snap/youtube-dl/2840
loop4    7:4    0    20K  1 loop /snap/hello-world/29
loop5    7:5    0 101.9M  1 loop /snap/thunderbird/58
loop6    7:6    0 160.2M  1 loop /snap/gnome-3-28-1804/116
loop7    7:7    0  62.1M  1 loop /snap/gtk-common-themes/1506

~#cat /proc/cpuinfo

processor : 3
vendor_id : GenuineIntel
cpu family : 6
model : 42
model name : Intel® Core™ i5-2520M CPU @ 2.50GHz
stepping : 7
microcode : 0x2f
cpu MHz : 1435.255
cache size : 3072 KB

_________________________________________

~# thunderbird
cannot create lock directory /run/snapd/lock: Permission denied

~# youtube-dl
cannot create lock directory /run/snapd/lock: Permission denied

Tried Solutions:
1)systemctl stop snapd.service -> systemctl start snapd.service

2)tried to follow [Solved] “Permission denied” in general | Ubuntu 19.10 | snap 2.42.5 but
a) ~# dpkg -S snap > in a pastebin
b) root@ilak:~# mv /etc/apparmor.d/snap ~/mysterious.snap
mv: cannot stat ‘/etc/apparmor.d/snap’: No such file or directory
c)~# mv /etc/apparmor.d/usr.bin.snap ~/mysterious.user.bin.snap
mv: cannot stat ‘/etc/apparmor.d/usr.bin.snap’: No such file or directory
d)~# dpkg -S /etc/apparmor.d/snap
dpkg-query: no path found matching pattern /etc/apparmor.d/snap


3)https:// forum.snapcraft. io/t/test-failures-with-cannot-create-lock-directory-run-snapd-lock/390/29

apparmor_parser --replace --write-cache /etc/apparmor.d/usr.lib.snapd.snap-confine.real --cache-loc /etc/apparmor.d/cache

4) Read [Trying to run any snap apps](https://forum.snapcraft.io/t/trying-to-run-any-snap-apps/9927) could 32bit persistent live mount systems work with snapd while 64bit do not?

Any suggestions appreciated, kind of out of ideas…

2

This is suspicious for snap-confine to be trying to read. Does your installation use overlayfs for the “/” mount with the upper dir of “/rw/” perhaps? What’s the output of findmnt, or if that’s not available cat /proc/self/mountinfo ?

3

Hi, thanks for looking into this
/ is rw overlay
output of # findmnt in pastebin below

Why does rw overlay not effect 32bit but breaks in 64bit ? Or is it likely the customization needed for 64bit i.e. try different desktop environment or different os ?

4

Update 6/2/2020
Uninstalled and re-installed and got hello-world! to work. So i went deeper in the rabbit hole, found and tried:

  1. sudo dpkg --configure -a
    from launch pad snappy bug# 1693037

  2. sudo apparmor_parser --replace --write-cache /etc/apparmor.d/usr.lib.snapd.snap-confine.real --cache-loc /etc/apparmor.d/cache
    from https://askubuntu.com/questions/989389/cannot-run-snap-app

  3. found # re mount -t overlay -o “upperdir=$tmpfs/up,lowerdir=$src,workdir=$tmpfs/work” overlay “$dst”
    from: Snaps don't run in the new LTSP
    …i’m holding off on trying this fix until i understand how it works or someone advises it is likely the fix needed for the original
    -cannot create lock directory /run/snapd/lock issue posted

(fix #3 looks like it could break the system if applied inappropriately …usually unix/linux has a risky complex route and a simpler basic logic route…)

It is difficult to imagine the root overlay system alone is at fault. Snaps work fine for 32 bit on the same desktop environment, same distributions and machines, same root overlay persistence setup. It is as if snapd needs access that the 64bit architecture is not allowing. (chmod to the /snapd/lock file has no effect)

5

What is the version of the snapd classic package on the host? Can you ask apt-cache policy snapd

6

Hi
#apt-cache policy snapd

snapd:
Installed: 2.44.1-2
Candidate: 2.44.1-2
Version table:
*** 2.44.1-2 500
500 http://http.kali.org/kali kali-rolling/main amd64 Packages
100 /var/lib/dpkg/status

7

snapd works on 32bit i386 so i spun up a 32bit vm and ran it on a 64bit host - installed snapd on 32bit vm…and exact same issue as presented. But this 32bit image DOES run snapd perfectly if used as a live cd or installed on hd as 32bit os.

apparently this is not an application layer issue. Generally most applications/services remain isolated to vm - in this case it seems snapd is not remaining isolated to vm for its functionality.

kind of curious what kind of issue escapes out of a qemu vm to depend on the 64bit host to run??