Apologies if this has been posted before; I had a look but only spotted problems with older kernels.
I’m seeing failures on all my Kubuntu 17.10 boxes when trying to run any snaps…
$ uname -a
Linux hostname 4.13.0-45-generic #50-Ubuntu SMP Wed May 30 08:23:18 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ snap list
Name Version Rev Tracking Developer Notes
core 16-2.32.8 4650 stable canonical core
…
$ spotify
cannot perform readlinkat() on the mount namespace file descriptor of the init process: Permission denied
$ gotop
cannot perform readlinkat() on the mount namespace file descriptor of the init process: Permission denied
$ tldr
cannot perform readlinkat() on the mount namespace file descriptor of the init process: Permission denied
…
@zyga-snapd, it seems like snap-confine needs to now have 'capability sys_ptrace,'. This is not surprising as the ptrace capability is overloaded (see 'man capabilities', but that list is incomplete).
OK, provided I did that correctly, I have a new error…
Jun 14 15:31:32 hostname kernel: audit: type=1400 audit(1528986692.478:56): apparmor="DENIED" operation="ptrace" profile="/usr/lib/snapd/snap-confine" pid=11188 comm="snap-confine" requested_mask="trace" denied_mask="trace" peer="unconfined"
I'm not skilled with apparmor, but I guess I need to add the ptrace operation in that same file. Let me try.
@zyga-snapd - it could be a kernel regression or an intentional change in the kernel. It isn't clear from https://launchpad.net/ubuntu/+source/linux/4.13.0-45.50, but the point is, I'm not surprised that sys_ptrace is needed for that readlinkat, and so the change is good on its own merits.
I bet you are running with a very old apparmor profile for snap-confine. I’m also surprised you are not using snapd re-execution (where snapd uses core snap to update itself).
When snapd.deb was updated, did you choose to keep existing “conf file” in /etc/apparmor.d? If so that would explain a lot of the errors you are seeing.
# support for the mount namespace sharing
capability sys_ptrace,
# allow snap-confine to read /proc/1/ns/mnt
ptrace trace peer=unconfined,
...
# support for locking
/run/snapd/lock/ rw,
/run/snapd/lock/*.lock rwk,
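A small diagnostic for the situation in this thread (a stale snap-confine profile that lacks the rules above), as an added example that is not code from the thread or from snapd itself: it maps AppArmor "DENIED" audit lines of the two kinds involved here (operation="ptrace" and operation="capable") to the profile rule that would satisfy each, then reports which of those rules a given profile file does not contain. The audit lines and the profile file it runs on are constructed samples, not real logs or the real shipped profile; the capability-denial line format (capability=19 capname="sys_ptrace") is assumed from AppArmor's usual audit output, and the rule matching is a plain whole-line comparison, so a profile that writes the rule as `ptrace (trace) peer=unconfined,` would need that spelling in the sample too.

```shell
#!/bin/sh
# Added example, not part of the thread or of snapd: turn AppArmor DENIED
# audit lines into profile rules and check a profile file for them.

# Read audit lines on stdin; print one AppArmor rule per DENIED line.
#   operation="ptrace" requested_mask="M" peer="P" -> ptrace M peer=P,
#   operation="capable" capname="N"                -> capability N,
# Other operations are ignored.
audit_to_rules() {
    while IFS= read -r line; do
        case "$line" in
            *'apparmor="DENIED"'*) ;;
            *) continue ;;
        esac
        op=$(printf '%s\n' "$line" | sed -n 's/.*operation="\([^"]*\)".*/\1/p')
        case "$op" in
            ptrace)
                mask=$(printf '%s\n' "$line" | sed -n 's/.*requested_mask="\([^"]*\)".*/\1/p')
                peer=$(printf '%s\n' "$line" | sed -n 's/.*peer="\([^"]*\)".*/\1/p')
                printf 'ptrace %s peer=%s,\n' "$mask" "$peer"
                ;;
            capable)
                cap=$(printf '%s\n' "$line" | sed -n 's/.*capname="\([^"]*\)".*/\1/p')
                printf 'capability %s,\n' "$cap"
                ;;
        esac
    done
}

# Read rules on stdin; print those not present as a whole line in the
# profile file $1 (leading/trailing whitespace on profile lines ignored).
missing_rules() {
    profile=$1
    while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//' "$profile" \
            | grep -qxF -- "$rule" || printf '%s\n' "$rule"
    done
}

# Constructed sample audit text (not real logs): the ptrace denial from the
# thread plus an assumed-format capability denial for sys_ptrace (CAP 19).
SAMPLE_AUDIT='kernel: audit: type=1400 audit(1528986692.478:56): apparmor="DENIED" operation="ptrace" profile="/usr/lib/snapd/snap-confine" pid=11188 comm="snap-confine" requested_mask="trace" denied_mask="trace" peer="unconfined"
kernel: audit: type=1400 audit(1528986692.478:55): apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=11188 comm="snap-confine" capability=19 capname="sys_ptrace"'

# Constructed stale profile (hypothetical, not the shipped one): it already
# grants the capability but still lacks the ptrace rule.
OLD_PROFILE=$(mktemp)
trap 'rm -f "$OLD_PROFILE"' EXIT
cat > "$OLD_PROFILE" <<'EOF'
# constructed stale snap-confine profile fragment
  capability sys_ptrace,
  /run/snapd/lock/ rw,
  /run/snapd/lock/*.lock rwk,
EOF

# Rules the denials ask for, then the subset the stale profile is missing.
printf '%s\n' "$SAMPLE_AUDIT" | audit_to_rules
echo "--- missing from $OLD_PROFILE:"
printf '%s\n' "$SAMPLE_AUDIT" | audit_to_rules | missing_rules "$OLD_PROFILE"
```

On a real box the input would come from `journalctl -k | grep 'apparmor="DENIED"'` and the profile from /etc/apparmor.d, and a rule reported as missing is a strong hint that an old conffile was kept during the snapd upgrade rather than a kernel problem.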