Hi,
I’m seeing this problem on Ubuntu 18.04 with kernel 4.18 and the workaround doesn’t seem to do anything for me.
> ls /etc/apparmor.d/*snap-confine*
/etc/apparmor.d/usr.lib.snapd.snap-confine.real
> tail /etc/apparmor.d/usr.lib.snapd.snap-confine.real
# from the core snap but we are already inside the constructed mount
# namespace. Here the apparmor kernel module re-constructs the path to
# snap-update-ns using the "hostfs" mount entry rather than the more
# "natural" /snap mount entry but we have no control over that. This is
# reported as (LP: #1716339). The variants here represent different
# locations of snap mount directory across distributions.
/var/lib/snapd/hostfs/{,var/lib/snapd/}snap/core/*/usr/lib/snapd/snap-update-ns r,
ptrace read peer=unconfined,
}
> sudo apparmor_parser -r /etc/apparmor.d/*snap-confine*
> gnome-calculator
cannot perform readlinkat() on the mount namespace file descriptor of the init process: Permission denied
> dmesg | grep DENIED
[ 28.836643] audit: type=1400 audit(1534247507.507:50): apparmor="DENIED" operation="ptrace" profile="/snap/core/5145/usr/lib/snapd/snap-confine" pid=1759 comm="snap-confine" requested_mask="read" denied_mask="read" peer="unconfined"
[ 29.030691] audit: type=1400 audit(1534247507.699:51): apparmor="DENIED" operation="ptrace" profile="/snap/core/5145/usr/lib/snapd/snap-confine" pid=1892 comm="snap-confine" requested_mask="read" denied_mask="read" peer="unconfined"
[ 29.230245] audit: type=1400 audit(1534247507.899:53): apparmor="DENIED" operation="ptrace" profile="/snap/core/5145/usr/lib/snapd/snap-confine" pid=2040 comm="snap-confine" requested_mask="read" denied_mask="read" peer="unconfined"
[ 29.404266] audit: type=1400 audit(1534247508.075:54): apparmor="DENIED" operation="ptrace" profile="/snap/core/5145/usr/lib/snapd/snap-confine" pid=2165 comm="snap-confine" requested_mask="read" denied_mask="read" peer="unconfined"
[ 29.665339] audit: type=1400 audit(1534247508.335:55): apparmor="DENIED" operation="ptrace" profile="/snap/core/5145/usr/lib/snapd/snap-confine" pid=2228 comm="snap-confine" requested_mask="read" denied_mask="read" peer="unconfined"
[ 33.802955] audit: type=1400 audit(1534247512.471:56): apparmor="DENIED" operation="ptrace" profile="/snap/core/5145/usr/lib/snapd/snap-confine" pid=2670 comm="snap-confine" requested_mask="read" denied_mask="read" peer="unconfined"
[ 39.115107] audit: type=1400 audit(1534247517.783:57): apparmor="DENIED" operation="ptrace" profile="/snap/core/5145/usr/lib/snapd/snap-confine" pid=2958 comm="snap-confine" requested_mask="read" denied_mask="read" peer="unconfined"
[ 41.458075] audit: type=1400 audit(1534247520.127:58): apparmor="DENIED" operation="ptrace" profile="/snap/core/5145/usr/lib/snapd/snap-confine" pid=3020 comm="snap-confine" requested_mask="read" denied_mask="read" peer="unconfined"
[ 94.297198] audit: type=1400 audit(1534247572.951:59): apparmor="DENIED" operation="ptrace" profile="/snap/core/5145/usr/lib/snapd/snap-confine" pid=3238 comm="snap-confine" requested_mask="read" denied_mask="read" peer="unconfined"
[ 9039.010150] audit: type=1400 audit(1534256517.733:64): apparmor="DENIED" operation="ptrace" profile="/snap/core/5145/usr/lib/snapd/snap-confine" pid=19462 comm="snap-confine" requested_mask="read" denied_mask="read" peer="unconfined"
[ 9058.478617] audit: type=1400 audit(1534256537.201:65): apparmor="DENIED" operation="ptrace" profile="/snap/core/5145/usr/lib/snapd/snap-confine" pid=19816 comm="snap-confine" requested_mask="read" denied_mask="read" peer="unconfined"
[ 9083.475983] audit: type=1400 audit(1534256562.197:66): apparmor="DENIED" operation="ptrace" profile="/snap/core/5145/usr/lib/snapd/snap-confine" pid=19924 comm="snap-confine" requested_mask="read" denied_mask="read" peer="unconfined"
[ 9113.703202] audit: type=1400 audit(1534256592.425:67): apparmor="DENIED" operation="ptrace" profile="/snap/core/5145/usr/lib/snapd/snap-confine" pid=19968 comm="snap-confine" requested_mask="read" denied_mask="read" peer="unconfined"
[10614.319740] audit: type=1400 audit(1534258093.050:70): apparmor="DENIED" operation="ptrace" profile="/snap/core/5145/usr/lib/snapd/snap-confine" pid=21750 comm="snap-confine" requested_mask="read" denied_mask="read" peer="unconfined"
[10637.672492] audit: type=1400 audit(1534258116.406:71): apparmor="DENIED" operation="ptrace" profile="/snap/core/5145/usr/lib/snapd/snap-confine" pid=21872 comm="snap-confine" requested_mask="read" denied_mask="read" peer="unconfined"
[10862.835626] audit: type=1400 audit(1534258341.566:74): apparmor="DENIED" operation="ptrace" profile="/snap/core/5145/usr/lib/snapd/snap-confine" pid=22062 comm="snap-confine" requested_mask="read" denied_mask="read" peer="unconfined"
[11041.500133] audit: type=1400 audit(1534258520.235:75): apparmor="DENIED" operation="ptrace" profile="/snap/core/5145/usr/lib/snapd/snap-confine" pid=22154 comm="snap-confine" requested_mask="read" denied_mask="read" peer="unconfined"
[11752.936363] audit: type=1400 audit(1534259231.670:80): apparmor="DENIED" operation="ptrace" profile="/snap/core/5145/usr/lib/snapd/snap-confine" pid=22689 comm="snap-confine" requested_mask="read" denied_mask="read" peer="unconfined"
[70917.166364] audit: type=1400 audit(1534318396.649:81): apparmor="DENIED" operation="ptrace" profile="/snap/core/5145/usr/lib/snapd/snap-confine" pid=27267 comm="snap-confine" requested_mask="read" denied_mask="read" peer="unconfined"
[78768.839106] audit: type=1400 audit(1534326247.974:84): apparmor="DENIED" operation="ptrace" profile="/snap/core/5145/usr/lib/snapd/snap-confine" pid=30089 comm="snap-confine" requested_mask="read" denied_mask="read" peer="unconfined"
Any ideas on why it still doesn’t work?
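
Added example, not part of the original post: a small Python parser that groups AppArmor denials from `dmesg` output like the above by profile, operation, mask and peer, so the profile name the kernel reports can be compared with the names of the profiles that were reloaded. The first two sample lines are copied from the post, the other two are constructed, and `reloaded_names` is a caller-supplied set (an assumption of this example, not a value from the post).

```python
import re
from collections import Counter

# First two lines are copied from the dmesg output in the post; the last two
# are constructed to show that non-denial and non-audit lines are skipped.
SAMPLE = '''\
[ 28.836643] audit: type=1400 audit(1534247507.507:50): apparmor="DENIED" operation="ptrace" profile="/snap/core/5145/usr/lib/snapd/snap-confine" pid=1759 comm="snap-confine" requested_mask="read" denied_mask="read" peer="unconfined"
[ 29.030691] audit: type=1400 audit(1534247507.699:51): apparmor="DENIED" operation="ptrace" profile="/snap/core/5145/usr/lib/snapd/snap-confine" pid=1892 comm="snap-confine" requested_mask="read" denied_mask="read" peer="unconfined"
[ 30.000000] audit: type=1400 audit(1534247508.000:52): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="constructed.example" pid=1900 comm="apparmor_parser"
[ 31.000000] usb 1-1: constructed non-audit line
'''

AUDIT_RE = re.compile(r'audit\((?P<epoch>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare

def parse_denials(text):
    """Return one dict per apparmor="DENIED" record found in dmesg text."""
    records = []
    for line in text.splitlines():
        m = AUDIT_RE.search(line)
        if not m:
            continue  # not an audit record
        fields = {k: quoted or bare for k, quoted, bare in FIELD_RE.findall(m.group("rest"))}
        if fields.get("apparmor") != "DENIED":
            continue  # STATUS, ALLOWED, etc.
        fields["epoch"] = float(m.group("epoch"))
        records.append(fields)
    return records

def summarize(records):
    """Count denials per (profile, operation, denied_mask, peer)."""
    return Counter((r.get("profile"), r.get("operation"),
                    r.get("denied_mask"), r.get("peer")) for r in records)

def profiles_not_in(records, reloaded_names):
    """Profiles that logged denials but are absent from the caller's reloaded set."""
    return sorted({r["profile"] for r in records if r.get("profile") not in reloaded_names})

if __name__ == "__main__":
    for key, count in summarize(parse_denials(SAMPLE)).items():
        print(count, *key)
```
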