Hello,
I have a snap that has base core18, confinement strict, using the glib-only desktop helper.
The app has the following plugs enabled:
- desktop
- desktop-legacy
- x11
- opengl
- network
Until some days ago, the snap was running with no issues. However, now it is unable to start and I see the following errors in the journal:
Aug 09 11:28:05 aston-Xubuntu audit[22858]: AVC apparmor=“DENIED” operation=“open” profile=“snap.rust-keylock-ui.rust-keylock-ui” name="/home/aston/Documents/" pid=22858 comm=“head” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=1000
Aug 09 11:28:05 aston-Xubuntu kernel: audit: type=1400 audit(1565339285.491:182): apparmor=“DENIED” operation=“open” profile=“snap.rust-keylock-ui.rust-keylock-ui” name="/home/aston/Documents/" pid=22858 comm=“head” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=1000
Aug 09 11:28:05 aston-Xubuntu audit[22768]: AVC apparmor=“DENIED” operation=“open” profile=“snap.rust-keylock-ui.rust-keylock-ui” name="/proc/22768/mountinfo" pid=22768 comm=“rust-keylock-ui” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=1000
Aug 09 11:28:05 aston-Xubuntu audit[22768]: AVC apparmor=“DENIED” operation=“open” profile=“snap.rust-keylock-ui.rust-keylock-ui” name="/proc/22768/coredump_filter" pid=22768 comm=“rust-keylock-ui” requested_mask=“wr” denied_mask=“wr” fsuid=1000 ouid=1000
Aug 09 11:28:05 aston-Xubuntu audit[22768]: AVC apparmor=“DENIED” operation=“open” profile=“snap.rust-keylock-ui.rust-keylock-ui” name="/proc/22768/coredump_filter" pid=22768 comm=“rust-keylock-ui” requested_mask=“wr” denied_mask=“wr” fsuid=1000 ouid=1000
Aug 09 11:28:05 aston-Xubuntu audit[22768]: AVC apparmor=“DENIED” operation=“open” profile=“snap.rust-keylock-ui.rust-keylock-ui” name="/home/aston/" pid=22768 comm=“rust-keylock-ui” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=1000
Aug 09 11:28:05 aston-Xubuntu kernel: audit: type=1400 audit(1565339285.507:183): apparmor=“DENIED” operation=“open” profile=“snap.rust-keylock-ui.rust-keylock-ui” name="/proc/22768/mountinfo" pid=22768 comm=“rust-keylock-ui” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=1000
Aug 09 11:28:05 aston-Xubuntu kernel: audit: type=1400 audit(1565339285.507:184): apparmor=“DENIED” operation=“open” profile=“snap.rust-keylock-ui.rust-keylock-ui” name="/proc/22768/coredump_filter" pid=22768 comm=“rust-keylock-ui” requested_mask=“wr” denied_mask=“wr” fsuid=1000 ouid=1000
Aug 09 11:28:05 aston-Xubuntu kernel: audit: type=1400 audit(1565339285.507:185): apparmor=“DENIED” operation=“open” profile=“snap.rust-keylock-ui.rust-keylock-ui” name="/proc/22768/coredump_filter" pid=22768 comm=“rust-keylock-ui” requested_mask=“wr” denied_mask=“wr” fsuid=1000 ouid=1000
Aug 09 11:28:05 aston-Xubuntu kernel: audit: type=1400 audit(1565339285.507:186): apparmor=“DENIED” operation=“open” profile=“snap.rust-keylock-ui.rust-keylock-ui” name="/home/aston/" pid=22768 comm=“rust-keylock-ui” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=1000
I have noticed that in the snap home directory there are links to the actual home:
for example:
ls -la ~/snap/rust-keylock-ui/current/.config/gtk-2.0/gtkfilechooser.ini
returns
lrwxrwxrwx 1 aston aston 49 Aug 9 09:35 /home/aston/snap/rust-keylock-ui/current/.config/gtk-2.0/gtkfilechooser.ini -> /home/aston/.config/gtk-2.0/gtkfilechooser.ini
Can this be an issue?
Do I need some additional configuration in my snap to keep the apparmor happy?
Here is the snapcraft.yaml for reference.