Error with AppArmor on Ubuntu 22.04 LTS

Hi, I use Ubuntu 22.04.3 LTS and Xubuntu 22.04.3 LTS for the desktop environment, joined to an AD domain. For a couple of weeks, perhaps since an update, Firefox and Chromium don't start.

apparmor 3.0.4-2ubuntu2.2 amd64
AppArmor parser version 3.0.4

When I start Firefox from the command line I see:

update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/gimp/2.0/help /usr/share/gimp/2.0/help none bind,ro 0 0): cannot open directory "/var/lib": permission denied
update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/xubuntu-docs /usr/share/xubuntu-docs none bind,ro 0 0): cannot open directory "/var/lib": permission denied
cannot create user data directory: /home/<subfolder>/<home dir>/snap/firefox/3068: Permission denied

The command dpkg-reconfigure apparmor, used to add the subfolder, has been run many times, with multiple reboots.

With the aa-status command, the following lines are missing for Firefox: snap.firefox.firefox snap.firefox.geckodriver

I tried to run apparmor_parser -r /var/lib/snapd/apparmor/profiles/* and saw that the line userns, throws an error in the snap profiles for Firefox and Chromium. I tried changing it to userns w,. The command works, as do Firefox and Chromium, but after a reboot I have to re-run this command.

I tried adding the following line to /etc/apparmor/parser.conf:

Include /var/lib/snapd/apparmor/profiles

but after a reboot I still have the same problem.

I tried uninstalling and reinstalling Snap and AppArmor; nothing better.

Did I miss something?

Nota bene: this could be completely unrelated.

The following is only relevant if snap info shows snapd 2.60.2 and snap debug sandbox-features includes parser:snapd-internal.

If your lxd is following latest/stable and this did not happen before last week, it might be due to a bug in snapd 2.60.2. In that case, reverting the lxd snap to 2.60.1 or refreshing to the latest/candidate channel to get 2.60.3 might help.

New bugfix release 2.60.3 includes the relevant fix: ‘Fix missing integration of the /etc/apparmor.d/tunables/home.d/ apparmor to support non-standard home directories’

from snap info lxd:

  latest/stable:    2.60.2                  2023-08-22 (19993) 42MB -
  latest/candidate: 2.60.3                  2023-08-31 (20092) 42MB -

and the related forum topic in the snapd category is:

The information is:

snap info snapd
installed: 2.60.2 (19993) 42MB snapd

snap debug sandbox-features
apparmor: kernel:caps kernel:dbus kernel:domain kernel:file kernel:ipc kernel:mount kernel:namespaces kernel:network kernel:network_v8 kernel:policy kernel:ptrace kernel:query kernel:rlimit kernel:signal parser:cap-audit-read parser:cap-bpf parser:include-if-exists parser:mqueue parser:qipcrtr-socket parser:snapd-internal parser:unsafe parser:userns parser:xdp policy:default support-level:full
confinement-options: classic devmode strict

Hi, correct, upgrading to 2.60.3 solved the problem. Thanks a lot.