Snap applications not launching due to a snap-confine elevated permissions issue

I’m running on a fairly new (clean install, two weeks ago) Ubuntu 20.04.
After my last apt update, none of the snap-installed applications will start; they all fail with the following error:

snap-confine has elevated permissions and is not confined but should be. Refusing to continue to avoid permission escalation attacks

I have tried several suggestions from this forum, over the last couple of years, but nothing seems to work.
Among others:

I really hope someone can shed some light on the issue.

The following is (hopefully) relevant output.

Output from snap version:

snap    2.45.2
snapd   2.45.2
series  16
ubuntu  20.04
kernel  5.4.0-42-generic

Output from snap debug confinement:


Output from snap debug sandbox-features:

apparmor:             kernel:caps kernel:dbus kernel:domain kernel:file kernel:mount kernel:namespaces kernel:network kernel:network_v8 kernel:policy kernel:ptrace kernel:query kernel:rlimit kernel:signal parser:unsafe policy:default support-level:full
confinement-options:  classic devmode strict
dbus:                 mediated-bus-access
kmod:                 mediated-modprobe
mount:                freezer-cgroup-v1 layouts mount-namespace per-snap-persistency per-snap-profiles per-snap-updates per-snap-user-profiles stale-base-invalidation
seccomp:              bpf-actlog bpf-argument-filtering kernel:allow kernel:errno kernel:kill_process kernel:kill_thread kernel:log kernel:trace kernel:trap kernel:user_notif
udev:                 device-cgroup-v1 device-filtering tagging

Output from snap debug confinement:

● apparmor.service - Load AppArmor profiles
     Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled)
     Active: active (exited) since Wed 2020-07-22 11:22:54 CEST; 38min ago
       Docs: man:apparmor(7)
    Process: 1174 ExecStart=/lib/apparmor/apparmor.systemd reload (code=exited, status=0/SUCCESS)
   Main PID: 1174 (code=exited, status=0/SUCCESS)

Output from sudo cat /sys/kernel/security/apparmor/profiles:

docker-default (enforce)
snap.firefox.firefox (enforce)
snap-update-ns.opera (enforce)
snap.spotify.spotify (enforce)
snap.opera.opera (enforce)
snap-update-ns.dbeaver-ce (enforce)
snap-update-ns.snap-store (enforce)
snap.snap-store.ubuntu-software-local-file (enforce)
snap.postman.postman (enforce)
snap.snap-store.snap-store (enforce)
snap.wormhole.wormhole (enforce)
snap-update-ns.firefox (enforce)
snap.snap-store.ubuntu-software (enforce)
snap.sublime-text.subl (complain)
/snap/core/9665/usr/lib/snapd/snap-confine (enforce)
/snap/core/9665/usr/lib/snapd/snap-confine//mount-namespace-capture-helper (enforce)
/snap/snapd/8140/usr/lib/snapd/snap-confine (enforce)
/snap/snapd/8140/usr/lib/snapd/snap-confine//mount-namespace-capture-helper (enforce)
snap.dbeaver-ce.dbeaver-ce (enforce)
snap.slack.slack (complain)
snap.core.hook.configure (enforce)
snap.intellij-idea-ultimate.intellij-idea-ultimate (complain)
snap.fwupd.hook.install (complain)
snap.fwupd.hook.remove (complain)
snap.fwupd.fwupdtpmevlog (complain)
snap.fwupd.fwupdagent (complain)
snap.fwupd.fwupdtool (complain)
snap.fwupd.fwupdmgr (complain)
snap.fwupd.dfu-tool (complain)
snap.fwupd.fwupd (complain)
snap-update-ns.slack (enforce)
snap-update-ns.wormhole (enforce)
snap-update-ns.sublime-text (enforce)
snap-update-ns.postman (enforce)
snap-update-ns.intellij-idea-ultimate (enforce)
snap-update-ns.spotify (enforce)
snap-update-ns.fwupd (enforce)
snap-update-ns.core (enforce)
/usr/bin/evince-thumbnailer (enforce)
/usr/bin/evince-previewer (enforce)
/usr/bin/evince-previewer//sanitized_helper (enforce)
/usr/bin/evince (enforce)
/usr/bin/evince//sanitized_helper (enforce)
libreoffice-soffice (complain)
libreoffice-soffice//gpg (enforce)
/usr/sbin/cupsd (enforce)
/usr/sbin/cupsd//third_party (enforce)
/usr/lib/cups/backend/cups-pdf (enforce)
/{,usr/}sbin/dhclient (enforce)
/usr/lib/connman/scripts/dhclient-script (enforce)
/usr/lib/NetworkManager/nm-dhcp-helper (enforce)
/usr/lib/NetworkManager/nm-dhcp-client.action (enforce)
ippusbxd (enforce)
/usr/sbin/cups-browsed (enforce)
/usr/sbin/mysqld (enforce)
/usr/sbin/tcpdump (enforce)
nvidia_modprobe (enforce)
nvidia_modprobe//kmod (enforce)
/usr/lib/snapd/snap-confine (enforce)
/usr/lib/snapd/snap-confine//mount-namespace-capture-helper (enforce)
man_groff (enforce)
man_filter (enforce)
/usr/bin/man (enforce)
libreoffice-oopslash (complain)
lsb_release (enforce)
libreoffice-xpdfimport (enforce)
libreoffice-senddoc (enforce)

Additionally, I’ve also run the following commands:

sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap-confine*
sudo apparmor_parser -r /etc/apparmor.d/*snap-confine*

What is the output of running SNAP_CONFINE_DEBUG=1 snap run hello-world for you?

Output from running SNAP_CONFINE_DEBUG=1 snap run hello-world:

DEBUG: umask reset, old umask was   02
DEBUG: security tag: snap.hello-world.hello-world
DEBUG: executable:   /usr/lib/snapd/snap-exec
DEBUG: confinement:  non-classic
DEBUG: base snap:    core
DEBUG: ruid: 1000, euid: 0, suid: 0
DEBUG: rgid: 1000, egid: 1000, sgid: 1000
DEBUG: apparmor label on snap-confine is: unconfined
DEBUG: apparmor mode is: (null)
snap-confine has elevated permissions and is not confined but should be. Refusing to continue to avoid permission escalation attacks

this happens from aa_getcon and as per the man page, a NULL mode means unconfined.

Probably what is happening here is that for whatever reason the deb package of snapd is not working, as this line:

and this line:

mean that where you are running snap-confine from (the deb package of snapd directly, not the core snap or the snapd snap), you do not have a snap-confine profile loaded for it. That would need /usr/lib/snapd/snap-exec (enforce) to show up from aa-status, which you do not have. Although you do have /snap/core/9665/usr/lib/snapd/snap-confine (enforce) and /snap/snapd/8140/usr/lib/snapd/snap-confine which would be enforcing this if your system had re-exec’d from the deb package to the snapd or core snaps, which for some reason it didn’t.

What do snap list and apt show snapd 2>/dev/null | grep Version return on your system?
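The two checks Ian is walking through above can be modelled in a few lines. The following is an added example, not code from snapd or from anyone in this thread: it parses an AppArmor label the way aa_getcon() reports it (a missing mode is the NULL mode, i.e. unconfined), parses the `name (mode)` lines of /sys/kernel/security/apparmor/profiles, and reports whether the snap-confine binary that actually ran (the deb's /usr/lib/snapd/snap-confine, or the re-exec copies under /snap/snapd/<rev> and /snap/core/<rev>) has an enforcing profile loaded. The sample profile list is constructed, a subset of the one posted above with the deb's own snap-confine entry deliberately left out so the failing case shows; the refusal rule is a simplification of what the thread describes, and nothing here touches the live kernel.

```python
# Added diagnostic example; not snapd's code. Models the aa_getcon() label
# semantics and the "is there an enforcing profile for the snap-confine that
# ran?" check discussed in the thread. All sample data is constructed.
import re
from typing import Dict, List, Optional, Tuple

# /proc/<pid>/attr/current (what aa_getcon() reads) holds either the bare word
# "unconfined" or "<profile name> (<mode>)"; the kernel's profiles file uses the
# same "<name> (<mode>)" shape, one profile per line.
_LABEL_RE = re.compile(r"^(?P<name>.+?)(?: \((?P<mode>[a-z_-]+)\))?$")

DEB_SNAP_CONFINE = "/usr/lib/snapd/snap-confine"


def parse_confinement_label(raw: str) -> Tuple[str, Optional[str]]:
    """Split an AppArmor label into (name, mode). mode is None when the task is
    unconfined, which is what the '(null)' in the SNAP_CONFINE_DEBUG output is."""
    raw = raw.strip().rstrip("\x00")
    m = _LABEL_RE.match(raw)
    if not raw or m is None:
        raise ValueError(f"unrecognised AppArmor label: {raw!r}")
    return m.group("name"), m.group("mode")


def parse_profile_list(text: str) -> Dict[str, str]:
    """Map profile name -> mode for the contents of the kernel's profiles file."""
    profiles: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, mode = parse_confinement_label(line)
        if mode is None:
            raise ValueError(f"profile line without a mode: {line!r}")
        profiles[name] = mode
    return profiles


def reexec_snap_confine_paths(snap_revs: Dict[str, str]) -> List[str]:
    """Paths snap-confine has when snapd re-execs into the snapd or core snap,
    given {snap name: revision} for whichever of 'snapd' and 'core' is installed."""
    return [f"/snap/{name}/{snap_revs[name]}/usr/lib/snapd/snap-confine"
            for name in ("snapd", "core") if name in snap_revs]


def would_refuse(label_raw: str, euid: int) -> bool:
    """Simplified refusal rule from the thread: snap-confine runs with elevated
    privileges (euid 0 via setuid) while the kernel reports it as unconfined."""
    _, mode = parse_confinement_label(label_raw)
    return euid == 0 and mode is None


def profile_report(profiles: Dict[str, str], exe_path: str,
                   snap_revs: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Profile mode for the snap-confine that ran (exe_path, listed first) and
    for the re-exec candidates, so a missing deb profile stands out next to the
    present core/snapd ones. None means no profile is loaded for that path."""
    paths = [exe_path] + [p for p in reexec_snap_confine_paths(snap_revs)
                          if p != exe_path]
    return {p: profiles.get(p) for p in paths}


# Constructed sample: re-exec profiles are present, the deb's own
# "/usr/lib/snapd/snap-confine (enforce)" line is deliberately absent.
SAMPLE_PROFILES = """\
docker-default (enforce)
/snap/core/9665/usr/lib/snapd/snap-confine (enforce)
/snap/core/9665/usr/lib/snapd/snap-confine//mount-namespace-capture-helper (enforce)
/snap/snapd/8140/usr/lib/snapd/snap-confine (enforce)
/snap/snapd/8140/usr/lib/snapd/snap-confine//mount-namespace-capture-helper (enforce)
"""
SAMPLE_REVS = {"core": "9665", "snapd": "8140"}


def diagnose(profiles_text: str = SAMPLE_PROFILES, label_raw: str = "unconfined",
             euid: int = 0, exe_path: str = DEB_SNAP_CONFINE,
             snap_revs: Dict[str, str] = SAMPLE_REVS) -> dict:
    """Combine both checks for one observed snap-confine run."""
    profiles = parse_profile_list(profiles_text)
    return {
        "refused": would_refuse(label_raw, euid),
        "profiles": profile_report(profiles, exe_path, snap_revs),
    }


if __name__ == "__main__":
    for key, value in diagnose().items():
        print(f"{key}: {value}")
```

On a real system the inputs would come from `cat /proc/self/attr/current` run from inside the failing process, the profiles file, and `snap list` for the revisions; the report makes the gap visible: the deb path maps to None while both /snap/... paths map to "enforce", which is exactly the situation in which the deb's snap-confine runs unconfined as root and refuses.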

Thank you so much for helping, Ian!

Output from snap list:

Name                    Version                     Rev   Tracking         Publisher        Notes
chromium-ffmpeg         0.1                         15    latest/stable    canonical*       -
core                    16-2.45.2                   9665  latest/stable    canonical*       core
core18                  20200707                    1880  latest/stable    canonical*       base
dbeaver-ce                                          60    latest/stable    dbeaver-corp     -
firefox                 78.0.1-1                    387   latest/stable    mozilla*         -
fwupd                   1.4.4                       2164  latest/stable    richard-hughes   classic
gnome-3-28-1804         3.28.0-17-gde3d74c.de3d74c  128   latest/stable    canonical*       -
gnome-3-34-1804         0+git.3009fc7               36    latest/stable/…  canonical*       -
gtk-common-themes       0.1-36-gc75f853             1506  latest/stable/…  canonical*       -
hello-world             6.4                         29    latest/stable    canonical*       -
intellij-idea-ultimate  2020.1.2                    228   latest/stable    jetbrains*       classic
opera                   69.0.3686.49                80    latest/stable    opera-software*  -
postman                 7.27.1                      116   latest/stable    postman-inc*     -
slack                   4.7.0                       25    latest/stable    slack*           classic
snap-store              3.36.0-80-g208fd61          467   latest/stable/…  canonical*       -
snapd                   2.45.1                      8140  latest/stable    canonical*       snapd
spotify                                             41    latest/stable    spotify*         -
sublime-text            3211                        85    latest/stable    snapcrafters     classic
wormhole                0.11.2                      112   latest/stable    snapcrafters     -

Output from apt show snapd 2>/dev/null | grep Version:

Version: 2.45.1+20.04.2

So it does seem that you have a snapd deb which is higher in version than the core snap, and the core snap is higher than the snapd snap, so you do not have re-exec on this system, which means there is an issue with the deb package not installing the apparmor profile for its version of snap-confine.

Try running sudo apt install --reinstall snapd; this will not remove any of your snap applications, but hopefully it will install the snap-confine apparmor profile from the deb.

Your magic and a teeny-weeny reboot, and everything is working again! Thanks for your help - and accompanying explanations - I owe you a beer, mate :)
