I’m running on a fairly new (clean install, two weeks ago) Ubuntu 20.04.
After my last apt update, none of the snap-installed applications will start, but fail with the following error:
snap-confine has elevated permissions and is not confined but should be. Refusing to continue to avoid permission escalation attacks
I have tried several suggestions from this forum, over the last couple of years, but nothing seems to work.
Among others:
- snap-confine-has-elevated-permissions-and-is-not-confined-but-should-be-refusing-to-continue-to-avoid-permission-escalation-attacks
- solved-snap-application-not-launching-due-to-a-snap-confine-permissions-issue
I really hope someone can shed some light on the issue.
The following is (hopefully) relevant output.
Output from snap version:
snap 2.45.2
snapd 2.45.2
series 16
ubuntu 20.04
kernel 5.4.0-42-generic
Output from snap debug confinement:
strict
Output from snap debug sandbox-features:
apparmor: kernel:caps kernel:dbus kernel:domain kernel:file kernel:mount kernel:namespaces kernel:network kernel:network_v8 kernel:policy kernel:ptrace kernel:query kernel:rlimit kernel:signal parser:unsafe policy:default support-level:full
confinement-options: classic devmode strict
dbus: mediated-bus-access
kmod: mediated-modprobe
mount: freezer-cgroup-v1 layouts mount-namespace per-snap-persistency per-snap-profiles per-snap-updates per-snap-user-profiles stale-base-invalidation
seccomp: bpf-actlog bpf-argument-filtering kernel:allow kernel:errno kernel:kill_process kernel:kill_thread kernel:log kernel:trace kernel:trap kernel:user_notif
udev: device-cgroup-v1 device-filtering tagging
Output from snap debug confinement:
● apparmor.service - Load AppArmor profiles
Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled)
Active: active (exited) since Wed 2020-07-22 11:22:54 CEST; 38min ago
Docs: man:apparmor(7)
https://gitlab.com/apparmor/apparmor/wikis/home/
Process: 1174 ExecStart=/lib/apparmor/apparmor.systemd reload (code=exited, status=0/SUCCESS)
Main PID: 1174 (code=exited, status=0/SUCCESS)
Output from sudo cat /sys/kernel/security/apparmor/profiles:
docker-default (enforce)
snap.firefox.firefox (enforce)
snap-update-ns.opera (enforce)
snap.spotify.spotify (enforce)
snap.opera.opera (enforce)
snap-update-ns.dbeaver-ce (enforce)
snap-update-ns.snap-store (enforce)
snap.snap-store.ubuntu-software-local-file (enforce)
snap.postman.postman (enforce)
snap.snap-store.snap-store (enforce)
snap.wormhole.wormhole (enforce)
snap-update-ns.firefox (enforce)
snap.snap-store.ubuntu-software (enforce)
snap.sublime-text.subl (complain)
/snap/core/9665/usr/lib/snapd/snap-confine (enforce)
/snap/core/9665/usr/lib/snapd/snap-confine//mount-namespace-capture-helper (enforce)
/snap/snapd/8140/usr/lib/snapd/snap-confine (enforce)
/snap/snapd/8140/usr/lib/snapd/snap-confine//mount-namespace-capture-helper (enforce)
snap.dbeaver-ce.dbeaver-ce (enforce)
snap.slack.slack (complain)
snap.core.hook.configure (enforce)
snap.intellij-idea-ultimate.intellij-idea-ultimate (complain)
snap.fwupd.hook.install (complain)
snap.fwupd.hook.remove (complain)
snap.fwupd.fwupdtpmevlog (complain)
snap.fwupd.fwupdagent (complain)
snap.fwupd.fwupdtool (complain)
snap.fwupd.fwupdmgr (complain)
snap.fwupd.dfu-tool (complain)
snap.fwupd.fwupd (complain)
snap-update-ns.slack (enforce)
snap-update-ns.wormhole (enforce)
snap-update-ns.sublime-text (enforce)
snap-update-ns.postman (enforce)
snap-update-ns.intellij-idea-ultimate (enforce)
snap-update-ns.spotify (enforce)
snap-update-ns.fwupd (enforce)
snap-update-ns.core (enforce)
/usr/bin/evince-thumbnailer (enforce)
/usr/bin/evince-previewer (enforce)
/usr/bin/evince-previewer//sanitized_helper (enforce)
/usr/bin/evince (enforce)
/usr/bin/evince//sanitized_helper (enforce)
libreoffice-soffice (complain)
libreoffice-soffice//gpg (enforce)
/usr/sbin/cupsd (enforce)
/usr/sbin/cupsd//third_party (enforce)
/usr/lib/cups/backend/cups-pdf (enforce)
/{,usr/}sbin/dhclient (enforce)
/usr/lib/connman/scripts/dhclient-script (enforce)
/usr/lib/NetworkManager/nm-dhcp-helper (enforce)
/usr/lib/NetworkManager/nm-dhcp-client.action (enforce)
ippusbxd (enforce)
/usr/sbin/cups-browsed (enforce)
/usr/sbin/mysqld (enforce)
/usr/sbin/tcpdump (enforce)
nvidia_modprobe (enforce)
nvidia_modprobe//kmod (enforce)
/usr/lib/snapd/snap-confine (enforce)
/usr/lib/snapd/snap-confine//mount-namespace-capture-helper (enforce)
man_groff (enforce)
man_filter (enforce)
/usr/bin/man (enforce)
libreoffice-oopslash (complain)
lsb_release (enforce)
libreoffice-xpdfimport (enforce)
libreoffice-senddoc (enforce)
Additionally, I’ve also run the following commands:
sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap-confine*
sudo apparmor_parser -r /etc/apparmor.d/*snap-confine*
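
A check that follows from the profile listing above, as an added example that is not part of the original post: AppArmor attaches a path-named profile to the executable at exactly that path, so this script reports the mode of the profile loaded for each snap-confine binary path. The function names and the exact-name matching (no glob handling) are assumptions of this example; the sample lines are copied from the listing in the post.

```shell
#!/bin/sh
# Added example (not from the original post). Reports the AppArmor mode of the
# profile attached by name to each snap-confine binary path.

# Constructed sample: lines copied from the profile listing in the post.
SAMPLE='snap.firefox.firefox (enforce)
/snap/core/9665/usr/lib/snapd/snap-confine (enforce)
/snap/core/9665/usr/lib/snapd/snap-confine//mount-namespace-capture-helper (enforce)
/snap/snapd/8140/usr/lib/snapd/snap-confine (enforce)
snap.slack.slack (complain)
/usr/lib/snapd/snap-confine (enforce)'

# profile_mode LISTING NAME: print the mode of the profile called NAME,
# or "missing" if the listing has no profile with exactly that name.
profile_mode() {
    printf '%s\n' "$1" | awk -v want="$2" '
        {
            mode = $NF; gsub(/[()]/, "", mode)        # "(enforce)" -> "enforce"
            name = $0; sub(/ \([a-z]+\)$/, "", name)  # strip trailing " (mode)"
            if (name == want) { print mode; found = 1; exit }
        }
        END { if (!found) print "missing" }'
}

# check_snap_confine LISTING PATH...: print one "mode<TAB>path" line per path;
# return non-zero if any path is not covered by an enforce-mode profile.
check_snap_confine() {
    listing=$1; shift; rc=0
    for bin in "$@"; do
        mode=$(profile_mode "$listing" "$bin")
        printf '%s\t%s\n' "$mode" "$bin"
        [ "$mode" = enforce ] || rc=1
    done
    return $rc
}

# On a live system (as root), resolve the "current" symlinks so the revision
# in the path is the one that will actually be executed:
#   listing=$(cat /sys/kernel/security/apparmor/profiles)
#   check_snap_confine "$listing" /usr/lib/snapd/snap-confine \
#       "$(readlink -f /snap/snapd/current/usr/lib/snapd/snap-confine)" \
#       "$(readlink -f /snap/core/current/usr/lib/snapd/snap-confine)"
check_snap_confine "$SAMPLE" /usr/lib/snapd/snap-confine \
    /snap/snapd/8140/usr/lib/snapd/snap-confine
```

A path reported as "missing" or "complain" means that binary is not running under an enforce-mode profile of its own name, which is the condition worth comparing against the snap-confine error.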