Snap-confine has elevated permissions and is not confined but should be. Refusing to continue to avoid permission escalation attacks

I installed pycharm-community on Ubuntu 16.04 using:

sudo snap install pycharm-community --classic

but every couple of days when I try to run pycharm I get the error:

snap-confine has elevated permissions and is not confined but should be. Refusing to continue to avoid permission escalation attacks

I can get around it by re-installing snap and pycharm:

sudo apt purge snapd snap-confine && sudo apt install -y snapd
sudo snap install pycharm-community --classic

Is this a bug in snap? Is there a way to avoid this error message?

Yes. I believe @zyga-snapd is looking into this as there are other reports.

Rather than reinstalling, you should be able to work around this by performing:

$ sudo apparmor_parser -r /etc/apparmor.d/*snap-confine*

This will make snap-confine run ‘confined’ (until the bug pops up again).


I ran the command:

$ sudo apparmor_parser -r /etc/apparmor.d/*snap-confine*

but now trying to start pycharm gives the error:

$ pycharm-community
cannot change profile for the next exec call: No such file or directory

I seem to encounter this error every time I restart my machine.

Does running this make things start to work again:

$ sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/*

No, I get the message:

snap-confine has elevated permissions and is not confined but should be. Refusing to continue to avoid permission escalation attacks

@zyga-snapd - do you have any ideas?

What is your snap version and what is shown by sudo cat /sys/kernel/security/apparmor/profiles?

$ snap version
snap 2.32.8
snapd 2.32.8
series 16
ubuntu 16.04
kernel 4.4.0-127-generic

$ sudo cat /sys/kernel/security/apparmor/profiles

This file is empty
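
Added example (not part of any post in this thread, and not snapd's own code): a sketch of how the `/sys/kernel/security/apparmor/profiles` listing requested above can be read to tell "no profiles loaded at all" (the empty file reported here) apart from "snap-confine's profile is missing" or "loaded but not enforcing". The function names `snap_confine_status` and `snap_confine_hint` and the sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify snap-confine's AppArmor state from a profiles listing.
# Each line of /sys/kernel/security/apparmor/profiles reads "<name> (<mode>)".

snap_confine_status() {
    # $1: listing to inspect; defaults to the live kernel file (root only).
    listing=${1:-/sys/kernel/security/apparmor/profiles}
    content=$(cat "$listing" 2>/dev/null) || { echo unreadable; return 0; }
    printf '%s\n' "$content" | awk '
        NF { seen = 1 }
        # Main snap-confine profiles only; child profiles ("//...") are skipped.
        /snap-confine \([a-z]+\)$/ {
            mode = $NF; gsub(/[()]/, "", mode)
            if (worst == "" || mode != "enforce") worst = mode
        }
        END {
            if (!seen) print "no-profiles-loaded"
            else if (worst == "") print "snap-confine-not-loaded"
            else print worst
        }'
}

snap_confine_hint() {
    # Maps a status to a short explanation; the reload command is the thread's.
    case $1 in
        enforce) echo "snap-confine is confined" ;;
        no-profiles-loaded)
            echo "no AppArmor profiles are loaded in the kernel" ;;
        snap-confine-not-loaded)
            echo "reload with: sudo apparmor_parser -r /etc/apparmor.d/*snap-confine*" ;;
        unreadable) echo "cannot read listing; run as root" ;;
        *) echo "snap-confine profile is in $1 mode, not enforce" ;;
    esac
}

# Constructed sample listings (not output from the thread's machine).
tmp=$(mktemp -d)
printf '%s\n' '/usr/lib/snapd/snap-confine (enforce)' \
    '/usr/lib/snapd/snap-confine//mount-namespace-capture-helper (enforce)' \
    'snap.pycharm-community.pycharm-community (enforce)' > "$tmp/healthy"
printf '%s\n' '/usr/sbin/tcpdump (enforce)' > "$tmp/missing"
: > "$tmp/empty"

for f in healthy missing empty; do
    s=$(snap_confine_status "$tmp/$f")
    echo "$f: $s ($(snap_confine_hint "$s"))"
done
```

Called with no argument as root, `snap_confine_status` reads the live kernel listing instead of a sample file.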

Hi,

Your answer worked for me. Thanks. Is it safe to run that command, for the snap itself or for my machine? What did it actually do?