"snap-confine has elevated permissions" error on stock 19.10 USB live disk with persistent partition

snapd
1

I’m assisting my mum with trying out ubuntu 19.10 on an external USB stick that I made using Rufus configured with a persistent (casper-rw) partition.

Installing Skype works, running it works (albeit only when clicking the application icon, not the launch icon in the store), after rebooting the skype icon is still there, so persistence seems to work. So far so good.

But lauching Skype after the reboot fails:

snap-confine has elevated permissions and is not confined but should be.
Refusing to continue to avoid permission escalation attacks

I don’t understand what the system is trying to tell me.

Reproduction:

  • burn 19.10 ISO with Rufus
    • MBR
    • persistent partition size: 12GB (maximum allowed on a stick of 16GB)
  • boot
  • install Skype through store
  • launch Skype (does not work using the Store ‘launch’ button, works through the launchpad icon)
  • reboot
  • launch Skype (fails, always)
2

Version info. I don’t seem to be using an hwe kernel, could that be the reason?

$ snap version
snap 2.42
snapd 2.42
series 16
ubuntu 19.10
kernel 5.3.0-18-generic
3

How are the partitions setup? Is /var/lib/snapd setup to be on the persistent partition?

Also can you share snapd logs with journalctl --no-pager -e -u snapd ?

4

Not sure which mount output line might be relevant so I’m adding everything here

sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
udev on /dev type devtmpfs (rw,nosuid,relatime,size=1923084k,nr_inodes=480771,mode=755)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000)
tmpfs on /run type tmpfs (rw,nosuid,noexec,relatime,size=393752k,mode=755)
/dev/sdb1 on /cdrom type vfat (ro,noatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro)
/dev/loop0 on /rofs type squashfs (ro,noatime)
/cow on / type overlay (rw,relatime,lowerdir=//filesystem.squashfs,upperdir=/cow/upper,workdir=/cow/work)
securityfs on /sys/kernel/security type securityfs (rw,nosuid,nodev,noexec,relatime)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev)
tmpfs on /run/lock type tmpfs (rw,nosuid,nodev,noexec,relatime,size=5120k)
tmpfs on /sys/fs/cgroup type tmpfs (ro,nosuid,nodev,noexec,mode=755)
cgroup2 on /sys/fs/cgroup/unified type cgroup2 (rw,nosuid,nodev,noexec,relatime,nsdelegate)
cgroup on /sys/fs/cgroup/systemd type cgroup (rw,nosuid,nodev,noexec,relatime,xattr,name=systemd)
pstore on /sys/fs/pstore type pstore (rw,nosuid,nodev,noexec,relatime)
bpf on /sys/fs/bpf type bpf (rw,nosuid,nodev,noexec,relatime,mode=700)
cgroup on /sys/fs/cgroup/cpuset type cgroup (rw,nosuid,nodev,noexec,relatime,cpuset)
cgroup on /sys/fs/cgroup/pids type cgroup (rw,nosuid,nodev,noexec,relatime,pids)
cgroup on /sys/fs/cgroup/hugetlb type cgroup (rw,nosuid,nodev,noexec,relatime,hugetlb)
cgroup on /sys/fs/cgroup/devices type cgroup (rw,nosuid,nodev,noexec,relatime,devices)
cgroup on /sys/fs/cgroup/rdma type cgroup (rw,nosuid,nodev,noexec,relatime,rdma)
cgroup on /sys/fs/cgroup/blkio type cgroup (rw,nosuid,nodev,noexec,relatime,blkio)
cgroup on /sys/fs/cgroup/perf_event type cgroup (rw,nosuid,nodev,noexec,relatime,perf_event)
cgroup on /sys/fs/cgroup/freezer type cgroup (rw,nosuid,nodev,noexec,relatime,freezer)
cgroup on /sys/fs/cgroup/cpu,cpuacct type cgroup (rw,nosuid,nodev,noexec,relatime,cpu,cpuacct)
cgroup on /sys/fs/cgroup/memory type cgroup (rw,nosuid,nodev,noexec,relatime,memory)
cgroup on /sys/fs/cgroup/net_cls,net_prio type cgroup (rw,nosuid,nodev,noexec,relatime,net_cls,net_prio)
systemd-1 on /proc/sys/fs/binfmt_misc type autofs (rw,relatime,fd=36,pgrp=1,timeout=0,minproto=5,maxproto=5,direct,pipe_ino=15106)
mqueue on /dev/mqueue type mqueue (rw,nosuid,nodev,noexec,relatime)
hugetlbfs on /dev/hugepages type hugetlbfs (rw,relatime,pagesize=2M)
debugfs on /sys/kernel/debug type debugfs (rw,nosuid,nodev,noexec,relatime)
fusectl on /sys/fs/fuse/connections type fusectl (rw,nosuid,nodev,noexec,relatime)
configfs on /sys/kernel/config type configfs (rw,nosuid,nodev,noexec,relatime)
/var/lib/snapd/snaps/gnome-characters_317.snap on /snap/gnome-characters/317 type squashfs (ro,nodev,relatime,x-gdu.hide)
/var/lib/snapd/snaps/skype_101.snap on /snap/skype/101 type squashfs (ro,nodev,relatime,x-gdu.hide)
/var/lib/snapd/snaps/gnome-logs_81.snap on /snap/gnome-logs/81 type squashfs (ro,nodev,relatime,x-gdu.hide)
tmpfs on /tmp type tmpfs (rw,nosuid,nodev,relatime)
/var/lib/snapd/snaps/core_7917.snap on /snap/core/7917 type squashfs (ro,nodev,relatime,x-gdu.hide)
/var/lib/snapd/snaps/gnome-3-28-1804_71.snap on /snap/gnome-3-28-1804/71 type squashfs (ro,nodev,relatime,x-gdu.hide)
/var/lib/snapd/snaps/core18_1223.snap on /snap/core18/1223 type squashfs (ro,nodev,relatime,x-gdu.hide)
/var/lib/snapd/snaps/gtk-common-themes_1353.snap on /snap/gtk-common-themes/1353 type squashfs (ro,nodev,relatime,x-gdu.hide)
/var/lib/snapd/snaps/gnome-calculator_501.snap on /snap/gnome-calculator/501 type squashfs (ro,nodev,relatime,x-gdu.hide)
tmpfs on /run/user/999 type tmpfs (rw,nosuid,nodev,relatime,size=393748k,mode=700,uid=999,gid=999)
gvfsd-fuse on /run/user/999/gvfs type fuse.gvfsd-fuse (rw,nosuid,nodev,relatime,user_id=999,group_id=999)
/dev/fuse on /run/user/999/doc type fuse (rw,nosuid,nodev,relatime,user_id=999,group_id=999)
/dev/sdb2 on /media/ubuntu/casper-rw type ext3 (rw,nosuid,nodev,relatime,uhelper=udisks2)

Here is the journalctl -eu snapd output

$ cat journalctl-eu-snapd.txt 
-- Logs begin at Tue 2019-11-26 14:21:55 CET, end at Tue 2019-11-26 15:21:57 CET. --
Nov 26 15:21:23 ubuntu systemd[1]: Starting Snappy daemon...
Nov 26 15:21:50 ubuntu snapd[1872]: AppArmor status: apparmor is enabled and all features are available
Nov 26 14:22:41 ubuntu snapd[1872]: AppArmor status: apparmor is enabled and all features are available
Nov 26 14:22:47 ubuntu snapd[1872]: daemon.go:346: started snapd/2.42 (series 16; classic) ubuntu/19.10 (amd64) linux/5.3.0-18-generic.
Nov 26 14:22:47 ubuntu snapd[1872]: daemon.go:439: adjusting startup timeout by 1m10s (pessimistic estimate of 30s plus 5s per snap)
Nov 26 14:22:48 ubuntu snapd[1872]: backend.go:128: snapd enabled root filesystem on overlay support, additional upperdir permissions granted
Nov 26 14:22:48 ubuntu systemd[1]: Started Snappy daemon.
Nov 26 14:22:50 ubuntu snapd[1872]: storehelpers.go:436: cannot refresh: snap has no updates available: "gnome-logs", "gtk-common-themes", "skype"

Does that help?