Snap-confine has elevated permissions error

luciadecastro · October 6, 2017, 5:34pm

Hi,

I’m seeing this error whenever I try to run a snap, despite attempts to reinstall snapd:
“snap-confine has elevated permissions and is not confined but should be. Refusing to continue to avoid permission escalation attacks”

Any ideas?

luciadecastro@sebastian:~$ sudo apt install --reinstall snapd
sudo: unable to resolve host sebastian
[sudo] password for luciadecastro:
Reading package lists… Done
Building dependency tree
Reading state information… Done
The following packages were automatically installed and are no longer required:
libllvm3.8 linux-headers-4.4.0-81 linux-headers-4.4.0-81-generic linux-headers-4.4.0-83
linux-headers-4.4.0-83-generic linux-headers-4.4.0-87 linux-headers-4.4.0-87-generic linux-headers-4.4.0-89
linux-headers-4.4.0-89-generic linux-headers-4.4.0-91 linux-headers-4.4.0-91-generic linux-headers-4.4.0-92
linux-headers-4.4.0-92-generic linux-headers-4.4.0-93 linux-headers-4.4.0-93-generic
linux-image-4.4.0-81-generic linux-image-4.4.0-83-generic linux-image-4.4.0-87-generic
linux-image-4.4.0-89-generic linux-image-4.4.0-91-generic linux-image-4.4.0-92-generic
linux-image-4.4.0-93-generic linux-image-extra-4.4.0-81-generic linux-image-extra-4.4.0-83-generic
linux-image-extra-4.4.0-87-generic linux-image-extra-4.4.0-89-generic linux-image-extra-4.4.0-91-generic
linux-image-extra-4.4.0-92-generic linux-image-extra-4.4.0-93-generic linux-signed-image-4.4.0-81-generic
linux-signed-image-4.4.0-83-generic linux-signed-image-4.4.0-87-generic linux-signed-image-4.4.0-89-generic
linux-signed-image-4.4.0-91-generic linux-signed-image-4.4.0-92-generic linux-signed-image-4.4.0-93-generic
Use ‘sudo apt autoremove’ to remove them.
0 to upgrade, 0 to newly install, 1 reinstalled, 0 to remove and 45 not to upgrade.
Need to get 10.7 MB of archives.
After this operation, 0 B of additional disk space will be used.
Get:1 http://gb.archive.ubuntu.com/ubuntu xenial-updates/main amd64 snapd amd64 2.27.5 [10.7 MB]
Fetched 10.7 MB in 2s (4,215 kB/s)
(Reading database … 472617 files and directories currently installed.)
Preparing to unpack …/snapd_2.27.5_amd64.deb …
Warning: Stopping snapd.service, but it can still be activated by:
snapd.socket
Unpacking snapd (2.27.5) over (2.27.5) …
Processing triggers for man-db (2.7.5-1) …
Setting up snapd (2.27.5) …
luciadecastro@sebastian:~$ ls -la /usr/lib/snapd/snap-confine
-rwsr-xr-x 1 root root 81672 Aug 31 06:17 /usr/lib/snapd/snap-confine
luciadecastro@sebastian:~$ notes
snap-confine has elevated permissions and is not confined but should be. Refusing to continue to avoid permission escalation attacks
luciadecastro@sebastian:~$ ls -la /usr/lib/snapd
total 37736
drwxr-xr-x 2 root root 4096 Oct 6 13:29 .
drwxr-xr-x 153 root root 12288 Sep 13 09:24 …
-rw-r–r-- 1 root root 4814 Aug 24 02:46 complete.sh
-rwxr-xr-x 1 root root 6243 Aug 24 02:46 etelpmoc.sh
-rw-r–r-- 1 root root 15 Aug 31 06:14 info
-rwsr-xr-x 1 root root 81672 Aug 31 06:17 snap-confine
-rwxr-xr-x 1 root root 20031344 Aug 31 06:17 snapd
-rwxr-xr-x 1 root root 2273 Aug 31 06:17 snapd.core-fixup.sh
-rwxr-xr-x 1 root root 39864 Aug 31 06:17 snap-discard-ns
-rwxr-xr-x 1 root root 5461304 Aug 31 06:17 snap-exec
-rwxr-xr-x 1 root root 3263832 Aug 31 06:17 snap-repair
-rwxr-xr-x 1 root root 3867256 Aug 31 06:17 snap-seccomp
-rwxr-xr-x 1 root root 4986008 Aug 31 06:17 snap-update-ns
-rwxr-xr-x 1 root root 852928 Aug 31 06:17 system-shutdown
luciadecastro@sebastian:~$ file /usr/lib/snapd/snap-confine
/usr/lib/snapd/snap-confine: setuid ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=6f8ebeee19e88c2b883b1c6cb4b541601d58f6f8, stripped

niemeyer · October 6, 2017, 5:40pm

Can you please send the output of snap version?

@jdstrand That looks like something for you.

luciadecastro · October 6, 2017, 5:53pm

snap 2.27.6
snapd 2.27.6
series 16
ubuntu 16.04
kernel 4.8.1-040801-generic

jdstrand · October 6, 2017, 6:01pm

This is actually something that @zyga-snapd worked on, but I can say that this error indicates that the snap-confine profile is not loaded. It looks like you are running an Ubuntu system, but not an Ubuntu kernel (kernel 4.8.1-040801-generic). I suspect if you install an Ubuntu kernel (eg, linux-generic (4.4), linux-generic-hwe-16.04 (4.10) or linux-generic-hwe-16.04-edge (4.11)) and reboot, it will work.

zyga-snapd · October 6, 2017, 6:04pm

Yes, this looks quite like that.

@jdstrand does the ubuntu apparmor package skip profile loads on a kernel with incomplete feature set?

luciadecastro · October 6, 2017, 6:19pm

This worked!!! Super! Thank you very much.

niemeyer · October 6, 2017, 6:39pm

@jdstrand Thanks!

@luciadecastro Glad it’s now working. What kernel were you running before (where did you get it)? The information may be useful in the future while we try to solve similar issues.

jdstrand · October 6, 2017, 6:42pm

No. The parser will DTRT there. I suspected there was something else wrong with that kernel.

zyga-snapd · October 6, 2017, 6:43pm

Aha, good to know, thank you.

luciadecastro · October 9, 2017, 6:30pm

That’s a very good question. I installed Ubuntu on this laptop using a pen Rodney (from the London office) provided. Other than Rodney no one touched my laptop since I have it and I didn’t install any other kernel, so I’m unsure… Is there a command I can run to check that out?

niemeyer · October 16, 2017, 4:28pm

7 posts were split to a new topic: Issues with an unsupported kernel