Snap freezes after update to Ubuntu 22.04

After I did an upgrade from Ubuntu 20.04 to Ubuntu 22.04, I’ve noticed that my chromium-browser doesn’t start anymore. I’ve started investigating and debugging, and I narrowed it down to all snap applications having just stopped working. I tried to remove them all, but now I cannot even install chromium anymore, because of the hooks invoked during the snap installation. The version reported to me is:

$ snap --version
snap    2.56.2+22.04ubuntu1
snapd   2.56.2+22.04ubuntu1
series  16
ubuntu  22.04
kernel  5.15.0-46-generic

The only suspicious log from dmesg is:

[Mon Aug 22 15:57:30 2022] audit: type=1400 audit(1661198247.850:679): apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=1244425 comm="snap-confine" capability=4  capname="fsetid"

But even if I add that capability to the snap-confine profile and the error is not shown anymore, the problem persists (I’ve found on the forums that this error can be ignored anyway).

Please help, because I don’t have any idea what to debug or try anymore.

I’m currently testing with hello-world with debug options:

$ SNAPD_DEBUG=1 snap run hello-world
2022/08/22 15:57:27.537505 tool_linux.go:93: DEBUG: snap (at "/snap/snapd/current") is older ("2.56.2") than distribution package ("2.56.2+22.04ubuntu1")
2022/08/22 15:57:27.545386 cmd_run.go:1035: DEBUG: executing snap-confine from /usr/lib/snapd/snap-confine
2022/08/22 15:57:27.546849 cmd_run.go:438: DEBUG: SELinux not enabled
2022/08/22 15:57:27.546908 tracking.go:46: DEBUG: creating transient scope snap.hello-world.hello-world
2022/08/22 15:57:27.547952 tracking.go:186: DEBUG: using session bus
2022/08/22 15:57:27.550386 tracking.go:319: DEBUG: create transient scope job: /org/freedesktop/systemd1/job/20480
2022/08/22 15:57:27.552285 tracking.go:419: DEBUG: job result is "done"
2022/08/22 15:57:27.552299 tracking.go:426: DEBUG: transient scope snap.hello-world.hello-world.3b6af5b2-24e5-4660-93e8-32ee6785caf9.scope created
2022/08/22 15:57:27.662111 tracking.go:146: DEBUG: waited 114.046751ms for tracking
2022/08/22 15:57:27.662141 tracking.go:148: DEBUG: systemd could not associate process 1244425 with transient scope snap.hello-world.hello-world.3b6af5b2-24e5-4660-93e8-32ee6785caf9.scope
2022/08/22 15:57:27.662154 cmd_run.go:1222: DEBUG: snapd cannot track the started application
2022/08/22 15:57:27.662167 cmd_run.go:1223: DEBUG: snap refreshes will not be postponed by this process
DEBUG: umask reset, old umask was   02
DEBUG: security tag: snap.hello-world.hello-world
DEBUG: executable:   /usr/lib/snapd/snap-exec
DEBUG: confinement:  non-classic
DEBUG: base snap:    core
DEBUG: ruid: 1000, euid: 0, suid: 0
DEBUG: rgid: 1000, egid: 1000, sgid: 1000
DEBUG: apparmor label on snap-confine is: /usr/lib/snapd/snap-confine
DEBUG: apparmor mode is: enforce
DEBUG: creating lock directory /run/snapd/lock (if missing)
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: opening lock directory /run/snapd/lock
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: opening lock file: /run/snapd/lock/.lock
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: sanity timeout initialized and set for 30 seconds
DEBUG: acquiring exclusive lock (scope (global), uid 0)
DEBUG: sanity timeout reset and disabled
DEBUG: ensuring that snap mount directory is shared
DEBUG: unsharing snap namespace directory
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: releasing lock 5
DEBUG: opened snap-update-ns executable as file descriptor 5
DEBUG: opened snap-discard-ns executable as file descriptor 6
DEBUG: creating lock directory /run/snapd/lock (if missing)
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: opening lock directory /run/snapd/lock
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: opening lock file: /run/snapd/lock/hello-world.lock
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: sanity timeout initialized and set for 30 seconds
DEBUG: acquiring exclusive lock (scope hello-world, uid 0)
DEBUG: sanity timeout reset and disabled
DEBUG: initializing mount namespace: hello-world
DEBUG: setting up device cgroup
DEBUG: libudev has current tags support
DEBUG: no devices tagged with snap_hello-world_hello-world, skipping device cgroup setup
DEBUG: forked support process 1244445
DEBUG: unsharing the mount namespace (per-snap)
DEBUG: changing apparmor hat to mount-namespace-capture-helper
DEBUG: helper process waiting for command
DEBUG: sanity timeout initialized and set for 30 seconds
DEBUG: scratch directory for constructing namespace: /tmp/snap.rootfs_dcRMZa
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: opening file describing nvidia driver version
DEBUG: looking for nvidia canary file /usr/lib/x86_64-linux-gnu/libnvidia-glcore.so.515.65.01
DEBUG: nvidia library detected at path /usr/lib/x86_64-linux-gnu/libnvidia-glcore.so.515.65.01
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: mounting tmpfs at /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl/libEGL_nvidia.so.0 -> libEGL_nvidia.so.515.65.01
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl/libEGL_nvidia.so.515.65.01 -> /var/lib/snapd/hostfs/usr/lib/x86_64-linux-gnu/libEGL_nvidia.so.515.65.01
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl/libGLESv1_CM_nvidia.so.1 -> libGLESv1_CM_nvidia.so.515.65.01
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl/libGLESv1_CM_nvidia.so.515.65.01 -> /var/lib/snapd/hostfs/usr/lib/x86_64-linux-gnu/libGLESv1_CM_nvidia.so.515.65.01
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl/libGLESv2_nvidia.so.2 -> libGLESv2_nvidia.so.515.65.01
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl/libGLESv2_nvidia.so.515.65.01 -> /var/lib/snapd/hostfs/usr/lib/x86_64-linux-gnu/libGLESv2_nvidia.so.515.65.01
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl/libGLX_nvidia.so.0 -> libGLX_nvidia.so.515.65.01
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl/libGLX_nvidia.so.515.65.01 -> /var/lib/snapd/hostfs/usr/lib/x86_64-linux-gnu/libGLX_nvidia.so.515.65.01
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl/libnvidia-cfg.so -> libnvidia-cfg.so.1
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl/libnvidia-cfg.so.1 -> libnvidia-cfg.so.515.65.01
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl/libnvidia-cfg.so.515.65.01 -> /var/lib/snapd/hostfs/usr/lib/x86_64-linux-gnu/libnvidia-cfg.so.515.65.01
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl/libnvidia-compiler.so.515.65.01 -> /var/lib/snapd/hostfs/usr/lib/x86_64-linux-gnu/libnvidia-compiler.so.515.65.01
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl/libnvidia-eglcore.so.515.65.01 -> /var/lib/snapd/hostfs/usr/lib/x86_64-linux-gnu/libnvidia-eglcore.so.515.65.01
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl/libnvidia-egl-wayland.so.1 -> libnvidia-egl-wayland.so.1.1.9
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl/libnvidia-egl-wayland.so.1.1.9 -> /var/lib/snapd/hostfs/usr/lib/x86_64-linux-gnu/libnvidia-egl-wayland.so.1.1.9
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl/libnvidia-encode.so -> libnvidia-encode.so.1
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl/libnvidia-encode.so.1 -> libnvidia-encode.so.515.65.01
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl/libnvidia-encode.so.515.65.01 -> /var/lib/snapd/hostfs/usr/lib/x86_64-linux-gnu/libnvidia-encode.so.515.65.01
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl/libnvidia-fbc.so -> libnvidia-fbc.so.1
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl/libnvidia-fbc.so.1 -> libnvidia-fbc.so.515.65.01
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl/libnvidia-fbc.so.515.65.01 -> /var/lib/snapd/hostfs/usr/lib/x86_64-linux-gnu/libnvidia-fbc.so.515.65.01
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl/libnvidia-glcore.so.515.65.01 -> /var/lib/snapd/hostfs/usr/lib/x86_64-linux-gnu/libnvidia-glcore.so.515.65.01
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl/libnvidia-glsi.so.515.65.01 -> /var/lib/snapd/hostfs/usr/lib/x86_64-linux-gnu/libnvidia-glsi.so.515.65.01
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl/libnvidia-glvkspirv.so.515.65.01 -> /var/lib/snapd/hostfs/usr/lib/x86_64-linux-gnu/libnvidia-glvkspirv.so.515.65.01
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl/libnvidia-ml.so -> libnvidia-ml.so.1
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl/libnvidia-ml.so.1 -> libnvidia-ml.so.515.65.01
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl/libnvidia-ml.so.515.65.01 -> /var/lib/snapd/hostfs/usr/lib/x86_64-linux-gnu/libnvidia-ml.so.515.65.01
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl/libnvidia-opencl.so.1 -> libnvidia-opencl.so.515.65.01
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl/libnvidia-opencl.so.515.65.01 -> /var/lib/snapd/hostfs/usr/lib/x86_64-linux-gnu/libnvidia-opencl.so.515.65.01
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl/libnvidia-opticalflow.so -> libnvidia-opticalflow.so.1
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl/libnvidia-opticalflow.so.1 -> libnvidia-opticalflow.so.515.65.01
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl/libnvidia-opticalflow.so.515.65.01 -> /var/lib/snapd/hostfs/usr/lib/x86_64-linux-gnu/libnvidia-opticalflow.so.515.65.01
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl/libnvidia-ptxjitcompiler.so -> libnvidia-ptxjitcompiler.so.1
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl/libnvidia-ptxjitcompiler.so.1 -> libnvidia-ptxjitcompiler.so.515.65.01
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl/libnvidia-ptxjitcompiler.so.515.65.01 -> /var/lib/snapd/hostfs/usr/lib/x86_64-linux-gnu/libnvidia-ptxjitcompiler.so.515.65.01
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl/libnvidia-rtcore.so.515.65.01 -> /var/lib/snapd/hostfs/usr/lib/x86_64-linux-gnu/libnvidia-rtcore.so.515.65.01
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl/libnvidia-tls.so.515.65.01 -> /var/lib/snapd/hostfs/usr/lib/x86_64-linux-gnu/libnvidia-tls.so.515.65.01
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl/libnvoptix.so.1 -> libnvoptix.so.515.65.01
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl/libnvoptix.so.515.65.01 -> /var/lib/snapd/hostfs/usr/lib/x86_64-linux-gnu/libnvoptix.so.515.65.01
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl/vdpau/libvdpau_nvidia.so -> libvdpau_nvidia.so.515.65.01
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl/vdpau/libvdpau_nvidia.so.1 -> libvdpau_nvidia.so.515.65.01
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl/vdpau/libvdpau_nvidia.so.515.65.01 -> /var/lib/snapd/hostfs/usr/lib/x86_64-linux-gnu/vdpau/libvdpau_nvidia.so.515.65.01
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl/libcuda.so -> libcuda.so.1
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl/libcuda.so.1 -> libcuda.so.515.65.01
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl/libcuda.so.515.65.01 -> /var/lib/snapd/hostfs/usr/lib/x86_64-linux-gnu/libcuda.so.515.65.01
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl/libnvcuvid.so -> libnvcuvid.so.1
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl/libnvcuvid.so.1 -> libnvcuvid.so.515.65.01
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl/libnvcuvid.so.515.65.01 -> /var/lib/snapd/hostfs/usr/lib/x86_64-linux-gnu/libnvcuvid.so.515.65.01
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl/libEGL.so -> libEGL.so.1
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl/libEGL.so.1 -> libEGL.so.1.1.0
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl/libEGL.so.1.1.0 -> /var/lib/snapd/hostfs/usr/lib/x86_64-linux-gnu/libEGL.so.1.1.0
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl/libGL.so -> libGL.so.1
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl/libGL.so.1 -> libGL.so.1.7.0
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl/libGL.so.1.7.0 -> /var/lib/snapd/hostfs/usr/lib/x86_64-linux-gnu/libGL.so.1.7.0
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl/libOpenGL.so.0 -> libOpenGL.so.0.0.0
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl/libOpenGL.so.0.0.0 -> /var/lib/snapd/hostfs/usr/lib/x86_64-linux-gnu/libOpenGL.so.0.0.0
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl/libGLESv2.so.2 -> libGLESv2.so.2.1.0
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl/libGLESv2.so.2.1.0 -> /var/lib/snapd/hostfs/usr/lib/x86_64-linux-gnu/libGLESv2.so.2.1.0
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl/libGLX_indirect.so.0 -> libGLX_mesa.so.0
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl/libGLX.so -> libGLX.so.0
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl/libGLX.so.0 -> libGLX.so.0.0.0
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl/libGLX.so.0.0.0 -> /var/lib/snapd/hostfs/usr/lib/x86_64-linux-gnu/libGLX.so.0.0.0
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl/libGLdispatch.so.0 -> libGLdispatch.so.0.0.0
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl/libGLdispatch.so.0.0.0 -> /var/lib/snapd/hostfs/usr/lib/x86_64-linux-gnu/libGLdispatch.so.0.0.0
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl/libGLU.so -> libGLU.so.1
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl/libGLU.so.1 -> libGLU.so.1.3.1
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl/libGLU.so.1.3.1 -> /var/lib/snapd/hostfs/usr/lib/x86_64-linux-gnu/libGLU.so.1.3.1
DEBUG: remounting tmpfs as read-only /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl
DEBUG: opening file describing nvidia driver version
DEBUG: looking for nvidia canary file /usr/lib/i386-linux-gnu/libnvidia-glcore.so.515.65.01
DEBUG: nvidia library detected at path /usr/lib/i386-linux-gnu/libnvidia-glcore.so.515.65.01
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: mounting tmpfs at /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl32
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl32/libEGL_nvidia.so.0 -> libEGL_nvidia.so.515.65.01
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl32/libEGL_nvidia.so.515.65.01 -> /var/lib/snapd/hostfs/usr/lib/i386-linux-gnu/libEGL_nvidia.so.515.65.01
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl32/libGLESv1_CM_nvidia.so.1 -> libGLESv1_CM_nvidia.so.515.65.01
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl32/libGLESv1_CM_nvidia.so.515.65.01 -> /var/lib/snapd/hostfs/usr/lib/i386-linux-gnu/libGLESv1_CM_nvidia.so.515.65.01
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl32/libGLESv2_nvidia.so.2 -> libGLESv2_nvidia.so.515.65.01
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl32/libGLESv2_nvidia.so.515.65.01 -> /var/lib/snapd/hostfs/usr/lib/i386-linux-gnu/libGLESv2_nvidia.so.515.65.01
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl32/libGLX_nvidia.so.0 -> libGLX_nvidia.so.515.65.01
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl32/libGLX_nvidia.so.515.65.01 -> /var/lib/snapd/hostfs/usr/lib/i386-linux-gnu/libGLX_nvidia.so.515.65.01
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl32/libnvidia-compiler.so.515.65.01 -> /var/lib/snapd/hostfs/usr/lib/i386-linux-gnu/libnvidia-compiler.so.515.65.01
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl32/libnvidia-eglcore.so.515.65.01 -> /var/lib/snapd/hostfs/usr/lib/i386-linux-gnu/libnvidia-eglcore.so.515.65.01
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl32/libnvidia-encode.so -> libnvidia-encode.so.1
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl32/libnvidia-encode.so.1 -> libnvidia-encode.so.515.65.01
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl32/libnvidia-encode.so.515.65.01 -> /var/lib/snapd/hostfs/usr/lib/i386-linux-gnu/libnvidia-encode.so.515.65.01
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl32/libnvidia-fbc.so -> libnvidia-fbc.so.1
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl32/libnvidia-fbc.so.1 -> libnvidia-fbc.so.515.65.01
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl32/libnvidia-fbc.so.515.65.01 -> /var/lib/snapd/hostfs/usr/lib/i386-linux-gnu/libnvidia-fbc.so.515.65.01
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl32/libnvidia-glcore.so.515.65.01 -> /var/lib/snapd/hostfs/usr/lib/i386-linux-gnu/libnvidia-glcore.so.515.65.01
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl32/libnvidia-glsi.so.515.65.01 -> /var/lib/snapd/hostfs/usr/lib/i386-linux-gnu/libnvidia-glsi.so.515.65.01
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl32/libnvidia-glvkspirv.so.515.65.01 -> /var/lib/snapd/hostfs/usr/lib/i386-linux-gnu/libnvidia-glvkspirv.so.515.65.01
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl32/libnvidia-ml.so -> libnvidia-ml.so.1
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl32/libnvidia-ml.so.1 -> libnvidia-ml.so.515.65.01
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl32/libnvidia-ml.so.515.65.01 -> /var/lib/snapd/hostfs/usr/lib/i386-linux-gnu/libnvidia-ml.so.515.65.01
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl32/libnvidia-opencl.so.1 -> libnvidia-opencl.so.515.65.01
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl32/libnvidia-opencl.so.515.65.01 -> /var/lib/snapd/hostfs/usr/lib/i386-linux-gnu/libnvidia-opencl.so.515.65.01
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl32/libnvidia-opticalflow.so -> libnvidia-opticalflow.so.1
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl32/libnvidia-opticalflow.so.1 -> libnvidia-opticalflow.so.515.65.01
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl32/libnvidia-opticalflow.so.515.65.01 -> /var/lib/snapd/hostfs/usr/lib/i386-linux-gnu/libnvidia-opticalflow.so.515.65.01
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl32/libnvidia-ptxjitcompiler.so -> libnvidia-ptxjitcompiler.so.1
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl32/libnvidia-ptxjitcompiler.so.1 -> libnvidia-ptxjitcompiler.so.515.65.01
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl32/libnvidia-ptxjitcompiler.so.515.65.01 -> /var/lib/snapd/hostfs/usr/lib/i386-linux-gnu/libnvidia-ptxjitcompiler.so.515.65.01
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl32/libnvidia-tls.so.515.65.01 -> /var/lib/snapd/hostfs/usr/lib/i386-linux-gnu/libnvidia-tls.so.515.65.01
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl32/vdpau/libvdpau_nvidia.so -> libvdpau_nvidia.so.515.65.01
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl32/vdpau/libvdpau_nvidia.so.1 -> libvdpau_nvidia.so.515.65.01
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl32/vdpau/libvdpau_nvidia.so.515.65.01 -> /var/lib/snapd/hostfs/usr/lib/i386-linux-gnu/vdpau/libvdpau_nvidia.so.515.65.01
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl32/libcuda.so -> libcuda.so.1
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl32/libcuda.so.1 -> libcuda.so.515.65.01
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl32/libcuda.so.515.65.01 -> /var/lib/snapd/hostfs/usr/lib/i386-linux-gnu/libcuda.so.515.65.01
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl32/libnvcuvid.so -> libnvcuvid.so.1
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl32/libnvcuvid.so.1 -> libnvcuvid.so.515.65.01
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl32/libnvcuvid.so.515.65.01 -> /var/lib/snapd/hostfs/usr/lib/i386-linux-gnu/libnvcuvid.so.515.65.01
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl32/libEGL.so.1 -> libEGL.so.1.1.0
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl32/libEGL.so.1.1.0 -> /var/lib/snapd/hostfs/usr/lib/i386-linux-gnu/libEGL.so.1.1.0
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl32/libGL.so.1 -> libGL.so.1.7.0
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl32/libGL.so.1.7.0 -> /var/lib/snapd/hostfs/usr/lib/i386-linux-gnu/libGL.so.1.7.0
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl32/libGLX_indirect.so.0 -> libGLX_mesa.so.0
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl32/libGLX.so.0 -> libGLX.so.0.0.0
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl32/libGLX.so.0.0.0 -> /var/lib/snapd/hostfs/usr/lib/i386-linux-gnu/libGLX.so.0.0.0
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl32/libGLdispatch.so.0 -> libGLdispatch.so.0.0.0
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl32/libGLdispatch.so.0.0.0 -> /var/lib/snapd/hostfs/usr/lib/i386-linux-gnu/libGLdispatch.so.0.0.0
DEBUG: remounting tmpfs as read-only /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/gl32
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: mounting tmpfs at /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/vulkan
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/vulkan/icd.d/nvidia_icd.json -> /var/lib/snapd/hostfs/usr/share/vulkan/icd.d/nvidia_icd.json
DEBUG: remounting tmpfs as read-only /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/vulkan
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: mounting tmpfs at /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/glvnd
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: creating symbolic link /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/glvnd/egl_vendor.d/10_nvidia.json -> /var/lib/snapd/hostfs/usr/share/glvnd/egl_vendor.d/10_nvidia.json
DEBUG: remounting tmpfs as read-only /tmp/snap.rootfs_dcRMZa/var/lib/snapd/lib/glvnd
DEBUG: performing operation: pivot_root /tmp/snap.rootfs_dcRMZa /tmp/snap.rootfs_dcRMZa//var/lib/snapd/hostfs
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: rmdir /var/lib/snapd/hostfs//tmp/snap.rootfs_dcRMZa
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: calling snapd tool snap-update-ns
DEBUG: waiting for snapd tool snap-update-ns to terminate
DEBUG: requesting changing of apparmor profile on next exec to snap-update-ns.hello-world
common.go:60: DEBUG: locking mount namespace of snap "hello-world"
common.go:81: DEBUG: freezing processes of snap "hello-world"

Anyone? Please! I don’t want to go down the road of removing snapd completely and looking for alternatives, as it is suggested by default by Ubuntu.

Hi lukav, it appears to me that apparmor is affecting your snap(s). This is something new in Ubuntu 22.04 LTS. I’ve also had many messages from apparmor since I upgraded to 22.04. You should use the apparmor tools to identify what it may be doing. For example, you can use the commands:

> sudo aa-status # to find out what is set to complain mode,  enforce mode or unconfined.
> sudo aa-notify -l --verbose # to find out what problems apparmor is having.
> sudo less /var/log/audit/audit.log # to find even more details

I hope this helps!

Again. As far as I can see, the only complaint is about fsetid. Now I have given that capability to snap-confine, but the result is still the same. Here is the relevant data:

$ sudo aa-status
apparmor module is loaded.
71 profiles are loaded.
51 profiles are in enforce mode.
   /snap/core/13425/usr/lib/snapd/snap-confine
   /snap/core/13425/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /snap/snapd/16292/usr/lib/snapd/snap-confine
   /snap/snapd/16292/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
...
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
...
   snap-update-ns.core
   snap-update-ns.hello-world
   snap.core.hook.configure
   snap.hello-world.env
   snap.hello-world.evil
   snap.hello-world.hello-world
   snap.hello-world.sh
...
20 profiles are in complain mode.
...
0 profiles are in kill mode.
0 profiles are in unconfined mode.
13 processes have profiles defined.
8 processes are in enforce mode.
   /usr/lib/snapd/snap-confine (13945) 
   /usr/lib/snapd/snap-confine (13967) /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
...
   /usr/lib/snapd/snap-update-ns (13969) snap-update-ns.hello-world
...
5 processes are in complain mode.
...
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.
0 processes are in kill mode.

sudo aa-notify -l --verbose has produced nothing relevant after I gave fsetid to snap-confine. I don’t have an audit.log file anywhere in /var/log.

Any other suggestions?

The enforce mode list is even more important!

You need to install the auditd daemon to get the audit log. It is a separate package:

> sudo apt install auditd

Also, note that the relevant snap profiles are in /var/lib/snapd/apparmor/profiles, not /etc/apparmor.d

Does this mean that apparmor has blocked something? Or just that the profiles are active?

Thank you. I’ve installed auditd, but when running the hello-world snap there are no new entries there (if I have given the fsetid capability).

I’m not sure what you mean. When I edit /etc/apparmor.d/usr.lib.snapd.snap-confine.real and add capability fsetid, after the reload I don’t see the message for fsetid, so clearly they have an effect.

Something else I could try to figure out where the problem is?

Yes! In “enforce” mode, your attempt will be blocked. In “complain” mode, you will get a warning message, but the operation will still be performed. See the apparmor website for the gory details.

Note: I have become an (unexpected) “instant authority” on apparmor since Ubuntu 22.04 has turned on many programs’ apparmor profiles in “enforce” mode. I’m really just an ordinary user, who would rather not have to learn (a lot) about apparmor just to run my desktop.

Thank you. I’ve installed auditd, but when running the hello-world snap there are no new entries there (if I have given the fsetid capability).

Look in /var/lib/snapd/apparmor/profiles. You will see 5 apparmor profiles that apply to the hello-world snaps (snap.hello-world.hello-world, snap.hello-world.env, snap.hello-world.evil, snap.hello-world.sh, and snap-update-ns.hello-world). These are the apparmor profiles that control the hello-world snaps. You won’t find any apparmor profiles for hello-world in /etc/apparmor.d. That’s because snaps’ apparmor profiles aren’t stored there.

You see usr.lib.snapd.snap-confine.real in /etc/apparmor.d, but there are additional apparmor profiles in /var/lib/snapd/apparmor/profiles: (snap.confine.core.13425 and snap.core.hook.configure) that may also be affecting how those snaps work.

Also, you might want to read Snapcraft.io’s page about debugging snaps for more background.
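The triage described in the replies above, as an added example that is not part of any post in this thread: it parses AppArmor audit lines, keeps only `DENIED` events (complain-mode profiles log `ALLOWED`), and reports which of the two profile directories named in the thread holds the profile. The first sample line is the denial quoted in the opening post; the other two sample lines and all function names are constructed for illustration.

```python
import re

# Constructed sample. Line 1 is the denial quoted in the opening post; lines 2
# and 3 are made up to show a complain-mode event and a snap-managed profile.
SAMPLE_LOG = """\
[Mon Aug 22 15:57:30 2022] audit: type=1400 audit(1661198247.850:679): apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=1244425 comm="snap-confine" capability=4  capname="fsetid"
[Mon Aug 22 15:57:31 2022] audit: type=1400 audit(1661198248.100:680): apparmor="ALLOWED" operation="open" profile="snap.hello-world.sh" name="/etc/example" pid=1244430 comm="sh" requested_mask="r" denied_mask="r"
[Mon Aug 22 15:57:32 2022] audit: type=1400 audit(1661198249.200:681): apparmor="DENIED" operation="open" profile="snap-update-ns.hello-world" name="/example/path" pid=1244431 comm="snap-update-ns" requested_mask="r" denied_mask="r"
"""

# key=value pairs; values are either double-quoted or a bare token.
FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_event(line):
    """Return the key=value fields of one AppArmor audit line, or None."""
    if "apparmor=" not in line:
        return None
    return {k: (q if raw.startswith('"') else raw)
            for k, raw, q in FIELD.findall(line)}


def profile_dir(profile):
    """Directory holding the profile, following the locations given in the thread."""
    if profile.startswith(("snap.", "snap-update-ns.", "/snap/")):
        return "/var/lib/snapd/apparmor/profiles"
    return "/etc/apparmor.d"


def blocking_denials(log_text):
    """List unique (profile, detail, profile_dir) rows for DENIED events only."""
    seen = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if not ev or ev.get("apparmor") != "DENIED" or "profile" not in ev:
            continue
        # Capability denials carry capname; file denials carry name.
        detail = ev.get("capname") or ev.get("name") or ev.get("operation", "?")
        row = (ev["profile"], detail, profile_dir(ev["profile"]))
        if row not in seen:
            seen.append(row)
    return seen


if __name__ == "__main__":
    for profile, detail, where in blocking_denials(SAMPLE_LOG):
        print(f"{profile}: {detail} (profile under {where})")
```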

End users really should not be messing about with the Snap AppArmor rules. They are set specifically the way they are on purpose as a feature of the Snap confinement. Messing with them will reduce the resilience of your system from a potentially naughty Snap package. We have procedures in place to reduce the likelihood of a Snap package being able to take over your system, and by changing the AppArmor policies that snapd sets up when you install and run a Snap Package you are circumventing the restrictions that are meant to protect your system.

As for the hello-world snap not executing, and seemingly all other snaps(?) that is very likely to be unrelated to AppArmor unless you have changed the policy of your system. The more likely scenario is that snapd is confused and needs restarting (reboot your system).

@lucyllewy, your point is well taken, but the current status of the interaction of snaps with apparmor still needs some work. Linux “end users” are often administrators of their own computer(s) and many have extensive programming experience. I would rather not have to mess with apparmor either, but the problems I have experienced already due to snaps’ enforced apparmor profiles in Ubuntu 22.04 LTS have forced me to learn far more about snaps and apparmor than I should need to. (I only fix what is broken. I’m not doing it because I want to play around.)

My current frustration with snaps with enforced apparmor profiles is prompting me to consider removing snaps and replacing them with Flatpaks or Debian packages. I want to have apparmor, but the snap design is too restrictive considering the inability to tweak the apparmor profiles to deal with current infelicities.

Perhaps Canonical should pay more attention to the criticisms by its users. Over the years I have run several different distributions (Red Hat, Ubuntu, Linux Mint and Gentoo). I really would prefer to stay with Ubuntu if possible. I doubt I’ll go back to Gentoo, but Fedora is calling me softly.

Would it be possible to document your required apparmor policy changes that you felt required to make in a new thread on this forum? Tag it with the snapd category like this thread is, and describe the circumstances of your use case that required the overrides… That could help the snapd and security teams to understand any shortcomings, or the documentation team to understand where documents need improving to explain how to come to a similar solution without tweaking the apparmor policy directly. (Please don’t take this as me telling you to do so, it’s a request only :) )

ubuntu has not changed in this respect since 2010 or 2012 … you seem to scatter this statement (that something in apparmor changed in 22.04) across plenty of different threads, can you give a reference to code to show what you are referring to ?

apparmor as is has worked for many years in enforce mode, if you run into problems they are likely coming from other issues (like using a non-ubuntu kernel on an ubuntu system for example) that should be researched instead …

I have rebooted the system many times. I’ve also tried different nvidia drivers: the proprietary ones that I know have worked and the nouveau one. I don’t think the problem is in apparmor either, but I’m stuck and cannot use snap at all and that is what was suggested in the forum. I’ve only changed the fsetid capability and I don’t think I need to.

So how should I figure out what the problem is? I’ve posted the debug output. I don’t see anything there that is helpful. I only use standard packages.

@ogra, let me clarify my point: The fact that Ubuntu 22.04 LTS uses snaps (often in enforce mode) instead of Debian packages as used in Ubuntu 20.04 LTS is causing new messages that are puzzling me and a number of others who have updated their Ubuntu. I believe that this is a serious situation that will prompt many user complaints that snaps are being overused (or used at all?). Or, users will disable apparmor in frustration, which is not consistent with the whole purpose of apparmor profiles.

@lucyllewy has requested I provide more detail, and I will do so in another thread that I am in the process of writing.

snaps have been in enforce mode since they came into existence in 2014, in fact the snap system has been crafted around the apparmor (among other) features of the kernel since day one … snaps have been shipped by default in Ubuntu since 18.04 …

nothing has dramatically changed between 20.04 and 22.04 either … and there is no reason at all to touch any of the provided apparmor profiles unless you are deep into apparmor and know exactly what you do …

else chances are good you will break your systems security and open it up for attackers

@ogra, I believe that many Debian packages (in Ubuntu 20.04 LTS) have been replaced by snaps in enforce mode. I’m not saying that the Snapcraft code or features have changed. It is the new use of snaps instead of Debian packages in 22.04 that has brought this to my attention.

Your reply didn’t address my specific points. Please consider addressing them:

There is exactly one snap package … (firefox) … that replaced a debian package between 20.04 and 22.04 in the default install …

I would really appreciate if we can get back to my problem, please.

So. Apparmor is not the problem; I’ve restored the apparmor profiles to the packaged ones.

If it is not apparmor, any suggestions what to try so we can figure out where the problem is?

perhaps someone from the snapd team can come up with better debugging suggestions …

@mvo or @mardy … any ideas what to look at ?

(i would have thought it is a stale namespace or some such, but you said you rebooted already and that bit would have been cleared by reboots)

Hi lukav,

I am absolutely no expert, but to me this sounds like a pure update problem. Whatever it was, something did not properly upgrade to 22.04. In your situation, I would either:

  1. Start from scratch with a clean 22.04. If you have a separate partition for your home folder, this should be a piece of cake. This is the easy way out.

  2. If you want to get to the bottom of this: compare your filesystem (certainly the apparmor profiles & configs) with a clean 22.04. List up your packages with sudo apt list --installed, then install them on a clean 22.04 VM, then compare filesystems, excluding home using e.g. rdiff.

I know the first one sounds like Microsoft Windows advice, but it depends of course on how critical your current situation is.

Kind regards,

Brecht

Hi @lukav, can you please print the output of

mount | grep cgroup

I wonder if there could be something wrong with your cgroups setup, since the logs you pasted stop exactly at the point where cgroups should be used (or did you maybe cut off the logs earlier by mistake?).
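One way to read the output requested above, as an added example that is not part of the original post: it classifies `mount | grep cgroup` output as a unified (v2), hybrid or legacy (v1) layout and flags a v1 or hybrid layout that has no freezer controller mounted. The sample outputs are constructed, the function names are hypothetical, and the rule that the freeze step needs either a pure cgroup v2 hierarchy or a mounted v1 freezer controller is an assumption.

```python
import re

# Constructed `mount | grep cgroup` outputs (not taken from the thread).
UNIFIED = "cgroup2 on /sys/fs/cgroup type cgroup2 (rw,nosuid,nodev,noexec,relatime,nsdelegate)\n"
HYBRID = """\
tmpfs on /sys/fs/cgroup type tmpfs (ro,nosuid,nodev,noexec,mode=755)
cgroup2 on /sys/fs/cgroup/unified type cgroup2 (rw,nosuid,nodev,noexec,relatime,nsdelegate)
cgroup on /sys/fs/cgroup/systemd type cgroup (rw,nosuid,nodev,noexec,relatime,xattr,name=systemd)
cgroup on /sys/fs/cgroup/freezer type cgroup (rw,nosuid,nodev,noexec,relatime,freezer)
"""
# Same hybrid layout with the freezer controller missing.
HYBRID_NO_FREEZER = "\n".join(HYBRID.splitlines()[:3]) + "\n"

# "<source> on <mount point> type cgroup|cgroup2 (<options>)"
MOUNT = re.compile(r"^(\S+) on (\S+) type (cgroup2?) \(([^)]*)\)$")


def parse_mounts(text):
    """Return (mount_point, fstype, options) for every cgroup/cgroup2 mount."""
    rows = []
    for line in text.splitlines():
        m = MOUNT.match(line.strip())
        if m:
            rows.append((m.group(2), m.group(3), m.group(4).split(",")))
    return rows


def classify(text):
    """Return (layout, problems); layout is unified, hybrid, legacy or none."""
    rows = parse_mounts(text)
    v2 = [p for p, fs, _ in rows if fs == "cgroup2"]
    v1 = [(p, o) for p, fs, o in rows if fs == "cgroup"]
    freezer = [p for p, o in v1 if "freezer" in o]
    if not rows:
        return "none", ["no cgroup filesystem is mounted"]
    layout = "unified" if not v1 else ("hybrid" if v2 else "legacy")
    problems = []
    if layout == "unified" and v2 != ["/sys/fs/cgroup"]:
        problems.append("cgroup2 is not mounted at /sys/fs/cgroup")
    # Assumption: without a pure v2 hierarchy, a v1 freezer controller is needed.
    if layout != "unified" and not freezer:
        problems.append("v1 hierarchy present but no freezer controller mounted")
    return layout, problems


if __name__ == "__main__":
    for label, sample in (("unified", UNIFIED), ("hybrid", HYBRID),
                          ("hybrid, no freezer", HYBRID_NO_FREEZER)):
        print(label, "->", classify(sample))
```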