Snaps and NFS /home

Hi everybody,

I’ve got the same issue. My home dir isn’t mounted at /home, but on /Users, using NFS from AWS EFS.

dmesg output is:

audit: type=1400 audit(1532535640.798:165): apparmor=“DENIED” operation=“sendmsg” profile="/usr/lib/snapd/snap-confine" pid=5570 comm=“snap-confine” laddr=172.30.2.79 lport=53172 faddr=172.30.2.25 fport=2049 family=“inet” sock_type=“stream” protocol=6 requested_mask=“send” denied_mask=“send”

Like the others, I can only use docker as superuser… otherwise it throws this error:

cannot create user data directory: /Users/arkaitz/snap/docker/179: Read-only file system

Eclipse, which is not suitable for been executed like superuser, throws this error:

cannot create user data directory: /Users/arkaitz/snap/eclipse/29: Stale file handle

If I understood, the problem is going to be solved in a future release. Will it be available on Ubuntu 18.04’s repos?

Hey there,

for me it’s the same. I’d prefer to keep my nfs mounted home but with that I can not use any snap.
In the case of vectr i.e.:

$vectr 
$2018/08/15 19:04:34.854496 system_key.go:127: cannot determine nfs usage in generateSystemKey: cannot parse /etc/fstab: open /etc/fstab: permission denied
$2018/08/15 19:04:34.858470 cmd_run.go:708: WARNING: cannot create user data directory: cannot update the 'current' symlink of "/gpfs01/berens/user/slaturnus/snap/vectr/current": symlink 2 /gpfs01/berens/user/slaturnus/snap/vectr/current: operation not supported
$cannot create user data directory: /gpfs01/berens/user/slaturnus/snap/vectr/2: Read-only file system

executing with sudo yields

snap run vectr
mkdir: cannot create directory '/run/user/0': Permission denied
No protocol specified

It’ll be great if someone could come back to it

A followup on the current fix committed at https://github.com/snapcore/snapd/pull/3958

This only handles the case where NFS directories are mounted on boot (typically from /etc/fstab). This has always been strongly discouraged by Ubuntu/Debian because of the race conditions between networking and filesystem mounting.

For that reason, as well as performance and mounting-storms, most people use AutoFS /home/* directories which only mount on first access.

This fix doesn’t handle this use case because when snapd starts it detects no NFS mounted directories and doesn’t enable NFS support. If a user logs in and snapd is restart, NFS support is then enabled.

4 Likes

Hi @zyga-snapd ,
I am seeing similar error when using lxc with snap.
Running lxc info gives “cannot create user data directory: /home/sbavikere/snap/lxd/12631: Permission denied” error.
My home directory is NFS mounted.
Syslog has following entry:

Jan 20 15:28:32 sbavikere-ud kernel: [4246558.473615] audit: type=1400 audit(1579552112.674:4008): apparmor=“DENIED” operation=“open” profile="/snap/core/8268/usr/lib/snapd/snap-confine" name="/home/" pid=97768 comm=“snap-confine” requested_mask=“r” denied_mask=“r” fsuid=7099 ouid=0

Hmm, snap-confine's appamor profile does not include /home/ r, - I wonder what is going on here.

Can you please edit /var/lib/snapd/apparmor/profiles/snap-confine.8268, add /home/ r, somewhere inside the part between braces ({}) and run sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap-confine.core.8268 to re-load the profile in memory. Note that this will be automatically corrected by snapd, in many circumstances, so don’t rely on it lasting.

Having done that, can you reproduce the issue?

I modified the profile file and reloaded it. I still see same error. But syslog entry has “/home/sbavikere/snap/lxd/” instead of “/home/” now. I tried adding “/home/sbavikere/snap/lxd/” to the profile file. It doesn’t help.

Jan 22 12:28:42 sbavikere-ud kernel: [4408567.562004] audit: type=1400 audit(1579714122.290:4170): apparmor="DENIED" operation="open" profile="/snap/core/8268/usr/lib/snapd/snap-confine" name="/home/sbavikere/snap/lxd/" pid=93240 comm="snap-confine" requested_mask="r" denied_mask="r" fsuid=7099 ouid=7099

@jdstrand help ^ does this make any sense to you?

Just to confirm how to reproduce this:

  1. install ubuntu (which)
  2. setup NFS sharing of /home for a specific user (or all users)
  3. install LXD snap

Is that accurate?

  1. Ubuntu 16.04 LTS, 64 bit

  2. Specific user directory is on NFS. Not all users. Example /home/administrator is not on NFS.

  3. Snap version:
    snap --version
    snap 2.42.5
    snapd 2.42.5
    series 16
    ubuntu 16.04
    kernel 4.15.0-70-generic

    Snap list:
    snap list
    Name Version Rev Tracking Publisher Notes
    core 16-2.42.5 8268 stable canonical✓ core
    go 1.13.6 5185 stable mwhudson classic
    lxd 3.18 12631 stable canonical✓ -

1 Like

It does not, but neither did the ‘/home/’ denial since the policy already has ‘@{HOME}/ r,’. It would be useful to see the output of 'apparmor_parser -p /var/lib/snapd/apparmor/profiles/snap-confine.core.8268` and compare that to a default install.

Output of 'apparmor_parser -p /var/lib/snapd/apparmor/profiles/snap-confine.core.8689`

    # Author: Jamie Strandboge <jamie@canonical.com>
 

##included <tunables/global>
# ------------------------------------------------------------------
#
#    Copyright (C) 2006-2009 Novell/SUSE
#    Copyright (C) 2010-2014 Canonical Ltd.
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

# All the tunables definitions that should be available to every profile
# should be included here

 

##included <tunables/home>
# ------------------------------------------------------------------
#
#    Copyright (C) 2006-2009 Novell/SUSE
#    Copyright (C) 2010 Canonical Ltd.
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

# @{HOME} is a space-separated list of all user home directories. While
# it doesn't refer to a specific home directory (AppArmor doesn't
# enforce discretionary access controls) it can be used as if it did
# refer to a specific home directory
@{HOME}=@{HOMEDIRS}/*/ /root/


# @{HOMEDIRS} is a space-separated list of where user home directories
# are stored, for programs that must enumerate all home directories on a
# system.
@{HOMEDIRS}=/home/*/


# Also, include files in tunables/home.d for site-specific adjustments to
# @{HOMEDIRS}.
 

##included <tunables/home.d>
# This file is auto-generated. It is recommended you update it using:
# $ sudo dpkg-reconfigure apparmor
#
# The following is a space-separated list of where additional user home
# directories are stored, each must have a trailing '/'. Directories added
# here are appended to @{HOMEDIRS}.  See tunables/home for details.
@{HOMEDIRS}+=/home/sbavikere/



 

##included <tunables/multiarch>
# ------------------------------------------------------------------
#
#    Copyright (C) 2010 Canonical Ltd.
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

# @{multiarch} is the set of patterns matching multi-arch library
# install prefixes.
@{multiarch}=*-linux-gnu*


# Also, include files in tunables/multiarch.d for site and packaging
# specific adjustments to @{multiarch}.
 

##included <tunables/multiarch.d>


 

##included <tunables/proc>
# ------------------------------------------------------------------
#
#    Copyright (C) 2006 Novell/SUSE
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

# @{PROC} is the location where procfs is mounted.
@{PROC}=/proc/


 

##included <tunables/alias>
# ------------------------------------------------------------------
#
#    Copyright (C) 2010 Canonical Ltd.
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

# Alias rules can be used to rewrite paths and are done after variable
# resolution. For example, if '/usr' is on removable media:
# alias /usr/ -> /mnt/usr/,
#
# Or if mysql databases are stored in /home:
# alias /var/lib/mysql/ -> /home/mysql/,

 

##included <tunables/kernelvars>
#    Copyright (C) 2012 Canonical Ltd.
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

# This file should contain declarations to kernel vars or variables
# that will become kernel vars at some point

# until kernel vars are implemented
# and until the parser supports nested groupings like
#   @{pid}=[1-9]{[0-9]{[0-9]{[0-9]{[0-9]{[0-9],},},},},}
# use
@{pid}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9],[1-4][0-9][0-9][0-9][0-9][0-9][0-9]}


#same pattern as @{pid} for now
@{tid}=@{pid}


#A pattern for pids that can appear
@{pids}=@{pid}


 

##included <tunables/xdg-user-dirs>
# ------------------------------------------------------------------
#
#    Copyright (C) 2014 Canonical Ltd.
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

# Define the common set of XDG user directories (usually defined in
# /etc/xdg/user-dirs.defaults)
@{XDG_DESKTOP_DIR}="Desktop"

@{XDG_DOWNLOAD_DIR}="Downloads"

@{XDG_TEMPLATES_DIR}="Templates"

@{XDG_PUBLICSHARE_DIR}="Public"

@{XDG_DOCUMENTS_DIR}="Documents"

@{XDG_MUSIC_DIR}="Music"

@{XDG_PICTURES_DIR}="Pictures"

@{XDG_VIDEOS_DIR}="Videos"


# Also, include files in tunables/xdg-user-dirs.d for site-specific adjustments
# to the various XDG directories
 

##included <tunables/xdg-user-dirs.d>
# ------------------------------------------------------------------
#
#    Copyright (C) 2014 Canonical Ltd.
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

# The following may be used to add additional entries such as for
# translations. See tunables/xdg-user-dirs for details. Eg:
#@{XDG_MUSIC_DIR}+="Musique"

#@{XDG_DESKTOP_DIR}+=""
#@{XDG_DOWNLOAD_DIR}+=""
#@{XDG_TEMPLATES_DIR}+=""
#@{XDG_PUBLICSHARE_DIR}+=""
#@{XDG_DOCUMENTS_DIR}+=""
#@{XDG_MUSIC_DIR}+=""
#@{XDG_PICTURES_DIR}+=""
#@{XDG_VIDEOS_DIR}+=""




/snap/core/8689/usr/lib/snapd/snap-confine (attach_disconnected) {
    # Include any additional files that snapd chose to generate.
    # - for $HOME on NFS
    # - for $HOME on encrypted media

##included "/var/lib/snapd/apparmor/snap-confine"

  network inet,
  network inet6,


    # We run privileged, so be fanatical about what we include and don't use
    # any abstractions
    /etc/ld.so.cache r,
    /etc/ld.so.preload r,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}ld-*.so mrix,
    # libc, you are funny
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libc{,-[0-9]*}.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libpthread{,-[0-9]*}.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libreadline{,-[0-9]*}.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}librt{,-[0-9]*}.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libgcc_s.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libncursesw{,-[0-9]*}.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libresolv{,-[0-9]*}.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libselinux.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libpcre.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libmount.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libblkid.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libuuid.so* mr,
    # normal libs in order
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libapparmor.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcgmanager.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libdl{,-[0-9]*}.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnih.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnih-dbus.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libdbus-1.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libudev.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libseccomp.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcap.so* mr,
    # Needed to run /usr/bin/sh for snap-device-helper.
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libtinfo.so* mr,

    /snap/core/8689/usr/lib/snapd/snap-confine mr,

    /dev/null rw,
    /dev/full rw,
    /dev/zero rw,
    /dev/random r,
    /dev/urandom r,
    /dev/pts/[0-9]* rw,
    /dev/tty rw,

    # cgroup: devices
    capability sys_admin,
    capability dac_read_search,
    capability dac_override,
    /sys/fs/cgroup/devices/snap{,py}.*/ w,
    /sys/fs/cgroup/devices/snap{,py}.*/cgroup.procs w,
    /sys/fs/cgroup/devices/snap{,py}.*/devices.{allow,deny} w,

    # cgroup: freezer
    # Allow creating per-snap cgroup freezers and adding snap command (task)
    # invocations to the freezer. This allows for reliably enumerating all
    # running processes for the snap. In addition, allow enumerating processes
    # in the cgroup to determine if it is occupied.
    /sys/fs/cgroup/freezer/ r,
    /sys/fs/cgroup/freezer/snap.*/ w,
    /sys/fs/cgroup/freezer/snap.*/cgroup.procs rw,

    # cgroup: pids
    # allow creating per snap-security-tag hierarchy and adding snap command (task)
    # invocations to the controller.
    /sys/fs/cgroup/pids/ r,
    /sys/fs/cgroup/pids/snap.*/ w,
    /sys/fs/cgroup/pids/snap.*/cgroup.procs w,

    # querying udev
    /etc/udev/udev.conf r,
    /sys/**/uevent r,
    /usr/lib/snapd/snap-device-helper ixr, # drop
    /{,usr/}lib/udev/snappy-app-dev ixr, # drop
    /run/udev/** rw,
    /{,usr/}bin/tr ixr,
    /usr/lib/locale/** r,
    /usr/lib/@{multiarch}/gconv/gconv-modules r,
    /usr/lib/@{multiarch}/gconv/gconv-modules.cache r,

    # priv dropping
    capability setuid,
    capability setgid,

    # changing profile
    @{PROC}/[0-9]*/attr/exec w,
    # Reading current profile
    @{PROC}/[0-9]*/attr/current r,
    # Reading available filesystems
    @{PROC}/filesystems r,

    # To find where apparmor is mounted
    @{PROC}/[0-9]*/mounts r,
    # To find if apparmor is enabled
    /sys/module/apparmor/parameters/enabled r,

    # Don't allow changing profile to unconfined or profiles that start with
    # '/'. Use 'unsafe' to support snap-exec on armhf and its reliance on
    # the environment for determining the capabilities of the architecture.
    # 'unsafe' is ok here because the kernel will have already cleared the
    # environment as part of launching snap-confine with
    # CAP_SYS_ADMIN.
    change_profile unsafe /** -> [^u/]**,
    change_profile unsafe /** -> u[^n]**,
    change_profile unsafe /** -> un[^c]**,
    change_profile unsafe /** -> unc[^o]**,
    change_profile unsafe /** -> unco[^n]**,
    change_profile unsafe /** -> uncon[^f]**,
    change_profile unsafe /** -> unconf[^i]**,
    change_profile unsafe /** -> unconfi[^n]**,
    change_profile unsafe /** -> unconfin[^e]**,
    change_profile unsafe /** -> unconfine[^d]**,
    change_profile unsafe /** -> unconfined?**,

    # allow changing to a few not caught above
    change_profile unsafe /** -> {u,un,unc,unco,uncon,unconf,unconfi,unconfin,unconfine},

    # LP: #1446794 - when this bug is fixed, change the above to:
    # deny change_profile unsafe /** -> {unconfined,/**},
    # change_profile unsafe /** -> **,

    # reading seccomp filters
    /{tmp/snap.rootfs_*/,}var/lib/snapd/seccomp/bpf/*.bin r,

    # LP: #1668659 and parallel instaces of classic snaps
    mount options=(rw rbind) /snap/ -> /snap/,
    mount options=(rw rshared) -> /snap/,
    mount options=(rw rbind) /var/lib/snapd/snap/ -> /var/lib/snapd/snap/,
    mount options=(rw rshared) -> /var/lib/snapd/snap/,

    # boostrapping the mount namespace
    mount options=(rw rshared) -> /,
    mount options=(rw bind) /tmp/snap.rootfs_*/ -> /tmp/snap.rootfs_*/,
    mount options=(rw unbindable) -> /tmp/snap.rootfs_*/,
    # the next line is for classic system
    mount options=(rw rbind) /snap/*/*/ -> /tmp/snap.rootfs_*/,
    # the next line is for core system
    mount options=(rw rbind) / -> /tmp/snap.rootfs_*/,
    # all of the constructed rootfs is a rslave
    mount options=(rw rslave) -> /tmp/snap.rootfs_*/,
    # bidirectional mounts (for both classic and core)
    # NOTE: this doesn't capture the MERGED_USR configuration option so that
    # when a distro with merged /usr and / that uses apparmor shows up it
    # should be handled here.
    /{,run/}media/ w,
    mount options=(rw rbind) /{,run/}media/ -> /tmp/snap.rootfs_*/{,run/}media/,
    /run/netns/ w,
    mount options=(rw rbind) /run/netns/ -> /tmp/snap.rootfs_*/run/netns/,
    # unidirectional mounts (only for classic system)
    mount options=(rw rbind) /dev/ -> /tmp/snap.rootfs_*/dev/,
    mount options=(rw rslave) -> /tmp/snap.rootfs_*/dev/,

    mount options=(rw rbind) /etc/ -> /tmp/snap.rootfs_*/etc/,
    mount options=(rw rslave) -> /tmp/snap.rootfs_*/etc/,

    mount options=(rw rbind) /home/ -> /tmp/snap.rootfs_*/home/,
    mount options=(rw rslave) -> /tmp/snap.rootfs_*/home/,

    mount options=(rw rbind) /root/ -> /tmp/snap.rootfs_*/root/,
    mount options=(rw rslave) -> /tmp/snap.rootfs_*/root/,

    mount options=(rw rbind) /proc/ -> /tmp/snap.rootfs_*/proc/,
    mount options=(rw rslave) -> /tmp/snap.rootfs_*/proc/,

    mount options=(rw rbind) /sys/ -> /tmp/snap.rootfs_*/sys/,
    mount options=(rw rslave) -> /tmp/snap.rootfs_*/sys/,

    mount options=(rw rbind) /tmp/ -> /tmp/snap.rootfs_*/tmp/,
    mount options=(rw rslave) -> /tmp/snap.rootfs_*/tmp/,

    mount options=(rw rbind) /var/lib/snapd/ -> /tmp/snap.rootfs_*/var/lib/snapd/,
    mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/lib/snapd/,

    mount options=(rw rbind) /var/snap/ -> /tmp/snap.rootfs_*/var/snap/,
    mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/snap/,

    mount options=(rw rbind) /var/tmp/ -> /tmp/snap.rootfs_*/var/tmp/,
    mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/tmp/,

    mount options=(rw rbind) /run/ -> /tmp/snap.rootfs_*/run/,
    mount options=(rw rslave) -> /tmp/snap.rootfs_*/run/,

    mount options=(rw rbind) /var/lib/extrausers/ -> /tmp/snap.rootfs_*/var/lib/extrausers/,
    mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/lib/extrausers/,

    mount options=(rw rbind) {,/usr}/lib{,32,64,x32}/modules/ -> /tmp/snap.rootfs_*{,/usr}/lib/modules/,
    mount options=(rw rslave) -> /tmp/snap.rootfs_*{,/usr}/lib/modules/,

    mount options=(rw rbind) {,/usr}/lib{,32,64,x32}/firmware/ -> /tmp/snap.rootfs_*{,/usr}/lib/firmware/,
    mount options=(rw rslave) -> /tmp/snap.rootfs_*{,/usr}/lib/firmware/,

    mount options=(rw rbind) /var/log/ -> /tmp/snap.rootfs_*/var/log/,
    mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/log/,

    mount options=(rw rbind) /usr/src/ -> /tmp/snap.rootfs_*/usr/src/,
    mount options=(rw rslave) -> /tmp/snap.rootfs_*/usr/src/,

    mount options=(rw rbind) /mnt/ -> /tmp/snap.rootfs_*/mnt/,
    mount options=(rw rslave) -> /tmp/snap.rootfs_*/mnt/,

    # allow making host snap-exec available inside base snaps
    mount options=(rw bind) /usr/lib/snapd/ -> /tmp/snap.rootfs_*/usr/lib/snapd/,
    mount options=(rw slave) -> /tmp/snap.rootfs_*/usr/lib/snapd/,

    # allow making re-execed host snap-exec available inside base snaps
    mount options=(ro bind) /snap/core/*/usr/lib/snapd/ -> /tmp/snap.rootfs_*/usr/lib/snapd/,
    # allow making snapd snap tools available inside base snaps
    mount options=(ro bind) /snap/snapd/*/usr/lib/snapd/ -> /tmp/snap.rootfs_*/usr/lib/snapd/,

    mount options=(rw bind) /usr/bin/snapctl -> /tmp/snap.rootfs_*/usr/bin/snapctl,
    mount options=(rw slave) -> /tmp/snap.rootfs_*/usr/bin/snapctl,

    # /etc/alternatives (classic)
    mount options=(rw bind) /snap/*/*/etc/alternatives/ -> /tmp/snap.rootfs_*/etc/alternatives/,
    mount options=(rw bind) /snap/*/*/etc/ssl/ -> /tmp/snap.rootfs_*/etc/ssl/,
    mount options=(rw bind) /snap/*/*/etc/nsswitch.conf -> /tmp/snap.rootfs_*/etc/nsswitch.conf,
    # /etc/alternatives (core)
    mount options=(rw bind) /etc/alternatives/ -> /tmp/snap.rootfs_*/etc/alternatives/,
    mount options=(rw slave) -> /tmp/snap.rootfs_*/etc/alternatives/,
    mount options=(rw slave) -> /tmp/snap.rootfs_*/etc/ssl/,
    mount options=(rw slave) -> /tmp/snap.rootfs_*/etc/nsswitch.conf,
    # the /snap directory
    mount options=(rw rbind) /snap/ -> /tmp/snap.rootfs_*/snap/,
    mount options=(rw rslave) -> /tmp/snap.rootfs_*/snap/,
    # pivot_root preparation and execution
    mount options=(rw bind) /tmp/snap.rootfs_*/var/lib/snapd/hostfs/ -> /tmp/snap.rootfs_*/var/lib/snapd/hostfs/,
    mount options=(rw private) -> /tmp/snap.rootfs_*/var/lib/snapd/hostfs/,

    # pivot_root mediation in AppArmor is not complete. See LP: #1791711.
    # However, we can mediate the new_root and put_old to be what we expect,
    # and then deny directory creation within old_root to prevent trivial
    # pivoting into a whitelisted path.
    pivot_root oldroot=/tmp/snap.rootfs_*/var/lib/snapd/hostfs/ /tmp/snap.rootfs_*/,
    # Explicitly deny creating the old_root directory in case it is
    # inadvertently added somewhere else. While this doesn't resolve
    # LP: #1791711, it provides some hardening.
    audit deny /tmp/snap.rootfs_*/{var/,var/lib/,var/lib/snapd/,var/lib/snapd/hostfs/} w,

    # cleanup
    umount /var/lib/snapd/hostfs/tmp/snap.rootfs_*/,
    umount /var/lib/snapd/hostfs/sys/,
    umount /var/lib/snapd/hostfs/dev/,
    umount /var/lib/snapd/hostfs/proc/,
    mount options=(rw rslave) -> /var/lib/snapd/hostfs/,

    # set up user mount namespace
    mount options=(rslave) -> /,

    # set up mount namespace for parallel instances of classic snaps
    mount options=(rw rbind) /snap/{,*/} -> /snap/{,*/},
    mount options=(rslave) -> /snap/,
    mount options=(rslave) -> /var/snap/,
    mount options=(rw rbind) /var/snap/{,*/} -> /var/snap/{,*/},
    mount options=(rw rshared) -> /var/snap/,

    # Allow reading the os-release file (possibly a symlink to /usr/lib).
    /{etc/,usr/lib/}os-release r,

    # Allow creating /var/lib/snapd/hostfs, if missing
    /var/lib/snapd/hostfs/ rw,

    # set up snap-specific private /tmp dir
    capability chown,
    /tmp/ rw,
    /tmp/snap.*/ rw,
    /tmp/snap.*/tmp/ rw,
    mount options=(rw private) ->  /tmp/,
    mount options=(rw bind) /tmp/snap.*/tmp/ -> /tmp/,
    mount fstype=devpts options=(rw) devpts -> /dev/pts/,
    mount options=(rw bind) /dev/pts/ptmx -> /dev/ptmx,     # for bind mounting
    mount options=(rw bind) /dev/pts/ptmx -> /dev/pts/ptmx, # for bind mounting under LXD
    # Workaround for LP: #1584456 on older kernels that mistakenly think
    # /dev/pts/ptmx needs a trailing '/'
    mount options=(rw bind) /dev/pts/ptmx/ -> /dev/ptmx/,
    mount options=(rw bind) /dev/pts/ptmx/ -> /dev/pts/ptmx/,

    # for running snaps on classic
    /snap/ r,
    /snap/** r,
    /snap/ r,
    /snap/** r,

    # NOTE: at this stage the /snap directory is stable as we have called
    # pivot_root already.

    # nvidia handling, glob needs /usr/** and the launcher must be
    # able to bind mount the nvidia dir
    /sys/module/nvidia/version r,
    /sys/**/drivers/nvidia{,_*}/* r,
    /sys/**/nvidia*/uevent r,
    /sys/module/nvidia{,_*}/* r,
    /dev/nvidia[0-9]* r,
    /dev/nvidiactl r,
    /dev/nvidia-uvm r,
    /usr/** r,
    mount options=(rw bind) /usr/lib{,32}/nvidia-*/ -> /{tmp/snap.rootfs_*/,}var/lib/snapd/lib/gl{,32}/,
    mount options=(rw bind) /usr/lib{,32}/nvidia-*/ -> /{tmp/snap.rootfs_*/,}var/lib/snapd/lib/gl{,32}/,
    /tmp/snap.rootfs_*/var/lib/snapd/lib/gl{,32}/{,*} w,
    mount fstype=tmpfs options=(rw nodev noexec) none -> /tmp/snap.rootfs_*/var/lib/snapd/lib/gl{,32}/,
    mount options=(remount ro bind) -> /tmp/snap.rootfs_*/var/lib/snapd/lib/gl{,32}/,

    # Vulkan support
    /tmp/snap.rootfs_*/var/lib/snapd/lib/vulkan/{,*} w,
    mount fstype=tmpfs options=(rw nodev noexec) none -> /tmp/snap.rootfs_*/var/lib/snapd/lib/vulkan/,
    mount options=(remount ro bind) -> /tmp/snap.rootfs_*/var/lib/snapd/lib/vulkan/,

    # GLVND EGL vendor
    /tmp/snap.rootfs_*/var/lib/snapd/lib/glvnd/{,*} w,
    mount fstype=tmpfs options=(rw nodev noexec) none -> /tmp/snap.rootfs_*/var/lib/snapd/lib/glvnd/,
    mount options=(remount ro bind) -> /tmp/snap.rootfs_*/var/lib/snapd/lib/glvnd/,

    # create gl dirs as needed
    /tmp/snap.rootfs_*/ r,
    /tmp/snap.rootfs_*/var/ r,
    /tmp/snap.rootfs_*/var/lib/ r,
    /tmp/snap.rootfs_*/var/lib/snapd/ r,
    /tmp/snap.rootfs_*/var/lib/snapd/lib/ r,
    /tmp/snap.rootfs_*/var/lib/snapd/lib/gl{,32}/ r,
    /tmp/snap.rootfs_*/var/lib/snapd/lib/gl{,32}/** rw,
    /tmp/snap.rootfs_*/var/lib/snapd/lib/vulkan/ r,
    /tmp/snap.rootfs_*/var/lib/snapd/lib/vulkan/** rw,
    /tmp/snap.rootfs_*/var/lib/snapd/lib/glvnd/ r,
    /tmp/snap.rootfs_*/var/lib/snapd/lib/glvnd/** rw,

    # for chroot on steroids, we use pivot_root as a better chroot that makes
    # apparmor rules behave the same on classic and outside of classic.

    # for creating the user data directories: ~/snap, ~/snap/<name> and
    # ~/snap/<name>/<version>
    / r,
    @{HOMEDIRS}/ r,
    # These should both have 'owner' match but due to LP: #1466234, we can't
    # yet
    @{HOME}/ r,
    @{HOME}/snap/{,*/,*/*/} rw,

    # Special case for *classic* snaps that are used by users with existing dirs
    # in /var/lib/. Like jenkins, postgresql, mysql, puppet, ...
    # TODO: this can be removed once we support home-dirs outside of /home
    #       better
    /var/ r,
    /var/lib/ r,
    # These should both have 'owner' match but due to LP: #1466234, we can't
    # yet
    /var/lib/*/ r,
    /var/lib/*/snap/{,*/,*/*/} rw,

    # for creating the user shared memory directories
    /{dev,run}/{,shm/} r,
    # This should both have 'owner' match but due to LP: #1466234, we can't yet
    /{dev,run}/shm/{,*/,*/*/} rw,

    # for creating the user XDG_RUNTIME_DIR: /run/user, /run/user/UID and
    # /run/user/UID/<name>
    /run/user/{,[0-9]*/,[0-9]*/*/} rw,

    # encrypted ~/.Private and old-style encrypted $HOME
    @{HOME}/.Private/ r,
    @{HOME}/.Private/** mrixwlk,
    # new-style encrypted $HOME
    @{HOMEDIRS}/.ecryptfs/*/.Private/ r,
    @{HOMEDIRS}/.ecryptfs/*/.Private/** mrixwlk,

    # Allow snap-confine to move to the void, creating it if necessary.
    /var/lib/snapd/void/ rw,

    # Allow snap-confine to read snap contexts
    /var/lib/snapd/context/snap.* r,

    # Allow snap-confine to unmount stale mount namespaces.
    umount /run/snapd/ns/*.mnt,
    /run/snapd/ns/snap.*.fstab w,
    # Allow snap-confine to read and write mount namespace information files.
    /run/snapd/ns/snap.*.info rw,
    # Required to correctly unmount bound mount namespace.
    # See LP: #1735459 for details.
    umount /,

    # support for locking
    /run/snapd/lock/ rw,
    /run/snapd/lock/*.lock rwk,

    # support for the mount namespace sharing
    capability sys_ptrace,
    # allow snap-confine to read /proc/1/ns/mnt
    ptrace read peer=unconfined,
    ptrace trace peer=unconfined,

    mount options=(rw rbind) /run/snapd/ns/ -> /run/snapd/ns/,
    mount options=(private) -> /run/snapd/ns/,
    / rw,
    /run/ rw,
    /run/snapd/ rw,
    /run/snapd/ns/ rw,
    /run/snapd/ns/*.lock rwk,
    /run/snapd/ns/*.mnt rw,
    ptrace (read, readby, tracedby) peer=/snap/core/8689/usr/lib/snapd/snap-confine//mount-namespace-capture-helper,
    @{PROC}/*/mountinfo r,
    capability sys_chroot,
    capability sys_admin,
    signal (send, receive) set=(abrt) peer=/snap/core/8689/usr/lib/snapd/snap-confine,
    signal (send) set=(int) peer=/snap/core/8689/usr/lib/snapd/snap-confine//mount-namespace-capture-helper,
    signal (send, receive) set=(int, alrm, exists) peer=/snap/core/8689/usr/lib/snapd/snap-confine,
    signal (receive) set=(exists) peer=/snap/core/8689/usr/lib/snapd/snap-confine//mount-namespace-capture-helper,

    ptrace (trace, tracedby) peer=/snap/core/8689/usr/lib/snapd/snap-confine,

    # Allow reading snap cookies.
    /var/lib/snapd/cookie/snap.* r,

    # For aa_change_hat() to go into ^mount-namespace-capture-helper
    @{PROC}/[0-9]*/attr/current w,

    # As a special exception allow snap-confine to write to anything in /var/lib.
    # This code should be changed to allow delegation so that snap-confine can
    # inherit any file descriptor and pass it to the invoked application but
    # this is not possible in apparmor yet.
    /var/lib/** rw,

    ^mount-namespace-capture-helper (attach_disconnected) {
        # We run privileged, so be fanatical about what we include and don't use
        # any abstractions
        /etc/ld.so.cache r,
        /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}ld-*.so mrix,
        # libc, you are funny
        /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libc{,-[0-9]*}.so* mr,
        /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libpthread{,-[0-9]*}.so* mr,
        /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libreadline{,-[0-9]*}.so* mr,
        /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}librt{,-[0-9]*}.so* mr,
        /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libgcc_s.so* mr,
        /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libncursesw{,-[0-9]*}.so* mr,
        /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libresolv{,-[0-9]*}.so* mr,
        /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libselinux.so* mr,
        /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libpcre.so* mr,
        /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libmount.so* mr,
        /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libblkid.so* mr,
        /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libuuid.so* mr,
        # normal libs in order
        /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libapparmor.so* mr,
        /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcgmanager.so* mr,
        /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libdl{,-[0-9]*}.so* mr,
        /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnih.so* mr,
        /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnih-dbus.so* mr,
        /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libdbus-1.so* mr,
        /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libudev.so* mr,
        /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libseccomp.so* mr,
        /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcap.so* mr,

        /snap/core/8689/usr/lib/snapd/snap-confine mr,

        /dev/null rw,
        /dev/full rw,
        /dev/zero rw,
        /dev/random r,
        /dev/urandom r,

        capability sys_ptrace,
        capability sys_admin,
        # This allows us to read and bind mount the namespace file
        / r,
        @{PROC}/ r,
        @{PROC}/*/ r,
        @{PROC}/*/ns/ r,
        @{PROC}/*/ns/mnt r,
        /run/ r,
        /run/snapd/ r,
        /run/snapd/ns/ r,
        /run/snapd/ns/*.mnt rw,
        # NOTE: the source name is / even though we map /proc/123/ns/mnt
        mount options=(rw bind) / -> /run/snapd/ns/*.mnt,
        # This is the SIGALRM that we send and receive if a timeout expires
        signal (send, receive) set=(alrm) peer=/snap/core/8689/usr/lib/snapd/snap-confine//mount-namespace-capture-helper,
        # Those two rules are exactly the same but we don't know if the parent process is still alive
        # and hence has the appropriate label or is already dead and hence has no label.
        signal (send) set=(exists) peer=/snap/core/8689/usr/lib/snapd/snap-confine,
        signal (send) set=(exists) peer=unconfined,
        # This is so that we can abort
        signal (send, receive) set=(abrt) peer=/snap/core/8689/usr/lib/snapd/snap-confine//mount-namespace-capture-helper,
        #  This is the signal we get if snap-confine dies (we subscribe to it with prctl)
        signal (receive) set=(int) peer=/snap/core/8689/usr/lib/snapd/snap-confine,
        # This allows snap-confine to be killed from the outside.
        signal (receive) peer=unconfined,
        # This allows snap-confine to wait for us
        ptrace (read, trace, tracedby) peer=/snap/core/8689/usr/lib/snapd/snap-confine,
    }

    # Allow snap-confine to be killed
    signal (receive) peer=unconfined,

    # Allow switching to snap-update-ns with a per-snap profile.
    change_profile -> snap-update-ns.*,

    # Allow executing snap-update-ns when...

    # ...snap-confine is, conceptually, re-executing and uses snap-update-ns
    # from the distribution package. This is also the location used when using
    # the core/base snap on all-snap systems. The variants here represent
    # various locations of libexecdir across distributions.
    /usr/lib{,exec,64}/snapd/snap-update-ns r,

    # ...snap-confine is not, conceptually, re-executing and uses
    # snap-update-ns from the distribution package but we are already inside
    # the constructed mount namespace so we must traverse "hostfs". The
    # variants here represent various locations of libexecdir across
    # distributions.
    /var/lib/snapd/hostfs/usr/lib{,exec,64}/snapd/snap-update-ns r,

    # ..snap-confine is, conceptually, re-executing and uses snap-update-ns
    # from the core or snapd snaps. Note that the location of the actual snap
    # varies from distribution to distribution. The variants here represent
    # different locations of snap mount directory across distributions.
    /{,var/lib/snapd/}snap/{core,snapd}/*/usr/lib/snapd/snap-update-ns r,

    # ...snap-confine is, conceptually, re-executing and uses snap-update-ns
    # from the core snap or snapd snap, but we are already inside the
    # constructed mount namespace. Here the apparmor kernel module
    # re-constructs the path to snap-update-ns using the "hostfs" mount entry
    # rather than the more "natural" /snap mount entry but we have no control
    # over that.  This is reported as (LP: #1716339). The variants here
    # represent different locations of snap mount directory across
    # distributions.
    /var/lib/snapd/hostfs/{,var/lib/snapd/}snap/{core,snapd}/*/usr/lib/snapd/snap-update-ns r,

    # Allow executing snap-discard-ns, just like the set for snap-update-ns
    # above but with the key difference that snap-discard-ns does not
    # have a dedicated profile so we need to inherit snap-confine's profile.

    /usr/lib{,exec,64}/snapd/snap-discard-ns rix,
    /var/lib/snapd/hostfs/usr/lib{,exec,64}/snapd/snap-discard-ns rix,
    /{,var/lib/snapd/}snap/{core,snapd}/*/usr/lib/snapd/snap-discard-ns rix,
    /var/lib/snapd/hostfs/{,var/lib/snapd/}snap/{core,snapd}/*/usr/lib/snapd/snap-discard-ns rix,

    # Allow mounting /var/lib/jenkins from the host into the snap.
    mount options=(rw rbind) /var/lib/jenkins/ -> /tmp/snap.rootfs_*/var/lib/jenkins/,
    mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/lib/jenkins/,

    # Suppress noisy file_inherit denials (LP: #1850552) until LP: #1849753 is
    # fixed.
    deny /dev/shm/.org.chromium.Chromium.* rw,

    # While snap-confine itself doesn't require unix rules and therefore all
    # unix rules are implicitly denied, adding an explicit deny for unix to
    # silence noisy denials breaks nested lxd. Until the cause is determined,
    # do not use an explicit deny for unix. (LP: #1855355)
    #deny unix,
}

I compared your apparmor_parser -p output with that of r8773 and found this:

@@ -40,7 +40,7 @@
 # @{HOMEDIRS} is a space-separated list of where user home directories
 # are stored, for programs that must enumerate all home directories on a
 # system.
-@{HOMEDIRS}=/home/
+@{HOMEDIRS}=/home/*/
 
 
 # Also, include files in tunables/home.d for site-specific adjustments to
@@ -54,20 +54,8 @@
 # The following is a space-separated list of where additional user home
 # directories are stored, each must have a trailing '/'. Directories added
 # here are appended to @{HOMEDIRS}.  See tunables/home for details.
-#@{HOMEDIRS}+=
-# ------------------------------------------------------------------
-#
-#    Copyright (C) 2010 Canonical Ltd.
-#    This program is free software; you can redistribute it and/or
-#    modify it under the terms of version 2 of the GNU General Public
-#    License published by the Free Software Foundation.
-#
-# ------------------------------------------------------------------
+@{HOMEDIRS}+=/home/sbavikere/
 
-# The following is a space-separated list of where additional user home
-# directories are stored, each must have a trailing '/'. Directories added
-# here are appended to @{HOMEDIRS}.  See tunables/home for details. Eg:
-#@{HOMEDIRS}+=/srv/nfs/home/ /mnt/home/

Your /etc/apparmor.d/tunables/home needs to change this:

@{HOMEDIRS}=/home/*/

to:

@{HOMEDIRS}=/home/

and then run sudo dpkg-reconfigure apparmor and leave ‘Additional home directory locations’ blank.

The reason why this is the case is because your /home/sbavikere is already covered by the default installation. The first change reinstates /etc/apparmor.d/tunables/home for what it is supposed to be and the second removes the incorrect addition of your home directory.

That worked. Thanks.

Hello,

Just following up on the progress getting snaps to work with NFS.

We still remain unable to use snaps in scenarios with root_squash + NFS home dirs.

The three bugs pertaining to our long running issue:

  1. Bug #1739581 “snap refresh fails if home is not writeable by roo...” : Bugs : snapd
  2. Bug #2002697 “Permission denied when removing a snap” : Bugs : snapd
  3. Bug #1973321 “snaps don't start when current working directory i...” : Bugs : snapd

I’m wondering, is there a solution in the works for the SNAP_USER_HOME/root_squash snafu?

@nuccitheboss @wolsen