Snaps vs AppArmor

Greetings Snaplings; I have now encountered two Snap applications that are running afoul of my AppArmor config. These issues have not presented themselves before so I am unsure what the problem is. Both are permission denial messages clearly visible in my syslog.

The applications are Authy and Masscode

The lines from my syslog are below:

Jul 5 12:49:23 arach systemd[1947]: snap.masscode.masscode.642bc059-5434-41bb-b652-8b8534c32dba.scope: Succeeded.
Jul 5 12:49:23 arach kernel: [ 1066.347149] audit: type=1400 audit(1657039763.207:136): apparmor="DENIED" operation="rmdir" profile="snap.masscode.masscode" name="/mnt/sdb1/Downloads/" pid=8634 comm="rmdir" requested_mask="d" denied_mask="d" fsuid=1000 ouid=1000

Jul 5 12:49:40 arach systemd[1947]: Started snap.authy.authy.8fa77d23-3a40-4250-831f-d8387a0cf2b0.scope.
Jul 5 12:49:40 arach kernel: [ 1083.523660] audit: type=1400 audit(1657039780.383:137): apparmor="DENIED" operation="open" profile="snap.authy.authy" name="/mnt/sdb1/Downloads/" pid=8694 comm="head" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

Could someone shed some light on why I have managed to find two disparate apps that both collide with AppArmor?


John Vaccaro eMail: jvaccaro@gmail.com

Do not be too moral. You may cheat yourself out of much of life. So aim above morality. Be not simply good; be good for something. - Thoreau

Snap Packages, when strictly confined, are blocked from accessing your host system. There are “plugs” which a Snap Package may request that enable permissions to access specific areas. The /mnt directory is covered by the removable-media plug, which is not “connected” by default. Connected here means that it is enabled and the permission granted. There is also the potential that neither package has requested the removable-media plug, in which case it cannot be connected at all. If they have requested the permission, then you can grant it either in the Ubuntu Software app in Ubuntu or via the command line on any system, including Ubuntu, with sudo snap connect <snap-name>:removable-media, where <snap-name> is the name of the snap as shown in snap list, e.g. authy and masscode in these cases.
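One way to triage denials like the two in the question before granting anything, as an added example that is not part of either post: it extracts each snap, operation and path from AppArmor audit lines and prints (without running) the commands to review and connect removable-media. The function names, the third log line and the snap name example-snap are constructed; that removable-media also covers /media and /run/media is taken from snapd's interface, not from this page.

```shell
#!/bin/sh
# Added example: summarise AppArmor denials logged against snap profiles.

# Sample input: the first two lines mirror the question's syslog; the third
# (example-snap, /etc/fstab) is constructed to show a path no plug here covers.
SAMPLE_LOG='Jul  5 12:49:23 arach kernel: [ 1066.347149] audit: type=1400 audit(1657039763.207:136): apparmor="DENIED" operation="rmdir" profile="snap.masscode.masscode" name="/mnt/sdb1/Downloads/" pid=8634 comm="rmdir" requested_mask="d" denied_mask="d" fsuid=1000 ouid=1000
Jul  5 12:49:40 arach kernel: [ 1083.523660] audit: type=1400 audit(1657039780.383:137): apparmor="DENIED" operation="open" profile="snap.authy.authy" name="/mnt/sdb1/Downloads/" pid=8694 comm="head" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Jul  5 12:50:02 arach kernel: [ 1105.000000] audit: type=1400 audit(1657039802.000:138): apparmor="DENIED" operation="open" profile="snap.example-snap.app" name="/etc/fstab" pid=9001 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0'

# Read audit lines on stdin; print "snap operation path interface" per denial.
# Profiles are named snap.<snap>.<app>, so the snap is the second dotted field.
snap_denials() {
  grep 'apparmor="DENIED"' | grep 'profile="snap\.' |
  sed -n 's/.*operation="\([^"]*\)".*profile="snap\.\([^."]*\)\.[^"]*".*name="\([^"]*\)".*/\2 \1 \3/p' |
  while read -r snap op path; do
    case "$path" in
      # Locations the removable-media interface grants access to.
      /mnt/*|/media/*|/run/media/*) iface=removable-media ;;
      # Anything else needs a manual look at the snap's declared plugs.
      *) iface=unknown ;;
    esac
    printf '%s %s %s %s\n' "$snap" "$op" "$path" "$iface"
  done | sort -u
}

# Print the commands to inspect each affected snap's plugs and, if the plug
# is declared but disconnected, to connect it. Nothing is executed here.
suggest_commands() {
  snap_denials | awk '$NF != "unknown" && !seen[$1]++ {
    printf "snap connections %s\nsudo snap connect %s:%s\n", $1, $1, $NF }'
}

printf '%s\n' "$SAMPLE_LOG" | suggest_commands
```

On a live system, feed it the kernel log instead of the sample, for example `journalctl -k | snap_denials`; run `snap connections <snap-name>` first, since the connect step only works if the snap declares the plug.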