[Solved] Cannot query current apparmor profile

LDarki · March 8, 2023, 12:07pm

Hi, when i try to run any snap package i got that error.

cannot query current apparmor profile: Invalid argument

The thing is that apparmor is working without issues. I found this:

Probably that will help but idk how to fix it. I think that snap is using the wrong path.

Any help is appreciated

PD: Sorry for my English. I know that is not the best, I am a Spanish speaker

goldstar611 · March 8, 2023, 2:26pm

I believe that AppArmor profiles for snaps are not backed by any file on disk so finding the current AppArmor profile wouldn’t be helpful. (I could be wrong)

Have you checked sudo dmesg after a snap fails to launch to see if any errors are listed?

LDarki · March 8, 2023, 2:39pm

Directly the app doesn’t run, it throws the Invalid argument error. using dmesg doesn’t show any error.

ogra · March 8, 2023, 3:16pm

what is the full output of snap version ? (might be a kernel issue …)

also snap debug confinement and snap debug sandbox-features might be helpful commands to see what is missing/wrong …

LDarki · March 8, 2023, 3:25pm

ldarki@ldarki:~$ snap version
snap    2.58.2
snapd   2.58.2
series  16
pika    22.10
kernel  6.1.0-7.203.fsync-cosmo-amd64

ldarki@ldarki:~$ snap debug confinement
partial
ldarki@ldarki:~$ snap debug sandbox-features
apparmor:             kernel:caps kernel:domain kernel:file kernel:mount kernel:namespaces kernel:network_v8 kernel:policy kernel:ptr
ace kernel:query kernel:rlimit kernel:signal parser:cap-audit-read parser:cap-bpf parser:mqueue parser:qipcrtr-socket parser:unsafe p
arser:xdp policy:default support-level:partial
confinement-options:  classic devmode
dbus:                 mediated-bus-access
kmod:                 mediated-modprobe
mount:                layouts mount-namespace per-snap-persistency per-snap-profiles per-snap-updates per-snap-user-profiles stale-ba
se-invalidation
seccomp:              bpf-actlog bpf-argument-filtering kernel:allow kernel:errno kernel:kill_process kernel:kill_thread kernel:log k
ernel:trace kernel:trap kernel:user_notif
udev:                 tagging

ogra · March 8, 2023, 3:29pm

yeah, your kernel is definitely degrading security features, i guess it is missing some essential apparmor patches …

it gets even worse because you installed it on an official ubuntu install it seems, where the full patch set and the full set of ubuntu default options is expected …

switch to an official ubuntu kernel (6.1 is provided as one of the -oem or -hwe kernels if you have a hard requirement for this version) and it should all work.

LDarki · March 8, 2023, 3:37pm

It works now, ty