I am on Arch Linux using the snapd package from the AUR.
snap version
snap 2.61-2
snapd 2.60.4
series 16
arch -
kernel 6.6.1-arch1-1
When I install LXD:
❯ snap install lxd
error: cannot perform the following tasks:
- Run install hook of "lxd" snap if present (run hook "install":
-----
logger.go:92: DEBUG: -- snap startup {"stage":"start", "time":"1699546533.045575"}
system_key.go:254: running from non-installed location /var/lib/snapd/snap/core/16202/usr/bin/snap: ignoring system-key
logger.go:92: DEBUG: SystemKeyMismatch returned an error: system-key versions not comparable
logger.go:92: DEBUG: system key mismatch detected, waiting for snapd to start responding...
logger.go:92: DEBUG: executing snap-confine from /var/lib/snapd/snap/core/16202/usr/lib/snapd/snap-confine
logger.go:92: DEBUG: SELinux not enabled
logger.go:92: DEBUG: creating transient scope snap.lxd.hook.install
logger.go:92: DEBUG: create transient scope job: /org/freedesktop/systemd1/job/7471
logger.go:92: DEBUG: job result is "done"
logger.go:92: DEBUG: transient scope snap.lxd.hook.install-426edff0-61d5-4e42-9ad0-480a3c47463b.scope created
logger.go:92: DEBUG: waited 47.943661ms for tracking
logger.go:92: DEBUG: -- snap startup {"stage":"snap to snap-confine", "time":"1699546533.113776"}
DEBUG: -- snap startup {"stage":"snap-confine enter", "time":"1699546533.117465"}
DEBUG: umask reset, old umask was 022
DEBUG: security tag: snap.lxd.hook.install
DEBUG: executable: /usr/lib/snapd/snap-exec
DEBUG: confinement: non-classic
DEBUG: base snap: core22
DEBUG: ruid: 0, euid: 0, suid: 0
DEBUG: rgid: 0, egid: 0, sgid: 0
cannot query current apparmor profile: Invalid argument
-----)
Also, AppArmor is enabled, but I am still getting partial security:
❯ snap debug sandbox-features
apparmor: kernel:caps kernel:domain kernel:file kernel:mount kernel:namespaces kernel:network_v8 kernel:policy kernel:ptrace kernel:query kernel:rlimit kernel:signal parser:cap-audit-read parser:cap-bpf parser:include-if-exists parser:qipcrtr-socket parser:unsafe parser:xdp policy:default support-level:partial
confinement-options: classic devmode
dbus: mediated-bus-access
kmod: mediated-modprobe
mount: layouts mount-namespace per-snap-persistency per-snap-profiles per-snap-updates per-snap-user-profiles stale-base-invalidation
seccomp: bpf-actlog bpf-argument-filtering kernel:allow kernel:errno kernel:kill_process kernel:kill_thread kernel:log kernel:trace kernel:trap kernel:user_notif
udev: tagging
❯ aa-enabled
Yes
❯ snap debug confinement
partial
❯ systemctl status apparmor.service
● apparmor.service - Load AppArmor profiles
Loaded: loaded (/usr/lib/systemd/system/apparmor.service; enabled; preset: disabled)
Active: active (exited) since Thu 2023-11-09 10:27:26 EST; 49min ago
Main PID: 255392 (code=exited, status=0/SUCCESS)
CPU: 4.866s
Nov 09 10:27:26 syntist-pc systemd[1]: Starting Load AppArmor profiles...
Nov 09 10:27:26 syntist-pc apparmor.systemd[255392]: Restarting AppArmor
Nov 09 10:27:26 syntist-pc apparmor.systemd[255392]: Reloading AppArmor profiles
Nov 09 10:27:26 syntist-pc systemd[1]: Finished Load AppArmor profiles.
❯ systemctl status snapd.apparmor.service
● snapd.apparmor.service - Load AppArmor profiles managed internally by snapd
Loaded: loaded (/usr/lib/systemd/system/snapd.apparmor.service; enabled; preset: disabled)
Active: active (exited) since Thu 2023-11-09 09:52:57 EST; 1h 24min ago
Main PID: 467 (code=exited, status=0/SUCCESS)
CPU: 384ms
Nov 09 09:52:57 syntist-pc systemd[1]: Starting Load AppArmor profiles managed internally by snapd...
Nov 09 09:52:57 syntist-pc snapd-apparmor[467]: main.go:124: Loading profiles [/var/lib/snapd/apparmor/profiles/snap-confine.core.16202 /var/lib/snapd/apparmor/profiles/snap-confine.snapd.20290 /var/lib/snapd/ap>
Nov 09 09:52:57 syntist-pc systemd[1]: Finished Load AppArmor profiles managed internally by snapd.
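snapd derives the `support-level` it reports from the AppArmor kernel and parser features it can detect, and it only offers `strict` as a confinement option when that support is full; with `support-level:partial` the `confinement-options` line stays at `classic devmode`, which is why `snap debug confinement` answers `partial`. The following script is an added example, not part of the original post or of snapd itself: it parses the text format that `snap debug sandbox-features` prints, reports the AppArmor support level, says whether strict confinement is on offer, and lists which kernel features from an expected set are absent. The sample text is copied from the output above and embedded so the script runs offline; the expected feature list `caps dbus network` is an assumption chosen for illustration (compare it against the list in snapd's own AppArmor backend source), not a value snapd publishes.

```shell
#!/bin/sh
# Added example: parse `snap debug sandbox-features` output and summarise
# the AppArmor confinement situation. Not snapd's code.

# Constructed sample: the sandbox-features output from the post above.
SAMPLE_FEATURES='apparmor: kernel:caps kernel:domain kernel:file kernel:mount kernel:namespaces kernel:network_v8 kernel:policy kernel:ptrace kernel:query kernel:rlimit kernel:signal parser:cap-audit-read parser:cap-bpf parser:include-if-exists parser:qipcrtr-socket parser:unsafe parser:xdp policy:default support-level:partial
confinement-options: classic devmode
dbus: mediated-bus-access
kmod: mediated-modprobe
mount: layouts mount-namespace per-snap-persistency per-snap-profiles per-snap-updates per-snap-user-profiles stale-base-invalidation
seccomp: bpf-actlog bpf-argument-filtering kernel:allow kernel:errno kernel:kill_process kernel:kill_thread kernel:log kernel:trace kernel:trap kernel:user_notif
udev: tagging'

# Print the space-separated token list for one "<backend>: ..." line.
# $1 = sandbox-features text, $2 = backend name (e.g. apparmor)
sandbox_backend_features() {
    printf '%s\n' "$1" | sed -n "s/^$2: //p"
}

# Extract the AppArmor support level token (e.g. "partial").
apparmor_support_level() {
    sandbox_backend_features "$1" apparmor | tr ' ' '\n' | sed -n 's/^support-level://p'
}

# Return 0 if "strict" appears in confinement-options, 1 otherwise.
strict_confinement_available() {
    for opt in $(sandbox_backend_features "$1" confinement-options); do
        [ "$opt" = strict ] && return 0
    done
    return 1
}

# Print, one per line, the names in $2 that have no "kernel:<name>" token
# in the apparmor line of $1. Matching is exact, so "network_v8" does not
# satisfy an expected "network". The expected list is the caller's
# assumption, not something snapd publishes.
missing_apparmor_kernel_features() {
    have=" $(sandbox_backend_features "$1" apparmor) "
    for f in $2; do
        case "$have" in
            *" kernel:$f "*) ;;
            *) printf '%s\n' "$f" ;;
        esac
    done
}

# One-line human summary of the confinement situation.
confinement_summary() {
    level=$(apparmor_support_level "$1")
    if strict_confinement_available "$1"; then
        printf 'apparmor support-level=%s; strict confinement available\n' "$level"
    else
        printf 'apparmor support-level=%s; strict confinement NOT available (options: %s)\n' \
            "$level" "$(sandbox_backend_features "$1" confinement-options)"
    fi
}

# Run against the embedded sample; on a live host substitute
# FEATURES=$(snap debug sandbox-features) for SAMPLE_FEATURES.
confinement_summary "$SAMPLE_FEATURES"
echo "kernel features absent from the assumed expected set (caps dbus network):"
missing_apparmor_kernel_features "$SAMPLE_FEATURES" "caps dbus network"
```

Run on the sample, the summary line reports `support-level=partial` with only `classic devmode` available, and the missing-feature check prints `dbus` and `network`, since the sample carries `kernel:network_v8` but no plain `kernel:network` and no `kernel:dbus` token. When the same script is pointed at a host whose `confinement-options` line includes `strict`, the summary changes accordingly, which makes it a quick check to rerun after a kernel or apparmor package change.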