[Solved] Snap application not launching due to a snap-confine permissions issue

I have been trying to distribute our Electron app in the Snap Store, and the publishing part has been smooth. But I have been facing several issues after installing through snap and have been trying to fix them one by one.

Here, I need help with the error: "snap-confine has elevated permissions and is not confined but should be. Refusing to continue to avoid permission escalation attacks"

How did I get the error?

  1. Installed my app: sudo snap install sdpclient
  2. Restarted the PC.
  3. Tried running the app: $ sdpclient

I noticed that the snapd service was not running so I started it, but the error prevails. (Also, why does the service not start automatically even after enabling it?)

Then I went through this thread with the same issue: https://forum.snapcraft.io/t/snap-confine-has-elevated-permissions-error/2391

The solution there was to install the Ubuntu kernel, but I am running Kali and the Kali kernel is already installed.

This is the result of snap version:

snap    2.42.5
snapd   2.42.5
series  16
kali    2019.4
kernel  5.3.0-kali2-amd64

Am I missing something? How do I ensure this error does not happen to my customers?

Thanks and Regards.

Can you provide the output of snap debug sandbox-features?

Also, please install the hello-world snap, and then run:

SNAPD_DEBUG=1 SNAP_CONFINE_DEBUG=1 snap run hello-world

and paste the log.

Sure!

$ snap debug confinement

 partial
$ snap debug sandbox-features

apparmor:             kernel:caps kernel:domain kernel:file kernel:mount kernel:namespaces kernel:network_v8 kernel:policy kernel:ptrace kernel:query kernel:rlimit kernel:signal parser:unsafe policy:downgraded support-level:partial
confinement-options:  classic devmode
dbus:                 mediated-bus-access
kmod:                 mediated-modprobe
mount:                freezer-cgroup-v1 layouts mount-namespace per-snap-persistency per-snap-profiles per-snap-updates per-snap-user-profiles stale-base-invalidation
seccomp:              bpf-actlog bpf-argument-filtering kernel:allow kernel:errno kernel:kill_process kernel:kill_thread kernel:log kernel:trace kernel:trap kernel:user_notif
udev:                 device-cgroup-v1 tagging
$ SNAPD_DEBUG=1 SNAP_CONFINE_DEBUG=1 snap run hello-world

2019/12/20 13:06:23.958539 cmd_linux.go:224: DEBUG: restarting into "/snap/snapd/current/usr/bin/snap"
2019/12/20 13:06:24.011980 cmd_run.go:364: DEBUG: SELinux not enabled
DEBUG: umask reset, old umask was  022
DEBUG: security tag: snap.hello-world.hello-world
DEBUG: executable:   /usr/lib/snapd/snap-exec
DEBUG: confinement:  non-classic
DEBUG: base snap:    core
DEBUG: ruid: 1000, euid: 0, suid: 0
DEBUG: rgid: 1000, egid: 0, sgid: 0
DEBUG: apparmor label on snap-confine is: unconfined
DEBUG: apparmor mode is: (null)
snap-confine has elevated permissions and is not confined but should be. Refusing to continue to avoid permission escalation attacks


Can you make sure that systemctl status apparmor.service shows that it’s active? If not, please start and enable the service. Once it’s active, the following command:

sudo aa-status | grep snap-confine

should list snap-confine profiles.

No, apparmor is not active. I will activate it now…

It is started and the output is:

   /snap/core/8268/usr/lib/snapd/snap-confine
   /snap/core/8268/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /snap/snapd/5754/usr/lib/snapd/snap-confine
   /snap/snapd/5754/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper

Do the snaps work now?

Yes!

To confirm again, I restarted the system and verified that both the snapd and apparmor services have started. Now the snap runs without any issues.

So I guess all I have to do is ensure that my customers have both these services enabled and hopefully it should work.

Thanks for the support!
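
The checks used in this thread, collected into a script as an added example that is not part of any post: it classifies SNAP_CONFINE_DEBUG=1 output and looks for a snap-confine profile in aa-status output. The function names are hypothetical, the classification rule is an assumption inferred from the debug lines quoted above (not taken from snap-confine's source), and the second sample log is constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# classify_confine_log: reads SNAP_CONFINE_DEBUG=1 output on stdin and prints
#   refused     euid 0, ruid non-zero, AppArmor label "unconfined" (the error in this thread)
#   confined    snap-confine runs under an AppArmor label
#   unconfined  no label, but not elevated; unknown: expected DEBUG lines missing
classify_confine_log() {
    awk '
        /DEBUG: ruid:/ { gsub(/,/, ""); ruid = $3; euid = $5 }
        /DEBUG: apparmor label on snap-confine is:/ { label = $NF }
        END {
            if (ruid == "" || label == "")           print "unknown"
            else if (label != "unconfined")          print "confined"
            else if (euid + 0 == 0 && ruid + 0 != 0) print "refused"
            else                                     print "unconfined"
        }'
}

# has_confine_profile: reads `aa-status` output on stdin; succeeds when at
# least one snap-confine profile is loaded.
has_confine_profile() {
    grep -Eq '/snapd/snap-confine$'
}

# live_preflight: for a real host (needs systemd; aa-status needs root). Not run below.
live_preflight() {
    for svc in apparmor.service snapd.service; do
        systemctl is-active --quiet "$svc" || { echo "$svc is not active"; return 1; }
    done
    aa-status | has_confine_profile || { echo "no snap-confine profile loaded"; return 1; }
    echo "ok"
}

# Sample: the relevant DEBUG lines from the failing run quoted in the thread.
SAMPLE_FAILING='DEBUG: ruid: 1000, euid: 0, suid: 0
DEBUG: apparmor label on snap-confine is: unconfined
DEBUG: apparmor mode is: (null)'

# Constructed sample: assumed shape of the same lines once the profile applies.
SAMPLE_CONFINED='DEBUG: ruid: 1000, euid: 0, suid: 0
DEBUG: apparmor label on snap-confine is: /usr/lib/snapd/snap-confine
DEBUG: apparmor mode is: enforce'

printf '%s\n' "$SAMPLE_FAILING"  | classify_confine_log
printf '%s\n' "$SAMPLE_CONFINED" | classify_confine_log
```

On a real machine, call live_preflight with sudo, or pipe the output of the SNAPD_DEBUG=1 SNAP_CONFINE_DEBUG=1 run into classify_confine_log.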

How did you activate it? I have the same problem.

What distribution do you use?

Thanks. I was able to use another program that doesn’t need the snap application.