[Solved] Snap refused by apparmor

I was trying to remove a snap package, but now I can’t open the Ubuntu software tool anymore. Or any other snap package for that matter. It looks like apparmor denies execution. But I haven’t touched it.

$ snap version
2020/10/06 00:13:31.568753 tool_linux.go:82: cannot open snapd info file "/snap/core/current/usr/lib/snapd/info": open /snap/core/current/usr/lib/snapd/info: permission denied
panic: user: lookup userid 1000: permission denied [recovered]
panic: user: lookup userid 1000: permission denied

goroutine 1 [running]:
main.main.func1()
/build/snapd-OgXkt4/snapd-2.46.1+20.04/_build/src/github.com/snapcore/snapd/cmd/snap/main.go:477 +0x95
panic(0x55dae5d20760, 0xc000323790)
/usr/lib/go-1.13/src/runtime/panic.go:679 +0x1b6

$ ls -l /snap/core/current/usr/lib/snapd/info
-rw-r--r-- 1 root root 15 sep 4 18:08 /snap/core/current/usr/lib/snapd/info

$ tail /var/log/syslog
Oct 6 00:15:42 name kernel: [ 4543.858558] audit: type=1400 audit(1601936142.052:283): apparmor="DENIED" operation="open" profile="/usr/bin/snap" name="/sys/kernel/mm/transparent_hugepage/hpage_pmd_size" pid=19922 comm="snap" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

This is unexpected. Is there a /etc/apparmor.d/usr.bin.snap file in your system? If it exists, can you identify which package owns this file by running dpkg -S /etc/apparmor.d/usr.bin.snap?

Hi mborzecki,
Here’s the output.

$ ls -l /etc/apparmor.d/usr.bin.snap
-rw------- 1 root root 141 okt 5 22:49 /etc/apparmor.d/usr.bin.snap

$ dpkg -S /etc/apparmor.d/usr.bin.snap
dpkg-query: no path found matching pattern /etc/apparmor.d/usr.bin.snap

$ sudo dpkg -l | grep snap
ii chromium-browser 1:85.0.4183.83-0ubuntu0.20.04.1 amd64 Transitional package - chromium-browser -> chromium snap
ii chromium-codecs-ffmpeg-extra 1:85.0.4183.83-0ubuntu0.20.04.1 amd64 Transitional package - chromium-codecs-ffmpeg-extra -> chromium-ffmpeg snap
ii gir1.2-snapd-1:amd64 1.57-0ubuntu3 amd64 Typelib file for libsnapd-glib1
ii libsnapd-glib1:amd64 1.57-0ubuntu3 amd64 GLib snapd library
ii libsnappy1v5:amd64 1.1.8-1build1 amd64 fast compression/decompression library
ii snapd 2.46.1+20.04 amd64 Daemon and tooling that enable snap packages

$ sudo cat usr.bin.snap

# Last Modified: Mon Oct 5 22:48:37 2020

#include <tunables/global>

/usr/bin/snap {
#include <abstractions/base>

/usr/bin/snap mr,

}

Which distro is this?

@zyga any clue? Do you recall snapd ever shipping an AppArmor profile for /usr/bin/snap?

$ cat /etc/issue
Ubuntu 20.04.1 LTS \n \l

$ uname -a
Linux blabla 5.4.0-48-generic #52-Ubuntu SMP Thu Sep 10 10:58:49 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

I recall an issue like that. Some tool was wrapping random binaries with generated apparmor profiles. I don’t recall the details though.

We saw this once before here: [Solved] "Permission denied" in general | Ubuntu 19.10 | snap 2.42.5. There is also https://irclogs.ubuntu.com/2016/11/17/%23snappy.html. There was nothing conclusive in either case on what created it.

Ok. I removed the snap files in /etc/apparmor.d and did a reboot.

$ sudo rm usr.bin.snap usr.lib.snapd.snap-confine.real
$ sudo reboot

Some snap functionality has returned…

$ snap --version
snap 2.46.1+20.04
snapd 2.46.1+20.04
series 16
ubuntu 20.04
kernel 5.4.0-48-generic

But snap-store isn’t working

$ snap-store
snap-confine has elevated permissions and is not confined but should be. Refusing to continue to avoid permission escalation attacks: Operation not permitted

You’ve probably removed too much. Snapd requires the AppArmor policies it ships with: it was the extra ones not provided by the snapd package that were the problem.

Perhaps try running sudo apt reinstall snapd now, to see if that improves matters.
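
The ownership check from earlier in the thread, run across the whole profile directory before anything is deleted (an added example, not part of the original posts): it lists top-level files that `dpkg -S` cannot attribute to any package, with the binaries each one attaches to. The function names and the OWNER_LOOKUP override are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): find AppArmor profile files that no
# package owns, so only those are considered for removal.

# Default ownership lookup: print the owning package, fail if dpkg knows none.
owner_of() {
    out=$(dpkg -S "$1" 2>/dev/null) || return 1
    printf '%s\n' "${out%%:*}"
}

# List unowned top-level files in a profile directory as
# "<file><TAB><attached names>". OWNER_LOOKUP (hypothetical hook) may name a
# replacement lookup function, e.g. for testing without dpkg.
unowned_profiles() {
    dir=${1:-/etc/apparmor.d}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue     # skip abstractions/, tunables/, local/ ...
        "${OWNER_LOOKUP:-owner_of}" "$f" >/dev/null && continue
        # Profile headers end in "{": "/usr/bin/snap {" or "profile name ... {".
        attached=$(awk '/[{][ \t]*$/ && $1 !~ /^#/ {
                print ($1 == "profile" ? $2 : $1) }' "$f" 2>/dev/null | paste -sd, -)
        printf '%s\t%s\n' "$f" "$attached"
    done
}

# Run a scan only when a directory is given on the command line (root is
# needed to read files with mode 0600 such as the one in this thread).
if [ "$#" -gt 0 ]; then
    unowned_profiles "$1"
fi
```

Files that a package owns never appear in the output, so they are not mistaken for the stray ones.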

$ sudo apt reinstall snapd
Reading package lists… Done
Building dependency tree
Reading state information… Done
0 upgraded, 0 newly installed, 1 reinstalled, 0 to remove and 0 not upgraded.
Need to get 0 B/27,6 MB of archives.
After this operation, 0 B of additional disk space will be used.
(Reading database … 325388 files and directories currently installed.)
Preparing to unpack …/snapd_2.46.1+20.04_amd64.deb …
Unpacking snapd (2.46.1+20.04) over (2.46.1+20.04) …
Setting up snapd (2.46.1+20.04) …
snapd.failure.service is a disabled or a static unit, not starting it.
snapd.snap-repair.service is a disabled or a static unit, not starting it.
Processing triggers for mime-support (3.64ubuntu1) …
Processing triggers for gnome-menus (3.36.0-1ubuntu1) …
Processing triggers for man-db (2.9.1-1) …
Processing triggers for dbus (1.12.16-2ubuntu2.1) …
Processing triggers for desktop-file-utils (0.24-1ubuntu3) …

I also did a fresh install with similar results :cry:

$ sudo apt purge snapd

$ sudo apt install snapd
Reading package lists… Done
Building dependency tree
Reading state information… Done
The following NEW packages will be installed:
snapd
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B/27,6 MB of archives.
After this operation, 122 MB of additional disk space will be used.
Selecting previously unselected package snapd.
(Reading database … 325280 files and directories currently installed.)
Preparing to unpack …/snapd_2.46.1+20.04_amd64.deb …
Unpacking snapd (2.46.1+20.04) …
Setting up snapd (2.46.1+20.04) …
Created symlink /etc/systemd/system/multi-user.target.wants/snapd.apparmor.service → /lib/systemd/system/snapd.apparmor.service.
Created symlink /etc/systemd/system/multi-user.target.wants/snapd.autoimport.service → /lib/systemd/system/snapd.autoimport.service.
Created symlink /etc/systemd/system/multi-user.target.wants/snapd.core-fixup.service → /lib/systemd/system/snapd.core-fixup.service.
Created symlink /etc/systemd/system/multi-user.target.wants/snapd.recovery-chooser-trigger.service → /lib/systemd/system/snapd.recovery-chooser-trigger.service.
Created symlink /etc/systemd/system/multi-user.target.wants/snapd.seeded.service → /lib/systemd/system/snapd.seeded.service.
Created symlink /etc/systemd/system/cloud-final.service.wants/snapd.seeded.service → /lib/systemd/system/snapd.seeded.service.
Created symlink /etc/systemd/system/multi-user.target.wants/snapd.service → /lib/systemd/system/snapd.service.
Created symlink /etc/systemd/system/timers.target.wants/snapd.snap-repair.timer → /lib/systemd/system/snapd.snap-repair.timer.
Created symlink /etc/systemd/system/sockets.target.wants/snapd.socket → /lib/systemd/system/snapd.socket.
Created symlink /etc/systemd/system/final.target.wants/snapd.system-shutdown.service → /lib/systemd/system/snapd.system-shutdown.service.
snapd.failure.service is a disabled or a static unit, not starting it.
snapd.snap-repair.service is a disabled or a static unit, not starting it.
Processing triggers for mime-support (3.64ubuntu1) …
Processing triggers for gnome-menus (3.36.0-1ubuntu1) …
Processing triggers for man-db (2.9.1-1) …
Processing triggers for dbus (1.12.16-2ubuntu2.1) …
Processing triggers for desktop-file-utils (0.24-1ubuntu3) …

$ sudo snap install snap-store
2020-10-08T16:25:38+02:00 INFO Waiting for automatic snapd restart…
snap-store 3.31.1+git187.84b64e0b from Canonical✓ installed

$ snap-store
/home/cosmic/snap/snap-store/common/.cache/gio-modules/libgiognomeproxy.so: cannot open shared object file: No such file or directory
Failed to load module: /home/cosmic/snap/snap-store/common/.cache/gio-modules/libgiognomeproxy.so
/home/cosmic/snap/snap-store/common/.cache/gio-modules/libdconfsettings.so: cannot open shared object file: No such file or directory
Failed to load module: /home/cosmic/snap/snap-store/common/.cache/gio-modules/libdconfsettings.so
/home/cosmic/snap/snap-store/common/.cache/gio-modules/libgiognutls.so: cannot open shared object file: No such file or directory
Failed to load module: /home/cosmic/snap/snap-store/common/.cache/gio-modules/libgiognutls.so
/home/cosmic/snap/snap-store/common/.cache/gio-modules/libgiolibproxy.so: cannot open shared object file: No such file or directory
Failed to load module: /home/cosmic/snap/snap-store/common/.cache/gio-modules/libgiolibproxy.so
14:26:31:0344 GLib-GIO Using the ‘memory’ GSettings backend. Your settings will not be saved or shared with other applications.
14:26:31:0435 Gs enabled plugins: odrs, rewrite-resource, snap, icons, key-colors, key-colors-metadata
14:26:31:0435 Gs disabled plugins: appstream, desktop-categories, desktop-menu-path, dpkg, dummy, epiphany, fedora-pkgdb-collections, generic-updates, hardcoded-blacklist, hardcoded-featured, hardcoded-popular, modalias, os-release, provenance, provenance-license, repos, shell-extensions
14:26:31:0927 Gtk Could not load a pixbuf from icon theme.
This may indicate that pixbuf loaders or the mime database could not be found.
**
Gtk:ERROR:…/…/…/…/gtk/gtkiconhelper.c:494:ensure_surface_for_gicon: assertion failed (error == NULL): Failed to load /snap/snap-store/415/data-dir/icons/Yaru/16x16/status/image-missing.png: Unable to load image-loading module: /snap/snap-store/467/gnome-platform/usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so: /snap/snap-store/467/gnome-platform/usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so: cannot open shared object file: No such file or directory (gdk-pixbuf-error-quark, 5)
Aborted (core dumped)

OK. I got the snap store running for Ubuntu 20.04 using:

$ snap refresh snap-store --channel=stable/ubuntu-20.04

Although snap-store seems to work properly again, I get a lot of messages in /var/log/syslog when launching snap-store. Not sure if they are (all) snap related however…

gnome-shell[6748]: JS ERROR: TypeError: this._workspacesViews[i] is undefined#012_syncWorkspacesActualGeometry@resource:///org/gnome/shell/ui/workspacesView.js:782:13#012_updateWorkspacesActualGeometry@resource:///org/gnome/shell/ui/workspacesView.js
=== looks like a gnome-shell workspace issue ===

dbus-daemon[6077]: [session uid=1000 pid=6077] Activating service name='org.gnome.Nautilus' requested by ':1.24' (uid=1000 pid=6748 comm="/usr/bin/gnome-shell " label="unconfined")
=== not sure what Nautilus has to do with snap, but it looks like apparmor unconfines it. Not an error I think ===

kernel: [ 4154.687617] audit: type=1400 audit(1602192970.273:9661): apparmor="DENIED" operation="open" profile="snap.snap-store.ubuntu-software" name="/var/lib/snapd/hostfs/usr/share/mime/mime.cache" pid=28733 comm="snap-store" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
=== here apparmor denies snap-store (?) to open a mime.cache. Looking at my previous reply, do I have caching issues? ===

gnome-clocks[29346]: Theme parsing error: :1:0: Failed to import: The resource at “/org/gnome/clocks/css/gnome-clocks.yaru-dark.css” does not exist
=== Not important ===

gnome-shell[6748]: Received error from D-Bus search provider org.gnome.seahorse.Application.desktop during GetResultMetas: Gio.DBusError: GDBus.Error:org.freedesktop.DBus.Error.UnknownMethod: No such interface “org.gnome.Shell.SearchProvider2” on object at path /org/gnome/seahorse/Application
gnome-shell[6748]: Wrong number of result metas returned by search provider org.gnome.seahorse.Application.desktop: expected 1 but got 0
=== Graphics issue? No complaints there, so let's leave this for now. ===

kernel: [ 5268.346963] audit: type=1400 audit(1602194083.943:11264): apparmor="DENIED" operation="open" profile="snap.snap-store.ubuntu-software" name="/var/lib/snapd/hostfs/usr/share/mime/globs2" pid=29422 comm="snap-store" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
=== … and a lot of apparmor denied lines. It does not seem to have an impact on the store. /var/lib/snapd/hostfs is an empty folder. ===

For me it looks like I can proceed to reinstall all snap packages which were removed during the “purge” :crossed_fingers:

Unless I should really look into one of the above errors, you may mark this issue as solved. Thanks for your help! :+1: