Ubuntu 18.04 fresh install apparmor blocking slack, spotify and vscode

I have freshly installed Ubuntu 18.04 LTS. My Ubuntu account is connected with LDAP. Unfortunately, I cannot run any software that was installed through Programs and Applications…

I tried disabling AppArmor, but I was getting: "snap-confine has elevated permissions and is not confined but should be. Refusing to continue to avoid permission escalation attacks"

I tried reinstalling snapd and snap-confine. Nothing.

I tried adding my home directory to AppArmor. Nothing.

 ppiegza@ENPLAP-73:~$ pwd
 /home/enp.local/ppiegza
 ppiegza@ENPLAP-73:~$ cat /etc/apparmor.d/tunables/home.d/ubuntu
 # This file is auto-generated. It is recommended you update it using:
 # $ sudo dpkg-reconfigure apparmor
 #
 # The following is a space-separated list of where additional user home
 # directories are stored, each must have a trailing '/'. Directories added
 # here are appended to @{HOMEDIRS}.  See tunables/home for details.
 @{HOMEDIRS}+=/home/enp.local/ppiegza/

Comment #23 : Bug #1756793 : Bugs : snapd package : Ubuntu ← that didn’t help either.

ppiegza@ENPLAP-73:~$ slack
cannot create user data directory: /home/enp.local/ppiegza/snap/slack/6: Permission denied
ppiegza@ENPLAP-73:~$ sudo grep audit /var/log/kern.log |grep DENIED
[sudo] hasło użytkownika ppiegza:
May  2 11:21:23 ENPLAP-73 kernel: [  682.020057] audit: type=1400 audit(1525252883.377:1148): apparmor="DENIED" operation="capable" profile="/usr/sbin/cupsd" pid=880 comm="cupsd" capability=12  capname="net_admin"
May  2 11:21:23 ENPLAP-73 kernel: [  682.039725] audit: type=1400 audit(1525252883.397:1149): apparmor="DENIED" operation="capable" profile="/usr/sbin/cupsd" pid=880 comm="cupsd" capability=12  capname="net_admin"
May  2 11:21:23 ENPLAP-73 kernel: [  682.041015] audit: type=1400 audit(1525252883.397:1150): apparmor="DENIED" operation="capable" profile="/usr/sbin/cupsd" pid=880 comm="cupsd" capability=12  capname="net_admin"
May  2 11:44:08 ENPLAP-73 kernel: [ 2047.412056] audit: type=1400 audit(1525254248.775:1453): apparmor="DENIED" operation="open" profile="/usr/lib/snapd/snap-confine" name="/home/enp.local/ppiegza/" pid=20834 comm="snap-confine" requested_mask="r" denied_mask="r" fsuid=1384801278 ouid=1384801278
May  2 11:44:12 ENPLAP-73 kernel: [ 2050.813526] audit: type=1400 audit(1525254252.176:1454): apparmor="DENIED" operation="open" profile="/usr/lib/snapd/snap-confine" name="/home/enp.local/ppiegza/" pid=20842 comm="snap-confine" requested_mask="r" denied_mask="r" fsuid=1384801278 ouid=1384801278
May  2 11:44:20 ENPLAP-73 kernel: [ 2058.985557] audit: type=1400 audit(1525254260.348:1455): apparmor="DENIED" operation="open" profile="/usr/lib/snapd/snap-confine" name="/home/enp.local/ppiegza/" pid=20854 comm="snap-confine" requested_mask="r" denied_mask="r" fsuid=1384801278 ouid=1384801278
ppiegza@ENPLAP-73:~$

ppiegza@ENPLAP-73:~$ snap version
snap    2.32.6
snapd   2.32.6
series  16
ubuntu  18.04
kernel  4.15.0-20-generic

ppiegza@ENPLAP-73:~$ sudo aa-status
apparmor module is loaded.
40 profiles are loaded.
34 profiles are in enforce mode.
   /sbin/dhclient
   /snap/core/4486/usr/lib/snapd/snap-confine
   /snap/core/4486/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /snap/core/4571/usr/lib/snapd/snap-confine
   /snap/core/4571/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /usr/bin/evince
   /usr/bin/evince-previewer
   /usr/bin/evince-previewer//sanitized_helper
   /usr/bin/evince-thumbnailer
   /usr/bin/evince-thumbnailer//sanitized_helper
   /usr/bin/evince//sanitized_helper
   /usr/bin/man
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/NetworkManager/nm-dhcp-helper
   /usr/lib/connman/scripts/dhclient-script
   /usr/lib/cups/backend/cups-pdf
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /usr/sbin/cups-browsed
   /usr/sbin/cupsd
   /usr/sbin/cupsd//third_party
   /usr/sbin/ippusbxd
   /usr/sbin/ntpd
   /usr/sbin/tcpdump
   docker-default
   libreoffice-senddoc
   libreoffice-senddoc//sanitized_helper
   libreoffice-soffice//gpg
   libreoffice-xpdfimport
   man_filter
   man_groff
   snap-update-ns.core
   snap-update-ns.slack
   snap.core.hook.configure
6 profiles are in complain mode.
   /usr/sbin/sssd
   /usr/sbin/sssd//null-/usr/bin/nsupdate
   /usr/sbin/sssd//null-/usr/sbin/adcli
   libreoffice-oopslash
   libreoffice-soffice
   snap.slack.slack
9 processes have profiles defined.
5 processes are in enforce mode.
   /sbin/dhclient (1696)
   /usr/sbin/cups-browsed (1141)
   /usr/sbin/cupsd (999)
   /usr/sbin/cupsd (1061)
   /usr/sbin/ntpd (1623)
4 processes are in complain mode.
   /usr/sbin/sssd (1775)
   /usr/sbin/sssd (1823)
   /usr/sbin/sssd (1842)
   /usr/sbin/sssd (1843)
0 processes are unconfined but have a profile defined.

Ok. I found out that my home dir was not properly configured.

ppiegza@ENPLAP-73:~$ cat /etc/apparmor.d/tunables/home.d/ubuntu
# This file is auto-generated. It is recommended you update it using:
# $ sudo dpkg-reconfigure apparmor
#
# The following is a space-separated list of where additional user home
# directories are stored, each must have a trailing '/'. Directories added
# here are appended to @{HOMEDIRS}.  See tunables/home for details.
@{HOMEDIRS}+=/home/enp.local/

This got me working! 🙂
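
Why the first `@{HOMEDIRS}` line failed and the second worked, as an added example that is not part of the original post: the stock `tunables/home` defines `@{HOME}=@{HOMEDIRS}*/ /root/`, so each entry must be the parent of the home directories, not a home directory itself. The function names are hypothetical, and the sample input is trimmed from the output above.

```sh
# Added example. Stock tunables/home defines @{HOME}=@{HOMEDIRS}*/ /root/,
# so a home directory must be a direct child of one @{HOMEDIRS} entry.

# Print the entry a home directory needs: its parent, with a trailing '/'.
homedirs_entry_for() {
    set -- "${1%/}"
    printf '%s/\n' "${1%/*}"
}

# Read tunables text on stdin; print every @{HOMEDIRS} value, one per line.
homedirs_from_tunables() {
    sed -n 's/^[[:space:]]*@{HOMEDIRS}[[:space:]]*+\{0,1\}=[[:space:]]*//p' |
        tr -s '[:space:]' '\n'
}

# Succeed if home directory $1 sits directly under an entry read from stdin.
home_covered() {
    hc_want=$(homedirs_entry_for "$1")
    while IFS= read -r hc_entry; do
        [ "$hc_entry" = "$hc_want" ] && return 0
    done
    return 1
}

# Print the unique paths snap-confine was denied, from audit lines on stdin.
snap_confine_denials() {
    grep 'apparmor="DENIED"' | grep 'profile="[^"]*snap-confine"' |
        sed -n 's/.* name="\([^"]*\)".*/\1/p' | sort -u
}

# $1 = home directory, $2 = tunables text. Report coverage or the missing line.
check_home() {
    if printf '%s\n' "$2" | homedirs_from_tunables | home_covered "$1"; then
        echo "covered"
    else
        echo "missing: @{HOMEDIRS}+=$(homedirs_entry_for "$1")"
    fi
}

# Sample input: two audit lines in the format of the post (trimmed), and the
# stock default @{HOMEDIRS}=/home/ followed by each home.d line from the post.
SAMPLE_LOG='audit: type=1400 apparmor="DENIED" operation="capable" profile="/usr/sbin/cupsd" pid=880 comm="cupsd" capability=12  capname="net_admin"
audit: type=1400 apparmor="DENIED" operation="open" profile="/usr/lib/snapd/snap-confine" name="/home/enp.local/ppiegza/" pid=20834 comm="snap-confine" requested_mask="r" denied_mask="r"'
FIRST_TRY='@{HOMEDIRS}=/home/
@{HOMEDIRS}+=/home/enp.local/ppiegza/'
WORKING='@{HOMEDIRS}=/home/
@{HOMEDIRS}+=/home/enp.local/'
printf '%s\n' "$SAMPLE_LOG" | snap_confine_denials
check_home /home/enp.local/ppiegza "$FIRST_TRY"
check_home /home/enp.local/ppiegza "$WORKING"
```

On a real system, feed `snap_confine_denials` from `/var/log/kern.log` and `homedirs_from_tunables` from `tunables/home` plus the files under `tunables/home.d/`.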