Unable to run snaps, apparmor denials

dhoomakethu · December 16, 2022, 4:18pm

Hello,

We are having issues with one of our IOT edge gateways running Ubuntu core 16 after a snapd refresh. Every snap command is failing with

cannot create /tmp/snap-private-tmp: Permission denied

Seeing this in the logs.

Dec 16 11:14:11 HOSTNAME audit[30285]: AVC apparmor="DENIED" operation="mkdir" profile="/usr/lib/snapd/snap-confine" name="/tmp/snap-private-tmp/" pid=30285 comm="snap-confine" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
Dec 16 11:14:11 HOSTNAME kernel: audit: type=1400 audit(1671207251.339:2103): apparmor="DENIED" operation="mkdir" profile="/usr/lib/snapd/snap-confine" name="/tmp/snap-private-tmp/" pid=30285 comm="snap-confine" requested_mask="c" denied_mask="c" fsuid=0 ouid=0

Any idea what could be happening here?

Host information

admin@GSX1B02:~$ hostnamectl
   Static hostname: XXXXXX
         Icon name: computer-laptop
           Chassis: laptop
        Machine ID: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
           Boot ID: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  Operating System: Ubuntu Core 16
            Kernel: Linux 4.4.0-151-generic
      Architecture: x86-64

Snap info

$ snap version
snap    2.50.1
snapd   2.57.6
series  16
kernel  4.4.0-151-generic

dhoomakethu · December 19, 2022, 4:50am

I had to re-install all snaps after snapd install to get them working again. Sounds like a bug with snapd.

dhoomakethu · December 19, 2022, 5:14am

Actually not all snaps are restored with re-installs.

$ sudo snap info --verbose curl
name:    curl
summary: CLI tool for transferring data with URL syntax (HTTP, HTTPS, etc)
health:
  status:  unknown
  message: health has not been set
publisher: Wouter van Bommel (woutervb)
store-url: https://snapcraft.io/curl
contact:   https://github.com/woutervb/snap-curl
license:   curl
description: |
  A command line tool and library for transferring data with URL syntax,
  supporting HTTP, HTTPS, FTP, FTPS, GOPHER, TFTP, SCP, SFTP, SMB, TELNET,
  DICT, LDAP, LDAPS, FILE, IMAP, SMTP, POP3, RTSP and RTMP.
  libcurl offers a myriad of powerful features
commands:
  - curl
notes:
  private:           false
  confinement:       strict
  devmode:           false
  jailmode:          false
  trymode:           false
  enabled:           true
  broken:            false
  ignore-validation: false
base:         core20
snap-id:      jFJhGxzO7zh4xPun3oLzsYPesPvyGblh
tracking:     latest/stable
refresh-date: today at 00:07 EST
channels:
  latest/stable:    7.86.0 2022-11-03 (1256) 6MB -
  latest/candidate: 7.86.0 2022-11-03 (1256) 6MB -
  latest/beta:      ↑
  latest/edge:      7.86.0 2022-12-18 (1365) 6MB -
installed:          7.86.0            (1256) 6MB -
$ sudo curl --help
cannot open /tmp/snap-private-tmp: Permission denied
$ curl --help
cannot open /tmp/snap-private-tmp: Permission denied
$

dhoomakethu · December 20, 2022, 5:30am

Here is the debug logs.

$ sudo snap run --debug-log --strace=--raw curl -h
2022/12/20 10:51:04.276141 cmd_run.go:488: DEBUG: enabled debug logging of early snap startup
2022/12/20 10:51:04.281433 cmd_run.go:1037: DEBUG: executing snap-confine from /usr/lib/snapd/snap-confine
2022/12/20 10:51:04.314274 cmd_run.go:440: DEBUG: SELinux not enabled
2022/12/20 10:51:04.314605 tracking.go:46: DEBUG: creating transient scope snap.curl.curl
2022/12/20 10:51:04.314752 tracking.go:189: DEBUG: session bus is not available: cannot find session bus
2022/12/20 10:51:04.314812 tracking.go:191: DEBUG: falling back to system bus
2022/12/20 10:51:04.320566 tracking.go:196: DEBUG: using system bus now, session bus was not available
2022/12/20 10:51:04.625827 tracking.go:319: DEBUG: create transient scope job: /org/freedesktop/systemd1/job/380978
2022/12/20 10:51:04.638186 tracking.go:146: DEBUG: waited 317.233158ms for tracking
2022/12/20 10:51:04.638516 logger.go:184: DEBUG: -- snap startup {"stage":"snap to snap-confine", "time":"1671513664.638261"}
execve("/usr/lib/snapd/snap-confine", ["/usr/lib/snapd/snap-confine", "snap.curl.curl", "/usr/lib/snapd/snap-exec", "curl", "-h"], 0x7fff4ce57c58 /* 34 vars */) = 0
brk(NULL)                               = 0x1190000
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=15770, ...}) = 0
mmap(NULL, 15770, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fd856a80000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libudev.so.1", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0\0\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=126840, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fd856a7f000
mmap(NULL, 130656, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fd856a5f000
mmap(0x7fd856a7d000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1d000) = 0x7fd856a7d000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\240\r\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=14608, ...}) = 0
mmap(NULL, 2109680, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fd85665b000
mprotect(0x7fd85665e000, 2093056, PROT_NONE) = 0
mmap(0x7fd85685d000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x7fd85685d000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libpthread.so.0", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\260`\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=138696, ...}) = 0
mmap(NULL, 2212904, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fd85643e000
mprotect(0x7fd856456000, 2093056, PROT_NONE) = 0
mmap(0x7fd856655000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x17000) = 0x7fd856655000
mmap(0x7fd856657000, 13352, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fd856657000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0`\t\2\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=1868984, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fd856a5e000
mmap(NULL, 3971488, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fd856074000
mprotect(0x7fd856234000, 2097152, PROT_NONE) = 0
mmap(0x7fd856434000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1c0000) = 0x7fd856434000
mmap(0x7fd85643a000, 14752, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fd85643a000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/librt.so.1", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0!\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=31712, ...}) = 0
mmap(NULL, 2128832, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fd855e6c000
mprotect(0x7fd855e73000, 2093056, PROT_NONE) = 0
mmap(0x7fd856072000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x6000) = 0x7fd856072000
close(3)                                = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fd856a5d000
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fd856a5b000
arch_prctl(ARCH_SET_FS, 0x7fd856a5b740) = 0
mprotect(0x7fd856434000, 16384, PROT_READ) = 0
mprotect(0x7fd856655000, 4096, PROT_READ) = 0
mprotect(0x7fd856072000, 4096, PROT_READ) = 0
mprotect(0x7fd85685d000, 4096, PROT_READ) = 0
mprotect(0x7fd856a7d000, 4096, PROT_READ) = 0
mprotect(0x61c000, 4096, PROT_READ)     = 0
mprotect(0x7fd856a84000, 4096, PROT_READ) = 0
munmap(0x7fd856a80000, 15770)           = 0
set_tid_address(0x7fd856a5ba10)         = 14859
set_robust_list(0x7fd856a5ba20, 24)     = 0
rt_sigaction(SIGRTMIN, {sa_handler=0x7fd856443b50, sa_mask=[], sa_flags=SA_RESTORER|SA_SIGINFO, sa_restorer=0x7fd85644f390}, NULL, 8) = 0
rt_sigaction(SIGRT_1, {sa_handler=0x7fd856443be0, sa_mask=[], sa_flags=SA_RESTORER|SA_RESTART|SA_SIGINFO, sa_restorer=0x7fd85644f390}, NULL, 8) = 0
rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0
getrlimit(RLIMIT_STACK, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
write(2, "DEBUG: ", 7DEBUG: )                  = 7
write(2, "-- snap startup {\"stage\":\"snap-c"..., 74-- snap startup {"stage":"snap-confine enter", "time":"1671513667.364362"}) = 74
write(2, "\n", 1
)                       = 1
brk(NULL)                               = 0x1190000
brk(0x11b1000)                          = 0x11b1000
umask(000)                              = 022
write(2, "DEBUG: ", 7DEBUG: )                  = 7
write(2, "umask reset, old umask was  022", 31umask reset, old umask was  022) = 31
write(2, "\n", 1
)                       = 1
openat(AT_FDCWD, ".", O_RDONLY|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC|O_PATH) = 3
fstat(3, {st_mode=S_IFDIR|0755, st_size=12288, ...}) = 0
chdir("/")                              = 0
write(2, "DEBUG: ", 7DEBUG: )                  = 7
write(2, "security tag: snap.curl.curl", 28security tag: snap.curl.curl) = 28
write(2, "\n", 1
)                       = 1
write(2, "DEBUG: ", 7DEBUG: )                  = 7
write(2, "executable:   /usr/lib/snapd/sna"..., 38executable:   /usr/lib/snapd/snap-exec) = 38
write(2, "\n", 1
)                       = 1
write(2, "DEBUG: ", 7DEBUG: )                  = 7
write(2, "confinement:  non-classic", 25confinement:  non-classic) = 25
write(2, "\n", 1
)                       = 1
write(2, "DEBUG: ", 7DEBUG: )                  = 7
write(2, "base snap:    core", 18base snap:    core)      = 18
write(2, "\n", 1
)                       = 1
getresuid([0], [0], [0])                = 0
getresgid([0], [0], [0])                = 0
write(2, "DEBUG: ", 7DEBUG: )                  = 7
write(2, "ruid: 0, euid: 0, suid: 0", 25ruid: 0, euid: 0, suid: 0) = 25
write(2, "\n", 1
)                       = 1
write(2, "DEBUG: ", 7DEBUG: )                  = 7
write(2, "rgid: 0, egid: 0, sgid: 0", 25rgid: 0, egid: 0, sgid: 0) = 25
write(2, "\n", 1
)                       = 1
open("/var/lib/snapd/cookie/snap.curl", O_RDONLY|O_NOFOLLOW|O_CLOEXEC) = 4
read(4, "FPV7vv6mk8JqyNs4wgHQw1KWF0qdg6sv"..., 254) = 44
close(4)                                = 0
open("/proc/mounts", O_RDONLY|O_CLOEXEC) = 4
futex(0x7fd85643b008, FUTEX_WAKE_PRIVATE, 2147483647) = 0
fstat(4, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
read(4, "sysfs /sys sysfs rw,nosuid,nodev"..., 1024) = 1024
read(4, "ata=ordered 0 0\n/dev/mmcblk0p4 /"..., 1024) = 1024
read(4, "v/mmcblk0p4 /etc/systemd/network"..., 1024) = 1024
read(4, "dev/mmcblk0p4 /etc/systemd/times"..., 1024) = 1024
stat("/sys/kernel/security/apparmor", {st_mode=S_IFDIR|0755, st_size=0, ...}) = 0
close(4)                                = 0
open("/proc/14859/attr/current", O_RDONLY) = 4
read(4, "/usr/lib/snapd/snap-confine (enf"..., 128) = 38
read(4, "", 90)                         = 0
close(4)                                = 0
write(2, "DEBUG: ", 7DEBUG: )                  = 7
write(2, "apparmor label on snap-confine i"..., 62apparmor label on snap-confine is: /usr/lib/snapd/snap-confine) = 62
write(2, "\n", 1
)                       = 1
write(2, "DEBUG: ", 7DEBUG: )                  = 7
write(2, "apparmor mode is: enforce", 25apparmor mode is: enforce) = 25
write(2, "\n", 1
)                       = 1
write(2, "DEBUG: ", 7DEBUG: )                  = 7
write(2, "-- snap startup {\"stage\":\"snap-c"..., 90-- snap startup {"stage":"snap-confine mount namespace start", "time":"1671513667.470701"}) = 90
write(2, "\n", 1
)                       = 1
open("/proc/1/ns/mnt", O_RDONLY|O_NOFOLLOW|O_CLOEXEC|O_PATH) = 4
open("/proc/self/ns/mnt", O_RDONLY|O_NOFOLLOW|O_CLOEXEC|O_PATH) = 5
readlinkat(4, "", "mnt:[4026531840]", 128) = 16
readlinkat(5, "", "mnt:[4026531840]", 128) = 16
close(5)                                = 0
close(4)                                = 0
write(2, "DEBUG: ", 7DEBUG: )                  = 7
write(2, "creating lock directory /run/sna"..., 52creating lock directory /run/snapd/lock (if missing)) = 52
write(2, "\n", 1
)                       = 1
write(2, "DEBUG: ", 7DEBUG: )                  = 7
write(2, "set_effective_identity uid:0 (ch"..., 62set_effective_identity uid:0 (change: no), gid:0 (change: yes)) = 62
write(2, "\n", 1
)                       = 1
getegid()                               = 0
setresgid(-1, 0, -1)                    = 0
getegid()                               = 0
open("/", O_RDONLY|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC) = 4
mkdirat(4, "run", 0755)                 = -1 EEXIST (File exists)
openat(4, "run", O_RDONLY|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC) = 5
close(4)                                = 0
mkdirat(5, "snapd", 0755)               = -1 EEXIST (File exists)
openat(5, "snapd", O_RDONLY|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC) = 4
close(5)                                = 0
mkdirat(4, "lock", 0755)                = -1 EEXIST (File exists)
openat(4, "lock", O_RDONLY|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC) = 5
close(4)                                = 0
close(5)                                = 0
write(2, "DEBUG: ", 7DEBUG: )                  = 7
write(2, "opening lock directory /run/snap"..., 38opening lock directory /run/snapd/lock) = 38
write(2, "\n", 1
)                       = 1
open("/run/snapd/lock", O_RDONLY|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC|O_PATH) = 4
write(2, "DEBUG: ", 7DEBUG: )                  = 7
write(2, "set_effective_identity uid:0 (ch"..., 62set_effective_identity uid:0 (change: no), gid:0 (change: yes)) = 62
write(2, "\n", 1
)                       = 1
getegid()                               = 0
setresgid(-1, 0, -1)                    = 0
getegid()                               = 0
write(2, "DEBUG: ", 7DEBUG: )                  = 7
write(2, "opening lock file: /run/snapd/lo"..., 40opening lock file: /run/snapd/lock/.lock) = 40
write(2, "\n", 1
)                       = 1
write(2, "DEBUG: ", 7DEBUG: )                  = 7
write(2, "set_effective_identity uid:0 (ch"..., 62set_effective_identity uid:0 (change: no), gid:0 (change: yes)) = 62
write(2, "\n", 1
)                       = 1
getegid()                               = 0
setresgid(-1, 0, -1)                    = 0
getegid()                               = 0
openat(4, ".lock", O_RDWR|O_CREAT|O_NOFOLLOW|O_CLOEXEC, 0600) = 5
write(2, "DEBUG: ", 7DEBUG: )                  = 7
write(2, "set_effective_identity uid:0 (ch"..., 62set_effective_identity uid:0 (change: no), gid:0 (change: yes)) = 62
write(2, "\n", 1
)                       = 1
getegid()                               = 0
setresgid(-1, 0, -1)                    = 0
getegid()                               = 0
close(4)                                = 0
rt_sigaction(SIGALRM, {sa_handler=0x40c6c0, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fd85644f390}, NULL, 8) = 0
alarm(30)                               = 0
write(2, "DEBUG: ", 7DEBUG: )                  = 7
write(2, "sanity timeout initialized and s"..., 49sanity timeout initialized and set for 30 seconds) = 49
write(2, "\n", 1
)                       = 1
write(2, "DEBUG: ", 7DEBUG: )                  = 7
write(2, "acquiring exclusive lock (scope "..., 48acquiring exclusive lock (scope (global), uid 0)) = 48
write(2, "\n", 1
)                       = 1
flock(5, LOCK_EX)                       = 0
alarm(0)                                = 30
rt_sigaction(SIGALRM, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fd85644f390}, NULL, 8) = 0
write(2, "DEBUG: ", 7DEBUG: )                  = 7
write(2, "sanity timeout reset and disable"..., 33sanity timeout reset and disabled) = 33
write(2, "\n", 1
)                       = 1
write(2, "DEBUG: ", 7DEBUG: )                  = 7
write(2, "ensuring that snap mount directo"..., 44ensuring that snap mount directory is shared) = 44
write(2, "\n", 1
)                       = 1
open("/proc/self/mountinfo", O_RDONLY)  = 4
fstat(4, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
read(4, "18 24 0:17 / /sys rw,nosuid,node"..., 1024) = 1024
read(4, "=ordered\n30 24 179:4 /system-dat"..., 1024) = 1024
read(4, "xt4 /dev/mmcblk0p4 rw,data=order"..., 1024) = 1024
read(4, "=ordered\n47 24 179:4 /system-dat"..., 1024) = 1024
read(4, "c/iproute2 /etc/iproute2 rw,rela"..., 1024) = 1024
read(4, " rw,data=ordered\n65 24 179:4 /sy"..., 1024) = 1024
read(4, "ed:54 - tmpfs tmpfs rw\n74 22 0:2"..., 1024) = 1024
read(4, "- cgroup cgroup rw,perf_event,re"..., 1024) = 1024
read(4, "latime shared:74 - mqueue mqueue"..., 1024) = 1024
read(4, "var/lib/systemd /var/lib/systemd"..., 1024) = 1024
read(4, "tem-data/var/lib/dhcp /var/lib/d"..., 1024) = 1024
read(4, "oop2 ro\n280 23 7:2 / /writable/s"..., 1024) = 1024
read(4, "-agent/x63 ro,nodev,relatime sha"..., 1024) = 1024
read(4, "2 ro\n324 248 7:14 / /snap/3g-wat"..., 1024) = 1024
read(4, "ge/x92 ro,nodev,relatime shared:"..., 1024) = 1024
read(4, "squashfs /dev/loop23 ro\n364 23 7"..., 1024) = 1024
read(4, "ev/loop28 ro\n384 23 7:28 / /writ"..., 1024) = 1024
read(4, "ta/snap/modem-manager/222 ro,nod"..., 1024) = 1024
read(4, "tinel/x34 ro,nodev,relatime shar"..., 1024) = 1024
read(4, "e shared:363 - squashfs /dev/loo"..., 1024) = 1024
read(4, "ime shared:378 - squashfs /dev/l"..., 1024) = 1024
read(4, "p52 ro\n485 248 7:55 / /snap/nmap"..., 1024) = 1024
read(4, "nap/bluez/296 ro,nodev,relatime "..., 1024) = 1024
read(4, "red:426 - squashfs /dev/loop63 r"..., 1024) = 1024
read(4, "/loop69 ro\n548 23 7:69 / /writab"..., 1024) = 1024
read(4, "a/snap/jq/6 ro,nodev,relatime sh"..., 1024) = 1024
read(4, ",relatime shared:471 - squashfs "..., 1024) = 1024
read(4, "\n611 248 7:85 / /snap/brightedge"..., 1024) = 1024
read(4, "ap-agent/x62 ro,nodev,relatime s"..., 1024) = 1024
read(4, "me shared:519 - squashfs /dev/lo"..., 1024) = 1024
read(4, "x7 ro,nodev,relatime shared:534 "..., 1024) = 1024
read(4, "ed:270 - squashfs /dev/loop12 ro"..., 1024) = 657
read(4, "", 1024)                       = 0
close(4)                                = 0
open("/var/lib/snapd/features", O_RDONLY|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC|O_PATH) = 4
newfstatat(4, "parallel-instances", 0x7ffe04a4ea10, AT_SYMLINK_NOFOLLOW) = -1 ENOENT (No such file or directory)
close(4)                                = 0
write(2, "DEBUG: ", 7DEBUG: )                  = 7
write(2, "unsharing snap namespace directo"..., 34unsharing snap namespace directory) = 34
write(2, "\n", 1
)                       = 1
write(2, "DEBUG: ", 7DEBUG: )                  = 7
write(2, "set_effective_identity uid:0 (ch"..., 62set_effective_identity uid:0 (change: no), gid:0 (change: yes)) = 62
write(2, "\n", 1
)                       = 1
getegid()                               = 0
setresgid(-1, 0, -1)                    = 0
getegid()                               = 0
open("/", O_RDONLY|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC) = 4
mkdirat(4, "run", 0755)                 = -1 EEXIST (File exists)
openat(4, "run", O_RDONLY|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC) = 6
close(4)                                = 0
mkdirat(6, "snapd", 0755)               = -1 EEXIST (File exists)
openat(6, "snapd", O_RDONLY|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC) = 4
close(6)                                = 0
mkdirat(4, "ns", 0755)                  = -1 EEXIST (File exists)
openat(4, "ns", O_RDONLY|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC) = 6
close(4)                                = 0
close(6)                                = 0
write(2, "DEBUG: ", 7DEBUG: )                  = 7
write(2, "set_effective_identity uid:0 (ch"..., 62set_effective_identity uid:0 (change: no), gid:0 (change: yes)) = 62
write(2, "\n", 1
)                       = 1
getegid()                               = 0
setresgid(-1, 0, -1)                    = 0
getegid()                               = 0
open("/proc/self/mountinfo", O_RDONLY)  = 4
fstat(4, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
read(4, "18 24 0:17 / /sys rw,nosuid,node"..., 1024) = 1024
read(4, "=ordered\n30 24 179:4 /system-dat"..., 1024) = 1024
read(4, "xt4 /dev/mmcblk0p4 rw,data=order"..., 1024) = 1024
read(4, "=ordered\n47 24 179:4 /system-dat"..., 1024) = 1024
read(4, "c/iproute2 /etc/iproute2 rw,rela"..., 1024) = 1024
read(4, " rw,data=ordered\n65 24 179:4 /sy"..., 1024) = 1024
read(4, "ed:54 - tmpfs tmpfs rw\n74 22 0:2"..., 1024) = 1024
read(4, "- cgroup cgroup rw,perf_event,re"..., 1024) = 1024
read(4, "latime shared:74 - mqueue mqueue"..., 1024) = 1024
read(4, "var/lib/systemd /var/lib/systemd"..., 1024) = 1024
read(4, "tem-data/var/lib/dhcp /var/lib/d"..., 1024) = 1024
read(4, "oop2 ro\n280 23 7:2 / /writable/s"..., 1024) = 1024
read(4, "-agent/x63 ro,nodev,relatime sha"..., 1024) = 1024
read(4, "2 ro\n324 248 7:14 / /snap/3g-wat"..., 1024) = 1024
read(4, "ge/x92 ro,nodev,relatime shared:"..., 1024) = 1024
read(4, "squashfs /dev/loop23 ro\n364 23 7"..., 1024) = 1024
read(4, "ev/loop28 ro\n384 23 7:28 / /writ"..., 1024) = 1024
read(4, "ta/snap/modem-manager/222 ro,nod"..., 1024) = 1024
read(4, "tinel/x34 ro,nodev,relatime shar"..., 1024) = 1024
read(4, "e shared:363 - squashfs /dev/loo"..., 1024) = 1024
read(4, "ime shared:378 - squashfs /dev/l"..., 1024) = 1024
read(4, "p52 ro\n485 248 7:55 / /snap/nmap"..., 1024) = 1024
read(4, "nap/bluez/296 ro,nodev,relatime "..., 1024) = 1024
read(4, "red:426 - squashfs /dev/loop63 r"..., 1024) = 1024
read(4, "/loop69 ro\n548 23 7:69 / /writab"..., 1024) = 1024
read(4, "a/snap/jq/6 ro,nodev,relatime sh"..., 1024) = 1024
read(4, ",relatime shared:471 - squashfs "..., 1024) = 1024
read(4, "\n611 248 7:85 / /snap/brightedge"..., 1024) = 1024
read(4, "ap-agent/x62 ro,nodev,relatime s"..., 1024) = 1024
read(4, "me shared:519 - squashfs /dev/lo"..., 1024) = 1024
read(4, "x7 ro,nodev,relatime shared:534 "..., 1024) = 1024
read(4, "ed:270 - squashfs /dev/loop12 ro"..., 1024) = 657
read(4, "", 1024)                       = 0
close(4)                                = 0
write(2, "DEBUG: ", 7DEBUG: )                  = 7
write(2, "releasing lock 5", 16releasing lock 5)        = 16
write(2, "\n", 1
)                       = 1
flock(5, LOCK_UN)                       = 0
close(5)                                = 0
readlink("/proc/self/exe", "/usr/lib/snapd/snap-confine", 4096) = 27
open("/usr/lib/snapd", O_RDONLY|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC|O_PATH) = 4
openat(4, "snap-update-ns", O_RDONLY|O_NOFOLLOW|O_CLOEXEC|O_PATH) = 5
write(2, "DEBUG: ", 7DEBUG: )                  = 7
write(2, "opened snap-update-ns executable"..., 53opened snap-update-ns executable as file descriptor 5) = 53
write(2, "\n", 1
)                       = 1
close(4)                                = 0
readlink("/proc/self/exe", "/usr/lib/snapd/snap-confine", 4096) = 27
open("/usr/lib/snapd", O_RDONLY|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC|O_PATH) = 4
openat(4, "snap-discard-ns", O_RDONLY|O_NOFOLLOW|O_CLOEXEC|O_PATH) = 6
write(2, "DEBUG: ", 7DEBUG: )                  = 7
write(2, "opened snap-discard-ns executabl"..., 54opened snap-discard-ns executable as file descriptor 6) = 54
write(2, "\n", 1
)                       = 1
close(4)                                = 0
write(2, "DEBUG: ", 7DEBUG: )                  = 7
write(2, "creating lock directory /run/sna"..., 52creating lock directory /run/snapd/lock (if missing)) = 52
write(2, "\n", 1
)                       = 1
write(2, "DEBUG: ", 7DEBUG: )                  = 7
write(2, "set_effective_identity uid:0 (ch"..., 62set_effective_identity uid:0 (change: no), gid:0 (change: yes)) = 62
write(2, "\n", 1
)                       = 1
getegid()                               = 0
setresgid(-1, 0, -1)                    = 0
getegid()                               = 0
open("/", O_RDONLY|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC) = 4
mkdirat(4, "run", 0755)                 = -1 EEXIST (File exists)
openat(4, "run", O_RDONLY|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC) = 7
close(4)                                = 0
mkdirat(7, "snapd", 0755)               = -1 EEXIST (File exists)
openat(7, "snapd", O_RDONLY|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC) = 4
close(7)                                = 0
mkdirat(4, "lock", 0755)                = -1 EEXIST (File exists)
openat(4, "lock", O_RDONLY|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC) = 7
close(4)                                = 0
close(7)                                = 0
write(2, "DEBUG: ", 7DEBUG: )                  = 7
write(2, "opening lock directory /run/snap"..., 38opening lock directory /run/snapd/lock) = 38
write(2, "\n", 1
)                       = 1
open("/run/snapd/lock", O_RDONLY|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC|O_PATH) = 4
write(2, "DEBUG: ", 7DEBUG: )                  = 7
write(2, "set_effective_identity uid:0 (ch"..., 62set_effective_identity uid:0 (change: no), gid:0 (change: yes)) = 62
write(2, "\n", 1
)                       = 1
getegid()                               = 0
setresgid(-1, 0, -1)                    = 0
getegid()                               = 0
write(2, "DEBUG: ", 7DEBUG: )                  = 7
write(2, "opening lock file: /run/snapd/lo"..., 44opening lock file: /run/snapd/lock/curl.lock) = 44
write(2, "\n", 1
)                       = 1
write(2, "DEBUG: ", 7DEBUG: )                  = 7
write(2, "set_effective_identity uid:0 (ch"..., 62set_effective_identity uid:0 (change: no), gid:0 (change: yes)) = 62
write(2, "\n", 1
)                       = 1
getegid()                               = 0
setresgid(-1, 0, -1)                    = 0
getegid()                               = 0
openat(4, "curl.lock", O_RDWR|O_CREAT|O_NOFOLLOW|O_CLOEXEC, 0600) = 7
write(2, "DEBUG: ", 7DEBUG: )                  = 7
write(2, "set_effective_identity uid:0 (ch"..., 62set_effective_identity uid:0 (change: no), gid:0 (change: yes)) = 62
write(2, "\n", 1
)                       = 1
getegid()                               = 0
setresgid(-1, 0, -1)                    = 0
getegid()                               = 0
close(4)                                = 0
rt_sigaction(SIGALRM, {sa_handler=0x40c6c0, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fd85644f390}, NULL, 8) = 0
alarm(30)                               = 0
write(2, "DEBUG: ", 7DEBUG: )                  = 7
write(2, "sanity timeout initialized and s"..., 49sanity timeout initialized and set for 30 seconds) = 49
write(2, "\n", 1
)                       = 1
write(2, "DEBUG: ", 7DEBUG: )                  = 7
write(2, "acquiring exclusive lock (scope "..., 44acquiring exclusive lock (scope curl, uid 0)) = 44
write(2, "\n", 1
)                       = 1
flock(7, LOCK_EX)                       = 0
alarm(0)                                = 30
rt_sigaction(SIGALRM, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fd85644f390}, NULL, 8) = 0
write(2, "DEBUG: ", 7DEBUG: )                  = 7
write(2, "sanity timeout reset and disable"..., 33sanity timeout reset and disabled) = 33
write(2, "\n", 1
)                       = 1
write(2, "DEBUG: ", 7DEBUG: )                  = 7
write(2, "initializing mount namespace: cu"..., 34initializing mount namespace: curl) = 34
write(2, "\n", 1
)                       = 1
open("/run/snapd/ns", O_RDONLY|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC|O_PATH) = 4
access("/snap/core/current", F_OK)      = 0
write(2, "DEBUG: ", 7DEBUG: )                  = 7
write(2, "setting up device cgroup", 24setting up device cgroup) = 24
write(2, "\n", 1
)                       = 1
futex(0x7fd85685e0a8, FUTEX_WAKE_PRIVATE, 2147483647) = 0
write(2, "DEBUG: ", 7DEBUG: )                  = 7
write(2, "cannot find current tags symbol:"..., 114cannot find current tags symbol: /lib/x86_64-linux-gnu/libudev.so.1: undefined symbol: udev_device_has_current_tag) = 114
write(2, "\n", 1
)                       = 1
write(2, "DEBUG: ", 7DEBUG: )                  = 7
write(2, "no current tags support present", 31no current tags support present) = 31
write(2, "\n", 1
)                       = 1
open("/etc/udev/udev.conf", O_RDONLY|O_CLOEXEC) = 8
fstat(8, {st_mode=S_IFREG|0644, st_size=153, ...}) = 0
read(8, "# see udev.conf(5) for details\n#"..., 1024) = 153
read(8, "", 1024)                       = 0
close(8)                                = 0
getrandom("\x15\xcd\xa6\x68\xa0\xb8\xe3\x00\x13\xf7\x2b\xef\xe5\x00\xda\x5b", 16, GRND_NONBLOCK) = 16
open("/run/udev/tags/snap_curl_curl", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
write(2, "DEBUG: ", 7DEBUG: )                  = 7
write(2, "no devices tagged with snap_curl"..., 67no devices tagged with snap_curl_curl, skipping device cgroup setup) = 67
write(2, "\n", 1
)                       = 1
open("/etc/os-release", O_RDONLY)       = 8
fstat(8, {st_mode=S_IFREG|0644, st_size=179, ...}) = 0
read(8, "NAME=\"Ubuntu Core\"\nVERSION=\"16\"\n"..., 1024) = 179
read(8, "", 1024)                       = 0
close(8)                                = 0
pipe2([8, 9], O_DIRECT|O_CLOEXEC)       = 0
pipe2([10, 11], O_DIRECT|O_CLOEXEC)     = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7fd856a5ba10) = 14890
rt_sigaction(SIGPIPE, {sa_handler=SIG_IGN, sa_mask=[PIPE], sa_flags=SA_RESTORER|SA_RESTART, sa_restorer=0x7fd8560a94c0}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
close(8)                                = 0
close(11)                               = 0
write(2, "DEBUG: ", 7DEBUG: )                  = 7
write(2, "forked support process 14890", 28forked support process 14890) = 28
write(2, "\n", 1
)                       = 1
openat(4, "curl.mnt", O_RDONLY|O_NOFOLLOW|O_CLOEXEC) = -1 ENOENT (No such file or directory)
write(2, "DEBUG: ", 7DEBUG: )                  = 7
write(2, "unsharing the mount namespace (p"..., 40unsharing the mount namespace (per-snap)) = 40
write(2, "\n", 1
)                       = 1
unshare(CLONE_NEWNS)                    = 0
open("/etc/os-release", O_RDONLY)       = 8
fstat(8, {st_mode=S_IFREG|0644, st_size=179, ...}) = 0
read(8, "NAME=\"Ubuntu Core\"\nVERSION=\"16\"\n"..., 1024) = 179
read(8, "", 1024)                       = 0
close(8)                                = 0
mkdir("/tmp/snap.rootfs_qGQ2Z2", 0700)  = 0
write(2, "DEBUG: ", 7DEBUG: )                  = 7
write(2, "scratch directory for constructi"..., 69scratch directory for constructing namespace: /tmp/snap.rootfs_qGQ2Z2) = 69
write(2, "\n", 1
)                       = 1
write(2, "DEBUG: ", 7DEBUG: )                  = 7
write(2, "performing operation: (disabled)"..., 63performing operation: (disabled) use debug build to see details) = 63
write(2, "\n", 1
)                       = 1
mount("none", "/", NULL, MS_REC|MS_SHARED, NULL) = 0
write(2, "DEBUG: ", 7DEBUG: )                  = 7
write(2, "performing operation: (disabled)"..., 63performing operation: (disabled) use debug build to see details) = 63
write(2, "\n", 1
)                       = 1
mount("/tmp/snap.rootfs_qGQ2Z2", "/tmp/snap.rootfs_qGQ2Z2", NULL, MS_BIND, NULL) = 0
write(2, "DEBUG: ", 7DEBUG: )                  = 7
write(2, "performing operation: (disabled)"..., 63performing operation: (disabled) use debug build to see details) = 63
write(2, "\n", 1
)                       = 1
mount("none", "/tmp/snap.rootfs_qGQ2Z2", NULL, MS_UNBINDABLE, NULL) = 0
write(2, "DEBUG: ", 7DEBUG: )                  = 7
write(2, "performing operation: (disabled)"..., 63performing operation: (disabled) use debug build to see details) = 63
write(2, "\n", 1
)                       = 1
mount("/", "/tmp/snap.rootfs_qGQ2Z2", NULL, MS_BIND|MS_REC, NULL) = 0
/snap/strace-static/current/bin/strace: Process 14890 attached
[pid 14859] write(2, "DEBUG: ", 7DEBUG:  <unfinished ...>
[pid 14890] set_robust_list(0x7fd856a5ba20, 24 <unfinished ...>
[pid 14859] <... write resumed> )       = 7
[pid 14859] write(2, "performing operation: (disabled)"..., 63 <unfinished ...>
[pid 14890] <... set_robust_list resumed> ) = 0
performing operation: (disabled) use debug build to see details[pid 14859] <... write resumed> )       = 63
[pid 14890] close(9 <unfinished ...>
[pid 14859] write(2, "\n", 1 <unfinished ...>
[pid 14890] <... close resumed> )       = 0

[pid 14859] <... write resumed> )       = 1
[pid 14890] close(10 <unfinished ...>
[pid 14859] mount("none", "/tmp/snap.rootfs_qGQ2Z2", NULL, MS_REC|MS_SLAVE, NULL <unfinished ...>
[pid 14890] <... close resumed> )       = 0
[pid 14859] <... mount resumed> )       = 0
[pid 14890] write(2, "DEBUG: ", 7DEBUG:  <unfinished ...>
[pid 14859] write(2, "DEBUG: ", 7DEBUG: )      = 7
[pid 14890] <... write resumed> )       = 7
[pid 14859] write(2, "set_effective_identity uid:0 (ch"..., 62set_effective_identity uid:0 (change: no), gid:0 (change: yes)) = 62
[pid 14890] write(2, "changing apparmor hat to mount-n"..., 55changing apparmor hat to mount-namespace-capture-helper <unfinished ...>
[pid 14859] write(2, "\n", 1
)           = 1
[pid 14859] getegid()                   = 0
[pid 14859] setresgid(-1, 0, -1)        = 0
[pid 14859] getegid()                   = 0
[pid 14859] mkdir("/media", 0755)       = -1 EEXIST (File exists)
[pid 14859] write(2, "DEBUG: ", 7DEBUG: )      = 7
[pid 14859] write(2, "set_effective_identity uid:0 (ch"..., 62set_effective_identity uid:0 (change: no), gid:0 (change: yes)) = 62
[pid 14859] write(2, "\n", 1
)           = 1
[pid 14859] getegid()                   = 0
[pid 14859] setresgid(-1, 0, -1)        = 0
[pid 14859] getegid()                   = 0
[pid 14859] write(2, "DEBUG: ", 7DEBUG: )      = 7
[pid 14859] write(2, "performing operation: (disabled)"..., 63performing operation: (disabled) use debug build to see details) = 63
[pid 14859] write(2, "\n", 1
)           = 1
[pid 14859] mount("/media", "/tmp/snap.rootfs_qGQ2Z2//media", NULL, MS_BIND|MS_REC, NULL) = 0
[pid 14859] write(2, "DEBUG: ", 7DEBUG: )      = 7
[pid 14859] write(2, "set_effective_identity uid:0 (ch"..., 62set_effective_identity uid:0 (change: no), gid:0 (change: yes)) = 62
[pid 14859] write(2, "\n", 1
)           = 1
[pid 14859] getegid()                   = 0
[pid 14859] setresgid(-1, 0, -1)        = 0
[pid 14859] getegid()                   = 0
[pid 14859] mkdir("/run/netns", 0755)   = -1 EEXIST (File exists)
[pid 14859] write(2, "DEBUG: ", 7DEBUG: )      = 7
[pid 14859] write(2, "set_effective_identity uid:0 (ch"..., 62set_effective_identity uid:0 (change: no), gid:0 (change: yes)) = 62
[pid 14859] write(2, "\n", 1
)           = 1
[pid 14859] getegid()                   = 0
[pid 14859] setresgid(-1, 0, -1)        = 0
[pid 14859] getegid()                   = 0
[pid 14859] write(2, "DEBUG: ", 7DEBUG: )      = 7
[pid 14859] write(2, "performing operation: (disabled)"..., 63performing operation: (disabled) use debug build to see details) = 63
[pid 14859] write(2, "\n", 1
)           = 1
[pid 14859] mount("/run/netns", "/tmp/snap.rootfs_qGQ2Z2//run/netns", NULL, MS_BIND|MS_REC, NULL) = 0
[pid 14859] write(2, "DEBUG: ", 7DEBUG: )      = 7
[pid 14859] write(2, "set_effective_identity uid:0 (ch"..., 62set_effective_identity uid:0 (change: no), gid:0 (change: yes)) = 62
[pid 14859] write(2, "\n", 1
)           = 1
[pid 14859] getegid()                   = 0
[pid 14859] setresgid(-1, 0, -1)        = 0
[pid 14859] getegid()                   = 0
[pid 14859] mkdir("/var/lib/snapd/hostfs", 0755) = -1 EEXIST (File exists)
[pid 14859] write(2, "DEBUG: ", 7DEBUG: )      = 7
[pid 14859] write(2, "set_effective_identity uid:0 (ch"..., 62set_effective_identity uid:0 (change: no), gid:0 (change: yes)) = 62
[pid 14859] write(2, "\n", 1
)           = 1
[pid 14859] getegid()                   = 0
[pid 14859] setresgid(-1, 0, -1)        = 0
[pid 14859] getegid()                   = 0
[pid 14859] stat("/var/lib/snapd/hostfs", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
[pid 14859] write(2, "DEBUG: ", 7DEBUG: )      = 7
[pid 14859] write(2, "performing operation: (disabled)"..., 63performing operation: (disabled) use debug build to see details) = 63
[pid 14859] write(2, "\n", 1
)           = 1
[pid 14859] mount("/tmp/snap.rootfs_qGQ2Z2//var/lib/snapd/hostfs", "/tmp/snap.rootfs_qGQ2Z2//var/lib/snapd/hostfs", NULL, MS_BIND, NULL) = 0
[pid 14859] write(2, "DEBUG: ", 7DEBUG: )      = 7
[pid 14859] write(2, "performing operation: (disabled)"..., 63performing operation: (disabled) use debug build to see details) = 63
[pid 14859] write(2, "\n", 1
)           = 1
[pid 14859] mount("none", "/tmp/snap.rootfs_qGQ2Z2//var/lib/snapd/hostfs", NULL, MS_PRIVATE, NULL) = 0
[pid 14859] write(2, "DEBUG: ", 7DEBUG: )      = 7
[pid 14859] write(2, "performing operation: pivot_root"..., 102performing operation: pivot_root /tmp/snap.rootfs_qGQ2Z2 /tmp/snap.rootfs_qGQ2Z2//var/lib/snapd/hostfs) = 102
[pid 14859] write(2, "\n", 1
)           = 1
[pid 14859] pivot_root("/tmp/snap.rootfs_qGQ2Z2", "/tmp/snap.rootfs_qGQ2Z2//var/lib/snapd/hostfs") = 0
[pid 14859] write(2, "DEBUG: ", 7DEBUG: )      = 7
[pid 14859] write(2, "performing operation: (disabled)"..., 63performing operation: (disabled) use debug build to see details) = 63
[pid 14859] write(2, "\n", 1
)           = 1
[pid 14859] umount2("/var/lib/snapd/hostfs//tmp/snap.rootfs_qGQ2Z2", UMOUNT_NOFOLLOW <unfinished ...>
[pid 14890] <... write resumed> )       = 55
[pid 14890] write(2, "\n", 1
)           = 1
[pid 14890] open("/proc/14890/attr/current", O_WRONLY) = 9
[pid 14890] write(9, "changehat 0000000000000000^mount"..., 57) = 57
[pid 14890] close(9)                    = 0
[pid 14890] prctl(PR_SET_PDEATHSIG, SIGINT) = 0
[pid 14890] kill(14859, SIG_0)          = 0
[pid 14890] fchdir(4)                   = 0
[pid 14890] write(2, "DEBUG: ", 7DEBUG:  <unfinished ...>
[pid 14859] <... umount2 resumed> )     = 0
[pid 14859] write(2, "DEBUG: ", 7DEBUG: )      = 7
[pid 14859] write(2, "performing operation: rmdir /var"..., 73performing operation: rmdir /var/lib/snapd/hostfs//tmp/snap.rootfs_qGQ2Z2) = 73
[pid 14859] write(2, "\n", 1
)           = 1
[pid 14859] rmdir("/tmp/snap.rootfs_qGQ2Z2") = 0
[pid 14859] write(2, "DEBUG: ", 7DEBUG: )      = 7
[pid 14859] write(2, "performing operation: (disabled)"..., 63performing operation: (disabled) use debug build to see details) = 63
[pid 14859] write(2, "\n", 1
)           = 1
[pid 14859] mount("none", "/var/lib/snapd/hostfs", NULL, MS_REC|MS_SLAVE, NULL) = 0
[pid 14859] write(2, "DEBUG: ", 7DEBUG: )      = 7
[pid 14859] write(2, "performing operation: (disabled)"..., 63performing operation: (disabled) use debug build to see details) = 63
[pid 14859] write(2, "\n", 1
)           = 1
[pid 14859] umount2("/var/lib/snapd/hostfs/sys", MNT_DETACH|UMOUNT_NOFOLLOW <unfinished ...>
[pid 14890] <... write resumed> )       = 7
[pid 14890] write(2, "helper process waiting for comma"..., 34helper process waiting for command) = 34
[pid 14890] write(2, "\n", 1
)           = 1
[pid 14890] rt_sigaction(SIGALRM, {sa_handler=0x40c6c0, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fd85644f390}, NULL, 8) = 0
[pid 14890] alarm(30)                   = 0
[pid 14890] write(2, "DEBUG: ", 7DEBUG: )      = 7
[pid 14890] write(2, "sanity timeout initialized and s"..., 49sanity timeout initialized and set for 30 seconds) = 49
[pid 14890] write(2, "\n", 1
)           = 1
[pid 14890] read(8,  <unfinished ...>
[pid 14859] <... umount2 resumed> )     = 0
[pid 14859] write(2, "DEBUG: ", 7DEBUG: )      = 7
[pid 14859] write(2, "performing operation: (disabled)"..., 63performing operation: (disabled) use debug build to see details) = 63
[pid 14859] write(2, "\n", 1
)           = 1
[pid 14859] umount2("/var/lib/snapd/hostfs/dev", MNT_DETACH|UMOUNT_NOFOLLOW) = 0
[pid 14859] write(2, "DEBUG: ", 7DEBUG: )      = 7
[pid 14859] write(2, "performing operation: (disabled)"..., 63performing operation: (disabled) use debug build to see details) = 63
[pid 14859] write(2, "\n", 1
)           = 1
[pid 14859] umount2("/var/lib/snapd/hostfs/proc", MNT_DETACH|UMOUNT_NOFOLLOW) = 0
[pid 14859] write(2, "DEBUG: ", 7DEBUG: )      = 7
[pid 14859] write(2, "detaching /var/lib/snapd/hostfs/"..., 40detaching /var/lib/snapd/hostfs/writable) = 40
[pid 14859] write(2, "\n", 1
)           = 1
[pid 14859] write(2, "DEBUG: ", 7DEBUG: )      = 7
[pid 14859] write(2, "performing operation: (disabled)"..., 63performing operation: (disabled) use debug build to see details) = 63
[pid 14859] write(2, "\n", 1
)           = 1
[pid 14859] mount("none", "/var/lib/snapd/hostfs/writable", NULL, MS_REC|MS_PRIVATE, NULL) = 0
[pid 14859] write(2, "DEBUG: ", 7DEBUG: )      = 7
[pid 14859] write(2, "performing operation: (disabled)"..., 63performing operation: (disabled) use debug build to see details) = 63
[pid 14859] write(2, "\n", 1
)           = 1
[pid 14859] umount2("/var/lib/snapd/hostfs/writable", MNT_DETACH|UMOUNT_NOFOLLOW) = 0
[pid 14859] write(2, "DEBUG: ", 7DEBUG: )      = 7
[pid 14859] write(2, "detaching /writable", 19detaching /writable) = 19
[pid 14859] write(2, "\n", 1
)           = 1
[pid 14859] write(2, "DEBUG: ", 7DEBUG: )      = 7
[pid 14859] write(2, "performing operation: (disabled)"..., 63performing operation: (disabled) use debug build to see details) = 63
[pid 14859] write(2, "\n", 1
)           = 1
[pid 14859] mount("none", "/writable", NULL, MS_REC|MS_PRIVATE, NULL) = 0
[pid 14859] write(2, "DEBUG: ", 7DEBUG: )      = 7
[pid 14859] write(2, "performing operation: (disabled)"..., 63performing operation: (disabled) use debug build to see details) = 63
[pid 14859] write(2, "\n", 1
)           = 1
[pid 14859] umount2("/writable", MNT_DETACH|UMOUNT_NOFOLLOW) = 0
[pid 14859] write(2, "DEBUG: ", 7DEBUG: )      = 7
[pid 14859] write(2, "set_effective_identity uid:0 (ch"..., 62set_effective_identity uid:0 (change: no), gid:0 (change: yes)) = 62
[pid 14859] write(2, "\n", 1
)           = 1
[pid 14859] getegid()                   = 0
[pid 14859] setresgid(-1, 0, -1)        = 0
[pid 14859] getegid()                   = 0
[pid 14859] mkdir("/tmp/snap-private-tmp", 0700) = -1 EEXIST (File exists)
[pid 14859] open("/tmp/snap-private-tmp", O_RDONLY|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC) = -1 EACCES (Permission denied)
[pid 14859] write(2, "cannot open /tmp/snap-private-tm"..., 33cannot open /tmp/snap-private-tmp) = 33
[pid 14859] write(2, ": Permission denied\n", 20: Permission denied
) = 20
[pid 14859] exit_group(1)               = ?
[pid 14859] +++ exited with 1 +++
<... read resumed> "", 4)               = 0
--- SIGINT {si_signo=SIGINT, si_code=SI_USER, si_pid=14859, si_uid=0} ---
+++ killed by SIGINT +++
error: exit status 1

I see snap-private-tmp directory is created with necessary permissions.

$ sudo ls -ld /tmp/snap-private-tmp/
drwx------ 2 root root 40 Dec 20 10:43 /tmp/snap-private-tmp/

dhoomakethu · January 13, 2023, 4:51pm

Still facing this issue every once in a while, a reboot would still get the snaps to unusable state!!.

m4rkw · February 7, 2023, 12:33pm

This is caused by dpkg upgrading snap and you haven’t run the dkpg thing to install the new package files, specifically there’s a new apparmor profile for /usr/lib/snapd/snap-confine. See my post here for the fix:

https://askubuntu.com/questions/1420959/cant-launch-chromium-from-snap/1453902#1453902

basically just:

sudo mv -f usr.lib.snapd.snap-confine.real.dpkg-new /etc/apparmor.d/usr.lib.snapd.snap-confine.real
sudo systemctl restart apparmor