Good tip, that tool does seem to give more tangible advice. It unfortunately does say a LOT.
13:29 jannek@ubuntu-20-04:~$ snappy-debug
INFO: Following '/var/log/syslog'. If have dropped messages, use:
INFO: $ sudo journalctl --output=short --follow --all | sudo snappy-debug
= AppArmor =
Time: Mar 31 13:52:33
Log: apparmor="DENIED" operation="connect" profile="snap.pelion-edge.edge-core" name="/run/snapd.socket" pid=139799 comm="curl" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
File: /run/snapd.socket (write)
= AppArmor =
Time: Mar 31 13:52:34
Log: apparmor="DENIED" operation="connect" profile="snap.pelion-edge.edge-core" name="/run/snapd.socket" pid=139832 comm="curl" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
File: /run/snapd.socket (write)
= AppArmor =
Time: Mar 31 13:52:34
Log: apparmor="DENIED" operation="open" profile="snap.pelion-edge.edge-core" name="/proc/139837/mountinfo" pid=139837 comm="df" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /proc/139837/mountinfo (read)
Suggestions:
* adjust program to not access '@{PROC}/@{pid}/mountinfo'
* add one of 'mount-control, mount-observe, steam-support' to 'plugs'
= AppArmor =
Time: Mar 31 13:52:34
Log: apparmor="DENIED" operation="open" profile="snap.pelion-edge.edge-core" name="/proc/139837/mounts" pid=139837 comm="df" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /proc/139837/mounts (read)
Suggestions:
* adjust program to not access '@{PROC}/@{pid}/mounts'
* add one of 'mount-control, mount-observe, network-control, steam-support' to 'plugs'
= AppArmor =
Time: Mar 31 13:52:35
Log: apparmor="DENIED" operation="open" profile="snap.pelion-edge.dockerd" name="/proc/139347/uid_map" pid=139347 comm="dockerd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /proc/139347/uid_map (read)
Suggestions:
* adjust program to not access '@{PROC}/@{pid}/uid_map'
* add 'steam-support' to 'plugs'
= AppArmor =
Time: Mar 31 13:52:35
Log: apparmor="DENIED" operation="open" profile="snap.pelion-edge.dockerd" name="/proc/139347/mountinfo" pid=139347 comm="dockerd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /proc/139347/mountinfo (read)
Suggestions:
* adjust program to not access '@{PROC}/@{pid}/mountinfo'
* add one of 'mount-control, mount-observe, steam-support' to 'plugs'
= Seccomp =
Time: Mar 31 13:52:35
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 subj=snap.pelion-edge.dockerd pid=139347 comm="dockerd" exe="/snap/pelion-edge/x1/bin/dockerd" sig=0 arch=c000003e 260(fchownat) compat=0 ip=0x563293deba4a code=0x50000
Syscall: fchownat
Suggestions:
* don't copy ownership of files (eg, use 'cp -r --preserve=mode' instead of 'cp -a')
* try the snapcraft preload plugin: https://github.com/sergiusens/snapcraft-preload
* adjust program to not use 'fchownat'
* ignore the denial if the program otherwise works correctly (unconditial chown is often just noise)
= Seccomp =
Time: Mar 31 13:52:36
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 subj=snap.pelion-edge.dockerd pid=139879 comm="mount" exe="/snap/pelion-edge/x1/bin/mount" sig=0 arch=c000003e 165(mount) compat=0 ip=0x7f7688369c7e code=0x50000
Syscall: mount
Suggestion:
* add one of 'cifs-mount, fuse-support, mount-control, network-control, steam-support' to 'plugs'
= AppArmor =
Time: Mar 31 13:52:36
Log: apparmor="DENIED" operation="open" profile="snap.pelion-edge.dockerd" name="/run/mount/utab" pid=139880 comm="umount" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /run/mount/utab (read)
Suggestions:
* adjust program to use $SNAP_DATA
* adjust program to use /run/shm/snap.$SNAP_NAME.*
* adjust program to use /run/snap.$SNAP_NAME.*
* adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)
* add 'mount-observe' to 'plugs'
= Seccomp =
Time: Mar 31 13:52:36
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 subj=snap.pelion-edge.dockerd pid=139880 comm="umount" exe="/snap/pelion-edge/x1/bin/umount" sig=0 arch=c000003e 166(umount2) compat=0 ip=0x7f818574916b code=0x50000
Syscall: umount2
Suggestion:
* add one of 'cifs-mount, mount-control, network-control, steam-support' to 'plugs'
= AppArmor =
Time: Mar 31 13:52:42
Log: apparmor="DENIED" operation="open" profile="snap.pelion-edge.fluent-bit" name="/run/log/journal/" pid=140264 comm="flb-pipeline" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /run/log/journal/ (read)
Suggestions:
* adjust program to use $SNAP_DATA
* adjust program to use /run/shm/snap.$SNAP_NAME.*
* adjust program to use /run/snap.$SNAP_NAME.*
* adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)
* add 'log-observe' to 'plugs'
= AppArmor =
Time: Mar 31 13:52:42
Log: apparmor="DENIED" operation="open" profile="snap.pelion-edge.fluent-bit" name="/var/log/journal/" pid=140264 comm="flb-pipeline" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /var/log/journal/ (read)
Suggestions:
* adjust program to read necessary files from $SNAP, $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON
* add 'log-observe' to 'plugs'
= AppArmor =
Time: Mar 31 13:52:42
Log: apparmor="DENIED" operation="open" profile="snap.pelion-edge.fluent-bit" name="/run/log/journal/" pid=140264 comm="flb-pipeline" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /run/log/journal/ (read)
Suggestions:
* adjust program to use $SNAP_DATA
* adjust program to use /run/shm/snap.$SNAP_NAME.*
* adjust program to use /run/snap.$SNAP_NAME.*
* adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)
* add 'log-observe' to 'plugs'
= AppArmor =
Time: Mar 31 13:52:42
Log: apparmor="DENIED" operation="open" profile="snap.pelion-edge.fluent-bit" name="/var/log/journal/" pid=140264 comm="flb-pipeline" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /var/log/journal/ (read)
Suggestions:
* adjust program to read necessary files from $SNAP, $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON
* add 'log-observe' to 'plugs'
= AppArmor =
Time: Mar 31 13:52:42
Log: apparmor="DENIED" operation="open" profile="snap.pelion-edge.fluent-bit" name="/run/log/journal/" pid=140264 comm="flb-pipeline" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /run/log/journal/ (read)
Suggestions:
* adjust program to use $SNAP_DATA
* adjust program to use /run/shm/snap.$SNAP_NAME.*
* adjust program to use /run/snap.$SNAP_NAME.*
* adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)
* add 'log-observe' to 'plugs'
= AppArmor =
Time: Mar 31 13:52:42
Log: apparmor="DENIED" operation="open" profile="snap.pelion-edge.fluent-bit" name="/var/log/journal/" pid=140264 comm="flb-pipeline" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /var/log/journal/ (read)
Suggestions:
* adjust program to read necessary files from $SNAP, $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON
* add 'log-observe' to 'plugs'
= AppArmor =
Time: Mar 31 13:52:42
Log: apparmor="DENIED" operation="open" profile="snap.pelion-edge.fluent-bit" name="/run/log/journal/" pid=140264 comm="flb-pipeline" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /run/log/journal/ (read)
Suggestions:
* adjust program to use $SNAP_DATA
* adjust program to use /run/shm/snap.$SNAP_NAME.*
* adjust program to use /run/snap.$SNAP_NAME.*
* adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)
* add 'log-observe' to 'plugs'
= AppArmor =
Time: Mar 31 13:52:42
Log: apparmor="DENIED" operation="open" profile="snap.pelion-edge.fluent-bit" name="/var/log/journal/" pid=140264 comm="flb-pipeline" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /var/log/journal/ (read)
Suggestions:
* adjust program to read necessary files from $SNAP, $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON
* add 'log-observe' to 'plugs'
= AppArmor =
Time: Mar 31 13:52:42
Log: apparmor="DENIED" operation="open" profile="snap.pelion-edge.fluent-bit" name="/run/log/journal/" pid=140264 comm="flb-pipeline" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /run/log/journal/ (read)
Suggestions:
* adjust program to use $SNAP_DATA
* adjust program to use /run/shm/snap.$SNAP_NAME.*
* adjust program to use /run/snap.$SNAP_NAME.*
* adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)
* add 'log-observe' to 'plugs'
= AppArmor =
Time: Mar 31 13:52:42
Log: apparmor="DENIED" operation="open" profile="snap.pelion-edge.fluent-bit" name="/var/log/journal/" pid=140264 comm="flb-pipeline" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /var/log/journal/ (read)
Suggestions:
* adjust program to read necessary files from $SNAP, $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON
* add 'log-observe' to 'plugs'
= AppArmor =
Time: Mar 31 13:52:56
Log: apparmor="DENIED" operation="open" profile="snap.pelion-edge.edge-core" name="/proc/140491/mountinfo" pid=140491 comm="df" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /proc/140491/mountinfo (read)
Suggestions:
* adjust program to not access '@{PROC}/@{pid}/mountinfo'
* add one of 'mount-control, mount-observe, steam-support' to 'plugs'
= AppArmor =
Time: Mar 31 13:52:56
Log: apparmor="DENIED" operation="open" profile="snap.pelion-edge.edge-core" name="/proc/140491/mounts" pid=140491 comm="df" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /proc/140491/mounts (read)
Suggestions:
* adjust program to not access '@{PROC}/@{pid}/mounts'
* add one of 'mount-control, mount-observe, network-control, steam-support' to 'plugs'
= AppArmor =
Time: Mar 31 13:53:06
Log: apparmor="DENIED" operation="open" profile="snap.pelion-edge.edge-core" name="/proc/140594/mountinfo" pid=140594 comm="df" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /proc/140594/mountinfo (read)
Suggestions:
* adjust program to not access '@{PROC}/@{pid}/mountinfo'
* add one of 'mount-control, mount-observe, steam-support' to 'plugs'
= AppArmor =
Time: Mar 31 13:53:06
Log: apparmor="DENIED" operation="open" profile="snap.pelion-edge.edge-core" name="/proc/140594/mounts" pid=140594 comm="df" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /proc/140594/mounts (read)
Suggestions:
* adjust program to not access '@{PROC}/@{pid}/mounts'
* add one of 'mount-control, mount-observe, network-control, steam-support' to 'plugs'
= AppArmor =
Time: Mar 31 13:53:16
Log: apparmor="DENIED" operation="open" profile="snap.pelion-edge.edge-core" name="/proc/140698/mountinfo" pid=140698 comm="df" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /proc/140698/mountinfo (read)
Suggestions:
* adjust program to not access '@{PROC}/@{pid}/mountinfo'
* add one of 'mount-control, mount-observe, steam-support' to 'plugs'
= AppArmor =
Time: Mar 31 13:53:16
Log: apparmor="DENIED" operation="open" profile="snap.pelion-edge.edge-core" name="/proc/140698/mounts" pid=140698 comm="df" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /proc/140698/mounts (read)
Suggestions:
* adjust program to not access '@{PROC}/@{pid}/mounts'
* add one of 'mount-control, mount-observe, network-control, steam-support' to 'plugs'
= AppArmor =
Time: Mar 31 13:53:26
Log: apparmor="DENIED" operation="open" profile="snap.pelion-edge.edge-core" name="/proc/140789/mountinfo" pid=140789 comm="df" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /proc/140789/mountinfo (read)
Suggestions:
* adjust program to not access '@{PROC}/@{pid}/mountinfo'
* add one of 'mount-control, mount-observe, steam-support' to 'plugs'
= AppArmor =
Time: Mar 31 13:53:26
Log: apparmor="DENIED" operation="open" profile="snap.pelion-edge.edge-core" name="/proc/140789/mounts" pid=140789 comm="df" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /proc/140789/mounts (read)
Suggestions:
* adjust program to not access '@{PROC}/@{pid}/mounts'
* add one of 'mount-control, mount-observe, network-control, steam-support' to 'plugs'
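An added example (not part of the original post and not snappy-debug's own code): a short Python summarizer that collapses repeated reports like the ones above into one entry per distinct denial, with the candidate plugs snappy-debug listed for it. The function name `summarize` and the embedded three-report sample are constructed for illustration, using values from the log above.

```python
import re

# Constructed sample: three reports in the layout snappy-debug prints.
SAMPLE = '''\
= AppArmor =
Time: Mar 31 13:52:34
Log: apparmor="DENIED" operation="open" profile="snap.pelion-edge.edge-core" name="/proc/139837/mountinfo" pid=139837 comm="df" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /proc/139837/mountinfo (read)
Suggestions:
* adjust program to not access '@{PROC}/@{pid}/mountinfo'
* add one of 'mount-control, mount-observe, steam-support' to 'plugs'
= AppArmor =
Time: Mar 31 13:52:56
Log: apparmor="DENIED" operation="open" profile="snap.pelion-edge.edge-core" name="/proc/140491/mountinfo" pid=140491 comm="df" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /proc/140491/mountinfo (read)
Suggestions:
* adjust program to not access '@{PROC}/@{pid}/mountinfo'
* add one of 'mount-control, mount-observe, steam-support' to 'plugs'
= Seccomp =
Time: Mar 31 13:52:36
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 subj=snap.pelion-edge.dockerd pid=139879 comm="mount" exe="/snap/pelion-edge/x1/bin/mount" sig=0 arch=c000003e 165(mount) compat=0 ip=0x7f7688369c7e code=0x50000
Syscall: mount
Suggestion:
* add one of 'cifs-mount, fuse-support, mount-control, network-control, steam-support' to 'plugs'
'''

def summarize(text):
    """Collapse repeated denials: {(profile, comm, what): [count, plugs]}."""
    out = {}
    # Each report starts with a '= AppArmor =' or '= Seccomp =' header line.
    for block in re.split(r"(?m)^= (?:AppArmor|Seccomp) =\n", text)[1:]:
        prof = re.search(r'(?:profile="|subj=)([^"\s]+)', block)
        comm = re.search(r'comm="([^"]+)"', block)
        what = re.search(r"(?m)^(?:File|Syscall): (.+)$", block)
        if not (prof and comm and what):
            continue  # incomplete report, e.g. a truncated paste
        # PIDs differ on every run; fold them so repeats compare equal.
        res = re.sub(r"^/proc/\d+/", "@{PROC}/@{pid}/", what.group(1))
        entry = out.setdefault((prof.group(1), comm.group(1), res), [0, set()])
        entry[0] += 1
        for names in re.findall(r"\* add (?:one of )?'([^']+)' to 'plugs'", block):
            entry[1].update(n.strip() for n in names.split(","))
    return out

if __name__ == "__main__":
    for (prof, comm, res), (n, plugs) in summarize(SAMPLE).items():
        print(f"{n:3d}x {prof} [{comm}] {res} -> {', '.join(sorted(plugs)) or '-'}")
```

To run it over real output, pass the captured text to `summarize()` instead of `SAMPLE`; the plug names it prints are only the candidates snappy-debug suggested, not a recommendation of which one to grant.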