[apparmor] Snaps are blocked by Apparmor on Ubuntu 22.04

John Johansen john.johansen at canonical.com
Tue Nov 15 22:55:16 UTC 2022


On 11/15/22 13:23, Sonixxfx wrote:
> On Tue 15 Nov 2022 at 19:08, Sonixxfx <sonixxfx at gmail.com> wrote:
> 
> Sorry for mailing to you directly John.
> 
>     On Tue 15 Nov 2022 at 18:06, John Johansen <john.johansen at canonical.com> wrote:
> 
>         On 11/15/22 06:30, Sonixxfx wrote:
>          > Hi,
>          >
>          > I was trying Apparmor today, but now my snaps won't run anymore. I have tried a couple of things to solve it, including disabling Apparmor, but it didn't help.
>          > When I try to start Brave for example dmesg shows me:
>          >
> 
>         how did you disable apparmor?
> 
>         systemctl disable apparmor
> 
>         or
> 
>         systemctl disable snapd.apparmor
> 
>         or
> 
>         systemctl stop apparmor
> 
>         or did you edit /etc/grub/defaults
> 
> 
>     I ran
> 
>     sudo systemctl stop apparmor.service
> 
this will unload policy and make everything unconfined until reboot or the service is started again. It is important to note that restarting the service will NOT re-confine applications that are unconfined. They must be restarted.

>     to disable Apparmor.
> 
>     I ran
> 
>     sudo systemctl disable apparmor.service
> 
>     to unload the kernel module.

this does not unload the kernel module, as apparmor is built into the kernel. At this time there is no option to make any of the LSMs loadable modules. What this does is partially disable the systemd services that load policy/manage state.

Partially, because it only disables the late-stage service; there is an early-stage one that can still run (not used by default on Ubuntu), and this can really mess up your system.

> 
> 
>     Should I have run:
> 
>     sudo systemctl disable snapd.apparmor ?
> 
No, the only safe way to disable apparmor is to set apparmor=0 as a kernel parameter. You can do this temporarily in grub when booting, or in /etc/defaults/grub and then update-grub.

>          > brave_brave.desktop[9095]: snap-confine has elevated permissions and is not confined but should be. Refusing to continue to avoid permission escalation attacks
>          > brave_brave.desktop[9095]: Please make sure that the snapd.apparmor service is enabled and started.
>          >
>          > These messages are also shown when I have Apparmor enabled and started.
>          >
> 
>         what does aa-status return?
> 
> 
>     I have already reinstalled my OS, sorry. But I am curious what you answer to my question.
> 
>          > Can someone tell me how I can resolve this?
>          >
> 
>         so snaps bypass the apparmor userspace service and only use the kernel component. They run their own service to manage snap confinement. What do you get for
> 
>         systemctl status snapd.apparmor
> 
> 
>         and of course if it is not running you can do
> 
>         systemctl start snapd.apparmor
> 
>         or make sure it runs after reboot
> 
>         systemctl enable snapd.apparmor
> 
> 
>     Thanks for the info 😃
> 

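A diagnostic script for the situation discussed in this thread, added here as an example and not part of the original mail or of snapd/apparmor: it classifies the kernel-side AppArmor state from the standard /proc and /sys paths (assumed to be the usual Linux locations) and maps that, together with the snapd.apparmor service state, to the advice John gives above. The file paths are passed as arguments so the classifier can be exercised on constructed files.

```shell
#!/bin/sh
# Added example: why "snap-confine ... is not confined but should be" appears.
# Paths are the standard ones; the advice strings mirror the answers in the thread.

# classify_apparmor CMDLINE ENABLED_PARAM LSM_LIST
# Prints: kernel-param-off | not-initialised | enabled | disabled | unknown
classify_apparmor() {
    # apparmor=0 on the kernel command line is the only safe way to turn it off
    if [ -r "$1" ] && grep -Eq '(^|[[:space:]])apparmor=0([[:space:]]|$)' "$1"; then
        echo kernel-param-off; return
    fi
    # /sys/kernel/security/lsm lists the LSMs the running kernel initialised
    if [ -r "$3" ] && ! grep -q apparmor "$3"; then
        echo not-initialised; return
    fi
    # /sys/module/apparmor/parameters/enabled reads Y or N
    if [ -r "$2" ]; then
        case "$(cat "$2")" in
            Y) echo enabled ;;
            N) echo disabled ;;
            *) echo unknown ;;
        esac
        return
    fi
    echo unknown
}

# snap_advice AA_STATE SNAPD_APPARMOR_STATE   (service state: active/inactive)
snap_advice() {
    case "$1:$2" in
        kernel-param-off:*) echo "apparmor=0 is set: remove it from the kernel command line and reboot" ;;
        enabled:active)     echo "confinement is loaded; restart the snap, since stopping apparmor.service leaves running processes unconfined until they restart" ;;
        enabled:*)          echo "run: systemctl start snapd.apparmor && systemctl enable snapd.apparmor" ;;
        *)                  echo "AppArmor is not active in the kernel ($1); snapd cannot confine snaps, reboot with AppArmor enabled" ;;
    esac
}

main() {
    state=$(classify_apparmor /proc/cmdline \
            /sys/module/apparmor/parameters/enabled /sys/kernel/security/lsm)
    svc=inactive
    if command -v systemctl >/dev/null 2>&1; then
        svc=$(systemctl is-active snapd.apparmor 2>/dev/null || true)
    fi
    echo "apparmor: $state, snapd.apparmor: ${svc:-unknown}"
    snap_advice "$state" "$svc"
}
main
```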