[apparmor] Snaps are blocked by Apparmor on Ubuntu 22.04
Sonixxfx
sonixxfx at gmail.com
Wed Nov 16 08:57:11 UTC 2022
On Tue, 15 Nov 2022 at 23:53, John Johansen <
john.johansen at canonical.com> wrote:
> On 11/15/22 10:08, Sonixxfx wrote:
> > On Tue, 15 Nov 2022 at 18:06, John Johansen <
> > john.johansen at canonical.com> wrote:
> >
> > On 11/15/22 06:30, Sonixxfx wrote:
> > > Hi,
> > >
> > > I was trying Apparmor today, but now my snaps won't run anymore.
> > > I have tried a couple of things to solve it, including disabling Apparmor,
> > > but it didn't help.
> > > When I try to start Brave for example dmesg shows me:
> > >
> >
> > how did you disable apparmor?
> >
> > systemctl disable apparmor
> >
> > or
> >
> > systemctl disable snapd.apparmor
> >
> > or
> >
> > systemctl stop apparmor
> >
> > or did you edit /etc/grub/defaults
> >
> >
> > I ran
> >
> > sudo systemctl stop apparmor.service
> >
> this will unload policy and make everything unconfined until reboot or the
> service is started again. It is important to note that restarting the
> service will NOT re-confine applications that are unconfined. They must be
> restarted.
>
> > to disable Apparmor.
> >
> > I ran
> >
> > sudo systemctl disable apparmor.service
> >
> > to unload the kernel module.
>
> this does not unload the kernel module, as apparmor is built into the
> kernel. At this time there is no option to make any of the LSMs loadable
> modules. What this does is partially disable systemd services that load
> policy/manage state.
>
> Partially because it only does late stage service disabling; there is an
> early stage that can still run (not used by default on Ubuntu) and this can
> really mess up your system.
> >
> >
> > Should I have run:
> >
> > sudo systemctl disable snapd.apparmor ?
> >
>
> no, the only safe way to disable apparmor is to set apparmor=0 as a kernel
> parameter. You can do this temporarily in grub when booting, or in
> /etc/defaults/grub and then update-grub
>
>
>
Okay, thanks.
> > > brave_brave.desktop[9095]: snap-confine has elevated permissions
> > > and is not confined but should be. Refusing to continue to avoid permission
> > > escalation attacks
> > > brave_brave.desktop[9095]: Please make sure that the
> > > snapd.apparmor service is enabled and started.
> > >
> > > These messages are also shown when I have Apparmor enabled and
> > > started.
> > >
> >
> > what does aa-status return?
> >
> >
> > I have already reinstalled my OS, sorry. But I am curious what you
> > answer to my question.
> >
> > > Can someone tell me how I can resolve this?
> > >
> >
> > so snaps by-pass the apparmor userspace service and only use the
> > kernel component. They run their own service to manage snap confinement.
> > What do you get for
> >
> > systemctl status snapd.apparmor
> >
> >
> > and of course if it is not running you can do
> >
> > systemctl start snapd.apparmor
> >
> > or make sure it runs after reboot
> >
> > systemctl enable snapd.apparmor
> >
> >
> > Thanks for the info 😃
>
>
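One way to tell which of the states discussed in this thread a machine is in, as an added shell example that is not from the thread, from AppArmor or from snapd: it reads the kernel's AppArmor flag in sysfs, /proc/cmdline, the loaded-profile list and the snapd.apparmor unit state, and assumes snapd's profile name contains "snap-confine". The checks take those values as arguments, so they can also be exercised with constructed input.

```shell
#!/bin/sh
# Added diagnostic (not from the thread, AppArmor or snapd): classifies a
# snap-confine refusal from the kernel AppArmor flag, the kernel command line,
# the loaded-profile list and the snapd.apparmor unit state.
# Assumption: snapd's profile name contains "snap-confine".

# 0 if the kernel reports AppArmor enabled (file content "Y"), 1 otherwise.
aa_kernel_enabled() { [ "$1" = "Y" ]; }

# 0 if the kernel command line carries apparmor=0 (the supported way to disable it).
cmdline_disables_apparmor() {
    case " $1 " in *" apparmor=0 "*) return 0 ;; *) return 1 ;; esac
}

# 0 if the profile list (/sys/kernel/security/apparmor/profiles) has an
# enforcing snap-confine profile, 1 if policy for it is not loaded.
snap_confine_profile_loaded() {
    printf '%s\n' "$1" | grep -q 'snap-confine[^(]*(enforce)'
}

# Combine the observations into one verdict.
# $1 kernel flag  $2 /proc/cmdline  $3 profile list  $4 snapd.apparmor state
diagnose() {
    if ! aa_kernel_enabled "$1"; then
        if cmdline_disables_apparmor "$2"; then
            echo "apparmor-off-by-cmdline"
        else
            echo "apparmor-off-unexpected"   # not disabled via a kernel parameter
        fi
        return 0
    fi
    if snap_confine_profile_loaded "$3"; then
        echo "ok"                           # confinement in place, no refusal
    elif [ "$4" = "active" ]; then
        echo "policy-unloaded"              # e.g. after stopping apparmor.service;
    else                                    # restarting snapd.apparmor reloads it
        echo "snapd-apparmor-inactive"      # start and enable snapd.apparmor
    fi
}

# Read the live system; used when invoked as:  sh snapcheck.sh --live
run_live() {
    flag=$(cat /sys/module/apparmor/parameters/enabled 2>/dev/null || echo N)
    cmdline=$(cat /proc/cmdline 2>/dev/null || true)
    profiles=$(cat /sys/kernel/security/apparmor/profiles 2>/dev/null || true)
    state=$(systemctl is-active snapd.apparmor 2>/dev/null) || state=inactive
    diagnose "$flag" "$cmdline" "$profiles" "$state"
}

if [ "${1:-}" = "--live" ]; then run_live; fi
```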