
I'm running snap applications on a non-Ubuntu system:

$ snap version
snap    2.30-5+b1
snapd   2.30-5+b1
series  16
pureos  
kernel  4.18.0-1-amd64

When I snap run them, some applications work, but others return this error:

cannot perform readlinkat() on the mount namespace file descriptor of the init process: Permission denied

Following suggestions at snapcraft.io, I have tried:

  • Switching to the beta core. Same error.

  • Modifying the AppArmor profile as follows:

    1. Running snap list to identify exactly which revision of core I'm using (core 16-2.35.2 r 5548)

    2. Modifying the appropriate file (/etc/apparmor.d/snap.core.5548.usr.lib.snapd.snap-confine) by adding ptrace read peer=unconfined, to the end as described.

    3. Updating AppArmor with sudo apparmor_parser -r /etc/apparmor.d/snap.core.5548.usr.lib.snapd.snap-confine

But this makes no difference. The failing applications continue to fail. What else can I do?


Notes

Confirmed step 2 with:

$ tail /etc/apparmor.d/snap.core.5548.usr.lib.snapd.snap-confine
    # from the core snap but we are already inside the constructed mount
    # namespace. Here the apparmor kernel module re-constructs the path to
    # snap-update-ns using the "hostfs" mount entry rather than the more
    # "natural" /snap mount entry but we have no control over that.  This is
    # reported as (LP: #1716339). The variants here represent different
    # locations of snap mount directory across distributions.
    /var/lib/snapd/hostfs/{,var/lib/snapd/}snap/core/*/usr/lib/snapd/snap-update-ns r,

    ptrace read peer=unconfined,
}
lofidevops

1 Answer


Making the following additional changes resolved the issue. These steps didn't work for another user on the snapcraft thread, but they did work for me. I'm not sure if any of the previous changes are in fact unnecessary.

  1. Modify /etc/apparmor.d/usr.lib.snapd.snap-confine.real by adding ptrace read peer=unconfined, at the end, as follows:

    $ tail /etc/apparmor.d/usr.lib.snapd.snap-confine.real
            # But we don't want anyone to touch /snap/bin
            audit deny mount /snap/bin/** -> /**,
            audit deny mount /** -> /snap/bin/**,
    
            # Allow the content interface to bind fonts from the host filesystem
            mount options=(ro bind) /var/lib/snapd/hostfs/usr/share/fonts/ -> /snap/*/*/**,
        }
    
        ptrace read peer=unconfined,
    }
    
  2. sudo apparmor_parser -r /etc/apparmor.d/*snap-confine*

lofidevops
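The two steps above (edit the profile, then apparmor_parser -r) are easy to get slightly wrong by hand: the rule has to land inside the outer profile's closing brace, not after it, and the snap.core.<rev> profile is regenerated for every new core revision, so the edit has to be repeated. The script below is an added example, not part of the question or answer and not snapd's own tooling. It inserts `ptrace read peer=unconfined,` (the permission snap-confine needs to read /proc/1/ns/mnt, the readlinkat() the error message complains about) idempotently into each profile and reloads it. It assumes the profile layout shown in the question: the outer profile closes on the last unindented `}` in the file and any child profile (snap-update-ns) closes on an indented `}`. The `--apply` flag, the helper names and the backup location are the example's own choices.

```shell
#!/bin/sh
# Added example (not from the original post): apply the "ptrace read
# peer=unconfined," rule to the snap-confine AppArmor profiles idempotently,
# then reload them. Assumes the profile layout shown in the question: the
# outer profile's closing "}" is the last unindented brace in the file, and
# any child profile (snap-update-ns) closes on an indented "}".

RULE='ptrace read peer=unconfined,'

# add_ptrace_rule PROFILE
# Inserts RULE (plus a blank line) just before the outer profile's closing
# brace. Safe to re-run: does nothing if the rule is already there.
# The backup is written outside /etc/apparmor.d so that a later
# "apparmor_parser -r /etc/apparmor.d/*snap-confine*" does not also load it.
add_ptrace_rule() {
    profile=$1
    if grep -q "^[[:space:]]*$RULE" "$profile"; then
        echo "already present: $profile"
        return 0
    fi
    last=$(grep -n '^}[[:space:]]*$' "$profile" | tail -n 1 | cut -d: -f1)
    if [ -z "$last" ]; then
        echo "no outer closing brace found in $profile" >&2
        return 1
    fi
    backup=$(mktemp "${TMPDIR:-/tmp}/$(basename "$profile").XXXXXX")
    cp "$profile" "$backup"
    awk -v n="$last" -v rule="  $RULE" \
        'NR == n { print ""; print rule } { print }' "$backup" > "$profile"
    echo "added rule to $profile (backup: $backup)"
}

# rule_count PROFILE: how many times RULE occurs (expect exactly 1 afterwards).
rule_count() {
    grep -c -F "$RULE" "$1"
}

# core_profile: path of the profile for the installed core revision, built the
# same way as in the question (snap list -> revision column -> file name).
core_profile() {
    rev=$(snap list core | awk 'NR == 2 { print $3 }')
    echo "/etc/apparmor.d/snap.core.$rev.usr.lib.snapd.snap-confine"
}

# Only touch the live system when explicitly asked (needs root).
if [ "${1:-}" = "--apply" ]; then
    for p in "$(core_profile)" /etc/apparmor.d/usr.lib.snapd.snap-confine.real; do
        [ -f "$p" ] || { echo "skip (missing): $p"; continue; }
        add_ptrace_rule "$p"
        apparmor_parser -r "$p"
    done
fi
```

Run as `sudo sh fix-snap-confine.sh --apply`; without `--apply` it only defines the functions. Keep in mind what the rule grants: snap-confine, which runs as a setuid helper, may now ptrace-read any unconfined process, which is wider than the single /proc/1/ns/mnt lookup it needs, so treat this as a workaround until the distribution's snapd packaging carries the fix rather than a permanent policy change.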