I have been using snap for some time but after a recent upgrade, I get this error when I try opening any application
Snap-confine has elevated permissions and is not confined but should be.
Refusing to continue to avoid permission escalation attacks
I have tried various fixes but it keeps getting worse. Any idea on what I should do?
I also tried sudo apt purge snapd snap-confine && sudo apt install -y snapd but when I try opening pycharm-community, it doesn't do anything.
systemctl enable --now apparmor.service
systemctl enable --now snapd.apparmor.service
sudo apparmor_parser -r /etc/apparmor.d/*snap-confine*
sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap-confine*
Fixes it. No restart required.
apparmor_parser -r /etc/apparmor.d/*snap-confine* apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap-confine* now with this asnwer it's still broken. keep on search –
Fotina This worked for me
service snapd.apparmor start
(It needs the root.)
sudo systemctl start snapd.apparmor should mark this service to auto-start –
Dmz systemctl status snapd apparmor look at the statuses of both. If snapd is active (running) AND apparmor is active (exited) then this is the fix for that issue. –
Backdate AppArmor (app-armor) is an effective and easy-to-use Linux application security system. AppArmor proactively protects the operating system and applications from external or internal threats, even zero-day attacks, by enforcing good behavior and preventing both known and unknown application flaws from being exploited.
# start the appormor system
sudo systemctl start apparmor
# parse and reload all apparmor profiles of installed snap applications
sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/*
systemctl enable --now apparmor.service
systemctl enable --now snapd.apparmor.service
This is what worked for me on Kali Linux:
sudo apparmor_parser -r /etc/apparmor.d/*snap-confine*
sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap-confine*
systemctl enable --now snapd.apparmor.service
This command helped me fix docker-compose:
sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/*
You can check if docker-compose works by using command:
docker-compose version
In my case it was caused by a bad AppArmor profile being present and loaded in complain (or enforce?) mode in
/etc/apparmor.d/usr.bin.snap
This apparently lead to snap not being able to determine the number of the snap and therefor caused a bad profile to be added to AppArmor.
"aa-status" outputed lines such as:
/usr/bin/snap//null-/usr/lib/snapd/snap-confine
for being in enforce mode
I moved that file (/etc/apparmor.d/usr.bin.snap) to my home directory, ran "sudo aa-remove-unknown" and "sudo systemctl restart apparmor" after which everything was back to normal.
However I don't know the origins of /etc/apparmor.d/usr.bin.snap so keep in mind that there might be something wrong with the system.
I had the same problem when using snap to run scrcpy. I tried this suggestion first and it worked:
sudo snap refresh
(This suggestion found at https://github.com/canonical/microk8s/issues/249)
This command also worked in my case :-
$ sudo service snapd.apparmor start
$ whatsdesk
Thank you.
Indeed AppArmor was not running. Some other bug in AppArmor will disable the whole snap! This has to be fixed before AppArmor can start.
Nov 21 00:24:40 kfc-XPS-15-9560 apparmor.systemd[201673]: AppArmor parser error for /etc/apparmor.d/usr.bin.tcpdump in profile /etc/apparmor.d/usr.bin.tcpdump at line 64: Could not open 'local/usr.sbin.tcpdump'
For me after executing
sudo apparmor_parser -r /etc/apparmor.d/*snap-confine*
sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap-confine*
i got an error of:
missing profile snap.docker.compose.
Please make sure that the snapd.apparmor service is enabled and started
It was fixed with
sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap.docker.compose
following this askubuntu thread: https://askubuntu.com/questions/1248349/docker-compose-denied-by-apparmor-outside-of-home-how-to-fix
sudo systemctl enable snapd.service
sudo systemctl start snapd.service
service snapd.apparmor start
this worked for me. It also makes it so that it automatically starts at launch.
$ cd /snap/bin
$ sudo service start snapd
$ sudo systemctl enable snapd.service
$ sudo systemctl enable --now snapd.service
just copy it and it should work(at least it did for me) and if you want to disable it just type
$ sudo systemctl disable snapd.service
Just adding another solution in case you've messed up with apparmor profiles and a service restart is not enough for you.
This would probably apply to you if you used aa-genprof to create a new profile of an app under the management of snapd, in my case it was VSCode.
Snap core package was broken so new snaps installation were also failing.
If you can't remove Firefox snap due to
Unlinkat /var/snap/firefox/common/host-hunspell/ try unmounting it umount /var/snap/firefox/common/host-hunspell, before snap remove --purge firefox
mkdir -p ~/profile-backups ~/profile-backups/var ~/profile-backups/local
# Stop services before moving around profiles
sudo systemctl stop snapd.apparmor
sudo systemctl stop apparmor
find /etc/apparmor.d -type f -name "*snapd*"
# -> check what you find and the edit time, new stuff is suspicious stuff
ls -lt /etc/apparmor.d
sudo mv /etc/apparmor.d/*snap-confine* ~/profile-backups
sudo mv /etc/apparmor.d/local/*snap-confine* ~/profile-backups/local
sudo mv /var/lib/snapd/apparmor/profiles/*confine* ~/profile-backups/var
sudo apt purge snapd
sudo aa-remove-unknown
# -> restart
sudo apt install -y --install-recommends snapd
Install as classic or from apt only the trusted few packages that have issues with apparmor like starship or vscode
sudo snap install --classic what_you_like_to_not_be_restricted --channel latest/stable
Then install Firefox, VScode... from apt or official deb or as classic snaps.
© 2022 - 2024 — McMap. All rights reserved.
sudo apt purge snapd snap-confineThat will uninstall a lot of applications and that's not what you normally want. – Rank