BruceG n00b
Joined: 21 Jul 2003 Posts: 27 Location: Saskatoon, SK, Canada
Posted: Thu Jul 15, 2021 7:10 pm Post subject: Trying to get app-emulation/snapd to work for non-root
I have installed app-emulation/snapd-2.51 under systemd (along with apparmor and the necessary kernel bits) and I am having difficulty getting it to work for non-root users. I installed the hello-world snap, and it runs properly as root, but when running as non-root I get the following error:
Code:
> snap run hello-world
snap-confine has elevated permissions and is not confined but should be. Refusing to continue to avoid permission escalation attacks
It appears this might be due to some missing apparmor configuration, but it is installed and loaded. Any suggestions for how to get this working? All the search results I am seeing regarding this issue are pretty specific to Ubuntu, which doesn't help much here.
BruceG n00b
Joined: 21 Jul 2003 Posts: 27 Location: Saskatoon, SK, Canada
Posted: Thu Jul 15, 2021 7:18 pm
Running with debugging yields the following:
Code:
> snap debug sandbox-features
apparmor: kernel:caps kernel:domain kernel:file kernel:mount kernel:namespaces kernel:network_v8 kernel:policy kernel:ptrace kernel:query kernel:rlimit kernel:signal parser:unsafe policy:default support-level:partial
confinement-options: devmode
dbus: mediated-bus-access
kmod: mediated-modprobe
mount: freezer-cgroup-v1 layouts mount-namespace per-snap-persistency per-snap-profiles per-snap-updates per-snap-user-profiles stale-base-invalidation
seccomp: bpf-actlog bpf-argument-filtering kernel:allow kernel:errno kernel:kill_process kernel:kill_thread kernel:log kernel:trace kernel:trap kernel:user_notif
udev: device-cgroup-v1 device-filtering tagging
> snap debug confinement
partial
> env SNAPD_DEBUG=1 SNAP_CONFINE_DEBUG=1 snap run hello-world
2021/07/15 13:16:13.731493 tool_linux.go:68: DEBUG: re-exec not supported on distro "gentoo" yet
2021/07/15 13:16:13.737446 cmd_run.go:410: DEBUG: SELinux not enabled
2021/07/15 13:16:13.737527 tracking.go:44: DEBUG: creating transient scope snap.hello-world.hello-world
2021/07/15 13:16:13.738059 tracking.go:173: DEBUG: using session bus
2021/07/15 13:16:13.739605 tracking.go:305: DEBUG: created transient scope as object: /org/freedesktop/systemd1/job/234
2021/07/15 13:16:13.739677 tracking.go:135: DEBUG: systemd could not associate process 7450 with transient scope snap.hello-world.hello-world.2d449903-7503-48d3-946a-dd19ed8e7e98.scope
2021/07/15 13:16:13.739689 cmd_run.go:1170: DEBUG: snapd cannot track the started application
2021/07/15 13:16:13.739697 cmd_run.go:1171: DEBUG: snap refreshes will not be postponed by this process
DEBUG: umask reset, old umask was 02
DEBUG: security tag: snap.hello-world.hello-world
DEBUG: executable: /usr/lib/snapd/snap-exec
DEBUG: confinement: non-classic
DEBUG: base snap: core
DEBUG: ruid: 500, euid: 0, suid: 0
DEBUG: rgid: 500, egid: 500, sgid: 500
DEBUG: apparmor label on snap-confine is: unconfined
DEBUG: apparmor mode is: (null)
snap-confine has elevated permissions and is not confined but should be. Refusing to continue to avoid permission escalation attacks
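The debug output above ends with "apparmor label on snap-confine is: unconfined": snap-confine is a setuid-root helper, and it refuses to do anything for an unprivileged caller unless the kernel is applying an AppArmor profile to it, since an unconfined setuid helper is exactly the privilege-escalation surface its profile exists to limit. The check below is an added diagnostic for that state; it is not code from this thread or from snapd. It reads the two kernel interfaces AppArmor exposes, /sys/module/apparmor/parameters/enabled (Y or N) and /sys/kernel/security/apparmor/profiles (one "name (mode)" line per loaded profile), and it assumes the snap-confine profile is named after the binary path /usr/lib/snapd/snap-confine, which is not stated in the thread and may differ on your system.

```shell
#!/bin/sh
# Added diagnostic (not from the thread or from snapd): report whether the
# AppArmor profile for snap-confine is loaded, and in which mode, by reading
# the kernel's profile list. Each line of that list has the form
# "<profile name> (<mode>)".
#
# Assumption (not stated in the thread): the profile is named after the
# binary's path. Override SNAP_CONFINE_PROFILE if yours differs.
SNAP_CONFINE_PROFILE="${SNAP_CONFINE_PROFILE:-/usr/lib/snapd/snap-confine}"

# apparmor_enabled <parameters-file>
# Prints "yes" if the file (normally /sys/module/apparmor/parameters/enabled)
# contains Y, "no" otherwise. A missing file means the LSM is not built in
# or not active, which also counts as "no".
apparmor_enabled() {
    if [ -r "$1" ] && [ "$(cat "$1")" = "Y" ]; then
        echo yes
    else
        echo no
    fi
}

# profile_mode <profiles-file> <profile-name>
# Prints the mode ("enforce", "complain", ...) of the named profile as listed
# in the kernel profile list (normally /sys/kernel/security/apparmor/profiles),
# or "missing" if no profile of exactly that name is loaded. Child profiles
# such as "<name>//helper" are deliberately not matched.
profile_mode() {
    _file="$1"; _name="$2"
    [ -r "$_file" ] || { echo missing; return 0; }
    _mode=$(awk -v n="$_name" '
        # the line must start with the exact name followed by " ("
        index($0, n " (") == 1 {
            print substr($0, length(n) + 3, length($0) - length(n) - 3)
            exit
        }' "$_file")
    if [ -n "$_mode" ]; then echo "$_mode"; else echo missing; fi
}

# snap_confine_ok <parameters-file> <profiles-file>
# Returns 0 only when AppArmor is enabled and the snap-confine profile is
# loaded in enforce mode, i.e. the state in which the setuid helper is
# actually confined rather than running as an unconfined root process.
snap_confine_ok() {
    [ "$(apparmor_enabled "$1")" = "yes" ] || return 1
    [ "$(profile_mode "$2" "$SNAP_CONFINE_PROFILE")" = "enforce" ] || return 1
    return 0
}

# Stand-alone demo on constructed input (not real system files): a kernel
# with AppArmor enabled but only an unrelated profile and a snap-confine
# child profile loaded, which is the situation the "is not confined but
# should be" refusal reports.
demo() {
    _d=$(mktemp -d)
    printf 'Y\n' > "$_d/enabled"
    printf '%s\n' '/usr/sbin/cupsd (enforce)' \
        '/usr/lib/snapd/snap-confine//mount-namespace-capture-helper (enforce)' \
        > "$_d/profiles"
    echo "apparmor enabled: $(apparmor_enabled "$_d/enabled")"
    echo "snap-confine profile: $(profile_mode "$_d/profiles" "$SNAP_CONFINE_PROFILE")"
    if snap_confine_ok "$_d/enabled" "$_d/profiles"; then
        echo "snap-confine would run confined"
    else
        echo "snap-confine would refuse: profile not loaded in enforce mode"
    fi
    rm -rf "$_d"
}
demo
```

To check a live machine rather than the constructed sample, run as root (the profile list is only readable by root and needs securityfs mounted) and call snap_confine_ok /sys/module/apparmor/parameters/enabled /sys/kernel/security/apparmor/profiles. A "missing" result from profile_mode points at the profile never being loaded by apparmor_parser, a "complain" result at a profile loaded in the wrong mode; both leave the helper unconfined from snap-confine's point of view.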
alamahant Advocate
Joined: 23 Mar 2019 Posts: 3879
Posted: Thu Jul 15, 2021 7:27 pm
Does
Code:
USE="-forced-devmode" emerge -1av snapd
help?
BruceG n00b
Joined: 21 Jul 2003 Posts: 27 Location: Saskatoon, SK, Canada
Posted: Thu Jul 15, 2021 7:52 pm
Unfortunately, no, same errors.
alamahant Advocate
Joined: 23 Mar 2019 Posts: 3879
Posted: Thu Jul 15, 2021 8:11 pm
Plz try
Code:
systemctl enable apparmor
systemctl start apparmor
and rerun snapd as normal user.
BruceG n00b
Joined: 21 Jul 2003 Posts: 27 Location: Saskatoon, SK, Canada
Posted: Thu Jul 15, 2021 9:23 pm
It was already enabled and started:
Code:
# systemctl status apparmor
● apparmor.service - AppArmor profiles
Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: disabled)
Active: active (exited) since Thu 2021-07-15 13:49:35 CST; 1h 29min ago
Process: 1949 ExecStart=/usr/share/apparmor/apparmor_load.sh (code=exited, status=0/SUCCESS)
Main PID: 1949 (code=exited, status=0/SUCCESS)
Jul 15 13:49:35 lorien systemd[1]: apparmor.service: Changed dead -> start
Jul 15 13:49:35 lorien systemd[1]: Starting AppArmor profiles...
Jul 15 13:49:35 lorien systemd[1949]: apparmor.service: Executing: /usr/share/apparmor/apparmor_load.sh
Jul 15 13:49:35 lorien systemd[1]: apparmor.service: Failed to read oom_kill field of memory.events cgroup attribute: No such file or directory
Jul 15 13:49:35 lorien systemd[1]: apparmor.service: Child 1949 belongs to apparmor.service.
Jul 15 13:49:35 lorien systemd[1]: apparmor.service: Main process exited, code=exited, status=0/SUCCESS
Jul 15 13:49:35 lorien systemd[1]: apparmor.service: Changed start -> exited
Jul 15 13:49:35 lorien systemd[1]: apparmor.service: Job 148 apparmor.service/start finished, result=done
Jul 15 13:49:35 lorien systemd[1]: Finished AppArmor profiles.
Jul 15 13:49:35 lorien systemd[1]: apparmor.service: Control group is empty.
I see it has reported an error, but it claims to have exited with success.
ran-dall n00b
Joined: 30 Jul 2021 Posts: 1
Posted: Fri Jul 30, 2021 11:55 pm Post subject: Re: Trying to get app-emulation/snapd to work for non-root
(disclaimer: I've never installed snapd on Gentoo, but I've been thinking about it. Hence why I came across your post)
Just a thought.
Could it possibly be that you forgot one of the necessary kernel modifications for AppArmor? If you did them, then maybe something went wrong when you made the modifications to the kernel?
BruceG n00b
Joined: 21 Jul 2003 Posts: 27 Location: Saskatoon, SK, Canada
Posted: Thu Aug 05, 2021 12:19 am
Are there kernel patches necessary to enable AppArmor? I enabled the necessary kernel config settings and apparmor does run and load the profiles.
In any case, this is soon to be a moot point, as I am transitioning to a different computer running Arch (though I will continue to have other Gentoo systems).