Gentoo Forums
Trying to get app-emulation/snapd to work for non-root
BruceG
Posted: Thu Jul 15, 2021 7:10 pm    Post subject: Trying to get app-emulation/snapd to work for non-root

I have installed app-emulation/snapd-2.51 under systemd (along with apparmor and the necessary kernel bits) and I am having difficulty getting it to work for non-root users. I installed the hello-world snap, and it runs properly as root, but when running as non-root I get the following error:
Code:
> snap run hello-world
snap-confine has elevated permissions and is not confined but should be. Refusing to continue to avoid permission escalation attacks


It appears this might be due to some missing apparmor configuration, but it is installed and loaded. Any suggestions for how to get this working? All the search results I am seeing regarding this issue are pretty specific to Ubuntu, which doesn't help much here.
BruceG
Posted: Thu Jul 15, 2021 7:18 pm

Running with debugging yields the following:
Code:
> snap debug sandbox-features
apparmor:             kernel:caps kernel:domain kernel:file kernel:mount kernel:namespaces kernel:network_v8 kernel:policy kernel:ptrace kernel:query kernel:rlimit kernel:signal parser:unsafe policy:default support-level:partial
confinement-options:  devmode
dbus:                 mediated-bus-access
kmod:                 mediated-modprobe
mount:                freezer-cgroup-v1 layouts mount-namespace per-snap-persistency per-snap-profiles per-snap-updates per-snap-user-profiles stale-base-invalidation
seccomp:              bpf-actlog bpf-argument-filtering kernel:allow kernel:errno kernel:kill_process kernel:kill_thread kernel:log kernel:trace kernel:trap kernel:user_notif
udev:                 device-cgroup-v1 device-filtering tagging

> snap debug confinement
partial

> env SNAPD_DEBUG=1 SNAP_CONFINE_DEBUG=1 snap run hello-world
2021/07/15 13:16:13.731493 tool_linux.go:68: DEBUG: re-exec not supported on distro "gentoo" yet
2021/07/15 13:16:13.737446 cmd_run.go:410: DEBUG: SELinux not enabled
2021/07/15 13:16:13.737527 tracking.go:44: DEBUG: creating transient scope snap.hello-world.hello-world
2021/07/15 13:16:13.738059 tracking.go:173: DEBUG: using session bus
2021/07/15 13:16:13.739605 tracking.go:305: DEBUG: created transient scope as object: /org/freedesktop/systemd1/job/234
2021/07/15 13:16:13.739677 tracking.go:135: DEBUG: systemd could not associate process 7450 with transient scope snap.hello-world.hello-world.2d449903-7503-48d3-946a-dd19ed8e7e98.scope
2021/07/15 13:16:13.739689 cmd_run.go:1170: DEBUG: snapd cannot track the started application
2021/07/15 13:16:13.739697 cmd_run.go:1171: DEBUG: snap refreshes will not be postponed by this process
DEBUG: umask reset, old umask was   02
DEBUG: security tag: snap.hello-world.hello-world
DEBUG: executable:   /usr/lib/snapd/snap-exec
DEBUG: confinement:  non-classic
DEBUG: base snap:    core
DEBUG: ruid: 500, euid: 0, suid: 0
DEBUG: rgid: 500, egid: 500, sgid: 500
DEBUG: apparmor label on snap-confine is: unconfined
DEBUG: apparmor mode is: (null)
snap-confine has elevated permissions and is not confined but should be. Refusing to continue to avoid permission escalation attacks
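As an added diagnostic (not from this thread and not code from the snapd project), the POSIX shell script below checks the condition behind the refusal shown above: snap-confine is a setuid-root helper and, as the debug line "apparmor label on snap-confine is: unconfined" reports, no AppArmor profile is confining it, so it declines to continue. The sysfs path /sys/kernel/security/apparmor/profiles, its "name (mode)" line format, and the profile name /usr/lib/snapd/snap-confine are assumptions; when that sysfs path is absent the script runs on two constructed listings, one healthy and one matching the symptom in the thread.

```shell
#!/bin/sh
# Added diagnostic, not from the thread or the snapd project. It reproduces the
# check behind "snap-confine has elevated permissions and is not confined":
# a setuid-root helper must be confined by a loaded AppArmor profile.
# Assumptions (not taken from the post): the kernel lists loaded profiles as
# "name (mode)" lines in /sys/kernel/security/apparmor/profiles, and the
# profile is named after the snap-confine binary path.

PROFILES_FILE=/sys/kernel/security/apparmor/profiles   # assumed kernel path
SNAP_CONFINE=/usr/lib/snapd/snap-confine               # assumed binary/profile name

# profile_mode LISTING NAME: print the mode of profile NAME ("enforce",
# "complain", ...) as recorded in LISTING, or "missing" if it is not loaded.
profile_mode() {
    _listing="$1"; _name="$2"; _mode=missing
    while IFS= read -r _line; do
        case "$_line" in
            "$_name ("*")")
                _mode="${_line#"$_name ("}"
                _mode="${_mode%)}"
                ;;
        esac
    done < "$_listing"
    printf '%s\n' "$_mode"
}

# expect_confined LISTING NAME: return 0 when NAME is confined in enforce
# mode, otherwise explain what is wrong and return 1.
expect_confined() {
    _m=$(profile_mode "$1" "$2")
    case "$_m" in
        enforce)
            echo "ok: $2 is confined (enforce)"; return 0 ;;
        missing)
            echo "problem: no AppArmor profile loaded for $2 (this is the" \
                 "'apparmor label on snap-confine is: unconfined' case)"
            return 1 ;;
        *)
            echo "problem: profile for $2 is in '$_m' mode, expected enforce"
            return 1 ;;
    esac
}

# write_sample_listing ok|broken: write a constructed listing (sample data,
# not captured from a real system) and print its path.
write_sample_listing() {
    _f=$(mktemp)
    if [ "$1" = ok ]; then
        printf '%s\n' "$SNAP_CONFINE (enforce)" > "$_f"
    else
        : > "$_f"
    fi
    # the snap's own profile loads in both cases, as in the thread
    printf '%s\n' "snap.hello-world.hello-world (enforce)" >> "$_f"
    printf '%s\n' "$_f"
}

# diagnose: inspect the live system when the AppArmor sysfs is present,
# otherwise demonstrate on the constructed samples.
diagnose() {
    if [ -r "$PROFILES_FILE" ]; then
        if [ -u "$SNAP_CONFINE" ]; then
            echo "$SNAP_CONFINE is setuid root, so a profile is required"
        else
            echo "$SNAP_CONFINE is missing or not setuid (check the snapd install)"
        fi
        expect_confined "$PROFILES_FILE" "$SNAP_CONFINE"
    else
        echo "no AppArmor sysfs here; running on constructed samples"
        expect_confined "$(write_sample_listing ok)" "$SNAP_CONFINE"
        expect_confined "$(write_sample_listing broken)" "$SNAP_CONFINE"
    fi
}

diagnose || echo "snap-confine would refuse to start snaps for non-root users"
```

On a system showing the error, the expected outcome is the "no AppArmor profile loaded" branch: the kernel and the snap profiles are fine (the listing contains snap.hello-world.hello-world), but the profile for the setuid helper itself was never loaded, which is the condition snap-confine guards against.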
alamahant
Posted: Thu Jul 15, 2021 7:27 pm

Does
Code:

USE="-forced-devmode" emerge -1av snapd

help?
BruceG
Posted: Thu Jul 15, 2021 7:52 pm

Unfortunately, no, same errors.
alamahant
Posted: Thu Jul 15, 2021 8:11 pm

Please try
Code:

systemctl enable apparmor
systemctl start apparmor


and rerun snapd as normal user.
BruceG
Posted: Thu Jul 15, 2021 9:23 pm

It was already enabled and started:
Code:
# systemctl status apparmor
● apparmor.service - AppArmor profiles
     Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: disabled)
     Active: active (exited) since Thu 2021-07-15 13:49:35 CST; 1h 29min ago
    Process: 1949 ExecStart=/usr/share/apparmor/apparmor_load.sh (code=exited, status=0/SUCCESS)
   Main PID: 1949 (code=exited, status=0/SUCCESS)

Jul 15 13:49:35 lorien systemd[1]: apparmor.service: Changed dead -> start
Jul 15 13:49:35 lorien systemd[1]: Starting AppArmor profiles...
Jul 15 13:49:35 lorien systemd[1949]: apparmor.service: Executing: /usr/share/apparmor/apparmor_load.sh
Jul 15 13:49:35 lorien systemd[1]: apparmor.service: Failed to read oom_kill field of memory.events cgroup attribute: No such file or directory
Jul 15 13:49:35 lorien systemd[1]: apparmor.service: Child 1949 belongs to apparmor.service.
Jul 15 13:49:35 lorien systemd[1]: apparmor.service: Main process exited, code=exited, status=0/SUCCESS
Jul 15 13:49:35 lorien systemd[1]: apparmor.service: Changed start -> exited
Jul 15 13:49:35 lorien systemd[1]: apparmor.service: Job 148 apparmor.service/start finished, result=done
Jul 15 13:49:35 lorien systemd[1]: Finished AppArmor profiles.
Jul 15 13:49:35 lorien systemd[1]: apparmor.service: Control group is empty.


I see it has reported an error, but it claims to have exited with success.
ran-dall
Posted: Fri Jul 30, 2021 11:55 pm    Post subject: Re: Trying to get app-emulation/snapd to work for non-root

(disclaimer: I've never installed snapd on Gentoo, but I've been thinking about it, hence why I came across your post)

Just a thought.

Could it possibly be that you may have forgotten one of the necessary kernel modifications for AppArmor? If you did, then maybe something went wrong when you did the modifications to the kernel?
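An added check, not from the thread, for the kernel-side suggestion above. AppArmor is part of mainline Linux and is turned on through kernel configuration rather than patches, so the script below reads a .config-style file (for example /usr/src/linux/.config, or the output of `zcat /proc/config.gz`) and looks for the Kconfig symbols CONFIG_SECURITY_APPARMOR, CONFIG_LSM (the ordered LSM list on newer kernels) and CONFIG_DEFAULT_SECURITY_APPARMOR (the older selector). The two .config fragments it demonstrates on are constructed samples, and the /sys/module/apparmor/parameters/enabled runtime check is only consulted when that file exists.

```shell
#!/bin/sh
# Added check, not from the thread: verify that a kernel configuration builds
# AppArmor in and selects it as an active LSM. Reads a .config-style file.
# Symbols used: CONFIG_SECURITY_APPARMOR (build it), CONFIG_LSM (ordered LSM
# list on newer kernels) and CONFIG_DEFAULT_SECURITY_APPARMOR (older selector).

# config_value FILE SYMBOL: print SYMBOL's value without surrounding quotes,
# or "unset" when the symbol is absent or only present as "# ... is not set".
config_value() {
    _v=$(sed -n "s/^$2=//p" "$1")
    if [ -z "$_v" ]; then printf 'unset\n'; return 0; fi
    _v="${_v#\"}"; _v="${_v%\"}"
    printf '%s\n' "$_v"
}

# apparmor_kernel_ok FILE: return 0 when AppArmor is built in and selected
# as an LSM by either the new or the old mechanism, else 1.
apparmor_kernel_ok() {
    [ "$(config_value "$1" CONFIG_SECURITY_APPARMOR)" = y ] || return 1
    case "$(config_value "$1" CONFIG_LSM)" in
        *apparmor*) return 0 ;;
    esac
    [ "$(config_value "$1" CONFIG_DEFAULT_SECURITY_APPARMOR)" = y ]
}

# write_sample_config ok|missing-lsm: constructed fragments (not a real
# .config) written to a temp file; prints the path.
write_sample_config() {
    _f=$(mktemp)
    {
        echo 'CONFIG_SECURITY=y'
        echo 'CONFIG_SECURITY_APPARMOR=y'
        if [ "$1" = ok ]; then
            echo 'CONFIG_LSM="landlock,lockdown,yama,apparmor"'
        else
            # built in, but never selected: apparmor runs as nothing at boot
            echo '# CONFIG_DEFAULT_SECURITY_APPARMOR is not set'
            echo 'CONFIG_LSM="landlock,lockdown,yama"'
        fi
    } > "$_f"
    printf '%s\n' "$_f"
}

# runtime_enabled: the running kernel's own answer, when the file exists;
# the module parameter reads "Y" once AppArmor has been enabled at boot.
runtime_enabled() {
    [ -r /sys/module/apparmor/parameters/enabled ] &&
        [ "$(cat /sys/module/apparmor/parameters/enabled)" = Y ]
}

for cfg in ok missing-lsm; do
    f=$(write_sample_config "$cfg")
    if apparmor_kernel_ok "$f"; then
        echo "$cfg sample: AppArmor is built in and selected as an LSM"
    else
        echo "$cfg sample: AppArmor is NOT selected as an LSM"
    fi
done
runtime_enabled && echo "running kernel reports AppArmor enabled"
```

The "missing-lsm" sample is the case worth knowing about: the option is compiled in, apparmor_parser can even load profiles, yet nothing is enforced unless the LSM is actually selected at build time or on the kernel command line.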
BruceG
Posted: Thu Aug 05, 2021 12:19 am

Are there kernel patches necessary to enable AppArmor? I enabled the necessary kernel config settings and apparmor does run and load the profiles.

In any case, this is soon to be a moot point, as I am transitioning to a different computer running Arch (though I will continue to have other Gentoo systems).