I have been using snap for some time but after a recent upgrade, I get this error when I try opening any application
Snap-confine has elevated permissions and is not confined but should be.
Refusing to continue to avoid permission escalation attacks
I have tried various fixes but it keeps getting worse. Any idea on what I should do?
I also tried sudo apt purge snapd snap-confine && sudo apt install -y snapd but when I try opening pycharm-community, it doesn't do anything.
sudo apparmor_parser -r /etc/apparmor.d/*snap-confine*
sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap-confine*
Fixes it. No restart required.
This worked for me
service snapd.apparmor start
(It needs the root.)
AppArmor (app-armor) is an effective and easy-to-use Linux application security system. AppArmor proactively protects the operating system and applications from external or internal threats, even zero-day attacks, by enforcing good behavior and preventing both known and unknown application flaws from being exploited.
# start the appormor system
sudo systemctl start apparmor
# parse and reload all apparmor profiles of installed snap applications
sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/*
systemctl enable --now apparmor.service
systemctl enable --now snapd.apparmor.service
This is what worked for me on Kali Linux:
sudo apparmor_parser -r /etc/apparmor.d/*snap-confine*
sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap-confine*
systemctl enable --now snapd.apparmor.service
In my case it was caused by a bad AppArmor profile being present and loaded in complain (or enforce?) mode in
/etc/apparmor.d/usr.bin.snap
This apparently lead to snap not being able to determine the number of the snap and therefor caused a bad profile to be added to AppArmor.
"aa-status" outputed lines such as:
/usr/bin/snap//null-/usr/lib/snapd/snap-confine
for being in enforce mode
I moved that file (/etc/apparmor.d/usr.bin.snap) to my home directory, ran "sudo aa-remove-unknown" and "sudo systemctl restart apparmor" after which everything was back to normal.
However I don't know the origins of /etc/apparmor.d/usr.bin.snap so keep in mind that there might be something wrong with the system.
I had the same problem when using snap to run scrcpy. I tried this suggestion first and it worked:
sudo snap refresh
(This suggestion found at https://github.com/canonical/microk8s/issues/249)
This command also worked in my case :-
$ sudo service snapd.apparmor start
$ whatsdesk
Thank you.
Indeed AppArmor was not running. Some other bug in AppArmor will disable the whole snap! This has to be fixed before AppArmor can start.
Nov 21 00:24:40 kfc-XPS-15-9560 apparmor.systemd[201673]: AppArmor parser error for /etc/apparmor.d/usr.bin.tcpdump in profile /etc/apparmor.d/usr.bin.tcpdump at line 64: Could not open 'local/usr.sbin.tcpdump'
For me after executing
sudo apparmor_parser -r /etc/apparmor.d/*snap-confine*
sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap-confine*
i got an error of:
missing profile snap.docker.compose.
Please make sure that the snapd.apparmor service is enabled and started
It was fixed with
sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap.docker.compose
following this askubuntu thread: https://askubuntu.com/questions/1248349/docker-compose-denied-by-apparmor-outside-of-home-how-to-fix
sudo systemctl enable snapd.service
sudo systemctl start snapd.service
service snapd.apparmor start
