Bug 1211989

Summary: Snap applications stopped to work after recent apparmor update
Product: [openSUSE] openSUSE Tumbleweed Reporter: Aleksey Kontsevich <akontsevich>
Component: AppArmorAssignee: Christian Boltz <suse-beta>
Status: RESOLVED FIXED QA Contact: E-mail List <qa-bugs>
Severity: Normal    
Priority: P5 - None CC: criguada+opensuse, dev, ilgaz, jrjohansen117, liubomirwm, michel.filipe, oliver, paolo.pasquale, rokejulianlockhart+1674683091, strzol, suse-beta, tilman
Version: Current   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: snap.telegram-desktop.telegram-desktop Profile
snap.acestreamplayer.engine Profile
snap-update-ns.telegram-desktop profile
snap-update-ns.acestreamplayer profile
/sbin/apparmor_parser -pq /var/lib/snapd/apparmor/profiles/snap.chromium.hook.configure
/sbin/apparmor_parser -pq /var/lib/snapd/apparmor/profiles/snap-update-ns.spotify
/sbin/apparmor_parser -pq /var/lib/snapd/apparmor/profiles/snap-update-ns.brave
/sbin/apparmor_parser -pq /var/lib/snapd/apparmor/profiles/snap-update-ns.authy
kernel.log

Comment 1 Stratos Zolotas 2023-06-05 07:56:48 UTC 
Can confirm the same issue after latest dup (VERSION_ID="20230603")

stratos@teras:~> winbox
cannot perform operation: mount -t tmpfs /tmp/snap.rootfs_bdlKDD: Permission denied
stratos@teras:~> authy
cannot perform operation: mount -t tmpfs /tmp/snap.rootfs_nz6fZ2: Permission denied
Comment 2 Christian Boltz 2023-06-05 11:50:29 UTC 
AppArmor 3.1.4 fixed a bug in mount rules - before they allowed things that the profile didn't really allow, and now they allow exactly what is specified in the profile. See https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.1.4 and https://gitlab.com/apparmor/apparmor/-/commit/aff29ef0ee88e18db74a364e7dca1b4c0fa95e47 for details.

This also means that profiles that "somehow worked" before now cause denials because they don't have the mount rules they really need.

https://forum.snapcraft.io/t/apparmor-issue/35461 shows the following line from /var/log/audit/audit.log:

type=AVC msg=audit(1685879595.481:528): apparmor="DENIED" operation="mount" class="mount" info="failed perms check" error=-13 profile="/usr/lib/snapd/snap-confine" name="/tmp/snap.rootfs_uAIbsj/" pid=13661 comm="snap-confine" fstype="tmpfs" srcname="none"

Can you please confirm that you get a similar line in your audit.log when snap fails?

If I got the log message right, adding the following rule to the snap-confine profile should fix the problem:

mount fstype=tmpfs -> /tmp/snap.rootfs_??????/,


That all said, I'll hand over the bug to the (system:snappy/snapd) maintainer - AFAIK the snap profiles are shipped as part of the snapd package.
Comment 3 Aleksey Kontsevich 2023-06-05 12:02:49 UTC 
(In reply to Christian Boltz from comment #2)
> https://forum.snapcraft.io/t/apparmor-issue/35461 shows the following line
> from /var/log/audit/audit.log:
> 
> type=AVC msg=audit(1685879595.481:528): apparmor="DENIED" operation="mount"
> class="mount" info="failed perms check" error=-13
> profile="/usr/lib/snapd/snap-confine" name="/tmp/snap.rootfs_uAIbsj/"
> pid=13661 comm="snap-confine" fstype="tmpfs" srcname="none"
> 
> Can you please confirm that you get a similar line in your audit.log when
> snap fails?

Yes, have the same:

> telegram-desktop
cannot perform operation: mount -t tmpfs /tmp/snap.rootfs_Z2gZo7: Permission denied

> And in the log:
type=AVC msg=audit(1685966246.468:373): apparmor="DENIED" operation="mount" class="mount" info="failed perms check" error=-13 profile="/usr/libexec/snapd/snap-confine" name="/tmp/snap.rootfs_Z2gZo7/" pid=28351 comm="snap-confine" fstype="tmpfs" srcname="none"

> 
> If I got the log message right, adding the following rule to the
> snap-confine profile should fix the problem:
> 
> mount fstype=tmpfs -> /tmp/snap.rootfs_??????/,

Where to add this?
Comment 4 Stratos Zolotas 2023-06-05 12:26:42 UTC 
(In reply to Christian Boltz from comment #2)
> Can you please confirm that you get a similar line in your audit.log when
> snap fails?

Can confirm the same message in audit.log:


type=AVC msg=audit(1685967805.185:497): apparmor="DENIED" operation="mount" class="mount" info="failed perms check" error=-13 profile="/usr/libexec/snapd/snap-confine" name="/tmp/snap.rootfs_ou5oN6/" pid=13580 comm="snap-confine" fstype="tmpfs" srcname="none"
type=BPF msg=audit(1685967805.225:498): prog-id=66 op=UNLOAD
 
> If I got the log message right, adding the following rule to the
> snap-confine profile should fix the problem:
> 
> mount fstype=tmpfs -> /tmp/snap.rootfs_??????/,
 
Yes it resolves the issue. I have added it in /etc/apparmor.d/usr.libexec.snapd.snap-confine

Thank you for the workaround.
Comment 5 Aleksey Kontsevich 2023-06-05 12:37:02 UTC 
(In reply to Stratos Zolotas from comment #4)
> (In reply to Christian Boltz from comment #2)

> > If I got the log message right, adding the following rule to the
> > snap-confine profile should fix the problem:
> > 
> > mount fstype=tmpfs -> /tmp/snap.rootfs_??????/,
>  
> Yes it resolves the issue. I have added it in
> /etc/apparmor.d/usr.libexec.snapd.snap-confine

Helped me as well - thank You all!
Comment 6 Aleksey Kontsevich 2023-06-05 14:06:24 UTC 
This PR has been opened to fix the issue https://github.com/snapcore/snapd/pull/12845
Comment 7 Maciej Borzecki 2023-06-05 16:30:38 UTC 
I'll cherry pick this patch for the upcoming 2.59.5 update.
Comment 8 Maciej Borzecki 2023-06-05 17:00:20 UTC 
Fun, the package status did not propagate to boo. Anyway, snapd 2.59.5 was pushed to the repository with the cherry pick included. If it's fixed for folks then fell free to close the bug.
Comment 9 Stratos Zolotas 2023-06-05 17:59:19 UTC 
Can confirm the fix after latest update.
Comment 10 Stratos Zolotas 2023-06-14 07:34:54 UTC 
I am facing again the same issue with all snaps (possibly not exactly the same problem but similar).

cat /etc/os-release 
NAME="openSUSE Tumbleweed"
# VERSION="20230612"
ID="opensuse-tumbleweed"
ID_LIKE="opensuse suse"
VERSION_ID="20230612"

stratos@teras:~> winbox
update.go:85: cannot change mount namespace according to change mount (/run/user/1000/doc/by-app/snap.winbox /run/user/1000/doc none bind,rw,x-snapd.ignore-missing 0 0): permission denied

stratos@teras:~> authy
update.go:85: cannot change mount namespace according to change mount (/run/user/1000/doc/by-app/snap.authy /run/user/1000/doc none bind,rw,x-snapd.ignore-missing 0 0): permission denied
Comment 11 Aleksey Kontsevich 2023-06-14 10:48:07 UTC 
(In reply to Stratos Zolotas from comment #10)
> I am facing again the same issue with all snaps (possibly not exactly the
> same problem but similar).

Yes, I have exactly the same today!
Comment 12 Maciej Borzecki 2023-06-14 11:25:16 UTC 
(In reply to Aleksey Kontsevich from comment #11)
> (In reply to Stratos Zolotas from comment #10)
> > I am facing again the same issue with all snaps (possibly not exactly the
> > same problem but similar).
> 
> Yes, I have exactly the same today!

I don't think it's the same problem.

What I see is:

time->Wed Jun 14 13:18:59 2023
type=AVC msg=audit(1686741539.855:777): apparmor="DENIED" operation="mount" class="mount" info="failed mntpnt match" error=-13 profile="snap-update-ns.ohmygiraffe" name="/tmp/.snap/snap/ohmygiraffe/28/data-dir/themes/" pid=7298 comm="5" srcname="/snap/ohmygiraffe/28/data-dir/themes/" flags="rw, rbind"

while there is exactly a rule allowing this in /var/lib/snapd/apparmor/profiles/snap-update-ns.ohmygiraffe:

  mount options=(rbind, rw) "/snap/ohmygiraffe/28/data-dir/themes/" -> "/tmp/.snap/snap/ohmygiraffe/28/data-dir/themes/",

AFAICT the profile is loaded:

maciek@sloop:~ sudo aa-status|grep ohmygira                                                       
   snap-update-ns.ohmygiraffe
   snap.ohmygiraffe.hook.configure
   snap.ohmygiraffe.ohmygiraffe

Just to be extra sure I reloaded it again myself, and the effect is the same. I'm afraid someone with a deeper knowledge of apparmor is needed here.
Comment 13 Christian Boltz 2023-06-14 21:06:51 UTC 
Upstream AppArmor is aware of the new issue. If everything works out as planned, I'll get a patch and can offer a test package tomorrow.
Comment 14 Aleksey Kontsevich 2023-06-14 21:18:38 UTC 
Hmmm... I have this error only for telegram, acestream works fine!
Comment 15 Christian Boltz 2023-06-16 16:25:05 UTC 
Unfortunately the issue turned out to be more complicated - and, worse, hard to reproduce. Therefore I'll forward a request from
https://bugs.launchpad.net/bugs/2023814

    what is the kernel version, and can you attach the full profile.

Therefore: Please attach the full profile of a snap that causes the mount denial, ideally both 
- the profile file itsself, and
- the full profile with all includes inlined, which you can get with

    /sbin/apparmor_parser -pq /var/lib/snapd/apparmor/profiles/PROFILE_FILE > \
    /tmp/profile_with_includes

(replace PROFILE_FILE with the actual filename)

Please also include your kernel version ("uname -a" output).
Comment 16 Aleksey Kontsevich 2023-06-16 16:30:32 UTC 
> uname -a
Linux Aleksey 6.3.7-1-default #1 SMP PREEMPT_DYNAMIC Mon Jun 12 05:01:32 UTC 2023 (b5f9ff5) x86_64 x86_64 x86_64 GNU/Linux
Comment 17 Aleksey Kontsevich 2023-06-16 16:31:22 UTC 
Created attachment 867626 [details]
snap.telegram-desktop.telegram-desktop Profile

This one causes problems
Comment 18 Aleksey Kontsevich 2023-06-16 16:31:54 UTC 
Created attachment 867627 [details]
snap.acestreamplayer.engine Profile

this one works fine
Comment 19 John Johansen 2023-06-16 17:24:38 UTC 
(In reply to Aleksey Kontsevich from comment #17)
> Created attachment 867626 [details]
> snap.telegram-desktop.telegram-desktop Profile
> 
> This one causes problems

This profile does not contain any mount rules, and hence does not allow mount operations. The issue here is different than in #12, this one is snap not giving/generating the permission that is being denied.
Comment 20 John Johansen 2023-06-16 17:27:39 UTC 
(In reply to Aleksey Kontsevich from comment #17)
> Created attachment 867626 [details]
> snap.telegram-desktop.telegram-desktop Profile
> 
> This one causes problems

Can you provide the denial messages, this one is causing?
Comment 21 John Johansen 2023-06-16 17:29:34 UTC 
(In reply to Aleksey Kontsevich from comment #18)
> Created attachment 867627 [details]
> snap.acestreamplayer.engine Profile
> 
> this one works fine

Interestingly this one doesn't have any mount rules either. Which makes seeing the errors for the telegram profile in comment #17 even more important to try and figure out your issue.
Comment 22 Aleksey Kontsevich 2023-06-16 19:46:21 UTC 
(In reply to John Johansen from comment #19)
> (In reply to Aleksey Kontsevich from comment #17)
> > Created attachment 867626 [details]
> > snap.telegram-desktop.telegram-desktop Profile
> > 
> > This one causes problems
> 
> This profile does not contain any mount rules, and hence does not allow
> mount operations. The issue here is different than in #12, this one is snap
> not giving/generating the permission that is being denied.


> ls /var/lib/snapd/apparmor/profiles/ -1
snap.acestreamplayer.acestreamplayer
snap.acestreamplayer.engine
snap.acestreamplayer.mpv
snap-confine.snapd.19122
snap-confine.snapd.19361
snap.telegram-desktop.hook.configure
snap.telegram-desktop.telegram-desktop
snap-update-ns.acestreamplayer
snap-update-ns.telegram-desktop

Which one do You need?

(In reply to John Johansen from comment #20)
> (In reply to Aleksey Kontsevich from comment #17)
> > Created attachment 867626 [details]
> > snap.telegram-desktop.telegram-desktop Profile
> > 
> > This one causes problems
> 
> Can you provide the denial messages, this one is causing?

> telegram-desktop
update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/tmp/.X11-unix /tmp/.X11-unix none bind,ro 0 0): permission denied
update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/fonts /usr/share/fonts none bind,ro 0 0): permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/icons/Adwaita /snap/telegram-desktop/4806/data-dir/icons/Adwaita none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/icons/Ambiant-MATE /snap/telegram-desktop/4806/data-dir/icons/Ambiant-MATE none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/icons/Breeze_Snow /snap/telegram-desktop/4806/data-dir/icons/Breeze_Snow none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/icons/DMZ-Black /snap/telegram-desktop/4806/data-dir/icons/DMZ-Black none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/icons/DMZ-White /snap/telegram-desktop/4806/data-dir/icons/DMZ-White none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/icons/HighContrast /snap/telegram-desktop/4806/data-dir/icons/HighContrast none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/icons/Humanity-Dark /snap/telegram-desktop/4806/data-dir/icons/Humanity-Dark none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/icons/Humanity /snap/telegram-desktop/4806/data-dir/icons/Humanity none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/icons/Papirus-Adapta-Maia /snap/telegram-desktop/4806/data-dir/icons/Papirus-Adapta-Maia none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/icons/Papirus-Adapta-Nokto-Maia /snap/telegram-desktop/4806/data-dir/icons/Papirus-Adapta-Nokto-Maia none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/icons/Papirus-Dark-Maia /snap/telegram-desktop/4806/data-dir/icons/Papirus-Dark-Maia none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/icons/Papirus-Light-Maia /snap/telegram-desktop/4806/data-dir/icons/Papirus-Light-Maia none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/icons/Papirus-Maia /snap/telegram-desktop/4806/data-dir/icons/Papirus-Maia none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/icons/Radiant-MATE /snap/telegram-desktop/4806/data-dir/icons/Radiant-MATE none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/icons/Yaru-MATE-dark /snap/telegram-desktop/4806/data-dir/icons/Yaru-MATE-dark none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/icons/Yaru-MATE-light /snap/telegram-desktop/4806/data-dir/icons/Yaru-MATE-light none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/icons/Yaru-bark-dark /snap/telegram-desktop/4806/data-dir/icons/Yaru-bark-dark none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/icons/Yaru-bark /snap/telegram-desktop/4806/data-dir/icons/Yaru-bark none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/icons/Yaru-blue-dark /snap/telegram-desktop/4806/data-dir/icons/Yaru-blue-dark none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/icons/Yaru-blue /snap/telegram-desktop/4806/data-dir/icons/Yaru-blue none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/icons/Yaru-dark /snap/telegram-desktop/4806/data-dir/icons/Yaru-dark none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/icons/Yaru-magenta-dark /snap/telegram-desktop/4806/data-dir/icons/Yaru-magenta-dark none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/icons/Yaru-magenta /snap/telegram-desktop/4806/data-dir/icons/Yaru-magenta none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/icons/Yaru-mate-dark /snap/telegram-desktop/4806/data-dir/icons/Yaru-mate-dark none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/icons/Yaru-mate /snap/telegram-desktop/4806/data-dir/icons/Yaru-mate none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/icons/Yaru-olive-dark /snap/telegram-desktop/4806/data-dir/icons/Yaru-olive-dark none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/icons/Yaru-olive /snap/telegram-desktop/4806/data-dir/icons/Yaru-olive none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/icons/Yaru-prussiangreen-dark /snap/telegram-desktop/4806/data-dir/icons/Yaru-prussiangreen-dark none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/icons/Yaru-prussiangreen /snap/telegram-desktop/4806/data-dir/icons/Yaru-prussiangreen none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/icons/Yaru-purple-dark /snap/telegram-desktop/4806/data-dir/icons/Yaru-purple-dark none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/icons/Yaru-purple /snap/telegram-desktop/4806/data-dir/icons/Yaru-purple none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/icons/Yaru-red-dark /snap/telegram-desktop/4806/data-dir/icons/Yaru-red-dark none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/icons/Yaru-red /snap/telegram-desktop/4806/data-dir/icons/Yaru-red none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/icons/Yaru-sage-dark /snap/telegram-desktop/4806/data-dir/icons/Yaru-sage-dark none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/icons/Yaru-sage /snap/telegram-desktop/4806/data-dir/icons/Yaru-sage none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/icons/Yaru-viridian-dark /snap/telegram-desktop/4806/data-dir/icons/Yaru-viridian-dark none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/icons/Yaru-viridian /snap/telegram-desktop/4806/data-dir/icons/Yaru-viridian none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/icons/Yaru /snap/telegram-desktop/4806/data-dir/icons/Yaru none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/icons/breeze_cursors /snap/telegram-desktop/4806/data-dir/icons/breeze_cursors none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/icons/default /snap/telegram-desktop/4806/data-dir/icons/default none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/icons/elementary-xfce-dark /snap/telegram-desktop/4806/data-dir/icons/elementary-xfce-dark none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/icons/elementary-xfce-darker /snap/telegram-desktop/4806/data-dir/icons/elementary-xfce-darker none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/icons/elementary-xfce-darkest /snap/telegram-desktop/4806/data-dir/icons/elementary-xfce-darkest none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/icons/elementary-xfce /snap/telegram-desktop/4806/data-dir/icons/elementary-xfce none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/icons/elementary /snap/telegram-desktop/4806/data-dir/icons/elementary none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/icons/handhelds /snap/telegram-desktop/4806/data-dir/icons/handhelds none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/icons/hicolor /snap/telegram-desktop/4806/data-dir/icons/hicolor none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/icons/redglass /snap/telegram-desktop/4806/data-dir/icons/redglass none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/icons/ubuntu-mono-dark /snap/telegram-desktop/4806/data-dir/icons/ubuntu-mono-dark none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/icons/ubuntu-mono-light /snap/telegram-desktop/4806/data-dir/icons/ubuntu-mono-light none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/icons/whiteglass /snap/telegram-desktop/4806/data-dir/icons/whiteglass none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/sounds/Yaru /snap/telegram-desktop/4806/data-dir/sounds/Yaru none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/sounds/freedesktop /snap/telegram-desktop/4806/data-dir/sounds/freedesktop none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Adwaita-dark /snap/telegram-desktop/4806/data-dir/themes/Adwaita-dark none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Adwaita /snap/telegram-desktop/4806/data-dir/themes/Adwaita none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Ambiance /snap/telegram-desktop/4806/data-dir/themes/Ambiance none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Ambiant-MATE-Dark /snap/telegram-desktop/4806/data-dir/themes/Ambiant-MATE-Dark none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Ambiant-MATE /snap/telegram-desktop/4806/data-dir/themes/Ambiant-MATE none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Arc-Dark /snap/telegram-desktop/4806/data-dir/themes/Arc-Dark none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Arc-Darker /snap/telegram-desktop/4806/data-dir/themes/Arc-Darker none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Arc /snap/telegram-desktop/4806/data-dir/themes/Arc none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Breeze-Dark /snap/telegram-desktop/4806/data-dir/themes/Breeze-Dark none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Breeze /snap/telegram-desktop/4806/data-dir/themes/Breeze none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Greybird-dark /snap/telegram-desktop/4806/data-dir/themes/Greybird-dark none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Greybird /snap/telegram-desktop/4806/data-dir/themes/Greybird none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/HighContrast /snap/telegram-desktop/4806/data-dir/themes/HighContrast none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Matcha-aliz /snap/telegram-desktop/4806/data-dir/themes/Matcha-aliz none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Matcha-azul /snap/telegram-desktop/4806/data-dir/themes/Matcha-azul none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Matcha-dark-aliz /snap/telegram-desktop/4806/data-dir/themes/Matcha-dark-aliz none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Matcha-dark-azul /snap/telegram-desktop/4806/data-dir/themes/Matcha-dark-azul none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Matcha-dark-sea /snap/telegram-desktop/4806/data-dir/themes/Matcha-dark-sea none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Matcha-sea /snap/telegram-desktop/4806/data-dir/themes/Matcha-sea none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Materia-compact /snap/telegram-desktop/4806/data-dir/themes/Materia-compact none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Materia-dark-compact /snap/telegram-desktop/4806/data-dir/themes/Materia-dark-compact none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Materia-dark /snap/telegram-desktop/4806/data-dir/themes/Materia-dark none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Materia-light-compact /snap/telegram-desktop/4806/data-dir/themes/Materia-light-compact none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Materia-light /snap/telegram-desktop/4806/data-dir/themes/Materia-light none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Materia /snap/telegram-desktop/4806/data-dir/themes/Materia none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Radiance /snap/telegram-desktop/4806/data-dir/themes/Radiance none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Radiant-MATE /snap/telegram-desktop/4806/data-dir/themes/Radiant-MATE none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Yaru-MATE-dark /snap/telegram-desktop/4806/data-dir/themes/Yaru-MATE-dark none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Yaru-MATE-light /snap/telegram-desktop/4806/data-dir/themes/Yaru-MATE-light none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Yaru-bark-dark /snap/telegram-desktop/4806/data-dir/themes/Yaru-bark-dark none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Yaru-bark /snap/telegram-desktop/4806/data-dir/themes/Yaru-bark none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Yaru-blue-dark /snap/telegram-desktop/4806/data-dir/themes/Yaru-blue-dark none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Yaru-blue /snap/telegram-desktop/4806/data-dir/themes/Yaru-blue none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Yaru-dark /snap/telegram-desktop/4806/data-dir/themes/Yaru-dark none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Yaru-light /snap/telegram-desktop/4806/data-dir/themes/Yaru-light none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Yaru-magenta-dark /snap/telegram-desktop/4806/data-dir/themes/Yaru-magenta-dark none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Yaru-magenta /snap/telegram-desktop/4806/data-dir/themes/Yaru-magenta none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Yaru-mate-dark /snap/telegram-desktop/4806/data-dir/themes/Yaru-mate-dark none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Yaru-mate /snap/telegram-desktop/4806/data-dir/themes/Yaru-mate none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Yaru-olive-dark /snap/telegram-desktop/4806/data-dir/themes/Yaru-olive-dark none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Yaru-olive /snap/telegram-desktop/4806/data-dir/themes/Yaru-olive none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Yaru-prussiangreen-dark /snap/telegram-desktop/4806/data-dir/themes/Yaru-prussiangreen-dark none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Yaru-prussiangreen /snap/telegram-desktop/4806/data-dir/themes/Yaru-prussiangreen none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Yaru-purple-dark /snap/telegram-desktop/4806/data-dir/themes/Yaru-purple-dark none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Yaru-purple /snap/telegram-desktop/4806/data-dir/themes/Yaru-purple none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Yaru-red-dark /snap/telegram-desktop/4806/data-dir/themes/Yaru-red-dark none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Yaru-red /snap/telegram-desktop/4806/data-dir/themes/Yaru-red none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Yaru-sage-dark /snap/telegram-desktop/4806/data-dir/themes/Yaru-sage-dark none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Yaru-sage /snap/telegram-desktop/4806/data-dir/themes/Yaru-sage none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Yaru-viridian-dark /snap/telegram-desktop/4806/data-dir/themes/Yaru-viridian-dark none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Yaru-viridian /snap/telegram-desktop/4806/data-dir/themes/Yaru-viridian none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Yaru /snap/telegram-desktop/4806/data-dir/themes/Yaru none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/elementary /snap/telegram-desktop/4806/data-dir/themes/elementary none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
cannot update snap namespace: cannot create writable mimic over "/usr/lib/x86_64-linux-gnu": permission denied
snap-update-ns failed with code 1
Comment 23 Aleksey Kontsevich 2023-06-16 19:47:05 UTC 
Created attachment 867630 [details]
snap-update-ns.telegram-desktop profile
Comment 24 Aleksey Kontsevich 2023-06-16 19:47:28 UTC 
Created attachment 867631 [details]
snap-update-ns.acestreamplayer profile
Comment 25 Michel Filipe 2023-06-16 23:29:08 UTC 
This issue is happening with Spotify and Brave as well.
Comment 26 dev 2023-06-17 00:25:50 UTC 
Created attachment 867632 [details]
/sbin/apparmor_parser -pq /var/lib/snapd/apparmor/profiles/snap.chromium.hook.configure

> uname -a
Linux localhost.localdomain 6.3.7-1-default #1 SMP PREEMPT_DYNAMIC Mon Jun 12 05:01:32 UTC 2023 (b5f9ff5) x86_64 x86_64 x86_64 GNU/Linux


On above system with apparmor 3.1.5-1.2,  trying to install chromium as below fails.

> snap install chromium --channel=latest/candidate/hwacc
2023-06-16T19:12:57-04:00 INFO Waiting for automatic snapd restart...
error: cannot perform the following tasks:
- Run configure hook of "chromium" snap if present (run hook "configure": 
-----
update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/doc /usr/share/doc none bind,ro 0 0): permission denied
update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/fonts /usr/share/fonts none bind,ro 0 0): permission denied
update.go:85: cannot change mount namespace according to change mount (/var/snap/cups/common/run /var/cups none bind,rw 0 0): permission denied
cannot update snap namespace: cannot create writable mimic over "/snap/chromium/2475": permission denied
snap-update-ns failed with code 1
-----)

On a related system with the same uname -a output, but with apparmoer 3.1.4-2.1 chromium installs and works fine. The attachment  snap.chromium.hook.configure_profile_with_includes is from that system.
Comment 27 John Johansen 2023-06-17 04:29:50 UTC 
Thanks Aleksey, can you also include kernel log info. I don't need everything just grep for DENIED

you should see some messages that look similar to

[ 1095.589947] audit: type=1400 audit(1686889086.956:71): apparmor="DENIED" operation="mount" class="mount" info="failed perms check" error=-13 profile="test" name="/tmp/.snap/etc/" pid=1472 comm="mount" srcname="/etc/" flags="rw, bind"
Comment 28 Michel Filipe 2023-06-17 04:48:00 UTC 
Created attachment 867633 [details]
/sbin/apparmor_parser -pq /var/lib/snapd/apparmor/profiles/snap-update-ns.spotify

> uname -a

Linux localhost.localdomain 6.3.7-1-default #1 SMP PREEMPT_DYNAMIC Mon Jun 12 05:01:32 UTC 2023 (b5f9ff5) x86_64 x86_64 x86_64 GNU/Linux

> spotify

type=AVC msg=audit(1686976996.738:744): apparmor="DENIED" operation="mount" class="mount" info="failed mntpnt match" error=-13 profile="snap-update-ns.spotify" name="/tmp/.snap/snap/spotify/67/data-dir/themes/" pid=20340 comm="5" srcname="/snap/spotify/67/data-dir/themes/" flags="rw, rbind"
type=AVC msg=audit(1686976996.730:676): apparmor="DENIED" operation="mount" class="mount" info="failed mntpnt match" error=-13 profile="snap-update-ns.spotify" name="/tmp/.snap/snap/spotify/67/data-dir/icons/" pid=20340 comm="5" srcname="/snap/spotify/67/data-dir/icons/" flags="rw, rbind"
type=AVC msg=audit(1686976996.734:690): apparmor="DENIED" operation="mount" class="mount" info="failed mntpnt match" error=-13 profile="snap-update-ns.spotify" name="/tmp/.snap/snap/spotify/67/data-dir/sounds/" pid=20340 comm="5" srcname="/snap/spotify/67/data-dir/sounds/" flags="rw, rbind"
Comment 29 Michel Filipe 2023-06-17 04:53:34 UTC 
Created attachment 867634 [details]
/sbin/apparmor_parser -pq /var/lib/snapd/apparmor/profiles/snap-update-ns.brave

> uname -a 

Linux localhost.localdomain 6.3.7-1-default #1 SMP PREEMPT_DYNAMIC Mon Jun 12 05:01:32 UTC 2023 (b5f9ff5) x86_64 x86_64 x86_64 GNU/Linux

> brave

type=AVC msg=audit(1686977332.616:755): apparmor="DENIED" operation="mount" class="mount" info="failed flags match" error=-13 profile="snap-update-ns.brave" name="/usr/share/fonts/" pid=22926 comm="5" srcname="/var/lib/snapd/hostfs/usr/share/fonts/" flags="rw, bind"
type=AVC msg=audit(1686977332.616:756): apparmor="DENIED" operation="mount" class="mount" info="failed mntpnt match" error=-13 profile="snap-update-ns.brave" name="/tmp/.snap/snap/brave/236/" pid=22926 comm="5" srcname="/snap/brave/236/" flags="rw, rbind"
Comment 30 Michel Filipe 2023-06-17 05:04:41 UTC 
Created attachment 867635 [details]
/sbin/apparmor_parser -pq /var/lib/snapd/apparmor/profiles/snap-update-ns.authy

> uname -a

Linux localhost.localdomain 6.3.7-1-default #1 SMP PREEMPT_DYNAMIC Mon Jun 12 05:01:32 UTC 2023 (b5f9ff5) x86_64 x86_64 x86_64 GNU/Linux

> authy

type=AVC msg=audit(1686977968.403:869): apparmor="DENIED" operation="mount" class="mount" info="failed mntpnt match" error=-13 profile="snap-update-ns.authy" name="/tmp/.snap/snap/authy/19/data-dir/themes/" pid=26702 comm="5" srcname="/snap/authy/19/data-dir/themes/" flags="rw, rbind" 
type=AVC msg=audit(1686977968.403:815): apparmor="DENIED" operation="mount" class="mount" info="failed mntpnt match" error=-13 profile="snap-update-ns.authy" name="/tmp/.snap/snap/authy/19/data-dir/sounds/" pid=26702 comm="5" srcname="/snap/authy/19/data-dir/sounds/" flags="rw, rbind"
type=AVC msg=audit(1686977968.403:813): apparmor="DENIED" operation="mount" class="mount" info="failed mntpnt match" error=-13 profile="snap-update-ns.authy" name="/tmp/.snap/snap/authy/19/data-dir/icons/" pid=26702 comm="5" srcname="/snap/authy/19/data-dir/icons/" flags="rw, rbind"
type=AVC msg=audit(1686977968.403:870): apparmor="DENIED" operation="mount" class="mount" info="failed flags match" error=-13 profile="snap-update-ns.authy" name="/tmp/.X11-unix/" pid=26702 comm="5" srcname="/var/lib/snapd/hostfs/tmp/.X11-unix/" flags="rw, bind" 
type=AVC msg=audit(1686977968.419:871): apparmor="DENIED" operation="mount" class="mount" info="failed mntpnt match" error=-13 profile="snap-update-ns.authy" name="/run/user/1000/doc/" pid=26711 comm="5" srcname="/run/user/1000/doc/by-app/snap.authy/" flags="rw, bind" 
type=AVC msg=audit(1686977968.399:761): apparmor="DENIED" operation="mount" class="mount" info="failed flags match" error=-13 profile="snap-update-ns.authy" name="/snap/authy/19/gnome-pla
tform/" pid=26702 comm="5" srcname="/snap/gnome-3-28-1804/198/" flags="rw, bind"
type=AVC msg=audit(1686977968.399:762): apparmor="DENIED" operation="mount" class="mount" info="failed flags match" error=-13 profile="snap-update-ns.authy" name="/usr/share/fonts/" pid=26702 comm="5" srcname="/var/lib/snapd/hostfs/usr/share/fonts/" flags="rw, bind"
type=AVC msg=audit(1686977968.399:763): apparmor="DENIED" operation="mount" class="mount" info="failed flags match" error=-13 profile="snap-update-ns.authy" name="/var/cache/fontconfig/" pid=26702 comm="5" srcname="/var/lib/snapd/hostfs/var/cache/fontconfig/" flags="rw, bind"
Comment 31 Aleksey Kontsevich 2023-06-17 08:16:58 UTC 
(In reply to John Johansen from comment #27)
> Thanks Aleksey, can you also include kernel log info. 

Command or path?

>I don't need everything just grep for DENIED
Comment 32 Christian Boltz 2023-06-17 12:02:10 UTC 
(In reply to Aleksey Kontsevich from comment #31)
> (In reply to John Johansen from comment #27)
> > Thanks Aleksey, can you also include kernel log info. 
> 
> Command or path?

grep DENIED /var/log/audit/audit.log
(if you don't have auditd running,   grep DENIED /var/log/messages   or the journalctl -b output)
Comment 33 Aleksey Kontsevich 2023-06-17 14:02:22 UTC 
Created attachment 867652 [details]
kernel.log
Comment 34 Aleksey Kontsevich 2023-06-17 14:03:06 UTC 
(In reply to Christian Boltz from comment #32)
> grep DENIED /var/log/audit/audit.log

This one attached.
Comment 35 Cristiano Guadagnino 2023-06-19 15:04:58 UTC 
Same problem here with Authy and scrcpy.
openSuse Tumbleweed.

cris@polaris:~> uname -a
Linux polarisuse 6.3.7-1-default #1 SMP PREEMPT_DYNAMIC Mon Jun 12 05:01:32 UTC 2023 (b5f9ff5) x86_64 x86_64 x86_64 GNU/Linux

Cris
Comment 36 Christian Boltz 2023-06-19 20:37:15 UTC 
Packages with the proposed upstream patch just finished building in my home repo. To get them, you can either add the repo 
    http://download.opensuse.org/repositories/home:/cboltz/openSUSE_Factory/
or you can download the package x86_64/apparmor-parser-3.1.5-947.1.x86_64.rpm and only install that ("zypper in ./apparmor-parser-3.1.5-947.1.x86_64.rpm")

(Only the apparmor-parser package changed, there's no need to install other packages from my home repo.)

After installling the (hopefully) fixed apparmor-parser package from home:cboltz, please test if snap now works, and report back.
(If you still notice failures, please attach the profile and the audit.log.)
Comment 37 Aleksey Kontsevich 2023-06-19 21:21:09 UTC 
(In reply to Christian Boltz from comment #36)
> Packages with the proposed upstream patch just finished building in my home
> repo. To get them, you can either add the repo 
>     http://download.opensuse.org/repositories/home:/cboltz/openSUSE_Factory/
> or you can download the package
> x86_64/apparmor-parser-3.1.5-947.1.x86_64.rpm and only install that ("zypper
> in ./apparmor-parser-3.1.5-947.1.x86_64.rpm")

Shorter variant:

sudo zypper in http://download.opensuse.org/repositories/home:/cboltz/openSUSE_Factory/x86_64/apparmor-parser-3.1.5-947.1.x86_64.rpm

> After installling the (hopefully) fixed apparmor-parser package from
> home:cboltz, please test if snap now works, and report back.
> (If you still notice failures, please attach the profile and the audit.log.)

Not fixed, same errors for telegram.
Comment 38 Aleksey Kontsevich 2023-06-19 21:24:42 UTC 
(In reply to Aleksey Kontsevich from comment #37)
> (In reply to Christian Boltz from comment #36)

> > After installling the (hopefully) fixed apparmor-parser package from
> > home:cboltz, please test if snap now works, and report back.
> > (If you still notice failures, please attach the profile and the audit.log.)
> 
> Not fixed, same errors for telegram.

Sorry, telegram works now: 

> sudo systemctl restart apparmor.service

did not helped for some reason, so forced to restart PC.
Comment 39 Christian Boltz 2023-06-19 21:35:36 UTC 
(In reply to Aleksey Kontsevich from comment #38)
> > sudo systemctl restart apparmor.service
> 
> did not helped for some reason, so forced to restart PC.

Wild guess: The snap profiles live in /var/lib/snapd/apparmor/profiles/, right?

"systemctl restart apparmor" will only reload the profiles in /etc/apparmor.d/, so you'll need to somehow force snap to reload the profile. Of course, rebooting is a way to do this, but maybe
    apparmor_parser -r /var/lib/snapd/apparmor/profiles/
is less annoying ;-)
(I don't use snap, therefore i don't know if there is a more "official" method to force a reload of its AppArmor profiles.)
Comment 40 Cristiano Guadagnino 2023-06-19 22:43:11 UTC 
Thank you @ChristianBoltz, with your fixed package my snaps are working now.
As Aleksey told, `systemctl restart apparmor.service` did not help.
I also tried the command you suggested (apparmor_parser -r /var/lib/snapd/apparmor/profiles/), but it didn't work either.
After a reboot everything is working smoothly.
Comment 41 Michel Filipe 2023-06-20 02:23:56 UTC 
> After installling the (hopefully) fixed apparmor-parser package from home:cboltz, please test if snap now works, and report back.

Brave, Spotify, Authy, VSCode, Opera and Slack are working with your package. Thanks for your effort to find a solution!
Comment 42 dev 2023-06-20 21:19:36 UTC 
(In reply to Christian Boltz from comment #36)
> Packages with the proposed upstream patch just finished building in my home
> repo. To get them, you can either add the repo 
>     http://download.opensuse.org/repositories/home:/cboltz/openSUSE_Factory/
> or you can download the package
> x86_64/apparmor-parser-3.1.5-947.1.x86_64.rpm and only install that ("zypper
> in ./apparmor-parser-3.1.5-947.1.x86_64.rpm")
> 
> (Only the apparmor-parser package changed, there's no need to install other
> packages from my home repo.)
> 
> After installling the (hopefully) fixed apparmor-parser package from
> home:cboltz, please test if snap now works, and report back.
> (If you still notice failures, please attach the profile and the audit.log.)

confirming that the apparmor-parser package from home:cboltz makes chromium from snap work again.
Comment 43 John Johansen 2023-06-21 00:40:49 UTC 
(In reply to Cristiano Guadagnino from comment #40)
> Thank you @ChristianBoltz, with your fixed package my snaps are working now.
> As Aleksey told, `systemctl restart apparmor.service` did not help.
> I also tried the command you suggested (apparmor_parser -r
> /var/lib/snapd/apparmor/profiles/), but it didn't work either.
> After a reboot everything is working smoothly.

sorry, you would have needed to use 

  apparmor_parser -rT /var/lib/snapd/apparmor/profiles/

the -T will cause apparmor to skip reading from the cache, forcing it to recompile the profiles. Since the neither the profile files nor the includes files were changed, apparmor will think the already compiled policy in the cache is still valid and load that.
Comment 44 John Johansen 2023-06-21 00:49:22 UTC 
(In reply to Christian Boltz from comment #39)
> (In reply to Aleksey Kontsevich from comment #38)
> > > sudo systemctl restart apparmor.service
> > 
> > did not helped for some reason, so forced to restart PC.
> 
> Wild guess: The snap profiles live in /var/lib/snapd/apparmor/profiles/,
> right?
> 
> "systemctl restart apparmor" will only reload the profiles in
> /etc/apparmor.d/, so you'll need to somehow force snap to reload the
> profile. Of course, rebooting is a way to do this, but maybe
>     apparmor_parser -r /var/lib/snapd/apparmor/profiles/
> is less annoying ;-)
> (I don't use snap, therefore i don't know if there is a more "official"
> method to force a reload of its AppArmor profiles.)

there isn't because an official way, ideally users shouldn't be tweaking/changing the snap generated profiles. You can try restarting the snapd.apparmor.service but afaik that will still run into the cached profiles (ie. not rebuilding the cache, and just using that instead) problem.

That could be worked around by manually deleting the profile cache, and then restarting the service.

With the newest versions of snapd vendoring apparmor, it might even be required to use the snapd.apparmor service because snap profiles might have policy rules that the system parser doesn't understand.
Comment 45 John Johansen 2023-06-21 02:35:30 UTC 
Thanks for all the verifications. Upstream apparmor will roll a 3.1.6 release with the fix, so cboltz can get it released asap.
Comment 46 John Johansen 2023-06-22 05:45:11 UTC 
AppArmor 3.1.6 has been released upstream. Thanks everyone for the reports and testing

https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.1.6
Comment 47 OBSbugzilla Bot 2023-06-22 12:25:02 UTC 
This is an autogenerated message for OBS integration:
This bug (1211989) was mentioned in
https://build.opensuse.org/request/show/1094655 Factory / apparmor
Comment 48 Christian Boltz 2023-06-23 20:33:56 UTC 
The SR with AppArmor 3.1.6 was accepted and will be part of one of the next Tumbleweed snapshots.

For those who tested the apparmor-parser package from my home repo, please don't forget to switch back to the Tumbleweed package (as soon as 3.1.6 is available there).
Comment 49 Aleksey Kontsevich 2023-06-26 12:00:07 UTC 
(In reply to John Johansen from comment #46)
> AppArmor 3.1.6 has been released upstream. Thanks everyone for the reports
> and testing

Works fine! Thanks to all!!!