skype snap does not work when home directory is not located in /home

Bug #1758449 reported by Georges
Affects: snapd (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned

Bug Description

Hi

similar to this bug around libreoffice (https://bugs.launchpad.net/ubuntu/+source/libreoffice/+bug/1751005), apparmor makes the skype snap not work without any information except this:

cannot create user data directory: /data/home/georges/snap/skype/23: Permission denied

despite the directory being writeable.

It would really be advisable to make apparmor-specific errors, else end-users will never determine where the error comes from.

The error is here:
Mar 23 22:35:08 breeze kernel: [6580445.024083] audit: type=1400 audit(1521840908.018:6807): apparmor="DENIED" operation="open" profile="/snap/core/4206/usr/lib/snapd/snap-confine" name="/data/" pid=7213 comm="snap-confine" requested_mask="r" denied_mask="r" fsuid=1001 ouid=0

I tried to remove the problem like this:
sudo apparmor_parser -R /etc/apparmor.d/snap.core.4206.usr.lib.snapd.snap-confine

Which gives a new issue
$ skype
snap-confine has elevated permissions and is not confined but should be. Refusing to continue to avoid permission escalation attacks

ProblemType: Bug
DistroRelease: Ubuntu 17.10
Package: apparmor 2.11.0-2ubuntu17
ProcVersionSignature: Ubuntu 4.10.0-42.46-generic 4.10.17
Uname: Linux 4.10.0-42-generic x86_64
ApportVersion: 2.20.7-0ubuntu3.7
Architecture: amd64
CurrentDesktop: XFCE
Date: Fri Mar 23 22:38:16 2018
InstallationDate: Installed on 2017-09-20 (184 days ago)
InstallationMedia: Xubuntu 17.04 "Zesty Zapus" - Release amd64 (20170412)
JournalErrors:
 Error: command ['journalctl', '-b', '--priority=warning', '--lines=1000'] failed with exit code 1: Hint: You are currently not seeing messages from other users and the system.
       Users in the 'systemd-journal' group can see all messages. Pass -q to
       turn off this notice.
 No journal files were opened due to insufficient permissions.
ProcKernelCmdline: BOOT_IMAGE=/vmlinuz-4.10.0-42-generic.efi.signed root=/dev/mapper/xubuntu--vg-root ro quiet splash vt.handoff=7
SourcePackage: apparmor
UpgradeStatus: Upgraded to artful on 2018-01-31 (50 days ago)

Christian Boltz (cboltz) wrote :

Just as a quick info - to get things working with non-default home directory locations, edit /etc/apparmor.d/tunables/home (or add a file to /etc/apparmor.d/tunables/home.d/) and add your custom path ("/data/home/") to the @{HOMEDIRS} variable.

I'm not sure why read access to /data/ was requested (do you have something besides the home directory in /data/ that could be needed by snap or skype?) or whether it is really needed; therefore I'd recommend re-checking whether this denial still happens after adjusting @{HOMEDIRS}.

Georges (georgeskesseler) wrote :

I did the HOMEDIRS thing, still not working

$ cat /etc/apparmor.d/tunables/home.d/my-homes
# set to parent directory of your user's directories. Eg, if user's dir is /foo/bar/USER,
# set this to /foo/bar/
@{HOMEDIRS}+=/data/home/

$ sudo service apparmor reload
$ skype
2018/03/24 14:01:56.276095 cmd_run.go:343: WARNING: XAUTHORITY environment value is not a clean path: "/data/home/georges/.Xauthority"
cannot create user data directory: /data/home/georges/snap/skype/23: Permission denied

$ sudo tail -2 /var/log/syslog
Mar 24 14:00:13 breeze anacron[30046]: Normal exit (0 jobs run)
Mar 24 14:01:56 breeze kernel: [6636053.148494] audit: type=1400 audit(1521896516.286:6903): apparmor="DENIED" operation="open" profile="/snap/core/4206/usr/lib/snapd/snap-confine" name="/data/" pid=30123 comm="snap-confine" requested_mask="r" denied_mask="r" fsuid=1001 ouid=0

I would like to add /data/home to /etc/apparmor.d/snap.core.4206.usr.lib.snapd.snap-confine but it's incomprehensible to me.
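As an added example (not part of the bug report, and not snapd or AppArmor code): a small POSIX shell script that parses the audit "DENIED" record quoted above into readable fields and checks the denied path against the @{HOMEDIRS} entries of a tunables file. Run on the report's own denial line and my-homes content (embedded here as constructed input), it shows that the path the kernel refused, /data/, is not under the /data/home/ entry that was added, so that tunable edit alone cannot account for this particular denial.

```shell
#!/bin/sh
# Added example, not from the bug report: parse AppArmor audit denials of the
# kind quoted in this report and check the denied path against @{HOMEDIRS}.

# Constructed input: the denial line and the tunables line copied from the report.
SAMPLE_LOG='Mar 24 14:01:56 breeze kernel: [6636053.148494] audit: type=1400 audit(1521896516.286:6903): apparmor="DENIED" operation="open" profile="/snap/core/4206/usr/lib/snapd/snap-confine" name="/data/" pid=30123 comm="snap-confine" requested_mask="r" denied_mask="r" fsuid=1001 ouid=0'
SAMPLE_TUNABLE='@{HOMEDIRS}+=/data/home/'

# field LINE KEY: print the value of KEY=value or KEY="value" from one audit record
field() {
    printf '%s\n' "$1" | awk -v k="$2" '{
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n && substr($i, 1, n - 1) == k) { v = substr($i, n + 1); gsub(/"/, "", v); print v; exit }
        }
    }'
}

# summarize LINE: one readable sentence for an apparmor="DENIED" record (fails otherwise)
summarize() {
    [ "$(field "$1" apparmor)" = "DENIED" ] || return 1
    printf '%s denied %s on %s to %s (pid %s, uid %s)\n' \
        "$(basename "$(field "$1" profile)")" "$(field "$1" denied_mask)" \
        "$(field "$1" name)" "$(field "$1" comm)" "$(field "$1" pid)" "$(field "$1" fsuid)"
}

# homedirs FILE: print every directory assigned (=) or appended (+=) to @{HOMEDIRS}
homedirs() {
    sed -n 's/^@{HOMEDIRS}+\{0,1\}=[[:space:]]*//p' "$1" | tr ' ' '\n' | sed '/^$/d'
}

# covered PATH FILE: succeed if PATH lies under one of the @{HOMEDIRS} entries in FILE
covered() {
    for d in $(homedirs "$2"); do
        case "$1" in "$d"*) return 0 ;; esac
    done
    return 1
}

TUNABLE_FILE=$(mktemp)
trap 'rm -f "$TUNABLE_FILE"' EXIT
printf '%s\n' '# constructed copy of /etc/apparmor.d/tunables/home.d/my-homes' "$SAMPLE_TUNABLE" > "$TUNABLE_FILE"

summarize "$SAMPLE_LOG"
DENIED_PATH=$(field "$SAMPLE_LOG" name)
if covered "$DENIED_PATH" "$TUNABLE_FILE"; then
    echo "$DENIED_PATH is under a configured @{HOMEDIRS} entry"
else
    echo "$DENIED_PATH is not under any @{HOMEDIRS} entry ($(homedirs "$TUNABLE_FILE" | tr '\n' ' '))"
fi
```

Feed it further lines from `journalctl -k` or /var/log/syslog to turn each denial into a one-line sentence naming profile, path and process, which is the kind of explanation the report asks AppArmor itself to give.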

Jamie Strandboge (jdstrand) wrote :
affects: apparmor (Ubuntu) → snapd (Ubuntu)
Changed in snapd (Ubuntu):
status: New → Confirmed