canonical / microk8s

MicroK8s is a small, fast, single-package Kubernetes for datacenters and the edge.
https://microk8s.io
Apache License 2.0

snap-confine has elevated permissions and is not confined but should be. Refusing to continue to avoid permission escalation attacks #249

Closed a1exus closed 1 year ago

a1exus commented 5 years ago

Hello,

Trying to quick-start microk8s, yet running into the following error:

toor@suey:~$ sudo snap install microk8s --classic
[sudo] password for toor: 
microk8s v1.13.0 from Canonical✓ installed
toor@suey:~$ sudo microk8s.start
sudo: microk8s.start: command not found
toor@suey:~$ microk8s.kubectl get all --all-namespaces
snap-confine has elevated permissions and is not confined but should be. Refusing to continue to avoid permission escalation attacks
toor@suey:~$ sudo snap refresh --channel=latest/beta microk8s
microk8s (beta) v1.13.1 from Canonical✓ refreshed
Channel latest/beta for microk8s is closed; temporarily forwarding to beta.
toor@suey:~$ microk8s.kubectl get all --all-namespaces
snap-confine has elevated permissions and is not confined but should be. Refusing to continue to avoid permission escalation attacks
toor@suey:~$ microk8s.inspect
snap-confine has elevated permissions and is not confined but should be. Refusing to continue to avoid permission escalation attacks
toor@suey:~$ sudo microk8s.kubectl get all --all-namespaces
sudo: microk8s.kubectl: command not found
toor@suey:~$ 

Please advise.

ktsakalozos commented 5 years ago

Hi @a1exus ,

This error seems to be related to snapd. What distribution are you using? Looking at this https://forum.snapcraft.io/t/snap-confine-has-elevated-permissions-error/2391/3 , is it possible you are not running the default kernel?

Thanks

a1exus commented 5 years ago

@ktsakalozos thank you for your response, I'm running the default kernel that came with the Kali distro:

toor@suey:~$ cat /etc/lsb-release 
DISTRIB_ID=Kali
DISTRIB_RELEASE=kali-rolling
DISTRIB_CODENAME=kali-rolling
DISTRIB_DESCRIPTION="Kali GNU/Linux Rolling"
toor@suey:~$ 
toor@suey:~$ uname -a
Linux suey.nknwn.local 4.18.0-kali3-amd64 #1 SMP Debian 4.18.20-2kali2 (2018-11-30) x86_64 GNU/Linux
toor@suey:~$ 

ktsakalozos commented 5 years ago

Hi,

This has to be reported to the snapcraft team possibly at https://forum.snapcraft.io/t/snap-confine-has-elevated-permissions-error/2391 or on a new topic. This is out of my hands. I am sorry.

On Thu, Apr 25, 2019 at 4:09 PM xOrMalware notifications@github.com wrote:

I am experiencing the same problem. But I would like to give a little bit more information. I am trying to use Bitwarden.

If I install snapd, reboot, start the snap service, reboot, and install Bitwarden, I can get Bitwarden to run. However, if I reboot, then try to run Bitwarden, I get the error snap-confine has elevated permissions.

So I am not convinced this is as simple as a kernel issue, as I am surprised I was able to get the app to run at all.

but uname -a

Linux Kernel 4.19.0-kali4-amd64 …..


rajnish93 commented 5 years ago

  1. Check if snap core is not broken:
     $ snap list
  2. Update the following package:
     A. apparmor
     $ sudo apt-get install apparmor

Now everything will work

RealJTG commented 5 years ago

The same error occurs if the apparmor service is stopped or disabled.

ktsakalozos commented 5 years ago

Please report this issue to https://forum.snapcraft.io. Thank you.

dramirez-qb commented 5 years ago

@a1exus you can also fix it with

sudo apparmor_parser -r /etc/apparmor.d/*snap-confine*
sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap-confine*

AzimAhmadzadeh commented 5 years ago

According to the conversation in [Ubuntu Forum], this particular answer fixed my problem.

So, just install apparmor if you don't have it already, and then enable it with: systemctl enable --now apparmor.service

Note: For some reason, it asks for the password multiple times. In my case, 5 times!! Don't give up! :)

SukiCZ commented 5 years ago
sudo systemctl enable --now apparmor.service

fixed the issue for me. Asked for password once :tongue:

Maidomax commented 5 years ago

@a1exus you can also fix it with

sudo apparmor_parser -r /etc/apparmor.d/*snap-confine*
sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap-confine*

This works for me, but I have to do it after every reboot

ahmedmahershaaban commented 4 years ago

According to the conversation in [Ubuntu Forum], this particular answer fixed my problem.

So, just install apparmor if you don't have it already, and then enable it with: systemctl enable --now apparmor.service

Note: For some reason, it asks for the password multiple times. In my case, 5 times!! Don't give up! :)

fixed my problem thanks ^_^

HassanAmed commented 4 years ago

@a1exus you can also fix it with

sudo apparmor_parser -r /etc/apparmor.d/*snap-confine*
sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap-confine*

@dxas90 after running this I got cannot change profile for the next exec call: No such file or directory trying to up docker containers.

krupalraj commented 4 years ago

@a1exus you can also fix it with

sudo apparmor_parser -r /etc/apparmor.d/*snap-confine*
sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap-confine*

this worked for me ..thanks !!

FoxieFlakey commented 4 years ago

The same error occurs if the apparmor service is stopped or disabled.

True, it fixed my anbox snap installation.

tarzq306 commented 3 years ago

@a1exus you can also fix it with

sudo apparmor_parser -r /etc/apparmor.d/*snap-confine*
sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap-confine*

This works great for me. Thanks

FoxieFlakey commented 3 years ago

I do sudo systemctl start apparmor. Try that before you do the sudo apparmor_parser commands.

blessedjasonmwanza commented 3 years ago

This worked for my Kali Linux distro (Debian). It might work for you as well. Remember, the default snap that comes with the OS has this issue in most distros.

First, try uninstalling snap and snapd and then reinstalling them. This should fix it:

sudo apt remove snap && sudo apt remove snapd
# or
sudo apt remove snap
# and when its done, run
sudo apt remove snapd

FoxieFlakey commented 3 years ago

This worked for my Kali Linux distro (Debian). It might work for you as well. Remember, the default snap that comes with the OS has this issue in most distros.

First, try uninstalling snap and snapd and then reinstalling them. This should fix it:

sudo apt remove snap && sudo apt remove snapd
# or
sudo apt remove snap
# and when its done, run
sudo apt remove snapd
# Much simpler this way
# Apt have reinstall command
sudo apt reinstall snap snapd

c4tom commented 3 years ago
sudo apt reinstall snap snapd

I've already done this, but when I restart linux, the problem comes back.

LSB Version:    core-11.1.0ubuntu2-noarch:printing-11.1.0ubuntu2-noarch:security-11.1.0ubuntu2-noarch
Distributor ID: Linuxmint
Description:    Linux Mint 20.2
Release:    20.2
Codename:   uma

gcngov commented 3 years ago

@a1exus you can also fix it with

sudo apparmor_parser -r /etc/apparmor.d/*snap-confine*
sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap-confine*

It works on Kali Linux. Thank you @a1exus

FoxieFlakey commented 3 years ago
sudo apt reinstall snap snapd

I've already done this, but when I restart linux, the problem comes back.

LSB Version:  core-11.1.0ubuntu2-noarch:printing-11.1.0ubuntu2-noarch:security-11.1.0ubuntu2-noarch
Distributor ID:   Linuxmint
Description:  Linux Mint 20.2
Release:  20.2
Codename: uma

Do the other solutions work?

Onlyartist9 commented 3 years ago

Solved it with sudo snap refresh

revdeluxe commented 3 years ago

I have the same issue. Basically, all snap apps don't work.

  1. Check if snapd is running: service snapd force-reload or systemctl restart snapd apparmor is fine. No changes, and I also tried the profile changing, and this happened:

     WARNING: cgroup v2 is not fully supported yet, proceeding with partial confinement
     cannot change profile for the next exec call: No such file or directory
     snap-update-ns failed with code 1
  2. I try to install some apps on snap, and it works fine.
  3. apt remove snapd | apt install snapd is not an option for me; I have limited screen time online and every byte is gold.
  4. I've been hovering around on some forums, and most of them were Kali, Fedora, Linux Mint, basically distributions that don't have snapcraft pre-installed like pop_os, manjaro, ubuntu.
  5. I've mentioned that I installed another package from snap, and it was 'bombsquad'... it works fine but has some casual hiccups like audio errors...

bernhardkaindl commented 3 years ago

After finding this above

sudo apparmor_parser -r /etc/apparmor.d/*snap-confine*
sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap-confine*

I uninstalled apparmor (and thus also snapd) completely and reinstalled snapd again, which fixed it on Ubuntu 21.10 (to which I had updated before using update-manager, from an install of Ubuntu 21.04, which was upgraded from Ubuntu 20.10 before), so it looks like the update from older apparmor and snap triggered the issue.

sudo apt remove apparmor && sudo apt install snapd

rivetix commented 3 years ago

Had the same issue too after dist-upgrade today (all snaps didn't start), reinstalling apparmor and snapd did not help...

After running "sudo apparmor_parser..." suggested here there was another error (exactly the same as @HassanAmed posted). And after some deeper digging I got working snaps with sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/* It turns out that you should do this every time after reboot... and because of that I've found what caused all the trouble:

○ snapd.apparmor.service - Load AppArmor profiles managed internally by snapd
     Loaded: loaded (/lib/systemd/system/snapd.apparmor.service; disabled; vendor preset: disabled)
     Active: inactive (dead)

So finally systemctl enable --now snapd.apparmor.service fixed this for good. Hope this helps somebody.

_Note: I think that if sudo apparmor_parser -r /etc/apparmor.d/*snap-confine* helps to fix your issue then reinstalling could fix this with high chances_

sv-atoslav commented 3 years ago

sudo apt reinstall snap snapd
I've already done this, but when I restart linux, the problem comes back.

I wrote a script that runs after login. Hope it can be useful for someone else:

# fix snap
apt purge snap snapd
apt install snap snapd
systemctl restart snapd.service
# systemctl enable snapd.service # I delete snap again after every login
# install apps
declare -a SnapList=(
    "pycharm-community --classic"
    "telegram-desktop"
    "bitwarden"
    # ... enumerate YOUR snaps here
)
for package in "${SnapList[@]}";do
    # $package is left unquoted on purpose so that "name --classic" splits into two arguments
    snap install $package
done

and add this line to ~/.bashrc: export PATH="$PATH:/snap/bin/"

I run whole script with sudo permissions.

csof3cen commented 3 years ago

Thanks all for the help!

ghost commented 3 years ago

kali


The minimum number of files needed to have their definitions replaced (at least on Kali) is:

# Generic
sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap-update-ns.*
sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap.*
sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap-confine.snapd.14066

# Example For Discord
sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap-update-ns.discord
sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap.discord.discord
sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap-confine.snapd.14066

The real question is, how do I get it to stay fixed across reboots and how do I do this without requiring root privileges?

ghost commented 3 years ago

I'm digging more into apparmor. It appears at least for Kali, the profiles are not loaded at all. When running the replace command, the profiles will be added in enforce mode. I'll have to update if I figure out how to get the profiles to be loaded on boot (and without pulling sudo shenanigans with .zshrc or anything).

Edit: I'm using 3.0.3-6 version of the apparmor package from Kali's repo.
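
Added example, not part of any comment in this thread: a POSIX shell check of which snapd AppArmor profile kinds the kernel currently has loaded for a snap, which is the condition the comments above repair by hand with apparmor_parser -r. The function names, the sample list and the profile-name patterns (`snap.<name>.<app>`, `snap-update-ns.<name>`, a snap-confine profile named after its binary path) are assumptions of this example.

```sh
#!/bin/sh
# Added example: which snapd AppArmor profile kinds has the kernel loaded?
# Assumption: loaded profiles are listed one per line as "<name> (<mode>)"
# in /sys/kernel/security/apparmor/profiles (reading it needs root).

# Constructed sample list (not captured from a real machine): the distro's
# snap-confine profile and one snap's profiles are loaded, nothing for discord.
sample_loaded() {
    cat <<'EOF'
/usr/lib/snapd/snap-confine (enforce)
/usr/lib/snapd/snap-confine//mount-namespace-capture-helper (enforce)
snap-update-ns.bitwarden (enforce)
snap.bitwarden.bitwarden (enforce)
docker-default (enforce)
EOF
}

# missing_snap_profiles SNAP [LOADED_FILE]
# Prints the profile kinds NOT loaded for SNAP (snap-confine, snap-update-ns,
# app) and returns 1; prints nothing and returns 0 when all are present;
# prints "unreadable" and returns 2 when the list cannot be read.
missing_snap_profiles() {
    snap=$1
    loaded=${2:-/sys/kernel/security/apparmor/profiles}
    if [ ! -r "$loaded" ]; then
        echo unreadable   # AppArmor disabled, securityfs not mounted, or not root
        return 2
    fi
    names=$(sed 's/ ([a-z]*)$//' "$loaded")   # drop the trailing " (mode)"
    missing=
    # Assumption: snap-confine's profile is named after its binary path.
    printf '%s\n' "$names" | grep -q '/snap-confine$' ||
        missing="$missing snap-confine"
    printf '%s\n' "$names" | grep -qxF "snap-update-ns.$snap" ||
        missing="$missing snap-update-ns"
    printf '%s\n' "$names" | grep -q "^snap\.$snap\." ||
        missing="$missing app"
    if [ -z "$missing" ]; then return 0; fi
    echo "${missing# }"
    return 1
}

# Stand-alone use: sudo sh check-snap-profiles.sh discord
[ $# -eq 0 ] || missing_snap_profiles "$@"
```

If a kind is reported missing again after every reboot, `systemctl is-enabled apparmor.service snapd.apparmor.service` shows whether the units named in the comments above are enabled.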

ghost commented 3 years ago

This file might have some promise on getting snapd profiles to load on boot.


ghost commented 3 years ago

Yep, that did it. Open /lib/apparmor/rc.apparmor.functions and look for the line ADDITIONAL_PROFILE_DIR= and paste your snapd profile directory into that line. For me, the profile directory was /var/lib/snapd/apparmor/profiles/.


shdennlin commented 2 years ago

@alexis-evelyn Thanks, I also use Kali Linux and have the same error, and your answer solves my problem.

rangersmyth74 commented 2 years ago

Thank you all for all the different answers, and after doing many of the above tasks I was able to get pyradio working. For today anyway I am able to run Cointop without any error! This is great as I had to reinstall it every time to get it to work.

wexterhack commented 2 years ago

@a1exus you can also fix it with

sudo apparmor_parser -r /etc/apparmor.d/*snap-confine*
sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap-confine*

@dxas90 after running this I got cannot change profile for the next exec call: No such file or directory trying to up docker containers.

sudo apt install apparmor-utils apparmor-profiles
sudo apparmor_parser --add /var/lib/snapd/apparmor/profiles/snap.microk8s.*
sudo systemctl enable --now apparmor.service
sudo systemctl enable --now snapd.apparmor.service

stale[bot] commented 1 year ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

Foorack commented 8 months ago

Having a recurrence of this issue now. Running the two "apparmor" commands fixes it temporarily, but the issue comes back after reboot. Several machines impacted simultaneously.

davidshare commented 2 months ago

I have tried almost everything here, but I am stuck with the error:

snap-confine has elevated permissions and is not confined but should be. Refusing to continue to avoid permission escalation attacks
Please make sure that the snapd.apparmor service is enabled and started.