Ubuntu 22.04 — dpkg interrupted during a package upgrade, "snap-confine has elevated permissions and is not confined", and Firefox no longer starts

During my last apt upgrade the system crashed. After rebooting and trying to upgrade again, it told me: dpkg was interrupted, you must manually run 'sudo dpkg --configure -a' to correct the problem. So I finished the upgrade by hand, as follows:

$ sudo apt upgrade

E: dpkg was interrupted, you must manually run 'sudo dpkg --configure -a' to correct the problem. 

$ sudo dpkg --configure -a

Setting up snapd (2.61.3+22.04) ...

Configuration file '/etc/apparmor.d/usr.lib.snapd.snap-confine.real'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : start a shell to examine the situation
 The default action is to keep your current version.
*** usr.lib.snapd.snap-confine.real (Y/I/N/O/D/Z) [default=N] ? N

snapd.failure.service is a disabled or a static unit not running, not starting it.
snapd.snap-repair.service is a disabled or a static unit not running, not starting it.
Failed to restart snapd.mounts-pre.target: Operation refused, unit snapd.mounts-pre.target may be requested by dependency only (it is configured to refuse manual start/stop).
See system logs and 'systemctl status snapd.mounts-pre.target' for details.
Could not execute systemctl:  at /usr/bin/deb-systemd-invoke line 142.
Setting up mutter-common (42.9-0ubuntu7) ...
Processing triggers for mailcap (3.70+nmu1ubuntu1) ...
Processing triggers for bamfdaemon (0.5.6+22.04.20220217-0ubuntu1) ...
Rebuilding /usr/share/applications/bamf-2.index...
Processing triggers for desktop-file-utils (0.26-1ubuntu3) ...
Processing triggers for gnome-menus (3.36.0-1ubuntu3) ...
Processing triggers for libglib2.0-0:amd64 (2.72.4-0ubuntu2.2) ...
Processing triggers for libc-bin (2.35-0ubuntu3.6) ...
Processing triggers for man-db (2.10.2-1) ...
Processing triggers for dbus (1.12.20-2ubuntu4.1) ...
Setting up libmutter-10-0:amd64 (42.9-0ubuntu7) ...
Setting up gir1.2-mutter-10:amd64 (42.9-0ubuntu7) ...
Processing triggers for libc-bin (2.35-0ubuntu3.6) ...

But now, after a clean reboot, I can no longer launch snap packages (recently upgraded ones such as Firefox) from the desktop:

$ cd snap
~/snap$ ls -la

drwx------ 12 ... ... 4096 Jul  6  2023 .
drwxr-x--- 27 ... ... 4096 Mär 29 09:13 ..
drwxr-xr-x  4 ... ... 4096 Apr 12  2023 atom
drwxr-xr-x  5 ... ... 4096 Mär 28 15:14 chromium
drwxr-xr-x  5 ... ... 4096 Mär 28 15:29 code
drwxr-xr-x  5 ... ... 4096 Dez 11 09:42 evince
drwxr-xr-x  5 ... ... 4096 Mär 28 08:33 firefox
drwxr-xr-x  5 ... ... 4096 Mär 28 15:29 postman
drwxr-xr-x  5 ... ... 4096 Mär 28 12:24 skype
drwxr-xr-x  5 ... ... 4096 Apr 28  2023 snapd-desktop-integration
drwxr-xr-x  4 ... ... 4096 Mär 28 20:30 snap-store
drwxr-xr-x  2 ... ... 4096 Jul  6  2023 vue

If I run...

$ sudo apparmor_parser -r /etc/apparmor.d/*snap-confine*

I can launch them from the desktop again and everything looks fine, but as soon as I reboot the problem is back.

Then I tried...

$ sudo systemctl enable --now apparmor.service
$ sudo systemctl enable --now snapd.apparmor.service

or ...

$ sudo service snapd start
$ sudo systemctl enable snapd.service
$ sudo systemctl enable --now snapd.service

or ...

$ sudo snap refresh
gnome-42-2204 0+git.510a601 from Canonical✓ refreshed

or ...

$ sudo apt reinstall --purge apparmor

or ...

$ sudo cp /var/lib/snapd/apparmor/profiles/snap-confine.snapd.21184 /etc/apparmor.d/usr.lib.snapd.snap-confine.real
$ sudo systemctl restart apparmor

or ...

$ sudo service snapd.apparmor start
$ sudo systemctl enable snapd.service
$ sudo systemctl start snapd.service
$ service snapd.apparmor start

or ...

$ sudo dpkg -P snapd
$ sudo apt install snapd

...as suggested in a few posts:

https://github.com/canonical/microk8s/issues/249

https://stackoverflow.com/questions/70053614/snap-confine-has-elevated-permissions-and-is-not-confined-but-should-be-refusin

https://forum.snapcraft.io/t/sudo-apt-get-upgrade-error/12001/9

In my logs I see:

Mar 28 19:43:40 ... ... systemd[...]: Started snap.firefox.firefox-1....scope.
Mar 28 19:43:40 ... ... firefox_firefox.desktop[...]: snap-confine has elevated permissions and is not confined but should be. Refusing to continue to avoid permission escalation attacks
Mar 28 19:43:40 ... ... firefox_firefox.desktop[...]: Please make sure that the snapd.apparmor service is enabled and started.
Mar 28 19:43:46 ... ... kernel: [ ...] [UFW BLOCK] IN=ens32 OUT= MAC=... SRC=... DST=... LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=2

What else can I try so that Firefox starts directly after a reboot?

Status check of snapd.service and apparmor.service:

$ systemctl status snapd.service
● snapd.service - Snap Daemon
     Loaded: loaded (/lib/systemd/system/snapd.service; enabled; vendor preset: enabled)
     Active: active (running) since Fri 2024-03-29 09:00:28 CET; 1h 8min ago
TriggeredBy: ● snapd.socket
   Main PID: ... (snapd)
      Tasks: 9 (limit: 4519)
     Memory: 21.4M
        CPU: 2.140s
     CGroup: /system.slice/snapd.service
             └─... /usr/lib/snapd/snapd

$ systemctl status apparmor.service
● apparmor.service - Load AppArmor profiles
     Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled)
     Active: active (exited) since Fri 2024-03-29 08:59:45 CET; 1h 10min ago
       Docs: man:apparmor(7)
             https://gitlab.com/apparmor/apparmor/wikis/home/
   Main PID: ... (code=exited, status=0/SUCCESS)
        CPU: 182ms

Snap and AppArmor versions:

$ snap version
snap    2.61.3+22.04
snapd   2.61.3+22.04
series  16
ubuntu  22.04
kernel  6.5.0-26-generic

$ dpkg -l
ii  apparmor                                   3.0.4-2ubuntu2.3                        amd64        user-space parser utility for AppArmor
ii  apparmor-profiles                          3.0.4-2ubuntu2.3                        all          experimental profiles for AppArmor security policies
ii  apparmor-utils                             3.0.4-2ubuntu2.3                        all          utilities for controlling AppArmor

Test:

$ sudo snap refresh firefox
snap "firefox" has no updates available

$ firefox
snap-confine has elevated permissions and is not confined but should be. Refusing to continue to avoid permission escalation attacks
Please make sure that the snapd.apparmor service is enabled and started.

Earlier AppArmor change - restricting the PDF viewer's internet access and limiting it to predefined directories

$ sudo aa-status
$ sudo apt install apparmor-profiles apparmor-utils
$ sudo aa-enforce /etc/apparmor.d/*
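The refusal in the question ("snap-confine has elevated permissions and is not confined but should be") is snap-confine checking, before it does anything with its setuid privileges, whether it is itself running under an AppArmor profile in enforce mode; if the profile is missing or only in complain mode it exits, which is why the snap never starts. The check below is an added example written for this page, not code from the question, from snapd or from Ubuntu. It reads the kernel's listing of loaded profiles (/sys/kernel/security/apparmor/profiles, one "name (mode)" line per profile, readable by root) and reports whether a snap-confine profile is loaded in enforce mode, covering both the distro profile at /usr/lib/snapd/snap-confine and the re-exec profile for the copy inside the snapd snap at /snap/snapd/<rev>/usr/lib/snapd/snap-confine, which snapd.apparmor.service loads from /var/lib/snapd/apparmor/profiles. The function names, the SNAP_CONFINE_LIVE switch and the two sample listings are my own constructions; the samples are not captured from the asker's machine.

```shell
#!/bin/sh
# Added example (not from the question, snapd or Ubuntu): check whether
# snap-confine is confined by AppArmor in enforce mode, which it requires
# before it will launch any snap. All function names, the SNAP_CONFINE_LIVE
# switch and the sample listings below are assumptions made for this example.

# Kernel listing of loaded profiles, one "<profile name> (<mode>)" per line.
# Readable by root.
AA_PROFILES=/sys/kernel/security/apparmor/profiles

# Matches the distro profile (/usr/lib/snapd/snap-confine) and the re-exec
# profile snapd generates for the snap-confine inside the snapd snap
# (/snap/snapd/<rev>/usr/lib/snapd/snap-confine, loaded by snapd.apparmor.service).
SNAP_CONFINE_RE='(/usr/lib/snapd|/snap/snapd/[0-9]+/usr/lib/snapd)/snap-confine'

# snap_confine_enforced LISTING
# Succeeds if at least one snap-confine profile is loaded in enforce mode.
snap_confine_enforced() {
    printf '%s\n' "$1" | grep -Eq '^'"$SNAP_CONFINE_RE"' \(enforce\)$'
}

# snap_confine_report LISTING
# Prints "<profile> <mode>" for every snap-confine profile in the listing.
# Child profiles such as .../snap-confine//mount-namespace-capture-helper are
# deliberately not matched; only the top-level profile decides the outcome.
snap_confine_report() {
    printf '%s\n' "$1" | sed -n 's|^\(.*/snap-confine\) (\([a-z]*\))$|\1 \2|p'
}

# snap_confine_diagnose LISTING
# Prints one status line; returns 0 (ok) or 1 (snaps will refuse to start).
snap_confine_diagnose() {
    listing=$1
    if snap_confine_enforced "$listing"; then
        echo "ok: snap-confine is confined (enforce)"
        return 0
    fi
    if printf '%s\n' "$listing" | grep -Eq '^'"$SNAP_CONFINE_RE"' \(complain\)$'; then
        echo "fail: snap-confine profile is loaded in complain mode, enforce is required"
        return 1
    fi
    echo "fail: no snap-confine profile is loaded; check snapd.apparmor.service and reload the profile with apparmor_parser -r"
    return 1
}

# snap_confine_check_live
# The same check against the running host (needs root to read securityfs).
snap_confine_check_live() {
    if [ ! -r "$AA_PROFILES" ]; then
        echo "fail: cannot read $AA_PROFILES (AppArmor not enabled, or not root)"
        return 1
    fi
    snap_confine_diagnose "$(cat "$AA_PROFILES")"
}

# Constructed sample listings (not captured from a real machine): a healthy
# host and one where the snap-confine profiles never got loaded.
SAMPLE_GOOD='/usr/bin/man (enforce)
/usr/lib/snapd/snap-confine (enforce)
/usr/lib/snapd/snap-confine//mount-namespace-capture-helper (enforce)
/snap/snapd/21184/usr/lib/snapd/snap-confine (enforce)
snap.firefox.firefox (enforce)'

SAMPLE_BAD='/usr/bin/man (enforce)
snap.firefox.firefox (enforce)'

# SNAP_CONFINE_LIVE=1 checks this host; otherwise run against the samples.
if [ "${SNAP_CONFINE_LIVE:-0}" = 1 ]; then
    snap_confine_check_live
else
    snap_confine_diagnose "$SAMPLE_GOOD" || true
    snap_confine_diagnose "$SAMPLE_BAD" || true
fi
```

Run it as root with `SNAP_CONFINE_LIVE=1` once right after a reboot and once after `sudo apparmor_parser -r /etc/apparmor.d/*snap-confine*`: if the first run reports no snap-confine profile and the second reports enforce, the profile is simply not being loaded at boot, and the thing to inspect is what loads it (apparmor.service for /etc/apparmor.d, snapd.apparmor.service for /var/lib/snapd/apparmor/profiles) rather than snapd.service, which the question already shows running normally. The report function is there to show which of the two profiles is missing, since a distro profile in enforce mode does not help if snapd re-executes into the snapd snap and that copy's profile is the one absent.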
