I am running snap applications on a non-Ubuntu system:
$ snap version
snap 2.30-5+b1
snapd 2.30-5+b1
series 16
pureos
kernel 4.18.0-1-amd64
When I snap run some applications they work, but others return this error:
cannot perform readlinkat() on the mount namespace file descriptor of the init process: Permission denied
Following the suggestions on snapcraft.io, I tried:
1. Switching to the beta core. Same error.
2. Modifying the AppArmor profile as follows:
Running
snap list
to identify exactly which core version I am using (core 16-2.35.2 r5548), then modifying the corresponding file (
/etc/apparmor.d/snap.core.5548.usr.lib.snapd.snap-confine
) by adding the following to the end, as described: ptrace read peer=unconfined,
Updating AppArmor:
sudo apparmor_parser -r /etc/apparmor.d/snap.core.5548.usr.lib.snapd.snap-confine
But this made no difference. The failing applications keep failing. What else can I do?
Notes
Confirming step 2:
$ tail /etc/apparmor.d/snap.core.5548.usr.lib.snapd.snap-confine
# from the core snap but we are already inside the constructed mount
# namespace. Here the apparmor kernel module re-constructs the path to
# snap-update-ns using the "hostfs" mount entry rather than the more
# "natural" /snap mount entry but we have no control over that. This is
# reported as (LP: #1716339). The variants here represent different
# locations of snap mount directory across distributions.
/var/lib/snapd/hostfs/{,var/lib/snapd/}snap/core/*/usr/lib/snapd/snap-update-ns r,
ptrace read peer=unconfined,
}
Answer 1
Making the following additional changes solved the problem. These steps did not work for other users in the snapcraft thread, but they did work for me. I am not sure whether any of the earlier changes were actually unnecessary.
Modify
/etc/apparmor.d/usr.lib.snapd.snap-confine.real
by adding ptrace read peer=unconfined,
at the end, as follows:
$ tail /etc/apparmor.d/usr.lib.snapd.snap-confine.real
  # But we don't want anyone to touch /snap/bin
  audit deny mount /snap/bin/** -> /**,
  audit deny mount /** -> /snap/bin/**,

  # Allow the content interface to bind fonts from the host filesystem
  mount options=(ro bind) /var/lib/snapd/hostfs/usr/share/fonts/ -> /snap/*/*/**,
  }
  ptrace read peer=unconfined,
}
sudo apparmor_parser -r /etc/apparmor.d/*snap-confine*
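The edits above are made by hand, and the tail output in the answer shows why that is easy to get wrong: the rule has to land inside the profile's outermost braces (after the child profile's closing brace but before the final one), and appending it a second time on a retry leaves a duplicate. The following POSIX shell helper is an added example, not part of the question or answer: it inserts a rule immediately before the last closing brace of a profile file only if the rule is not already present, and reports what it did. The profile path, rule text and the `reload_profile` wrapper are assumptions for illustration; the reload step still needs root and is kept separate so the edit can be reviewed first. Keep in mind that `ptrace read peer=unconfined,` widens what snap-confine may inspect, so it is worth applying only to the profile that actually produced the readlinkat() denial rather than to every snap-confine profile with a glob.

```shell
#!/bin/sh
# Added example: idempotent insertion of an AppArmor rule before a profile's
# final closing brace, mirroring the manual edit described on this page.

# profile_has_rule FILE RULE -> exit 0 if RULE already appears in FILE.
profile_has_rule() {
    grep -Fq -- "$2" "$1"
}

# add_rule_before_last_brace FILE RULE
# Prints "present" and leaves FILE untouched if RULE is already there,
# otherwise inserts "  RULE" just before the last line that is only "}"
# (the end of the outermost profile) and prints "added".
# Exits non-zero if FILE has no closing brace at all.
add_rule_before_last_brace() {
    file="$1"
    rule="$2"
    if profile_has_rule "$file" "$rule"; then
        echo "present"
        return 0
    fi
    tmp="$file.tmp.$$"
    awk -v rule="$rule" '
        # Buffer every line and remember the last bare "}" we saw.
        { lines[NR] = $0
          if ($0 ~ /^[[:space:]]*}[[:space:]]*$/) last = NR }
        END {
            if (last == 0) exit 1      # not a profile: no closing brace
            for (i = 1; i <= NR; i++) {
                if (i == last) print "  " rule
                print lines[i]
            }
        }' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$file"
    echo "added"
}

# reload_profile FILE -> re-parse and load one profile (assumed path; needs root).
# Not run in the test below; shown for the step that follows the edit.
reload_profile() {
    sudo apparmor_parser -r "$1"
}

# Usage (assumed path from the answer above):
#   add_rule_before_last_brace /etc/apparmor.d/usr.lib.snapd.snap-confine.real \
#       'ptrace read peer=unconfined,'
#   reload_profile /etc/apparmor.d/usr.lib.snapd.snap-confine.real
```

After the reload, `sudo aa-status` lists the loaded profiles, and re-running the failing `snap run` command is the real check; if the denial persists, the audit log (`journalctl -k` or /var/log/audit/audit.log on systems with auditd) shows which profile and operation were actually denied, which tells you whether the rule went into the right file.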