How do I fix snap run on a non-Ubuntu Linux kernel 4.18?

I am running snap applications on a non-Ubuntu system:

$ snap version
snap    2.30-5+b1
snapd   2.30-5+b1
series  16
pureos  
kernel  4.18.0-1-amd64

When I snap run some applications they work, but others return this error:

cannot perform readlinkat() on the mount namespace file descriptor of the init process: Permission denied

Following the suggestions on snapcraft.io, I tried:

  • Switching to the beta core. Same error.

  • Modifying the AppArmor profile as follows:

    1. Ran snap list to identify exactly which core version I am using (core 16-2.35.2 r 5548)

    2. Modified the corresponding file (/etc/apparmor.d/snap.core.5548.usr.lib.snapd.snap-confine) by adding ptrace read peer=unconfined, at the end, as described.

    3. Reloaded AppArmor: sudo apparmor_parser -r /etc/apparmor.d/snap.core.5548.usr.lib.snapd.snap-confine

But this made no difference. The failing applications continue to fail. What else can I do?


Notes

Confirmation of step 2:

$ tail /etc/apparmor.d/snap.core.5548.usr.lib.snapd.snap-confine
    # from the core snap but we are already inside the constructed mount
    # namespace. Here the apparmor kernel module re-constructs the path to
    # snap-update-ns using the "hostfs" mount entry rather than the more
    # "natural" /snap mount entry but we have no control over that.  This is
    # reported as (LP: #1716339). The variants here represent different
    # locations of snap mount directory across distributions.
    /var/lib/snapd/hostfs/{,var/lib/snapd/}snap/core/*/usr/lib/snapd/snap-update-ns r,

    ptrace read peer=unconfined,
}

Answer 1

Making the following additional changes resolved the problem. These steps did not work for other users on the snapcraft thread, but they did work for me. I am not sure whether any of the earlier changes were actually unnecessary.

  1. Modify /etc/apparmor.d/usr.lib.snapd.snap-confine.real to add ptrace read peer=unconfined, at the end, as follows:

    $ tail /etc/apparmor.d/usr.lib.snapd.snap-confine.real
            # But we don't want anyone to touch /snap/bin
            audit deny mount /snap/bin/** -> /**,
            audit deny mount /** -> /snap/bin/**,
    
            # Allow the content interface to bind fonts from the host filesystem
            mount options=(ro bind) /var/lib/snapd/hostfs/usr/share/fonts/ -> /snap/*/*/**,
        }
    
        ptrace read peer=unconfined,
    }
    
  2. sudo apparmor_parser -r /etc/apparmor.d/*snap-confine*
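
The hand edit in step 1 is easy to get wrong (the rule must land inside the outer profile, before its final closing brace, and must not be added twice on re-runs). The script below is an added example, not code from the question or the answer: it inserts the ptrace rule idempotently before the last `}` of a profile given as an argument, and leaves reloading to a separate function that needs root and apparmor_parser. The profile path and the sample profile in the test are assumptions.

```sh
#!/bin/sh
# Added example (not from the original post): add the rule the answer above
# adds by hand to a snap-confine AppArmor profile, exactly once, before the
# profile's final closing brace. Usage: add_rule /etc/apparmor.d/usr.lib.snapd.snap-confine.real
RULE='ptrace read peer=unconfined,'

# has_rule FILE -> exit 0 if the rule is already present (any indentation)
has_rule() {
    grep -qE '^[[:space:]]*ptrace read peer=unconfined,[[:space:]]*$' "$1"
}

# add_rule FILE -> insert the rule before the last line that is only "}"
# (the end of the main profile; inner "}" lines close child profiles).
add_rule() {
    file=$1
    if has_rule "$file"; then
        return 0            # already patched, nothing to do
    fi
    last=$(grep -nE '^[[:space:]]*}[[:space:]]*$' "$file" | tail -n 1 | cut -d: -f1)
    if [ -z "$last" ]; then
        echo "add_rule: no closing brace found in $file" >&2
        return 1
    fi
    tmp=$(mktemp) || return 1
    head -n "$((last - 1))" "$file" > "$tmp"      # everything before the brace
    printf '\n    %s\n' "$RULE" >> "$tmp"         # blank line plus the new rule
    tail -n "+$last" "$file" >> "$tmp"            # the brace and anything after
    cat "$tmp" > "$file" && rm -f "$tmp"          # keep the file's inode and mode
}

# reload_profile FILE -> load the edited profile into the kernel (root required)
reload_profile() {
    apparmor_parser -r "$1"
}
```

Running add_rule a second time is a no-op, so the script is safe to re-run after a snapd upgrade rewrites the profile.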
