snapd

snapd is not removing apparmor profiles when removing snaps

Bug #1915823 reported by Alfonso Sanchez-Beato on 2021-02-16

This bug report is a duplicate of: Bug #1818241: unloadProfiles from interfaces/apparmor/apparmor.go does not unload any profiles. Edit Remove

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	snapd	New	Undecided	Unassigned

Bug Description

Removing a snap is not removing related apparmor profiles from the kernel:

$ snap install bluez
$ snap remove bluez
$ snap list
Name Version Rev Tracking Publisher Notes
core 16-2.48.2.1 10828 latest/stable canonical✓ core
core18 20210128 1990 latest/stable canonical✓ base
lxd 4.0.5 19206 4.0/stable/… canonical✓ -
snapd 2.48.2.1 11043 latest/stable canonical✓ snapd
$ sudo apparmor_status
apparmor module is loaded.
56 profiles are loaded.
56 profiles are in enforce mode.
...
   snap-update-ns.bluez
   snap-update-ns.core
   snap-update-ns.lxd
   snap.bluez.bluetoothctl
   snap.bluez.bluez
   snap.bluez.btattach
   snap.bluez.btmgmt
   snap.bluez.btmon
   snap.bluez.hciattach
   snap.bluez.hciconfig
   snap.bluez.hcidump
   snap.bluez.hcitool
   snap.bluez.meshctl
   snap.bluez.obex
   snap.bluez.obexctl
   snap.bluez.sdptool
...

stracing snapd while removing the snap reveals that is is calling "apparmor_parser --replace" insted of "--remove": https://paste.ubuntu.com/p/KGQnHG94xQ/

Revision history for this message

Paweł Stołowski (stolowski) wrote on 2021-02-23:

This is an old problem, extensively documented in the code (interfaces/apparmor/apparmor.go) and explained in more detail by Jamie in the existing bug: https://bugs.launchpad.net/snapd/+bug/1818241

Marking as duplicate.

Report a bug

This report contains Public information

Everyone can see this information.

Duplicate of bug #1818241 Remove

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.