Arch Linux User Repository

2.36 is the first release with AppArmor enabled by default on Arch.

If you do not have AppArmor enabled at boot there should be no functional changes visible.

If you wish to use snaps with Apparmor, first make sure that Apparmor is enabled during boot, see https://wiki.archlinux.org/index.php/AppArmor for details. After upgrading the package, you need to do the following steps:

• Reload the profiles: systemctl restart apparmor.service
• Restart snapd: systemctl restart snapd.service
• Load profiles for snaps: systemctl enable --now snapd.apparmor.service

FYI, AppAmor 3.1.6 was just released with a fix for the regression introduced in 3.1.5, https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.1.6

Tblue: I see, thank you for opening the bug report. I was doubting myself since on a different computer it does work. The regressions must have been introduced after apparmor 3.1.4-1. The later version is installed on a different computer and still works fine!

Edit: I downgraded to 3.1.4-1 on this machine as well and was able to install without issues. Maybe this information is useful to your bug report.

InspectrClouseau: Indeed, see https://bugs.launchpad.net/bugs/2023814.

Seems like there is something missing in regards to apparmor. I can't install or run spotify on 6.1.31. When I disable the apparmor service and remove the kernel parameter I can install and run spotify just fine. I had build the new version including the patch of course.

With apparmor activated the installation fails with the following messages.

    2023-06-17T17:04:00+02:00 INFO Waiting for automatic snapd restart...
    error: cannot perform the following tasks:
    - Run configure hook of "spotify" snap if present (run hook "configure":
    -----
    ha-dark-sea none bind,ro 0 0): cannot create writable mimic over "/snap/spotify/67/data-dir/themes": permission denied
    update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Matcha-sea /snap/spotify/67/data-dir/themes/Matcha-sea none bind,ro 0 0): cannot create writable mimic over "/snap/spotify/67/data-dir/themes": permission denied
    update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Materia-compact /snap/spotify/67/data-dir/themes/Materia-compact none bind,ro 0 0): cannot create writable mimic over "/snap/spotify/67/data-dir/themes": permission denied
    update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Materia-dark-compact /snap/spotify/67/data-dir/themes/Materia-dark-compact none bind,ro 0 0): cannot create writable mimic over "/snap/spotify/67/data-dir/themes": permission denied
    update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Materia-dark /snap/spotify/67/data-dir/themes/Materia-dark none bind,ro 0 0): cannot create writable mimic over "/snap/spotify/67/data-dir/themes": permission denied
    update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Materia-light-compact /snap/spotify/67/data-dir/themes/Materia-light-compact none bind,ro 0 0): cannot create writable mimic over "/snap/spotify/67/data-dir/themes": permission denied
    update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Materia-light /snap/spotify/67/data-dir/themes/Materia-light none bind,ro 0 0): cannot create writable mimic over "/snap/spotify/67/data-dir/themes": permission denied
    update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Materia /snap/spotify/67/data-dir/themes/Materia none bind,ro 0 0): cannot create writable mimic over "/snap/spotify/67/data-dir/themes": permission denied
    update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Radiance /snap/spotify/67/data-dir/themes/Radiance none bind,ro 0 0): cannot create writable mimic over "/snap/spotify/67/data-dir/themes": permission denied
    update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Radiant-MATE /snap/spotify/67/data-dir/themes/Radiant-MATE none bind,ro 0 0): cannot create writable mimic over "/snap/spotify/67/data-dir/themes": permission denied
    update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Yaru-MATE-dark /snap/spotify/67/data-dir/themes/Yaru-MATE-dark none bind,ro 0 0): cannot create writable mimic over "/snap/spotify/67/data-dir/themes": permission denied
    update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Yaru-MATE-light /snap/spotify/67/data-dir/themes/Yaru-MATE-light none bind,ro 0 0): cannot create writable mimic over "/snap/spotify/67/data-dir/themes": permission denied
    update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Yaru-bark-dark /snap/spotify/67/data-dir/themes/Yaru-bark-dark none bind,ro 0 0): cannot create writable mimic over "/snap/spotify/67/data-dir/themes": permission denied
    update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Yaru-bark /snap/spotify/67/data-dir/themes/Yaru-bark none bind,ro 0 0): cannot create writable mimic over "/snap/spotify/67/data-dir/themes": permission denied
    update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Yaru-blue-dark /snap/spotify/67/data-dir/themes/Yaru-blue-dark none bind,ro 0 0): cannot create writable mimic over "/snap/spotify/67/data-dir/themes": permission denied
    update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Yaru-blue /snap/spotify/67/data-dir/themes/Yaru-blue none bind,ro 0 0): cannot create writable mimic over "/snap/spotify/67/data-dir/themes": permission denied
    update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Yaru-dark /snap/spotify/67/data-dir/themes/Yaru-dark none bind,ro 0 0): cannot create writable mimic over "/snap/spotify/67/data-dir/themes": permission denied
    update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Yaru-light /snap/spotify/67/data-dir/themes/Yaru-light none bind,ro 0 0): cannot create writable mimic over "/snap/spotify/67/data-dir/themes": permission denied
    update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Yaru-magenta-dark /snap/spotify/67/data-dir/themes/Yaru-magenta-dark none bind,ro 0 0): cannot create writable mimic over "/snap/spotify/67/data-dir/themes": permission denied
    update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Yaru-magenta /snap/spotify/67/data-dir/themes/Yaru-magenta none bind,ro 0 0): cannot create writable mimic over "/snap/spotify/67/data-dir/themes": permission denied
    update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Yaru-mate-dark /snap/spotify/67/data-dir/themes/Yaru-mate-dark none bind,ro 0 0): cannot create writable mimic over "/snap/spotify/67/data-dir/themes": permission denied
    update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Yaru-mate /snap/spotify/67/data-dir/themes/Yaru-mate none bind,ro 0 0): cannot create writable mimic over "/snap/spotify/67/data-dir/themes": permission denied
    update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Yaru-olive-dark /snap/spotify/67/data-dir/themes/Yaru-olive-dark none bind,ro 0 0): cannot create writable mimic over "/snap/spotify/67/data-dir/themes": permission denied
    update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Yaru-olive /snap/spotify/67/data-dir/themes/Yaru-olive none bind,ro 0 0): cannot create writable mimic over "/snap/spotify/67/data-dir/themes": permission denied
    update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Yaru-prussiangreen-dark /snap/spotify/67/data-dir/themes/Yaru-prussiangreen-dark none bind,ro 0 0): cannot create writable mimic over "/snap/spotify/67/data-dir/themes": permission denied
    update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Yaru-prussiangreen /snap/spotify/67/data-dir/themes/Yaru-prussiangreen none bind,ro 0 0): cannot create writable mimic over "/snap/spotify/67/data-dir/themes": permission denied
    update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Yaru-purple-dark /snap/spotify/67/data-dir/themes/Yaru-purple-dark none bind,ro 0 0): cannot create writable mimic over "/snap/spotify/67/data-dir/themes": permission denied
    update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Yaru-purple /snap/spotify/67/data-dir/themes/Yaru-purple none bind,ro 0 0): cannot create writable mimic over "/snap/spotify/67/data-dir/themes": permission denied
    update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Yaru-red-dark /snap/spotify/67/data-dir/themes/Yaru-red-dark none bind,ro 0 0): cannot create writable mimic over "/snap/spotify/67/data-dir/themes": permission denied
    update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Yaru-red /snap/spotify/67/data-dir/themes/Yaru-red none bind,ro 0 0): cannot create writable mimic over "/snap/spotify/67/data-dir/themes": permission denied
    update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Yaru-sage-dark /snap/spotify/67/data-dir/themes/Yaru-sage-dark none bind,ro 0 0): cannot create writable mimic over "/snap/spotify/67/data-dir/themes": permission denied
    update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Yaru-sage /snap/spotify/67/data-dir/themes/Yaru-sage none bind,ro 0 0): cannot create writable mimic over "/snap/spotify/67/data-dir/themes": permission denied
    update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Yaru-viridian-dark /snap/spotify/67/data-dir/themes/Yaru-viridian-dark none bind,ro 0 0): cannot create writable mimic over "/snap/spotify/67/data-dir/themes": permission denied
    update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Yaru-viridian /snap/spotify/67/data-dir/themes/Yaru-viridian none bind,ro 0 0): cannot create writable mimic over "/snap/spotify/67/data-dir/themes": permission denied
    update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Yaru /snap/spotify/67/data-dir/themes/Yaru none bind,ro 0 0): cannot create writable mimic over "/snap/spotify/67/data-dir/themes": permission denied
    update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/elementary /snap/spotify/67/data-dir/themes/elementary none bind,ro 0 0): cannot create writable mimic over "/snap/spotify/67/data-dir/themes": permission denied
    update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/tmp/.X11-unix /tmp/.X11-unix none bind,ro 0 0): permission denied
    cannot update snap namespace: cannot create writable mimic over "/usr/lib/x86_64-linux-gnu": permission denied
    snap-update-ns failed with code 1
    -----)

The current snapd release (v2.59.5) suffers from openSUSE bug 1211989, which leads to errors like the following when trying to use (some?) snaps:

$ some-snap-app
cannot perform operation: mount -t tmpfs /tmp/snap.rootfs_A5z0uT: Permission denied

This has been fixed on the current snapd master branch, in commit 385d206 (GitHub PR).

Here's a patch for this AUR package that cherry-picks this commit (can be applied with git am):

From 560ae8b2a14d6761866c492b2a4d7c040f4825fb Mon Sep 17 00:00:00 2001
From: Tilman Blumenbach <tilman+git@ax86.net>
Date: Thu, 8 Jun 2023 21:26:00 +0200
Subject: [PATCH] Cherry-pick fix for incompatible AppArmor change.

Source:
https://github.com/snapcore/snapd/commit/385d206348e4dad96ab4fe0fd08f3818515e3906

See:
    - https://bugzilla.opensuse.org/show_bug.cgi?id=1211989
    - https://github.com/snapcore/snapd/pull/12845
---
 PKGBUILD                 |  4 +++-
 snapcore-bug-12845.patch | 29 +++++++++++++++++++++++++++++
 2 files changed, 32 insertions(+), 1 deletion(-)
 create mode 100644 snapcore-bug-12845.patch

diff --git a/PKGBUILD b/PKGBUILD
index 31bfcdf..3231fb8 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -19,8 +19,10 @@ options=('!strip' 'emptydirs' '!lto')
 install=snapd.install
 source=(
     "$pkgname-$pkgver.tar.xz::https://github.com/snapcore/${pkgname}/releases/download/${pkgver}/${pkgname}_${pkgver}.vendor.tar.xz"
+    snapcore-bug-12845.patch
 )
-sha256sums=('d2d9efbc2db7fa79edf0c73286320ab5ba039ae30874e88725ef326c618ae5df')
+sha256sums=('d2d9efbc2db7fa79edf0c73286320ab5ba039ae30874e88725ef326c618ae5df'
+            '251449de88f91778980269eda86b995b8cae6af15c90db2734707a47c18d9fb2')


 _gourl=github.com/snapcore/snapd
diff --git a/snapcore-bug-12845.patch b/snapcore-bug-12845.patch
new file mode 100644
index 0000000..7bed7da
--- /dev/null
+++ b/snapcore-bug-12845.patch
@@ -0,0 +1,29 @@
+Patch downloaded from:
+https://github.com/snapcore/snapd/commit/385d206348e4dad96ab4fe0fd08f3818515e3906.patch
+
+See: https://github.com/snapcore/snapd/pull/12845
+
+
+From 385d206348e4dad96ab4fe0fd08f3818515e3906 Mon Sep 17 00:00:00 2001
+From: Michael Vogt <mvo@ubuntu.com>
+Date: Mon, 5 Jun 2023 16:18:47 +0200
+Subject: [PATCH] snap-confine: add `tmpfs` mount rule to apparmor profile
+ (#12845)
+
+There is a bugfix to make the mount rules more strict/explicit in apparmor 3.0.10, see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.0.10 - this affects snapd as it's current profile relies on the implicit behavior. With this commit the missing mount rule is added explicitly.
+---
+ cmd/snap-confine/snap-confine.apparmor.in | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/cmd/snap-confine/snap-confine.apparmor.in b/cmd/snap-confine/snap-confine.apparmor.in
+index fb999368bc4..73d14c8c781 100644
+--- a/cmd/snap-confine/snap-confine.apparmor.in
++++ b/cmd/snap-confine/snap-confine.apparmor.in
+@@ -172,6 +172,7 @@
+ 
+     # boostrapping the mount namespace
+     /tmp/snap.rootfs_*/ rw,
++    mount fstype=tmpfs none -> /tmp/snap.rootfs_*/,
+     mount options=(rw rshared) -> /,
+     mount options=(rw bind) /tmp/snap.rootfs_*/ -> /tmp/snap.rootfs_*/,
+     mount options=(rw unbindable) -> /tmp/snap.rootfs_*/,
-- 
2.41.0

On a completely new installation, I have found out these packages to be required by the build of snapd: pkgconf, autoconf and automake. Otherwise, it will not build.

Just a heads up for anyone experiencing problems building, I was not able to build this package with gcc-go, but building with go works just fine.

It should probably be noted somewhere that this package needs go and not gcc-go. Or there is otherwise some issue or additional dependency when using gcc-go (i'm not sure which is true/caused it to not build with gcc-go)

Create snapd-bin

@Repp no, not really https://wiki.archlinux.org/title/Arch_User_Repository#Getting_started https://wiki.archlinux.org/title/PKGBUILD#makedepends

Because it's so hard for folks to follow, quoting here from the PKGBUILD archwiki page:

Note: The group base-devel is assumed to be already installed when building with makepkg. Members of this group should not be included in makedepends array.

automake and autoconf should be added to makedepends