我在非 Ubuntu 系统上运行 snap 应用程序:
$ snap version
snap 2.30-5+b1
snapd 2.30-5+b1
series 16
pureos
kernel 4.18.0-1-amd64
当我snap run的一些应用程序工作,但其他人返回此错误:
cannot perform readlinkat() on the mount namespace file descriptor of the init process: Permission denied
按照snapcraft.io 的建议,我尝试过:
切换到 beta 核心。同样的错误。
修改 AppArmor 配置文件如下:
运行
snap list以确定我正在使用的核心版本(核心 16-2.35.2 r 5548)修改适当的文件 (
/etc/apparmor.d/snap.core.5548.usr.lib.snapd.snap-confine),如所述添加ptrace read peer=unconfined,到末尾。使用更新 AppArmor
sudo apparmor_parser -r /etc/apparmor.d/snap.core.5548.usr.lib.snapd.snap-confine
但这没有什么区别。失败的应用程序继续失败。我还可以做些什么?
笔记
确认第 2 步:
$ tail /etc/apparmor.d/snap.core.5548.usr.lib.snapd.snap-confine
# from the core snap but we are already inside the constructed mount
# namespace. Here the apparmor kernel module re-constructs the path to
# snap-update-ns using the "hostfs" mount entry rather than the more
# "natural" /snap mount entry but we have no control over that. This is
# reported as (LP: #1716339). The variants here represent different
# locations of snap mount directory across distributions.
/var/lib/snapd/hostfs/{,var/lib/snapd/}snap/core/*/usr/lib/snapd/snap-update-ns r,
ptrace read peer=unconfined,
}
进行以下附加更改解决了该问题。这些步骤不适用于 snapcraft 线程上的其他用户,但它们确实对我有用。我不确定之前的任何更改是否实际上是不必要的。
/etc/apparmor.d/usr.lib.snapd.snap-confine.real在末尾添加修改ptrace read peer=unconfined,,如下:sudo apparmor_parser -r /etc/apparmor.d/*snap-confine*