To ensure that we don't unwittingly break snapd AppArmor confinement, it is useful to have a vetted set of tests with the same starting and ending point.
To test snapd.apparmor confinement, start by resetting the snapd environment to a known good state:
# remove the hello-world snap if installed
sudo snap remove hello-world
# remove the AppArmor cache
sudo rm -rf /var/cache/apparmor
# reinstall snapd and apparmor and ensure that aa-lsm-hook and usysoncf triggers run
sudo eopkg it --reinstall snapd apparmor
If you have more than the hello-world snap installed, please sudo snap remove
all installed snaps.
At this point, either relog or reboot the machine on which the test is being run.
After the relog/reboot, check that the following works:
# check the status of the snapd.apparmor.service (it should be enabled and running in the green)
sudo systemctl status snapd.apparmor.service
# install and run the hello-world snap
sudo snap install hello-world
snap run hello-world
The expected output of snap run hello-world
with a correctly configured snapd AppArmor confinement:
$ snap run hello-world
Hello World!
If something is wrong with how the snapd AppArmor confinement is set up, the error state will typically look something like this:
$ snap run hello-world
snap-confine has elevated permissions and is not confined but should be. Refusing to continue to avoid permission escalation attacks
Please make sure that the snapd.apparmor service is enabled and started.