Thanks Alex and John for jumping in -- I did some investigation and I'm more and more persuaded that this is indeed a kernel (AppArmor bug).
The good thing is that this is 100% reproducible by just installing the latest 22.10 daily images: firefox starts with warnings, and slack does not start at all. It's also true, as first suggested by Mathias, that booting with the kernel 5.19.0-18-generic makes the problem go away. Even with that kernel there are still error messages left, related to mkdir failing, but that is due to bug 1951210 which has been fixed with https://github.com/snapcore/snapd/pull/12127 (but the fix has not been released yet, hence we still see these errors). The errors which turns out to be fatal (for slack) are those mentioned by Andreas as he submitted the bug: > update.go:85: cannot change mount namespace according to change mount (/run/user/1000/doc/by-app/snap.slack /run/user/1000/doc none bind,rw,x-snapd.ignore-missing 0 0): cannot inspect "/run/user/1000/doc": lstat /run/user/1000/doc: permission denied The failure is on "lstat", which triggers the AppArmor's getattr permission. The audit logs with the latest kernel show a flood of denials on getattr, which disappear with the previous kernel version. Could it be that the latest kernel has changed something in the way that getattr is handled? I just found https://gitlab.com/apparmor/apparmor/-/issues/132 and I wonder if that code path has finally been enabled. ** Bug watch added: gitlab.com/apparmor/apparmor/-/issues #132 https://gitlab.com/apparmor/apparmor/-/issues/132 -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1991691 Title: cannot change mount namespace Status in Linux: New Status in linux package in Ubuntu: Confirmed Status in snapd package in Ubuntu: Incomplete Bug description: Multiple snaps are either broken or "only" display permission denied messages. slack snap is not starting at all with: > update.go:85: cannot change mount namespace according to change mount (/run/user/1000/doc/by-app/snap.slack /run/user/1000/doc none bind,rw,x-snapd.ignore-missing 0 0): cannot inspect "/run/user/1000/doc": lstat /run/user/1000/doc: permission denied firefox snap does start, but also logs errors: update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/doc /usr/share/doc none bind,ro 0 0): cannot inspect "/var/lib/snapd/hostfs/usr/share/doc": lstat /var/lib/snapd/hostfs/usr/share/doc: permission denied update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/fonts /usr/share/fonts none bind,ro 0 0): cannot inspect "/var/lib/snapd/hostfs/usr/share/fonts": lstat /var/lib/snapd/hostfs/usr/share/fonts: permission denied update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/local/share/fonts /usr/local/share/fonts none bind,ro 0 0): cannot inspect "/usr/local/share/fonts": lstat /usr/local/share/fonts: permission denied update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/cups/doc-root /usr/share/cups/doc-root none bind,ro 0 0): cannot create directory "/usr/share/cups/doc-root": permission denied update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/gimp/2.0/help /usr/share/gimp/2.0/help none bind,ro 0 0): cannot create directory "/usr/share/gimp/2.0": permission denied update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/gtk-doc /usr/share/gtk-doc none bind,ro 0 0): cannot inspect "/var/lib/snapd/hostfs/usr/share/gtk-doc": lstat /var/lib/snapd/hostfs/usr/share/gtk-doc: permission denied update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/libreoffice/help /usr/share/libreoffice/help none bind,ro 0 0): cannot create directory "/usr/share/libreoffice/help": permission denied update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/xubuntu-docs /usr/share/xubuntu-docs none bind,ro 0 0): cannot inspect "/var/lib/snapd/hostfs/usr/share/xubuntu-docs": lstat /var/lib/snapd/hostfs/usr/share/xubuntu-docs: permission denied update.go:85: cannot change mount namespace according to change mount (/run/user/1000/doc/by-app/snap.firefox /run/user/1000/doc none bind,rw,x-snapd.ignore-missing 0 0): cannot inspect "/run/user/1000/doc": lstat /run/user/1000/doc: permission denied ProblemType: Bug DistroRelease: Ubuntu 22.10 Package: snap (not installed) ProcVersionSignature: Ubuntu 5.19.0-19.19-generic 5.19.7 Uname: Linux 5.19.0-19-generic x86_64 NonfreeKernelModules: nvidia_modeset nvidia ApportVersion: 2.23.0-0ubuntu2 Architecture: amd64 CasperMD5CheckResult: unknown CurrentDesktop: XFCE Date: Tue Oct 4 17:29:01 2022 InstallationDate: Installed on 2017-09-26 (1834 days ago) InstallationMedia: Ubuntu-Server 17.10 "Artful Aardvark" - Alpha amd64 (20170924) SourcePackage: snap UpgradeStatus: Upgraded to kinetic on 2022-05-22 (134 days ago) To manage notifications about this bug go to: https://bugs.launchpad.net/linux/+bug/1991691/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
