Unloading apparmor profiles for snap packages on Ubuntu 20.04+

I recently had the problem that apparmor was blocking operations of a nextcloud snap installation (apparmor="DENIED" operation="ptrace" profile="snap.nextcloud.nextcloud-cron" pid=12828 comm="ps" requested_mask="read" denied_mask="read" peer="unconfined" and such).

aa-status showed that profiles exist for these "programs" (snap.nextcloud.nextcloud-cron).
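
To see which snap profiles and operations are actually being denied before touching any profile, the denial lines can be tallied per profile. This is an added example, not part of the original post; the sample lines are constructed (the first is modelled on the denial quoted above, snap.example.daemon and the audit ids are made up).

```shell
#!/bin/sh
# Added example: count AppArmor denials per snap profile from kernel log lines.

# Constructed sample input; the first line is modelled on the denial quoted
# in the post, the others (ids, paths, snap.example.daemon) are made up.
sample_log() {
    cat <<'EOF'
audit: type=1400 audit(0.0:1): apparmor="DENIED" operation="ptrace" profile="snap.nextcloud.nextcloud-cron" pid=12828 comm="ps" requested_mask="read" denied_mask="read" peer="unconfined"
audit: type=1400 audit(0.0:2): apparmor="DENIED" operation="ptrace" profile="snap.nextcloud.nextcloud-cron" pid=12901 comm="ps" requested_mask="read" denied_mask="read" peer="unconfined"
audit: type=1400 audit(0.0:3): apparmor="DENIED" operation="open" profile="snap.example.daemon" name="/tmp/x" pid=3 comm="daemon" requested_mask="r" denied_mask="r"
audit: type=1400 audit(0.0:4): apparmor="DENIED" operation="open" profile="/usr/sbin/example" name="/tmp/y" pid=4 comm="example" requested_mask="r" denied_mask="r"
audit: type=1400 audit(0.0:5): apparmor="ALLOWED" operation="open" profile="snap.example.daemon" name="/tmp/z" pid=5 comm="daemon" requested_mask="r" denied_mask="r"
EOF
}

# Reads log lines on stdin, prints: count, profile, operation, denied_mask, peer
# (tab-separated, "-" for a missing field). Only DENIED events of snap.* profiles.
summarize_denials() {
    awk '
    # Value of key="value" in line s, or "-" when the key is absent.
    function field(s, key,    v) {
        # Leading space anchors the key so denied_mask != requested_mask.
        if (!match(" " s, " " key "=\"[^\"]*\"")) return "-"
        v = substr(" " s, RSTART, RLENGTH)
        sub(/^[^"]*"/, "", v)   # strip up to the opening quote
        sub(/"$/, "", v)        # strip the closing quote
        return v
    }
    /apparmor="DENIED"/ {
        p = field($0, "profile")
        if (p !~ /^snap\./) next
        k = p "\t" field($0, "operation") "\t" field($0, "denied_mask") "\t" field($0, "peer")
        n[k]++
    }
    END { for (k in n) printf "%d\t%s\n", n[k], k }
    ' | sort
}

sample_log | summarize_denials
```

On a live system, feed it the output of journalctl -k in place of sample_log.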

Fully disabling apparmor via systemctl stop apparmor naturally didn’t work (I’m a BIG FAN of programs pretending to do something and not doing anything…)

So, to disable a profile in apparmor you can use aa-disable. Buuut – aa-disable needs the program executable.

If you found the snap profiles for apparmor in /var/lib/snapd/apparmor/profiles/ (Congratulations! I wouldn’t have expected them there…) you can feed them to aa-disable:
aa-disable -d /var/lib/snapd/apparmor/profiles/ snap.nextcloud.nextcloud-cron

Buuut – that doesn’t work.

Other program profiles lie under /etc/apparmor.d/ and you can stop them via that method. But not the ones under /var/lib/snapd/apparmor/profiles/.

What you need to do (Attention! That’s a hack but seems to work…):

ln -s /etc/apparmor.d/tunables /var/lib/snapd/apparmor/profiles/
ln -s /etc/apparmor.d/abstractions /var/lib/snapd/apparmor/profiles/

Did I mention that I’m not a big fan of snaps and systemd…?