Citrix Workspace AppProtection blocks snap
TL;DR: I am required to use Citrix Workspace and with it – AppProtection and it is blocking my ‘snap’ command.
I’ve been using Citrix Workspace version 24.8.0.98 and had a weird issue when running ‘snap’ command:
snap: error while loading shared libraries: libX11.so.6: cannot open shared object file: No such file or directory
The root cause had to do with the integration between Citrix AppProtection and libX11.so, which blocked running multiple applications. An example of the ‘ldd’ command would look like this:
$ ldd /lib/x86_64-linux-gnu/libX11.so.6.4.0
linux-vdso.so.1 (0x00007ffe093c5000)
/usr/local/lib/AppProtection/libAppProtection.so (0x00007192fb800000)
libxcb.so.1 => /lib/x86_64-linux-gnu/libxcb.so.1 (0x00007192fbdd3000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007192fb400000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007192fbdce000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007192fbdc9000)
/lib64/ld-linux-x86-64.so.2 (0x00007192fbf5d000)
libstdc++.so.6 => /lib/x86_64-linux-gnu/libstdc++.so.6 (0x00007192fb000000)
libXi.so.6 => /lib/x86_64-linux-gnu/libXi.so.6 (0x00007192fbdb3000)
libXau.so.6 => /lib/x86_64-linux-gnu/libXau.so.6 (0x00007192fbdad000)
libXdmcp.so.6 => /lib/x86_64-linux-gnu/libXdmcp.so.6 (0x00007192fbda5000)
libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007192fbcbe000)
libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x00007192fbc9e000)
libXext.so.6 => /lib/x86_64-linux-gnu/libXext.so.6 (0x00007192fbc87000)
libbsd.so.0 => /lib/x86_64-linux-gnu/libbsd.so.0 (0x00007192fbc6f000)
libmd.so.0 => /lib/x86_64-linux-gnu/libmd.so.0 (0x00007192fbc62000)
There is also a related Ubuntu bug.
Citrix make use of LD_SO_PRELOAD mechanism, in which they enforce loading their own dynamic wrapper, blocking unwanted system calls.
Attempting to install a newer version failed to solve the problem (the problem was solved until a reboot, and then it reappeared).
The affected programs were those based on ‘snap’ command. The command uses libX11.so, which was blocked by AppProtection, as noted above, and for that reason – the command ‘snap’ failed to run.
The blocker script is called by systemd in the file /usr/lib/systemd/system/preload-library-remove.sh and a quick workaround to allow you to start your own snap commands is by commenting out the AppProtection line in
/etc/ld.so.preload
Just comment out the line, save and do not exit, and your snap commands will run again. If you encounter a problem with some core components, like this:
cannot locate base snap core24: No such file or directory
you can solve it by running the commands
sudo snap disable core24
sudo snap enable core24
Then you can run the relevant snap commands. Do not forget to unhash the LD_SO_PRELOAD line in the (yet open) file /etc/ld.so.preload for AppProtection to function.