kernel-packages team mailing list archive
-
kernel-packages team
-
Mailing list archive
-
Message #169574
[Bug 1562989] Re: 'aa_change_onexec failed with -1. errmsg: Permission denied'
** Description changed:
$ sudo snappy install ubuntu-clock-app.ubuntucore-dev
$ ubuntu-clock-app.clock
aa_change_onexec failed with -1. errmsg: Permission denied
[1]
Downgrading to ubuntu-core-launcher doesn't help the clock app get past
this failure.
The hello-world app works ok (it needs ubuntu-core-launcher 1.0.20 since it gets past the above error and the launcher needs to account for NO_NEW_PRIVS):
$ hello-world.env |grep SNAP=
SNAP=/snaps/hello-world.canonical/6.0
$ sudo /snaps/bin/hello-world.env |grep SNAP=
SNAP=/snaps/hello-world.canonical/6.0
cap-test.mvo doesn't have this problem either:
$ sudo snappy install cap-test.mvo
$ cap-test.xbomb
If I disable the apparmor profile with: sudo apparmor_parser -R
/etc/apparmor.d/usr.bin.ubuntu-core-launcher then the app will launch.
+
+ Downgrading to the -13 kernel resolves the issue:
+ $ cat /proc/version_signature
+ Ubuntu 4.4.0-13.29-generic 4.4.5
** Package changed: ubuntu-core-launcher (Ubuntu) => linux (Ubuntu)
** Changed in: linux (Ubuntu)
Importance: Undecided => Critical
** Changed in: linux (Ubuntu)
Status: New => Confirmed
** Changed in: linux (Ubuntu)
Assignee: (unassigned) => Tyler Hicks (tyhicks)
** Description changed:
$ sudo snappy install ubuntu-clock-app.ubuntucore-dev
$ ubuntu-clock-app.clock
aa_change_onexec failed with -1. errmsg: Permission denied
[1]
+
+ There is an apparmor denial:
+ audit: type=1400 audit(1459194964.529:35): apparmor="DENIED" operation="change_onexec" profile="/usr/bin/ubuntu-core-launcher" name="ubuntu-clock-app.ubuntucoredev_clock_3.6+snap2" pid=2080 comm="ubuntu-core-lau" target="ubuntu-clock-app.ubuntucoredev_clock_3.6+snap2"
Downgrading to ubuntu-core-launcher doesn't help the clock app get past
this failure.
The hello-world app works ok (it needs ubuntu-core-launcher 1.0.20 since it gets past the above error and the launcher needs to account for NO_NEW_PRIVS):
$ hello-world.env |grep SNAP=
SNAP=/snaps/hello-world.canonical/6.0
$ sudo /snaps/bin/hello-world.env |grep SNAP=
SNAP=/snaps/hello-world.canonical/6.0
cap-test.mvo doesn't have this problem either:
$ sudo snappy install cap-test.mvo
$ cap-test.xbomb
If I disable the apparmor profile with: sudo apparmor_parser -R
/etc/apparmor.d/usr.bin.ubuntu-core-launcher then the app will launch.
Downgrading to the -13 kernel resolves the issue:
- $ cat /proc/version_signature
+ $ cat /proc/version_signature
Ubuntu 4.4.0-13.29-generic 4.4.5
** Description changed:
+ $ sudo apt-get install ubuntu-snappy
+ $ sudo snappy install ubuntu-core
$ sudo snappy install ubuntu-clock-app.ubuntucore-dev
$ ubuntu-clock-app.clock
aa_change_onexec failed with -1. errmsg: Permission denied
[1]
There is an apparmor denial:
audit: type=1400 audit(1459194964.529:35): apparmor="DENIED" operation="change_onexec" profile="/usr/bin/ubuntu-core-launcher" name="ubuntu-clock-app.ubuntucoredev_clock_3.6+snap2" pid=2080 comm="ubuntu-core-lau" target="ubuntu-clock-app.ubuntucoredev_clock_3.6+snap2"
Downgrading to ubuntu-core-launcher doesn't help the clock app get past
this failure.
The hello-world app works ok (it needs ubuntu-core-launcher 1.0.20 since it gets past the above error and the launcher needs to account for NO_NEW_PRIVS):
$ hello-world.env |grep SNAP=
SNAP=/snaps/hello-world.canonical/6.0
$ sudo /snaps/bin/hello-world.env |grep SNAP=
SNAP=/snaps/hello-world.canonical/6.0
cap-test.mvo doesn't have this problem either:
$ sudo snappy install cap-test.mvo
$ cap-test.xbomb
If I disable the apparmor profile with: sudo apparmor_parser -R
/etc/apparmor.d/usr.bin.ubuntu-core-launcher then the app will launch.
Downgrading to the -13 kernel resolves the issue:
$ cat /proc/version_signature
Ubuntu 4.4.0-13.29-generic 4.4.5
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1562989
Title:
'aa_change_onexec failed with -1. errmsg: Permission denied'
Status in linux package in Ubuntu:
Confirmed
Bug description:
$ sudo apt-get install ubuntu-snappy
$ sudo snappy install ubuntu-core
$ sudo snappy install ubuntu-clock-app.ubuntucore-dev
$ ubuntu-clock-app.clock
aa_change_onexec failed with -1. errmsg: Permission denied
[1]
There is an apparmor denial:
audit: type=1400 audit(1459194964.529:35): apparmor="DENIED" operation="change_onexec" profile="/usr/bin/ubuntu-core-launcher" name="ubuntu-clock-app.ubuntucoredev_clock_3.6+snap2" pid=2080 comm="ubuntu-core-lau" target="ubuntu-clock-app.ubuntucoredev_clock_3.6+snap2"
Downgrading to ubuntu-core-launcher doesn't help the clock app get
past this failure.
The hello-world app works ok (it needs ubuntu-core-launcher 1.0.20 since it gets past the above error and the launcher needs to account for NO_NEW_PRIVS):
$ hello-world.env |grep SNAP=
SNAP=/snaps/hello-world.canonical/6.0
$ sudo /snaps/bin/hello-world.env |grep SNAP=
SNAP=/snaps/hello-world.canonical/6.0
cap-test.mvo doesn't have this problem either:
$ sudo snappy install cap-test.mvo
$ cap-test.xbomb
If I disable the apparmor profile with: sudo apparmor_parser -R
/etc/apparmor.d/usr.bin.ubuntu-core-launcher then the app will launch.
Downgrading to the -13 kernel resolves the issue:
$ cat /proc/version_signature
Ubuntu 4.4.0-13.29-generic 4.4.5
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1562989/+subscriptions
