Comment 3 for bug 1590720

Thank you for filing a bug. It is actually seccomp (not AppArmor) that is blocking this call. You can workaround this for now by installing with --devmode. We don't allow the chown family of syscalls at this time because that would open holes in the sandbox.

Today, you can adjust your program to not use fchown or to create a small LD_PRELOAD library that you can ship with your that implements a no-op for fchown.

Soon we will have seccomp argument filtering in our sandbox which will allow us to then, for example, allow apps to chown files to their own UID and GID, but we'd need to figure out a way to do this dynamically (perhaps the launcher could unconditionally add chown calls for the UID/GID, this needs more thought). Alternatively, the designed-but-not-yet-implemented snappy preload library could do something with chown so developers wouldn't have to.