execv failed: Operation not permitted

Bug #1560211 reported by Jamie Strandboge
This bug affects 1 person
Affects Status Importance Assigned to Milestone
ubuntu-core-launcher (Ubuntu)
Jamie Strandboge

Bug Description

The 4.4.0-15.31 kernel includes changes to apparmor that honor NO_NEW_PRIVS, but this breaks the launcher with:

$ hello-world.env
execv failed: Operation not permitted

The 4.4.0-15.31 kernel was promoted to release before the corresponding change to ubuntu-core-launcher was uploaded: https://code.launchpad.net/~jdstrand/ubuntu-core-launcher/ubuntu-core-launcher.nnp-off/+merge/289683

Changed in ubuntu-core-launcher (Ubuntu):
status: New → In Progress
importance: Undecided → Critical
assignee: nobody → Jamie Strandboge (jdstrand)
tags: added: apparmor
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Uploaded 1.0.20 to xenial.

Changed in ubuntu-core-launcher (Ubuntu):
status: In Progress → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-core-launcher - 1.0.20

ubuntu-core-launcher (1.0.20) xenial; urgency=medium

  * don't set NO_NEW_PRIVS. This requires changing privilege dropping since
    CAP_SYS_ADMIN is needed with seccomp_load(). This means temporarily
    dropping until seccomp_load(), then raising before and permanently
    dropping after the filter is applied. As a result, setuid/setgid is
    required in all policy (but is still mediated by AppArmor)
    - LP: #1560211

 -- Jamie Strandboge <email address hidden> Mon, 21 Mar 2016 15:24:33 -0500

Changed in ubuntu-core-launcher (Ubuntu):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers