Ubuntu
ubuntu-core-launcher package

execv failed: Operation not permitted

Bug #1560211 reported by Jamie Strandboge
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
ubuntu-core-launcher (Ubuntu)
Fix Released
Critical
Jamie Strandboge

Bug Description

The 4.4.0-15.31 kernel includes changes to apparmor that honor NO_NEW_PRIVS, but this breaks the launcher with:

$ hello-world.env
execv failed: Operation not permitted
[1]

The 4.4.0-15.31 kernel was promoted to release before the corresponding change to ubuntu-core-launcher was uploaded: https://code.launchpad.net/~jdstrand/ubuntu-core-launcher/ubuntu-core-launcher.nnp-off/+merge/289683

Tags: apparmor
Jamie Strandboge (jdstrand)
Changed in ubuntu-core-launcher (Ubuntu):
status: New → In Progress
importance: Undecided → Critical
assignee: nobody → Jamie Strandboge (jdstrand)
tags: added: apparmor
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Uploaded 1.0.20 to xenial.

Changed in ubuntu-core-launcher (Ubuntu):
status: In Progress → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-core-launcher - 1.0.20

---------------
ubuntu-core-launcher (1.0.20) xenial; urgency=medium

  * don't set NO_NEW_PRIVS. This requires changing privilege dropping since
    CAP_SYS_ADMIN is needed with seccomp_load(). This means temporarily
    dropping until seccomp_load(), then raising before and permanently
    dropping after the filter is applied. As a result, setuid/setgid is
    required in all policy (but is still mediated by AppArmor)
    - LP: #1560211

 -- Jamie Strandboge <email address hidden> Mon, 21 Mar 2016 15:24:33 -0500

Changed in ubuntu-core-launcher (Ubuntu):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.