'aa_change_onexec failed with -1. errmsg: Permission denied'

Bug #1562989 reported by Jamie Strandboge
Affects: ubuntu-core-launcher (Ubuntu)
Importance: Critical
Assigned to: Jamie Strandboge

Bug Description

$ sudo apt-get install ubuntu-snappy
$ sudo snappy install ubuntu-core
$ sudo snappy install ubuntu-clock-app.ubuntucore-dev
$ ubuntu-clock-app.clock
aa_change_onexec failed with -1. errmsg: Permission denied
[1]

There is an apparmor denial:
audit: type=1400 audit(1459194964.529:35): apparmor="DENIED" operation="change_onexec" profile="/usr/bin/ubuntu-core-launcher" name="ubuntu-clock-app.ubuntucoredev_clock_3.6+snap2" pid=2080 comm="ubuntu-core-lau" target="ubuntu-clock-app.ubuntucoredev_clock_3.6+snap2"

Downgrading to ubuntu-core-launcher doesn't help the clock app get past this failure.

The hello-world app works ok (it needs ubuntu-core-launcher 1.0.20 since it gets past the above error and the launcher needs to account for NO_NEW_PRIVS):
$ hello-world.env |grep SNAP=
SNAP=/snaps/hello-world.canonical/6.0

$ sudo /snaps/bin/hello-world.env |grep SNAP=
SNAP=/snaps/hello-world.canonical/6.0

cap-test.mvo doesn't have this problem either:
$ sudo snappy install cap-test.mvo
$ cap-test.xbomb

If I disable the apparmor profile with: sudo apparmor_parser -R /etc/apparmor.d/usr.bin.ubuntu-core-launcher then the app will launch.

Downgrading to the -13 kernel resolves the issue:
$ cat /proc/version_signature
Ubuntu 4.4.0-13.29-generic 4.4.5

summary: - 'aa_change_onexec failed with -1. errmsg: Permission denied' with snaps
- using 'unconfined' template
+ 'aa_change_onexec failed with -1. errmsg: Permission denied'
description: updated
description: updated
description: updated
description: updated
description: updated
affects: ubuntu-core-launcher (Ubuntu) → linux (Ubuntu)
Changed in linux (Ubuntu):
assignee: nobody → Tyler Hicks (tyhicks)
importance: Undecided → Critical
status: New → Confirmed
description: updated
description: updated
Jamie Strandboge (jdstrand) wrote :

I took the hello-world application, then adjusted its yaml to be the same as the ubuntu-clock-app (using ubuntu-cl0ck-app as the name) and was unable to reproduce.

tags: added: apparmor
Jamie Strandboge (jdstrand) wrote :

Here is a reproducer. See main.c for instructions.

Jamie Strandboge (jdstrand) wrote :

It appears that the profile name can't start with 'u'. If I change the app-profile to prepend anything other than 'u', then it works.

Eg, if I update app-profile accordingly before each call to change the profile name:
$ sudo apparmor_parser -r ./app-profile ./launcher-profile && aa-exec -p launcher -- ./test-1562989 ubuntu-clock-app.ubuntucoredev_clock_3.6+snap2 /usr/bin/uptime
argv[0]: ./test-1562989
argv[1]: ubuntu-clock-app.ubuntucoredev_clock_3.6+snap2
argv[2]: /usr/bin/uptime
aa_change_onexec failed with -1. errmsg: Permission denied

$ sudo apparmor_parser -r ./app-profile ./launcher-profile && aa-exec -p launcher -- ./test-1562989 u /usr/bin/uptime
argv[0]: ./test-1562989
argv[1]: u
argv[2]: /usr/bin/uptime
aa_change_onexec failed with -1. errmsg: Permission denied

$ sudo apparmor_parser -r ./app-profile ./launcher-profile && aa-exec -p launcher -- ./test-1562989 fooubuntu-clock-app.ubuntucoredev_clock_3.6+snap2 /usr/bin/uptime
argv[0]: ./test-1562989
argv[1]: fooubuntu-clock-app.ubuntucoredev_clock_3.6+snap2
argv[2]: /usr/bin/uptime
 15:40:27 up 18 min, 2 users, load average: 0.02, 0.10, 0.08

Wild guess would be the check for unconfined is busted.

Changed in linux (Ubuntu):
status: Confirmed → Triaged
Jamie Strandboge (jdstrand) wrote :

Looks like the kernel got some fixes and the rules for change_profile matching unconfined that we had for the launcher no longer work. Those rules seem like they weren't doing what we wanted anyway, so update them.

affects: linux (Ubuntu) → ubuntu-core-launcher (Ubuntu)
Changed in ubuntu-core-launcher (Ubuntu):
assignee: Tyler Hicks (tyhicks) → Jamie Strandboge (jdstrand)
status: Triaged → In Progress
Changed in ubuntu-core-launcher (Ubuntu):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-core-launcher - 1.0.22

---------------
ubuntu-core-launcher (1.0.22) xenial; urgency=medium

  * debian/usr.bin.ubuntu-core-launcher: update unconfined change_profile
    checks to actually work (LP: #1562989)

ubuntu-core-launcher (1.0.21) xenial; urgency=medium

  * src/main.c: setup private /dev/pts
  * debian/usr.bin.ubuntu-core-launcher: allow mounting /dev/pts
  * enforce coding style:
    - add syntax-check and fmt Makefile targets
    - use 'indent -linux'
    - debian/control: Build-Depends on indent

 -- Jamie Strandboge <email address hidden> Mon, 28 Mar 2016 10:42:57 -0500

Changed in ubuntu-core-launcher (Ubuntu):
status: Fix Committed → Fix Released