| 2016-03-28 18:11:15 |
Jamie Strandboge |
bug |
|
|
added bug |
| 2016-03-28 19:20:34 |
Jamie Strandboge |
summary |
'aa_change_onexec failed with -1. errmsg: Permission denied' with snaps using 'unconfined' template |
'aa_change_onexec failed with -1. errmsg: Permission denied' |
|
| 2016-03-28 19:24:32 |
Jamie Strandboge |
description |
$ bzr branch lp:~dpm/ubuntu-clock-app/snap-all-things ubuntu-clock-app.dpm
$ snapcraft
$ sudo snappy install --allow-unauthenticated ubuntu-clock-app_3.6+snap2_amd64.snap
$ ubuntu-clock-app.clock
aa_change_onexec failed with -1. errmsg: Permission denied
[1]
Confined apps seem to work ok:
$ hello-world.env |grep SNAP=
SNAP=/snaps/hello-world.canonical/6.0
$ sudo /snaps/bin/hello-world.env |grep SNAP=
SNAP=/snaps/hello-world.canonical/6.0 |
$ sudo snappy install ubuntu-clock-app.ubuntucore-dev
$ ubuntu-clock-app.clock
aa_change_onexec failed with -1. errmsg: Permission denied
[1]
Downgrading to ubuntu-core-launcher doesn't help the clock app get past this failure.
The hello-world app works ok (it needs ubuntu-core-launcher 1.0.20 since it gets past the above error and the launcher needs to account for NO_NEW_PRIVS):
$ hello-world.env |grep SNAP=
SNAP=/snaps/hello-world.canonical/6.0
$ sudo /snaps/bin/hello-world.env |grep SNAP=
SNAP=/snaps/hello-world.canonical/6.0 |
|
| 2016-03-28 19:27:29 |
Jamie Strandboge |
description |
$ sudo snappy install ubuntu-clock-app.ubuntucore-dev
$ ubuntu-clock-app.clock
aa_change_onexec failed with -1. errmsg: Permission denied
[1]
Downgrading to ubuntu-core-launcher doesn't help the clock app get past this failure.
The hello-world app works ok (it needs ubuntu-core-launcher 1.0.20 since it gets past the above error and the launcher needs to account for NO_NEW_PRIVS):
$ hello-world.env |grep SNAP=
SNAP=/snaps/hello-world.canonical/6.0
$ sudo /snaps/bin/hello-world.env |grep SNAP=
SNAP=/snaps/hello-world.canonical/6.0 |
$ sudo snappy install ubuntu-clock-app.ubuntucore-dev
$ ubuntu-clock-app.clock
aa_change_onexec failed with -1. errmsg: Permission denied
[1]
Downgrading to ubuntu-core-launcher doesn't help the clock app get past this failure.
The hello-world app works ok (it needs ubuntu-core-launcher 1.0.20 since it gets past the above error and the launcher needs to account for NO_NEW_PRIVS):
$ hello-world.env |grep SNAP=
SNAP=/snaps/hello-world.canonical/6.0
$ sudo /snaps/bin/hello-world.env |grep SNAP=
SNAP=/snaps/hello-world.canonical/6.0
cap-test.mvo doesn't have this problem either:
$ sudo snappy install cap-test.mvo
$ cap-test.mvo |
|
| 2016-03-28 19:28:16 |
Jamie Strandboge |
description |
$ sudo snappy install ubuntu-clock-app.ubuntucore-dev
$ ubuntu-clock-app.clock
aa_change_onexec failed with -1. errmsg: Permission denied
[1]
Downgrading to ubuntu-core-launcher doesn't help the clock app get past this failure.
The hello-world app works ok (it needs ubuntu-core-launcher 1.0.20 since it gets past the above error and the launcher needs to account for NO_NEW_PRIVS):
$ hello-world.env |grep SNAP=
SNAP=/snaps/hello-world.canonical/6.0
$ sudo /snaps/bin/hello-world.env |grep SNAP=
SNAP=/snaps/hello-world.canonical/6.0
cap-test.mvo doesn't have this problem either:
$ sudo snappy install cap-test.mvo
$ cap-test.mvo |
$ sudo snappy install ubuntu-clock-app.ubuntucore-dev
$ ubuntu-clock-app.clock
aa_change_onexec failed with -1. errmsg: Permission denied
[1]
Downgrading to ubuntu-core-launcher doesn't help the clock app get past this failure.
The hello-world app works ok (it needs ubuntu-core-launcher 1.0.20 since it gets past the above error and the launcher needs to account for NO_NEW_PRIVS):
$ hello-world.env |grep SNAP=
SNAP=/snaps/hello-world.canonical/6.0
$ sudo /snaps/bin/hello-world.env |grep SNAP=
SNAP=/snaps/hello-world.canonical/6.0
cap-test.mvo doesn't have this problem either:
$ sudo snappy install cap-test.mvo
$ cap-test.xbomb |
|
| 2016-03-28 19:43:51 |
Jamie Strandboge |
description |
$ sudo snappy install ubuntu-clock-app.ubuntucore-dev
$ ubuntu-clock-app.clock
aa_change_onexec failed with -1. errmsg: Permission denied
[1]
Downgrading to ubuntu-core-launcher doesn't help the clock app get past this failure.
The hello-world app works ok (it needs ubuntu-core-launcher 1.0.20 since it gets past the above error and the launcher needs to account for NO_NEW_PRIVS):
$ hello-world.env |grep SNAP=
SNAP=/snaps/hello-world.canonical/6.0
$ sudo /snaps/bin/hello-world.env |grep SNAP=
SNAP=/snaps/hello-world.canonical/6.0
cap-test.mvo doesn't have this problem either:
$ sudo snappy install cap-test.mvo
$ cap-test.xbomb |
$ sudo snappy install ubuntu-clock-app.ubuntucore-dev
$ ubuntu-clock-app.clock
aa_change_onexec failed with -1. errmsg: Permission denied
[1]
Downgrading to ubuntu-core-launcher doesn't help the clock app get past this failure.
The hello-world app works ok (it needs ubuntu-core-launcher 1.0.20 since it gets past the above error and the launcher needs to account for NO_NEW_PRIVS):
$ hello-world.env |grep SNAP=
SNAP=/snaps/hello-world.canonical/6.0
$ sudo /snaps/bin/hello-world.env |grep SNAP=
SNAP=/snaps/hello-world.canonical/6.0
cap-test.mvo doesn't have this problem either:
$ sudo snappy install cap-test.mvo
$ cap-test.xbomb
If I disable the apparmor profile with: sudo apparmor_parser -R /etc/apparmor.d/usr.bin.ubuntu-core-launcher then the app will launch. |
|
| 2016-03-28 19:54:33 |
Jamie Strandboge |
description |
$ sudo snappy install ubuntu-clock-app.ubuntucore-dev
$ ubuntu-clock-app.clock
aa_change_onexec failed with -1. errmsg: Permission denied
[1]
Downgrading to ubuntu-core-launcher doesn't help the clock app get past this failure.
The hello-world app works ok (it needs ubuntu-core-launcher 1.0.20 since it gets past the above error and the launcher needs to account for NO_NEW_PRIVS):
$ hello-world.env |grep SNAP=
SNAP=/snaps/hello-world.canonical/6.0
$ sudo /snaps/bin/hello-world.env |grep SNAP=
SNAP=/snaps/hello-world.canonical/6.0
cap-test.mvo doesn't have this problem either:
$ sudo snappy install cap-test.mvo
$ cap-test.xbomb
If I disable the apparmor profile with: sudo apparmor_parser -R /etc/apparmor.d/usr.bin.ubuntu-core-launcher then the app will launch. |
$ sudo snappy install ubuntu-clock-app.ubuntucore-dev
$ ubuntu-clock-app.clock
aa_change_onexec failed with -1. errmsg: Permission denied
[1]
Downgrading to ubuntu-core-launcher doesn't help the clock app get past this failure.
The hello-world app works ok (it needs ubuntu-core-launcher 1.0.20 since it gets past the above error and the launcher needs to account for NO_NEW_PRIVS):
$ hello-world.env |grep SNAP=
SNAP=/snaps/hello-world.canonical/6.0
$ sudo /snaps/bin/hello-world.env |grep SNAP=
SNAP=/snaps/hello-world.canonical/6.0
cap-test.mvo doesn't have this problem either:
$ sudo snappy install cap-test.mvo
$ cap-test.xbomb
If I disable the apparmor profile with: sudo apparmor_parser -R /etc/apparmor.d/usr.bin.ubuntu-core-launcher then the app will launch.
Downgrading to the -13 kernel resolves the issue:
$ cat /proc/version_signature
Ubuntu 4.4.0-13.29-generic 4.4.5 |
|
| 2016-03-28 19:56:19 |
Jamie Strandboge |
affects |
ubuntu-core-launcher (Ubuntu) |
linux (Ubuntu) |
|
| 2016-03-28 19:56:19 |
Jamie Strandboge |
linux (Ubuntu): importance |
Undecided |
Critical |
|
| 2016-03-28 19:56:19 |
Jamie Strandboge |
linux (Ubuntu): status |
New |
Confirmed |
|
| 2016-03-28 19:56:19 |
Jamie Strandboge |
linux (Ubuntu): assignee |
|
Tyler Hicks (tyhicks) |
|
| 2016-03-28 19:56:35 |
Jamie Strandboge |
description |
$ sudo snappy install ubuntu-clock-app.ubuntucore-dev
$ ubuntu-clock-app.clock
aa_change_onexec failed with -1. errmsg: Permission denied
[1]
Downgrading to ubuntu-core-launcher doesn't help the clock app get past this failure.
The hello-world app works ok (it needs ubuntu-core-launcher 1.0.20 since it gets past the above error and the launcher needs to account for NO_NEW_PRIVS):
$ hello-world.env |grep SNAP=
SNAP=/snaps/hello-world.canonical/6.0
$ sudo /snaps/bin/hello-world.env |grep SNAP=
SNAP=/snaps/hello-world.canonical/6.0
cap-test.mvo doesn't have this problem either:
$ sudo snappy install cap-test.mvo
$ cap-test.xbomb
If I disable the apparmor profile with: sudo apparmor_parser -R /etc/apparmor.d/usr.bin.ubuntu-core-launcher then the app will launch.
Downgrading to the -13 kernel resolves the issue:
$ cat /proc/version_signature
Ubuntu 4.4.0-13.29-generic 4.4.5 |
$ sudo snappy install ubuntu-clock-app.ubuntucore-dev
$ ubuntu-clock-app.clock
aa_change_onexec failed with -1. errmsg: Permission denied
[1]
There is an apparmor denial:
audit: type=1400 audit(1459194964.529:35): apparmor="DENIED" operation="change_onexec" profile="/usr/bin/ubuntu-core-launcher" name="ubuntu-clock-app.ubuntucoredev_clock_3.6+snap2" pid=2080 comm="ubuntu-core-lau" target="ubuntu-clock-app.ubuntucoredev_clock_3.6+snap2"
Downgrading to ubuntu-core-launcher doesn't help the clock app get past this failure.
The hello-world app works ok (it needs ubuntu-core-launcher 1.0.20 since it gets past the above error and the launcher needs to account for NO_NEW_PRIVS):
$ hello-world.env |grep SNAP=
SNAP=/snaps/hello-world.canonical/6.0
$ sudo /snaps/bin/hello-world.env |grep SNAP=
SNAP=/snaps/hello-world.canonical/6.0
cap-test.mvo doesn't have this problem either:
$ sudo snappy install cap-test.mvo
$ cap-test.xbomb
If I disable the apparmor profile with: sudo apparmor_parser -R /etc/apparmor.d/usr.bin.ubuntu-core-launcher then the app will launch.
Downgrading to the -13 kernel resolves the issue:
$ cat /proc/version_signature
Ubuntu 4.4.0-13.29-generic 4.4.5 |
|
| 2016-03-28 20:01:14 |
Jamie Strandboge |
description |
$ sudo snappy install ubuntu-clock-app.ubuntucore-dev
$ ubuntu-clock-app.clock
aa_change_onexec failed with -1. errmsg: Permission denied
[1]
There is an apparmor denial:
audit: type=1400 audit(1459194964.529:35): apparmor="DENIED" operation="change_onexec" profile="/usr/bin/ubuntu-core-launcher" name="ubuntu-clock-app.ubuntucoredev_clock_3.6+snap2" pid=2080 comm="ubuntu-core-lau" target="ubuntu-clock-app.ubuntucoredev_clock_3.6+snap2"
Downgrading to ubuntu-core-launcher doesn't help the clock app get past this failure.
The hello-world app works ok (it needs ubuntu-core-launcher 1.0.20 since it gets past the above error and the launcher needs to account for NO_NEW_PRIVS):
$ hello-world.env |grep SNAP=
SNAP=/snaps/hello-world.canonical/6.0
$ sudo /snaps/bin/hello-world.env |grep SNAP=
SNAP=/snaps/hello-world.canonical/6.0
cap-test.mvo doesn't have this problem either:
$ sudo snappy install cap-test.mvo
$ cap-test.xbomb
If I disable the apparmor profile with: sudo apparmor_parser -R /etc/apparmor.d/usr.bin.ubuntu-core-launcher then the app will launch.
Downgrading to the -13 kernel resolves the issue:
$ cat /proc/version_signature
Ubuntu 4.4.0-13.29-generic 4.4.5 |
$ sudo apt-get install ubuntu-snappy
$ sudo snappy install ubuntu-core
$ sudo snappy install ubuntu-clock-app.ubuntucore-dev
$ ubuntu-clock-app.clock
aa_change_onexec failed with -1. errmsg: Permission denied
[1]
There is an apparmor denial:
audit: type=1400 audit(1459194964.529:35): apparmor="DENIED" operation="change_onexec" profile="/usr/bin/ubuntu-core-launcher" name="ubuntu-clock-app.ubuntucoredev_clock_3.6+snap2" pid=2080 comm="ubuntu-core-lau" target="ubuntu-clock-app.ubuntucoredev_clock_3.6+snap2"
Downgrading to ubuntu-core-launcher doesn't help the clock app get past this failure.
The hello-world app works ok (it needs ubuntu-core-launcher 1.0.20 since it gets past the above error and the launcher needs to account for NO_NEW_PRIVS):
$ hello-world.env |grep SNAP=
SNAP=/snaps/hello-world.canonical/6.0
$ sudo /snaps/bin/hello-world.env |grep SNAP=
SNAP=/snaps/hello-world.canonical/6.0
cap-test.mvo doesn't have this problem either:
$ sudo snappy install cap-test.mvo
$ cap-test.xbomb
If I disable the apparmor profile with: sudo apparmor_parser -R /etc/apparmor.d/usr.bin.ubuntu-core-launcher then the app will launch.
Downgrading to the -13 kernel resolves the issue:
$ cat /proc/version_signature
Ubuntu 4.4.0-13.29-generic 4.4.5 |
|
| 2016-03-28 20:12:23 |
Jamie Strandboge |
tags |
|
apparmor |
|
| 2016-03-28 20:28:55 |
Jamie Strandboge |
attachment added |
|
1562989.tar.gz https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1562989/+attachment/4615205/+files/1562989.tar.gz |
|
| 2016-03-28 20:50:51 |
Jamie Strandboge |
linux (Ubuntu): status |
Confirmed |
Triaged |
|
| 2016-03-28 21:11:54 |
Jamie Strandboge |
affects |
linux (Ubuntu) |
ubuntu-core-launcher (Ubuntu) |
|
| 2016-03-28 21:11:54 |
Jamie Strandboge |
ubuntu-core-launcher (Ubuntu): status |
Triaged |
In Progress |
|
| 2016-03-28 21:11:54 |
Jamie Strandboge |
ubuntu-core-launcher (Ubuntu): assignee |
Tyler Hicks (tyhicks) |
Jamie Strandboge (jdstrand) |
|
| 2016-03-28 21:28:31 |
Jamie Strandboge |
ubuntu-core-launcher (Ubuntu): status |
In Progress |
Fix Committed |
|
| 2016-03-29 10:41:27 |
Launchpad Janitor |
ubuntu-core-launcher (Ubuntu): status |
Fix Committed |
Fix Released |
|
