[Kernel-packages] [Bug 1562989] Re: 'aa_change_onexec failed with -1. errmsg: Permission denied'

2016-03-28 Thread Jamie Strandboge
Looks like the kernel got some fixes and the rules for change_profile
matching unconfined that we had for the launcher no longer work. Those
rules seem like they weren't doing what we wanted anyway, so update
them.

** Package changed: linux (Ubuntu) => ubuntu-core-launcher (Ubuntu)

** Changed in: ubuntu-core-launcher (Ubuntu)
   Status: Triaged => In Progress

** Changed in: ubuntu-core-launcher (Ubuntu)
 Assignee: Tyler Hicks (tyhicks) => Jamie Strandboge (jdstrand)

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1562989

Title:
  'aa_change_onexec failed with -1. errmsg: Permission denied'

Status in ubuntu-core-launcher package in Ubuntu:
  In Progress

Bug description:
  $ sudo apt-get install ubuntu-snappy
  $ sudo snappy install ubuntu-core
  $ sudo snappy install ubuntu-clock-app.ubuntucore-dev
  $ ubuntu-clock-app.clock
  aa_change_onexec failed with -1. errmsg: Permission denied
  [1]

  There is an apparmor denial:
  audit: type=1400 audit(1459194964.529:35): apparmor="DENIED" operation="change_onexec" profile="/usr/bin/ubuntu-core-launcher" name="ubuntu-clock-app.ubuntucoredev_clock_3.6+snap2" pid=2080 comm="ubuntu-core-lau" target="ubuntu-clock-app.ubuntucoredev_clock_3.6+snap2"

  Downgrading to ubuntu-core-launcher doesn't help the clock app get
  past this failure.

  The hello-world app works ok (it needs ubuntu-core-launcher 1.0.20 since it
  gets past the above error and the launcher needs to account for NO_NEW_PRIVS):
  $ hello-world.env |grep SNAP=
  SNAP=/snaps/hello-world.canonical/6.0

  $ sudo /snaps/bin/hello-world.env |grep SNAP=
  SNAP=/snaps/hello-world.canonical/6.0

  cap-test.mvo doesn't have this problem either:
  $ sudo snappy install cap-test.mvo
  $ cap-test.xbomb

  If I disable the apparmor profile with: sudo apparmor_parser -R
  /etc/apparmor.d/usr.bin.ubuntu-core-launcher then the app will launch.

  Downgrading to the -13 kernel resolves the issue:
  $ cat /proc/version_signature
  Ubuntu 4.4.0-13.29-generic 4.4.5

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-core-launcher/+bug/1562989/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
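
Added example, not part of the original thread or of ubuntu-core-launcher: a small Python parser for AppArmor audit records like the denial quoted in the bug description above. It extracts the confining profile and the requested target from denied change_onexec/change_profile operations and prints the change_profile rule to look for when reviewing the launcher profile. The function names are hypothetical, and the second and third sample lines are constructed.

```python
import re
from collections import Counter

# key="quoted value" or key=bare_value pairs as they appear in audit records
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
_TRANSITION_OPS = {"change_onexec", "change_profile"}


def parse_apparmor_record(line):
    """Return the key/value fields of an AppArmor audit record, or None."""
    if "apparmor=" not in line:
        return None
    fields = {}
    for key, quoted, bare in _FIELD.findall(line):
        fields[key] = quoted if quoted else bare
    return fields


def transition_denials(lines):
    """Count denied profile transitions keyed by (operation, profile, target)."""
    seen = Counter()
    for line in lines:
        rec = parse_apparmor_record(line)
        if not rec or rec.get("apparmor") != "DENIED":
            continue
        if rec.get("operation") not in _TRANSITION_OPS:
            continue
        # Fall back to name= when a record carries no target= field.
        target = rec.get("target") or rec.get("name", "")
        seen[(rec["operation"], rec.get("profile", ""), target)] += 1
    return seen


def candidate_rule(target):
    """Rule text to look for in the confining profile (for human review)."""
    return "change_profile -> %s," % target


SAMPLE_LOG = [
    # Taken from the bug description on this page
    'audit: type=1400 audit(1459194964.529:35): apparmor="DENIED" '
    'operation="change_onexec" profile="/usr/bin/ubuntu-core-launcher" '
    'name="ubuntu-clock-app.ubuntucoredev_clock_3.6+snap2" pid=2080 '
    'comm="ubuntu-core-lau" '
    'target="ubuntu-clock-app.ubuntucoredev_clock_3.6+snap2"',
    # Constructed: an unrelated file denial that must be ignored
    'audit: type=1400 audit(1459194970.101:36): apparmor="DENIED" '
    'operation="open" profile="/usr/bin/example" name="/etc/example.conf" '
    'pid=2101 comm="example" requested_mask="r" denied_mask="r"',
    # Constructed: a kernel line that is not an AppArmor record
    'kernel: usb 1-1: new high-speed USB device number 2 using xhci_hcd',
]

if __name__ == "__main__":
    for (op, profile, target), n in transition_denials(SAMPLE_LOG).items():
        print("%dx %s denied in %s; check for: %s"
              % (n, op, profile, candidate_rule(target)))
```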


[Kernel-packages] [Bug 1562989] Re: 'aa_change_onexec failed with -1. errmsg: Permission denied'

2016-03-28 Thread Jamie Strandboge
** Changed in: linux (Ubuntu)
   Status: Confirmed => Triaged



[Kernel-packages] [Bug 1562989] Re: 'aa_change_onexec failed with -1. errmsg: Permission denied'

2016-03-28 Thread Jamie Strandboge
It appears that the profile name can't start with 'u'. If I change the
app-profile to prepend anything other than 'u', then it works.

Eg, if I update app-profile accordingly before each call to change the
profile name:
$ sudo apparmor_parser -r ./app-profile ./launcher-profile && aa-exec -p launcher -- ./test-1562989 ubuntu-clock-app.ubuntucoredev_clock_3.6+snap2 /usr/bin/uptime
argv[0]: ./test-1562989
argv[1]: ubuntu-clock-app.ubuntucoredev_clock_3.6+snap2
argv[2]: /usr/bin/uptime
aa_change_onexec failed with -1. errmsg: Permission denied

$ sudo apparmor_parser -r ./app-profile ./launcher-profile && aa-exec -p launcher -- ./test-1562989 u /usr/bin/uptime
argv[0]: ./test-1562989
argv[1]: u
argv[2]: /usr/bin/uptime
aa_change_onexec failed with -1. errmsg: Permission denied

$ sudo apparmor_parser -r ./app-profile ./launcher-profile && aa-exec -p launcher -- ./test-1562989 fooubuntu-clock-app.ubuntucoredev_clock_3.6+snap2 /usr/bin/uptime
argv[0]: ./test-1562989
argv[1]: fooubuntu-clock-app.ubuntucoredev_clock_3.6+snap2
argv[2]: /usr/bin/uptime
 15:40:27 up 18 min,  2 users,  load average: 0.02, 0.10, 0.08

Wild guess would be the check for unconfined is busted.



[Kernel-packages] [Bug 1562989] Re: 'aa_change_onexec failed with -1. errmsg: Permission denied'

2016-03-28 Thread Jamie Strandboge
Here is a reproducer. See main.c for instructions.

** Attachment added: "1562989.tar.gz"
   https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1562989/+attachment/4615205/+files/1562989.tar.gz



[Kernel-packages] [Bug 1562989] Re: 'aa_change_onexec failed with -1. errmsg: Permission denied'

2016-03-28 Thread Jamie Strandboge
** Tags added: apparmor



[Kernel-packages] [Bug 1562989] Re: 'aa_change_onexec failed with -1. errmsg: Permission denied'

2016-03-28 Thread Jamie Strandboge
I took the hello-world application, then adjusted its yaml to be the
same as the ubuntu-clock-app (using ubuntu-cl0ck-app as the name) and
was unable to reproduce.



[Kernel-packages] [Bug 1562989] Re: 'aa_change_onexec failed with -1. errmsg: Permission denied'

2016-03-28 Thread Jamie Strandboge
** Description changed:

  $ sudo snappy install ubuntu-clock-app.ubuntucore-dev
  $ ubuntu-clock-app.clock
  aa_change_onexec failed with -1. errmsg: Permission denied
  [1]
  
  Downgrading to ubuntu-core-launcher doesn't help the clock app get past
  this failure.
  
  The hello-world app works ok (it needs ubuntu-core-launcher 1.0.20 since it 
gets past the above error and the launcher needs to account for NO_NEW_PRIVS):
  $ hello-world.env |grep SNAP=
  SNAP=/snaps/hello-world.canonical/6.0
  
  $ sudo /snaps/bin/hello-world.env |grep SNAP=
  SNAP=/snaps/hello-world.canonical/6.0
  
  cap-test.mvo doesn't have this problem either:
  $ sudo snappy install cap-test.mvo
  $ cap-test.xbomb
  
  If I disable the apparmor profile with: sudo apparmor_parser -R
  /etc/apparmor.d/usr.bin.ubuntu-core-launcher then the app will launch.
+ 
+ Downgrading to the -13 kernel resolves the issue:
+ $ cat /proc/version_signature 
+ Ubuntu 4.4.0-13.29-generic 4.4.5

** Package changed: ubuntu-core-launcher (Ubuntu) => linux (Ubuntu)

** Changed in: linux (Ubuntu)
   Importance: Undecided => Critical

** Changed in: linux (Ubuntu)
   Status: New => Confirmed

** Changed in: linux (Ubuntu)
 Assignee: (unassigned) => Tyler Hicks (tyhicks)

** Description changed:

  $ sudo snappy install ubuntu-clock-app.ubuntucore-dev
  $ ubuntu-clock-app.clock
  aa_change_onexec failed with -1. errmsg: Permission denied
  [1]
+ 
+ There is an apparmor denial:
+ audit: type=1400 audit(1459194964.529:35): apparmor="DENIED" 
operation="change_onexec" profile="/usr/bin/ubuntu-core-launcher" 
name="ubuntu-clock-app.ubuntucoredev_clock_3.6+snap2" pid=2080 
comm="ubuntu-core-lau" target="ubuntu-clock-app.ubuntucoredev_clock_3.6+snap2"
  
  Downgrading to ubuntu-core-launcher doesn't help the clock app get past
  this failure.
  
  The hello-world app works ok (it needs ubuntu-core-launcher 1.0.20 since it 
gets past the above error and the launcher needs to account for NO_NEW_PRIVS):
  $ hello-world.env |grep SNAP=
  SNAP=/snaps/hello-world.canonical/6.0
  
  $ sudo /snaps/bin/hello-world.env |grep SNAP=
  SNAP=/snaps/hello-world.canonical/6.0
  
  cap-test.mvo doesn't have this problem either:
  $ sudo snappy install cap-test.mvo
  $ cap-test.xbomb
  
  If I disable the apparmor profile with: sudo apparmor_parser -R
  /etc/apparmor.d/usr.bin.ubuntu-core-launcher then the app will launch.
  
  Downgrading to the -13 kernel resolves the issue:
- $ cat /proc/version_signature 
+ $ cat /proc/version_signature
  Ubuntu 4.4.0-13.29-generic 4.4.5

** Description changed:

+ $ sudo apt-get install ubuntu-snappy
+ $ sudo snappy install ubuntu-core
  $ sudo snappy install ubuntu-clock-app.ubuntucore-dev
  $ ubuntu-clock-app.clock
  aa_change_onexec failed with -1. errmsg: Permission denied
  [1]
  
  There is an apparmor denial:
  audit: type=1400 audit(1459194964.529:35): apparmor="DENIED" 
operation="change_onexec" profile="/usr/bin/ubuntu-core-launcher" 
name="ubuntu-clock-app.ubuntucoredev_clock_3.6+snap2" pid=2080 
comm="ubuntu-core-lau" target="ubuntu-clock-app.ubuntucoredev_clock_3.6+snap2"
  
  Downgrading to ubuntu-core-launcher doesn't help the clock app get past
  this failure.
  
  The hello-world app works ok (it needs ubuntu-core-launcher 1.0.20 since it 
gets past the above error and the launcher needs to account for NO_NEW_PRIVS):
  $ hello-world.env |grep SNAP=
  SNAP=/snaps/hello-world.canonical/6.0
  
  $ sudo /snaps/bin/hello-world.env |grep SNAP=
  SNAP=/snaps/hello-world.canonical/6.0
  
  cap-test.mvo doesn't have this problem either:
  $ sudo snappy install cap-test.mvo
  $ cap-test.xbomb
  
  If I disable the apparmor profile with: sudo apparmor_parser -R
  /etc/apparmor.d/usr.bin.ubuntu-core-launcher then the app will launch.
  
  Downgrading to the -13 kernel resolves the issue:
  $ cat /proc/version_signature
  Ubuntu 4.4.0-13.29-generic 4.4.5
