** Tags added: apparmor -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1562989
Title: 'aa_change_onexec failed with -1. errmsg: Permission denied' Status in linux package in Ubuntu: Confirmed Bug description: $ sudo apt-get install ubuntu-snappy $ sudo snappy install ubuntu-core $ sudo snappy install ubuntu-clock-app.ubuntucore-dev $ ubuntu-clock-app.clock aa_change_onexec failed with -1. errmsg: Permission denied [1] There is an apparmor denial: audit: type=1400 audit(1459194964.529:35): apparmor="DENIED" operation="change_onexec" profile="/usr/bin/ubuntu-core-launcher" name="ubuntu-clock-app.ubuntucoredev_clock_3.6+snap2" pid=2080 comm="ubuntu-core-lau" target="ubuntu-clock-app.ubuntucoredev_clock_3.6+snap2" Downgrading to ubuntu-core-launcher doesn't help the clock app get past this failure. The hello-world app works ok (it needs ubuntu-core-launcher 1.0.20 since it gets past the above error and the launcher needs to account for NO_NEW_PRIVS): $ hello-world.env |grep SNAP= SNAP=/snaps/hello-world.canonical/6.0 $ sudo /snaps/bin/hello-world.env |grep SNAP= SNAP=/snaps/hello-world.canonical/6.0 cap-test.mvo doesn't have this problem either: $ sudo snappy install cap-test.mvo $ cap-test.xbomb If I disable the apparmor profile with: sudo apparmor_parser -R /etc/apparmor.d/usr.bin.ubuntu-core-launcher then the app will launch. Downgrading to the -13 kernel resolves the issue: $ cat /proc/version_signature Ubuntu 4.4.0-13.29-generic 4.4.5 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1562989/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
