'aa_change_onexec failed with -1. errmsg: Permission denied'

Bug #1562989 reported by Jamie Strandboge
Affects: ubuntu-core-launcher (Ubuntu) | Status: Fix Released | Importance: Critical | Assigned to: Jamie Strandboge | Milestone: (none)

Bug Description

$ sudo apt-get install ubuntu-snappy
$ sudo snappy install ubuntu-core
$ sudo snappy install ubuntu-clock-app.ubuntucore-dev
$ ubuntu-clock-app.clock
aa_change_onexec failed with -1. errmsg: Permission denied
[1]

There is an apparmor denial:
audit: type=1400 audit(1459194964.529:35): apparmor="DENIED" operation="change_onexec" profile="/usr/bin/ubuntu-core-launcher" name="ubuntu-clock-app.ubuntucoredev_clock_3.6+snap2" pid=2080 comm="ubuntu-core-lau" target="ubuntu-clock-app.ubuntucoredev_clock_3.6+snap2"

Downgrading to ubuntu-core-launcher doesn't help the clock app get past this failure.

The hello-world app works ok (it needs ubuntu-core-launcher 1.0.20 since it gets past the above error and the launcher needs to account for NO_NEW_PRIVS):
$ hello-world.env |grep SNAP=
SNAP=/snaps/hello-world.canonical/6.0

$ sudo /snaps/bin/hello-world.env |grep SNAP=
SNAP=/snaps/hello-world.canonical/6.0

cap-test.mvo doesn't have this problem either:
$ sudo snappy install cap-test.mvo
$ cap-test.xbomb

If I disable the apparmor profile with: sudo apparmor_parser -R /etc/apparmor.d/usr.bin.ubuntu-core-launcher then the app will launch.

Downgrading to the -13 kernel resolves the issue:
$ cat /proc/version_signature
Ubuntu 4.4.0-13.29-generic 4.4.5
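The audit line quoted above is what a monitoring rule would key on. As an added example (not part of this bug report or of ubuntu-core-launcher), a small Python parser for AppArmor audit records that flags DENIED change_onexec/change_profile events originating from the launcher profile; the first sample line is the denial from this report, the second is a constructed non-denial record used as a negative case.

```python
import re

# Sample audit records. The first is the denial from the report; the second is
# constructed here to represent a profile load (not a denial) and must be ignored.
SAMPLE_LINES = [
    'audit: type=1400 audit(1459194964.529:35): apparmor="DENIED" operation="change_onexec" '
    'profile="/usr/bin/ubuntu-core-launcher" name="ubuntu-clock-app.ubuntucoredev_clock_3.6+snap2" '
    'pid=2080 comm="ubuntu-core-lau" target="ubuntu-clock-app.ubuntucoredev_clock_3.6+snap2"',
    'audit: type=1400 audit(1459194970.000:36): apparmor="STATUS" operation="profile_replace" '
    'profile="unconfined" name="/usr/bin/ubuntu-core-launcher" pid=2090 comm="apparmor_parser"',
]

# key=value pairs; values are either double-quoted or a bare token.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_audit_line(line):
    """Return the key=value fields of an AppArmor audit line as a dict (quotes stripped)."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        key = m.group(1)
        fields[key] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def launcher_transition_denials(lines, launcher_profile="/usr/bin/ubuntu-core-launcher"):
    """Keep only DENIED profile-transition events whose source profile is the launcher.

    A change_onexec/change_profile denial from the launcher means an app could not be
    confined into its own profile, which is exactly the failure mode in this report.
    """
    hits = []
    for line in lines:
        f = parse_audit_line(line)
        if f.get("apparmor") != "DENIED":
            continue
        if f.get("operation") not in ("change_onexec", "change_profile"):
            continue
        if f.get("profile") != launcher_profile:
            continue
        hits.append({"pid": f.get("pid"), "comm": f.get("comm"), "target": f.get("target")})
    return hits


if __name__ == "__main__":
    for hit in launcher_transition_denials(SAMPLE_LINES):
        print("launcher failed to transition pid %(pid)s (%(comm)s) into %(target)s" % hit)
```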

Tags: apparmor
summary: - 'aa_change_onexec failed with -1. errmsg: Permission denied' with snaps
- using 'unconfined' template
+ 'aa_change_onexec failed with -1. errmsg: Permission denied'
description: updated
affects: ubuntu-core-launcher (Ubuntu) → linux (Ubuntu)
Changed in linux (Ubuntu):
assignee: nobody → Tyler Hicks (tyhicks)
importance: Undecided → Critical
status: New → Confirmed
Jamie Strandboge (jdstrand) wrote :

I took the hello-world application, then adjusted its yaml to be the same as the ubuntu-clock-app (using ubuntu-cl0ck-app as the name) and was unable to reproduce.

tags: added: apparmor
Jamie Strandboge (jdstrand) wrote :

Here is a reproducer. See main.c for instructions.

Jamie Strandboge (jdstrand) wrote :

It appears that the profile name can't start with 'u'. If I change the app-profile to prepend anything other than 'u', then it works.

E.g., if I update app-profile accordingly before each call to change the profile name:
$ sudo apparmor_parser -r ./app-profile ./launcher-profile && aa-exec -p launcher -- ./test-1562989 ubuntu-clock-app.ubuntucoredev_clock_3.6+snap2 /usr/bin/uptime
argv[0]: ./test-1562989
argv[1]: ubuntu-clock-app.ubuntucoredev_clock_3.6+snap2
argv[2]: /usr/bin/uptime
aa_change_onexec failed with -1. errmsg: Permission denied

$ sudo apparmor_parser -r ./app-profile ./launcher-profile && aa-exec -p launcher -- ./test-1562989 u /usr/bin/uptime
argv[0]: ./test-1562989
argv[1]: u
argv[2]: /usr/bin/uptime
aa_change_onexec failed with -1. errmsg: Permission denied

$ sudo apparmor_parser -r ./app-profile ./launcher-profile && aa-exec -p launcher -- ./test-1562989 fooubuntu-clock-app.ubuntucoredev_clock_3.6+snap2 /usr/bin/uptime
argv[0]: ./test-1562989
argv[1]: fooubuntu-clock-app.ubuntucoredev_clock_3.6+snap2
argv[2]: /usr/bin/uptime
 15:40:27 up 18 min, 2 users, load average: 0.02, 0.10, 0.08

Wild guess would be the check for unconfined is busted.

Changed in linux (Ubuntu):
status: Confirmed → Triaged
Jamie Strandboge (jdstrand) wrote :

Looks like the kernel got some fixes and the rules for change_profile matching unconfined that we had for the launcher no longer work. Those rules seem like they weren't doing what we wanted anyway, so update them.

affects: linux (Ubuntu) → ubuntu-core-launcher (Ubuntu)
Changed in ubuntu-core-launcher (Ubuntu):
assignee: Tyler Hicks (tyhicks) → Jamie Strandboge (jdstrand)
status: Triaged → In Progress
Changed in ubuntu-core-launcher (Ubuntu):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-core-launcher - 1.0.22

---------------
ubuntu-core-launcher (1.0.22) xenial; urgency=medium

  * debian/usr.bin.ubuntu-core-launcher: update unconfined change_profile
    checks to actually work (LP: #1562989)

ubuntu-core-launcher (1.0.21) xenial; urgency=medium

  * src/main.c: setup private /dev/pts
  * debian/usr.bin.ubuntu-core-launcher: allow mounting /dev/pts
  * enforce coding style:
    - add syntax-check and fmt Makefile targets
    - use 'indent -linux'
    - debian/control: Build-Depends on indent

 -- Jamie Strandboge <email address hidden> Mon, 28 Mar 2016 10:42:57 -0500

Changed in ubuntu-core-launcher (Ubuntu):
status: Fix Committed → Fix Released