It appears that the profile name can't start with 'u'. If I change the app-profile to prepend anything other than 'u', then it works.
Eg, if I update app-profile accordingly before each call to change the profile name: $ sudo apparmor_parser -r ./app-profile ./launcher-profile && aa-exec -p launcher -- ./test-1562989 ubuntu-clock-app.ubuntucoredev_clock_3.6+snap2 /usr/bin/uptime argv[0]: ./test-1562989 argv[1]: ubuntu-clock-app.ubuntucoredev_clock_3.6+snap2 argv[2]: /usr/bin/uptime aa_change_onexec failed with -1. errmsg: Permission denied $ sudo apparmor_parser -r ./app-profile ./launcher-profile && aa-exec -p launcher -- ./test-1562989 u /usr/bin/uptimeargv[0]: ./test-1562989 argv[1]: u argv[2]: /usr/bin/uptime aa_change_onexec failed with -1. errmsg: Permission denied $ sudo apparmor_parser -r ./app-profile ./launcher-profile && aa-exec -p launcher -- ./test-1562989 fooubuntu-clock-app.ubuntucoredev_clock_3.6+snap2 /usr/bin/uptime argv[0]: ./test-1562989 argv[1]: fooubuntu-clock-app.ubuntucoredev_clock_3.6+snap2 argv[2]: /usr/bin/uptime 15:40:27 up 18 min, 2 users, load average: 0.02, 0.10, 0.08 Wild guess would be the check for unconfined is busted. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1562989 Title: 'aa_change_onexec failed with -1. errmsg: Permission denied' To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1562989/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
