Hi Philipp,

On Sun, Apr 23, 2017 at 11:55:06AM +0200, Philipp Huebner wrote:
> However, I cannot confirm this issue on my Debian systems with active
> AppArmor and ejabberd 16.09 from backports.

I think the issue is specific to Ubuntu changes to AppArmor, which
slightly changed the semantics for PROT_EXEC on subprofiles.

> A diff between the profile in the 16.01 Ubuntu package and current HEAD (for
> 16.09) is attached, could you try out that one instead?

I've tried the diff but the problem remains: I still need "m" on the su
in the su subprofile.

Thanks!

-Kees

--
Kees Cook @debian.org