exec failed: Permission denied while mako is in /usr/bin/

[ReadWriteError]

OK get ready for a weird one.
So the contents of ~/.config/mako/config are as follows.

on-notify=exec echo "test"

OK then I execute /usr/bin/mako and then when I try to get a notification using notify-send "test" "test1". I get the following output on the console.

exec failed: Permission denied

Whats really weird is the "solution" which is this:

sudo ln /usr/bin/mako /usr/local/bin/

Then when I run /usr/local/bin/mako no issues. "test" gets output to the console and no errors. In both cases the proper notification gets displayed.

Also worth mentioning ln -s does not work. It has to be a hard link. I have tried other commands in the config like sleep and pw-play they all get the same error. Also the new hard link (or regular copy works too) doesn't have to be in /usr/local/bin/ it can be anywhere but /usr/bin/. I've also compiled the latest master from source and it made no difference. Whenever I run a mako executable that is located in /usr/bin/ I get the permission denied error.

This issue extends beyond the exec. Another thing I found that is broken is the -c option. /usr/bin/mako -c ~/.config/mako/configcopy has the following output (unless configcopy is a symbolic link to ~/.config/mako/config, then everything works).

Unable to open /home/myuser/.config/mako/configcopy for reading
Failed to parse config

/usr/bin/mako -c ~/.config/mako/config works and /usr/local/bin/mako -c ~/.config/mako/configcopy works.

I'm running debian testing with swaywm. mako is version 1.6-1. I'm sure this is something specific to my system, probably even my fault, but any insight would be appreciated.

[ammgws]

Related to #378?

[ReadWriteError]

Yes I would say this is related. I included 2 problems in 1 issue because I believe they have the same root cause and behavior.

[vilhalmer]

This sort of feels like apparmor blocking syscalls. Do you have it enabled? We probably need to update the profile for the exec binding.

[daveriedstra]

I'm having the same problem with the same symptoms, and also seeing apparmor blocking mako in journalctl:

Jan 11 11:00:24 gedachte dbus-daemon[1961]: [session uid=1000 pid=1961] Activating service name='org.freedesktop.Notifications' requested by ':1.1698' (uid=1000 pid=799189 comm="notify-send hello there ")
Jan 11 11:00:24 gedachte org.freedesktop.Notifications[799193]: Unable to open /home/dried/.config/mako/config for readingFailed to parse config
Jan 11 11:00:24 gedachte audit[799193]: AVC apparmor="DENIED" operation="open" profile="fr.emersion.Mako" name="/home/dried/.dotfiles/sway/.config/mako/config" pid=799193 comm="mako" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Jan 11 11:00:24 gedachte kernel: audit: type=1400 audit(1641916824.247:352): apparmor="DENIED" operation="open" profile="fr.emersion.Mako" name="/home/dried/.dotfiles/sway/.config/mako/config" pid=799193 comm="mako" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Jan 11 11:00:24 gedachte dbus-daemon[1961]: [session uid=1000 pid=1961] Activated service 'org.freedesktop.Notifications' failed: Process org.freedesktop.Notifications exited with status 1

Pop!_OS 21.04
Sway 1.5.1
Mako 1.6

[abstractlyZach]

I am seeing the same problem. Looks like apparmor is blocking the exec calls. (I'm using the exec calls to make sounds play on notification as suggested in man 5 mako )

# ~/.config/mako/config

on-notify=exec mpv /usr/share/sounds/freedesktop/stereo/screen-capture.oga

$ grep AVC /var/log/audit/audit.log
type=AVC msg=audit(1646854005.102:1643): apparmor="DENIED" operation="exec" profile="fr.emersion.Mako" name="/usr/bin/bash" pid=3979 comm="mako" requested_mask="x" denied_mask="x" fsuid=989644 ouid=0FSUID="leezach" OUID="root"

[emersion]

AppArmor support has been dropped: #426