After thinking this through some more and discussing with John Johansen,
the current query interface is not sufficient to support querying of
permissions granted by owner file rules. The reason is that, when
dealing with owner file rules, the decision to allow or not depends on
two objects. The first is the file itself and the second is the UID
associated with the process accessing the file. The current query
interface only knows about the file and the UID associated with the
process doing the *query*. The process doing the query is almost never
the same as the process attempting to access the file.
** Changed in: apparmor
Status: Confirmed => Triaged
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1620635
Title:
libapparmor's aa_query_label() always returns allowed = 0 for file
rules containing the "owner" conditional
Status in AppArmor:
Triaged
Status in Snappy:
Won't Fix
Status in apparmor package in Ubuntu:
Confirmed
Bug description:
Steps to reproduce:
1. Download and compile the following sample C app that calls aa_query_label
wget https://launchpadlibrarian.net/207629699/query_file.c
gcc -o query_file query_file.c -l apparmor
2. Install a snap that uses the home interface, for example demo-wget:
snap install demo-wget
3. Create a file in your home:
touch /home/USERNAME/testfile
4. Ask apparmor if demo-wget can read that file with query_file:
./query_file snap.demo-wget.wget /home/USERNAME/testfile
Expected result:
output of ./query_file command is
read '/home/kaleo/toto' allowed
Current result:
output of ./query_file command is
read '/home/kaleo/toto' denied
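To make the two-object decision described in the comment above concrete, here is an added Python model (not libapparmor's or the kernel's code) of how an "owner" file rule is evaluated. It assumes a simplified profile where path globs follow fnmatch semantics rather than AppArmor's, and it contrasts the mediation decision the kernel makes at access time (which sees the accessing process's UID) with a query that only has the querying process's UID available, which is the mismatch the reproduction steps hit.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional


@dataclass(frozen=True)
class FileRule:
    """One AppArmor-style file rule, e.g. `owner /home/*/** r,`.

    `owner=True` carries the "owner" conditional: the rule only grants
    permission when the accessing process's UID matches the file's owner.
    Globbing is simplified here (fnmatch), so `*` also matches `/`.
    """
    pattern: str
    perms: frozenset
    owner: bool = False


@dataclass(frozen=True)
class FileObject:
    """The object being accessed: its path and its owner UID."""
    path: str
    uid: int


def rule_grants(rule: FileRule, file: FileObject, perm: str,
                subject_uid: Optional[int]) -> bool:
    """Decide whether a single rule grants `perm` on `file`.

    For an owner rule the decision needs the UID of the subject (the
    process doing the access). If no subject UID is available the owner
    condition cannot be satisfied, so the rule does not grant.
    """
    if perm not in rule.perms:
        return False
    if not fnmatchcase(file.path, rule.pattern):
        return False
    if not rule.owner:
        return True
    if subject_uid is None:
        return False
    return subject_uid == file.uid


def kernel_decision(rules, file: FileObject, perm: str, accessor_uid: int) -> bool:
    """Mediation at access time: the kernel knows the accessing task's UID."""
    return any(rule_grants(r, file, perm, accessor_uid) for r in rules)


def query_label(rules, file: FileObject, perm: str, querier_uid: int) -> bool:
    """Model of the current query interface as described in the bug thread.

    The only UID the query has is that of the process *asking*, which is
    almost never the process that will actually access the file. An owner
    rule is therefore evaluated against the wrong UID.
    """
    return any(rule_grants(r, file, perm, querier_uid) for r in rules)


# Constructed sample profile: the "home" interface style owner rule plus
# an unconditional read rule for /etc.
SAMPLE_RULES = [
    FileRule("/home/*/**", frozenset("rw"), owner=True),
    FileRule("/etc/**", frozenset("r"), owner=False),
]

# Constructed file: the reporter's test file, owned by uid 1000.
TEST_FILE = FileObject("/home/kaleo/toto", uid=1000)


def demo():
    """Return (what the kernel would decide for the user, what a root querier sees)."""
    user_access = kernel_decision(SAMPLE_RULES, TEST_FILE, "r", accessor_uid=1000)
    root_query = query_label(SAMPLE_RULES, TEST_FILE, "r", querier_uid=0)
    return user_access, root_query


if __name__ == "__main__":
    allowed_at_access, allowed_by_query = demo()
    print(f"kernel mediation for uid 1000: {'allowed' if allowed_at_access else 'denied'}")
    print(f"query_label from uid 0:       {'allowed' if allowed_by_query else 'denied'}")
```

The model shows why a query from a privileged helper (uid 0 here) reports "denied" for the reporter's file even though the user's own process would be allowed: the owner conditional is evaluated against the querier's UID, not the accessor's. A query interface that could answer this would have to carry the accessing process's UID as a second object alongside the path, which is exactly what the comment says the current interface lacks.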