To answer the question posed on IRC: I do not know at this time if any fix to this will be SRUed to Xenial.

A proper generic fix will require a new userspace API. The owner conditional cannot be properly generically answered without subject context. This API can be fixed for the inquiring task's subject querying against the object, but the generic case of querying where an external helper task H needs to query whether task A with profile P can access file F cannot be fixed with the current API. Fixing the query using the subject's task is possible to SRU to Xenial. The generic fix of a new API will not be SRUed.

https://bugs.launchpad.net/bugs/1620635

Title:
  libapparmor's aa_query_label() always returns allowed = 0 for file rules containing the "owner" conditional

Status in AppArmor:
  Triaged
Status in Snappy:
  Won't Fix
Status in apparmor package in Ubuntu:
  Triaged

Bug description:
  Steps to reproduce:

  1. Download and compile the following sample C app that calls aa_query_label:

     wget https://launchpadlibrarian.net/207629699/query_file.c
     gcc -o query_file query_file.c -l apparmor

  2. Install a snap that uses the home interface, for example demo-wget:

     snap install demo-wget

  3. Create a file in your home:

     touch /home/USERNAME/testfile

  4. Ask apparmor if demo-wget can read that file with query_file:

     ./query_file snap.demo-wget.wget /home/USERNAME/testfile

  Expected result: output of the ./query_file command is
     read '/home/kaleo/toto' allowed

  Current result: output of the ./query_file command is
     read '/home/kaleo/toto' denied
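As an added example (my code, not the query_file.c attached to the bug), here is a minimal aa_query_label() caller that builds the query buffer the kernel interface expects and reports the result in the same "read '<path>' allowed/denied" form as the steps above. It assumes libapparmor's API and constants (aa_query_label, AA_QUERY_CMD_LABEL, AA_CLASS_FILE, AA_MAY_READ), which are redeclared locally; aa_query_label is declared as a weak symbol so the file also compiles and links without the library, and a real query only runs when built with `gcc -o query_file query_file.c -lapparmor` on an AppArmor-enabled kernel.

```c
/* Added example: build and submit an aa_query_label() file query.
 * Assumed libapparmor API (sys/apparmor.h):
 *   int aa_query_label(uint32_t mask, char *query, size_t size,
 *                      int *allowed, int *audited);
 * aa_query_label() overwrites the first AA_QUERY_CMD_LABEL_SIZE bytes with
 * "label"; after that the caller supplies  <label>\0<class byte><path>.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

#define AA_QUERY_CMD_LABEL      "label"
#define AA_QUERY_CMD_LABEL_SIZE (sizeof(AA_QUERY_CMD_LABEL) - 1)   /* 5 */
#define AA_CLASS_FILE           2
#define AA_MAY_READ             (1u << 2)

/* Weak: resolves to NULL when libapparmor is not linked in. */
extern int aa_query_label(uint32_t mask, char *query, size_t size,
                          int *allowed, int *audited) __attribute__((weak));

/* Fill buf with the query for <label> accessing <path> (file class).
 * Returns the number of bytes used, or -1 if buf is too small. */
ssize_t build_file_query(char *buf, size_t bufsize,
                         const char *label, const char *path)
{
    size_t label_len = strlen(label), path_len = strlen(path);
    size_t need = AA_QUERY_CMD_LABEL_SIZE + label_len + 1 + 1 + path_len;
    if (need > bufsize)
        return -1;
    memset(buf, 0, AA_QUERY_CMD_LABEL_SIZE);   /* aa_query_label() writes "label" here */
    memcpy(buf + AA_QUERY_CMD_LABEL_SIZE, label, label_len);
    buf[AA_QUERY_CMD_LABEL_SIZE + label_len] = '\0';
    buf[AA_QUERY_CMD_LABEL_SIZE + label_len + 1] = AA_CLASS_FILE;
    memcpy(buf + AA_QUERY_CMD_LABEL_SIZE + label_len + 2, path, path_len);
    return (ssize_t)need;
}

/* Ask the kernel whether <label> may read <path>.
 * Returns 1 = allowed, 0 = denied, -1 = error with errno set
 * (ENOSYS when libapparmor is not linked in). */
int query_read(const char *label, const char *path, int *audited)
{
    char query[4096];
    int allowed = 0, aud = 0;
    ssize_t len = build_file_query(query, sizeof query, label, path);
    if (len < 0) { errno = ENAMETOOLONG; return -1; }
    if (!aa_query_label) { errno = ENOSYS; return -1; }
    if (aa_query_label(AA_MAY_READ, query, (size_t)len, &allowed, &aud) == -1)
        return -1;
    if (audited)
        *audited = aud;
    return allowed ? 1 : 0;
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s LABEL PATH\n", argv[0]);
        return 2;
    }
    int rc = query_read(argv[1], argv[2], NULL);
    if (rc < 0) {
        perror("aa_query_label");
        return 1;
    }
    /* The query carries label, class and path but no subject uid, so a rule
     * such as "owner @{HOME}/** r," cannot be evaluated against the caller;
     * per this bug such rules come back as denied. */
    printf("read '%s' %s\n", argv[2], rc ? "allowed" : "denied");
    return 0;
}
```

The buffer layout makes the comment's point concrete: the only subject information the query carries is the profile label, so the kernel has nothing to compare a file's owner against and an "owner"-conditioned rule cannot be answered by this interface.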

