It is analogous to access, however the set of races is smaller. Only the privileged MAC admin user can change the policy, whereas with access a user may change a file's permissions. If you are using this to test whether you can open a file, in hopes that open() won't deny it, then yes this is similar to access, in that permissions can change. If this is being used by a trusted helper to determine permissions that it enforces, then it is different in that it is the trusted helper who ends up enforcing permissions. So it will depend on how/what you are using the interface for. With a split between kernel policy and user space decisions there will always be some potential for races; that even exists in the kernel, as opening a file does not guarantee the rights to continue to access the file: those rights can be revoked by a policy replacement, and subsequent writes or reads could fail.
With that said, yes we recognize the need for an fd based query, and other improvements to help expand what can be done safely from userspace.

--
https://bugs.launchpad.net/bugs/1381713

Title:
  Support policy query interface for file

Status in AppArmor Linux application security framework:
  Triaged
Status in Media Hub:
  New
Status in Media Scanner v2:
  New
Status in Thumbnail generator for all kinds of files:
  Fix Committed
Status in apparmor package in Ubuntu:
  Fix Released

Bug description:
  This bug tracks the work needed to support querying if a label can access a file. This is particularly useful with trusted helpers where an application requests access to a file and the trusted helper does something with it. For example, on Ubuntu when an app wants to play a music file, it (eventually) goes through the media-hub service. The media-hub service should be able to query if the app's policy has access to the file.
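The kind of query a trusted helper such as media-hub would make, as an added example that is not code from this bug thread or from the apparmor project. It is modelled on libapparmor's aa_query_file_path(): the `.access` path, the "label\0<label>\0<class><path>" query layout, the class byte, the permission bits and the allow/deny/audit/quiet reply handling are all assumptions to check against your libapparmor and kernel versions, and the label and paths in the usage are constructed.

```python
"""Minimal client for AppArmor's policy query interface (added example).

Formats and constants below are assumptions modelled on libapparmor's
query_label.c, not taken from the bug thread; verify them locally.
"""
import os

ACCESS_PATH = "/sys/kernel/security/apparmor/.access"  # assumed query file
AA_CLASS_FILE = 2                                       # assumed class byte
AA_MAY_EXEC, AA_MAY_WRITE, AA_MAY_READ, AA_MAY_APPEND = 1, 2, 4, 8  # assumed


def build_file_query(label: str, path: str) -> bytes:
    """Assumed wire format: b"label\\0" + label + b"\\0" + class byte + path."""
    return b"label\0" + label.encode() + b"\0" + bytes([AA_CLASS_FILE]) + path.encode()


def parse_access_reply(reply: bytes, mask: int) -> tuple:
    """Reduce the kernel's allow/deny/audit/quiet masks to (allowed, audited).

    Every bit of `mask` must be allowed and not denied; a denial is reported
    as audited unless the policy quiets it (assumed libapparmor semantics).
    """
    fields = {}
    for line in reply.decode().splitlines():
        key, _, value = line.partition(" ")
        fields[key] = int(value, 16)
    for key in ("allow", "deny", "audit", "quiet"):
        if key not in fields:
            raise ValueError(f"malformed reply, missing {key!r}")
    effective_allow = fields["allow"] & ~fields["deny"]
    allowed = (mask & ~effective_allow) == 0
    audit = fields["audit"] if allowed else 0xFFFFFFFF
    audited = (mask & ~(audit & ~fields["quiet"])) == 0
    return allowed, audited


def query_file_path(mask: int, label: str, path: str) -> tuple:
    """Ask the kernel whether `label` may access `path` with `mask` bits.

    The answer reflects the policy loaded right now (the race discussed in
    the thread): a trusted helper should act on the result itself, e.g. open
    the file and hand over the descriptor, rather than have the confined app
    re-open the path later.
    """
    fd = os.open(ACCESS_PATH, os.O_RDWR)
    try:
        os.write(fd, build_file_query(label, path))
        reply = os.read(fd, 4096)
    finally:
        os.close(fd)
    return parse_access_reply(reply, mask)
```

Only `query_file_path` touches the kernel; the two helpers above it are pure and can be exercised offline against a constructed reply.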