Public bug reported:

Binary package hint: apparmor

When a program uses O_CREAT|O_RDONLY, AppArmor always requires rw. Normal permissions are such that it requires r unless the file does not exist, in which case it requires rw. You can try this with ACLs if you like to verify.

As a result of this, one has to give rw in the AppArmor profile, even if there is no expectation of the file ever not existing. In other words, for programs that do this, I cannot effectively protect them with AppArmor. AppArmor needs to require w only if the file does not exist, to match what happens in the rest of Linux.

As to where I ran into this, all Visual Basic 6 programs use OPEN_ALWAYS when opening random access files, even if the file is for reading. Most of these files always exist; it just happens to be an artifact of the compiler. VB6 programs using random access files presently cannot be AppArmored effectively. I suspect there are other programs, but this is a whole class of them (though one rarely used on Linux, I admit).

** Affects: apparmor (Ubuntu)
     Importance: Undecided
         Status: New

--
AppArmored O_CREAT|O_RDONLY differs in behavior from ACLs
https://bugs.launchpad.net/bugs/514286
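
A reproducer for the baseline the report compares against, added here as an example and not part of the original report: it records how plain file permissions treat O_CREAT|O_RDONLY for an existing file versus a missing one. The scratch paths and the names `probe_creat_rdonly` and `try_open` are constructed for illustration; run it unprivileged, since root bypasses these permission checks.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Each field is 0 on success, otherwise the errno returned by open(). */
struct probe { int existing_errno; int missing_errno; };

static int try_open(const char *path)
{
    int fd = open(path, O_CREAT | O_RDONLY, 0644); /* flag pair from the report */
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

/* Constructed scratch layout: a read-only file inside a directory whose
 * write permission is removed, so reading is allowed but creating is not. */
struct probe probe_creat_rdonly(void)
{
    struct probe r = { -1, -1 };
    char dir[] = "/tmp/creat_rdonly_XXXXXX";
    char present[64], missing[64];

    if (!mkdtemp(dir))
        return r;
    snprintf(present, sizeof present, "%s/present.dat", dir);
    snprintf(missing, sizeof missing, "%s/missing.dat", dir);
    int fd = open(present, O_CREAT | O_WRONLY, 0444);
    if (fd >= 0)
        close(fd);
    chmod(dir, 0555);
    r.existing_errno = try_open(present); /* file exists: read access suffices */
    r.missing_errno = try_open(missing);  /* file absent: creation needs write */
    chmod(dir, 0755);                     /* restore write access for cleanup */
    unlink(present);
    unlink(missing);
    rmdir(dir);
    return r;
}

int main(void)
{
    struct probe r = probe_creat_rdonly();
    printf("existing errno=%d, missing errno=%d\n", r.existing_errno, r.missing_errno);
    return 0;
}
```

Running the same binary under an AppArmor profile that grants only r on the existing file gives a direct comparison with the behaviour the report describes.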