This bug was fixed in 14.04 LTS.

$ cat /proc/version_signature
Ubuntu 3.13.0-24.46-generic 3.13.9
$ gcc -o socketpair socketpair.c -lapparmor && ./socketpair
con = "unconfined"; mode = "(null)"
$ echo "profile f { file, }" | sudo apparmor_parser -qr
$ aa-exec -p f ./socketpair
con = "f"; mode = "enforce"

** Changed in: linux (Ubuntu)
       Status: Triaged => Fix Released

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1235478

Title:
  AppArmor doesn't label AF_UNIX sockets created with socketpair()

Status in "linux" package in Ubuntu:
  Fix Released

Bug description:
  In 13.10, AppArmor added the ability to get the AppArmor label of the
  peer on the other end of a UNIX domain socket. However, it doesn't
  work for sockets created with socketpair(). The getsockopt() syscall
  returns ENOPROTOOPT.

  This is not an urgent bug and it does not affect any program that I'm
  aware of.

  To test, compile the attached socketpair.c program and run it:

  $ gcc -o socketpair socketpair.c -lapparmor && ./socketpair
  aa_getpeercon: Protocol not available

  Running socketpair through strace shows the failed syscall:

  $ strace -e getsockopt ./socketpair
  getsockopt(4, SOL_SOCKET, SO_PEERSEC, 0x1166010, 0x7fff20b95aac) = -1 ENOPROTOOPT (Protocol not available)
  aa_getpeercon: Protocol not available
  +++ exited with 1 +++

  Running socketpair under AppArmor confinement results in the same
  error:

  $ echo "profile f { file, }" | sudo apparmor_parser -qr
  $ aa-exec -p f ./socketpair
  aa_getpeercon: Protocol not available

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1235478/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp