[Touch-packages] [Bug 1620635] Re: libapparmor's aa_query_label() always returns allowed = 0 for file rules containing the "owner" conditional

2019-12-02 Thread John Johansen
To answer the question posed on IRC.

I do not know at this time if any fix to this will be SRUed to Xenial.

A proper generic fix will require a new userspace api. The owner
conditional can not be properly generically answered without subject
context. This api can be fixed for the inquiring task's subject querying
against the object, but the generic case of querying where an
external helper task H needs to query whether task A with profile P can
access file F can not be fixed with the current api.

Fixing the query using the subject's task is possible to SRU Xenial. The
generic fix of a new API will not be SRUed.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1620635

Title:
  libapparmor's aa_query_label() always returns allowed = 0 for file
  rules containing the "owner" conditional

Status in AppArmor:
  Triaged
Status in Snappy:
  Won't Fix
Status in apparmor package in Ubuntu:
  Triaged

Bug description:
  Steps to reproduce:
  1. Download and compile the following sample C app that calls aa_query_label

  wget https://launchpadlibrarian.net/207629699/query_file.c
  gcc -o query_file query_file.c -l apparmor

  2. Install a snap that uses the home interface, for example demo-wget:

  snap install demo-wget

  3. Create a file in your home:

  touch /home/USERNAME/testfile

  4. Ask apparmor if demo-wget can read that file with query_file:

  ./query_file snap.demo-wget.wget /home/USERNAME/testfile

  
  Expected result:

  output of ./query_file command is 
  read '/home/kaleo/toto' allowed

  
  Current result:

  output of ./query_file command is 
  read '/home/kaleo/toto' denied

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1620635/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
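
A simplified model of the limitation John Johansen describes above, as an added example that is not code from the bug report, libapparmor or the kernel: the rule table, permission bits, model_query() and the uid values are constructed for illustration. It shows why a query carrying only a label and a path fails closed on "owner" rules, and why answering with the helper's own identity is wrong when helper H and task A run as different users.

```c
/* Added illustration: a simplified model, not AppArmor's implementation. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Constructed permission bits for this model (not libapparmor's values). */
#define PERM_READ  0x4u
#define PERM_WRITE 0x2u

/* One file rule, reduced to a path-prefix match. */
struct file_rule {
    const char *prefix;
    uint32_t perms;
    bool owner;              /* rule carries the "owner" conditional */
};

struct profile {
    const char *label;
    const struct file_rule *rules;
    size_t nrules;
};

/* The subject context a label-only query lacks: fsuid of the task asked about. */
struct subject_ctx {
    uid_t fsuid;
};

/* Constructed rules; only the label comes from the bug report's steps. */
static const struct file_rule demo_rules[] = {
    { "/home/",      PERM_READ | PERM_WRITE, true  },  /* owner /home/** rw */
    { "/usr/share/", PERM_READ,              false },  /* /usr/share/** r   */
};
static const struct profile demo_profile = {
    "snap.demo-wget.wget", demo_rules, sizeof demo_rules / sizeof demo_rules[0]
};

/*
 * Return 1 if every bit in `mask` is granted on `path` (owned by file_uid).
 * subj == NULL models a query that carries only label + path: an owner rule
 * cannot be evaluated, grants nothing, and the answer fails closed.
 */
static int model_query(const struct profile *p, const char *path,
                       uid_t file_uid, uint32_t mask,
                       const struct subject_ctx *subj)
{
    uint32_t granted = 0;

    for (size_t i = 0; i < p->nrules; i++) {
        const struct file_rule *r = &p->rules[i];

        if (strncmp(path, r->prefix, strlen(r->prefix)) != 0)
            continue;                       /* rule does not cover this path */
        if (r->owner && (subj == NULL || subj->fsuid != file_uid))
            continue;                       /* owner condition unmet or unknown */
        granted |= r->perms;
    }
    return (granted & mask) == mask;
}

int main(void)
{
    const char *path = "/home/USERNAME/testfile";
    uid_t file_uid = 1000;                  /* constructed: file owned by uid 1000 */
    struct subject_ctx task_a   = { 1000 }; /* task A, the confined app */
    struct subject_ctx helper_h = { 0 };    /* helper H running as another user */

    printf("label-only query:         %s\n",
           model_query(&demo_profile, path, file_uid, PERM_READ, NULL)
               ? "allowed" : "denied");
    printf("helper's own subject (H): %s\n",
           model_query(&demo_profile, path, file_uid, PERM_READ, &helper_h)
               ? "allowed" : "denied");
    printf("task A's subject:         %s\n",
           model_query(&demo_profile, path, file_uid, PERM_READ, &task_a)
               ? "allowed" : "denied");
    return 0;
}
```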


[Touch-packages] [Bug 1620635] Re: libapparmor's aa_query_label() always returns allowed = 0 for file rules containing the "owner" conditional

2019-10-20 Thread Alfred E. Neumayer
Seems as if label lookup is done using dbus:
https://github.com/ubports/content-hub/blob/xenial/src/com/ubuntu/content/utils.cpp#L254



[Touch-packages] [Bug 1620635] Re: libapparmor's aa_query_label() always returns allowed = 0 for file rules containing the "owner" conditional

2019-10-20 Thread Alfred E. Neumayer
AppArmor userspace in use: AppArmor parser version 2.10.95



[Touch-packages] [Bug 1620635] Re: libapparmor's aa_query_label() always returns allowed = 0 for file rules containing the "owner" conditional

2019-10-20 Thread Alfred E. Neumayer
Nothing special from what I could gather, just:

-) Calling an internal utility function for getting the allow status:
https://github.com/ubports/content-hub/blob/xenial/src/com/ubuntu/content/detail/transfer.cpp#L187
-) Which eventually lands here:
https://github.com/ubports/content-hub/blob/xenial/src/com/ubuntu/content/utils.cpp#L354

No special pid lookups or anything.



[Touch-packages] [Bug 1620635] Re: libapparmor's aa_query_label() always returns allowed = 0 for file rules containing the "owner" conditional

2019-10-20 Thread John Johansen
Alfred,

Which version of apparmor userspace is Ubuntu touch using? You can use

apparmor_parser -V

to find out.



[Touch-packages] [Bug 1620635] Re: libapparmor's aa_query_label() always returns allowed = 0 for file rules containing the "owner" conditional

2019-10-20 Thread John Johansen
How is content hub looking up the confinement (label) of the task? Are
you using pids, looking through /proc//, using aa_gettaskcon?

This will help with creating an interface wrapper for query_label so we
can pass the needed information to the kernel.



[Touch-packages] [Bug 1620635] Re: libapparmor's aa_query_label() always returns allowed = 0 for file rules containing the "owner" conditional

2019-10-20 Thread Alfred E. Neumayer
We're hitting this bug in UBports Ubuntu Touch on the Sony Xperia X (4.4
kernel, xenial AppArmor) as in #6 and #12, apps using content-hub to
request files from a confined application fail receiving the file due to
aa_query_label returning a denial before trying transferring a file.



[Touch-packages] [Bug 1620635] Re: libapparmor's aa_query_label() always returns allowed = 0 for file rules containing the "owner" conditional

2019-09-11 Thread Jamie Strandboge
Retriaging these down to Medium. People worked around this in different
ways and High was obviously inflated since it isn't fixed yet (I just
verified with 5.0.0-25.26-generic and apparmor 2.13.2-9ubuntu6.1).

** Changed in: apparmor
   Importance: High => Medium

** Changed in: apparmor (Ubuntu)
   Importance: High => Medium



[Touch-packages] [Bug 1620635] Re: libapparmor's aa_query_label() always returns allowed = 0 for file rules containing the "owner" conditional

2017-03-21 Thread Launchpad Bug Tracker
** Branch linked: lp:~ci-train-bot/webbrowser-app/webbrowser-app-ubuntu-zesty-2615



[Touch-packages] [Bug 1620635] Re: libapparmor's aa_query_label() always returns allowed = 0 for file rules containing the "owner" conditional

2017-03-21 Thread Launchpad Bug Tracker
** Branch linked: lp:webbrowser-app/staging



[Touch-packages] [Bug 1620635] Re: libapparmor's aa_query_label() always returns allowed = 0 for file rules containing the "owner" conditional

2017-03-21 Thread Andrew Hayzen
FWIW, this bug was stopping the webbrowser from being able to export a
PDF to the printing 'app'.

This was due to content-hub using libapparmor to check if the app was
able to read the path, and the webbrowser-app using an apparmor manifest
which generated a rule with owner in it.

It would be good to get this fixed to prevent other apps using
content-hub failing to import/export.



[Touch-packages] [Bug 1620635] Re: libapparmor's aa_query_label() always returns allowed = 0 for file rules containing the "owner" conditional

2017-02-05 Thread James Henstridge
John: that would be useful.  Our code already tracks the peer's UID, so
it will hopefully be quite easy to hook up whatever you've come up
with.



[Touch-packages] [Bug 1620635] Re: libapparmor's aa_query_label() always returns allowed = 0 for file rules containing the "owner" conditional

2017-02-03 Thread John Johansen
James, I can give you access to a custom kernel and library that
provides a fix for the apparmor end if you would like. The issue is that
these are not in the distro yet, and have not been backported to earlier
releases (yet).



[Touch-packages] [Bug 1620635] Re: libapparmor's aa_query_label() always returns allowed = 0 for file rules containing the "owner" conditional

2017-02-03 Thread James Henstridge
I had a go writing a custom interface to allow thumbnailer to access the
private files of another snap here:

https://github.com/snapcore/snapd/pull/2783

Unfortunately access to ~/snap/$name is also guarded by the "owner"
modifier, so it suffers from the same problems as checking for access
granted by the home interface.  So this will be a problem on systems
built on core as well as classic desktops.



[Touch-packages] [Bug 1620635] Re: libapparmor's aa_query_label() always returns allowed = 0 for file rules containing the "owner" conditional

2016-11-14 Thread Paweł Stołowski
Please ignore my last comment about this affecting scopes... It was a
different root cause afterwards (missing mime database and gdk-pixbuf
loaders/cache -
https://code.launchpad.net/~stolowski/unity8-session-snap/thumbnailer-fixes/+merge/310756
should fix it).



[Touch-packages] [Bug 1620635] Re: libapparmor's aa_query_label() always returns allowed = 0 for file rules containing the "owner" conditional

2016-11-08 Thread Paweł Stołowski
This also affects scopes, we get empty art for thumbnailer URIs such as
image://thumbnailer/file:///snap/unity8-session/...



[Touch-packages] [Bug 1620635] Re: libapparmor's aa_query_label() always returns allowed = 0 for file rules containing the "owner" conditional

2016-10-12 Thread Bill Filler
This is the bug that causes the thumbnails to be blank for camera-app
and gallery-app snaps.



[Touch-packages] [Bug 1620635] Re: libapparmor's aa_query_label() always returns allowed = 0 for file rules containing the "owner" conditional

2016-10-05 Thread Bill Filler
** Tags added: snap-desktop-issue



[Touch-packages] [Bug 1620635] Re: libapparmor's aa_query_label() always returns allowed = 0 for file rules containing the "owner" conditional

2016-09-06 Thread Tyler Hicks
Triaging this bug led me to discover bug #1620791. This bug will need
to be fixed before, or at the same time as, bug #1620791 is fixed.



[Touch-packages] [Bug 1620635] Re: libapparmor's aa_query_label() always returns allowed = 0 for file rules containing the "owner" conditional

2016-09-06 Thread Tyler Hicks
Importance is high as we'll need a fix soon in order for
thumbnailer-service to run as a snap.

** Changed in: apparmor
   Importance: Undecided => High

** Changed in: apparmor (Ubuntu)
   Importance: Undecided => Critical

** Changed in: apparmor (Ubuntu)
   Importance: Critical => High

** Changed in: apparmor (Ubuntu)
   Status: Confirmed => Triaged



[Touch-packages] [Bug 1620635] Re: libapparmor's aa_query_label() always returns allowed = 0 for file rules containing the "owner" conditional

2016-09-06 Thread Tyler Hicks
** Tags added: aa-feature aa-kernel



[Touch-packages] [Bug 1620635] Re: libapparmor's aa_query_label() always returns allowed = 0 for file rules containing the "owner" conditional

2016-09-06 Thread Tyler Hicks
After thinking this through some more and discussing with John Johansen,
the current query interface is not sufficient to support querying of
permissions granted by owner file rules. The reason is that, when
dealing with owner file rules, the decision to allow or not depends on
two objects. The first is the file itself and the second is the UID
associated with the process accessing the file. The current query
interface only knows about the file and the UID associated with the
process doing the *query*. The process doing the query is almost never
the same as the process attempting to access the file.


** Changed in: apparmor
   Status: Confirmed => Triaged

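
A simplified model of the limitation described in the message above, added here as an example and not taken from AppArmor, libapparmor or the thread: an owner file rule needs both the file's owner UID and the accessing task's UID, while a query carries only a label and a path. All struct and function names are hypothetical, and the conservative variant is this model's stand-in for the denied result reported in the bug, not a description of the kernel's logic.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Hypothetical model of a rule like "owner /home/** r,"; prefix match stands in for globbing. */
struct file_rule { const char *prefix; bool owner_only; };
static const struct file_rule home_rule = { "/home/", true };

static bool path_matches(const struct file_rule *r, const char *path)
{
    return strncmp(path, r->prefix, strlen(r->prefix)) == 0;
}

/* Access-time mediation: the accessing task is known, so both inputs of
 * the owner check (subject UID and file owner UID) are available. */
static bool mediate_access(const struct file_rule *r, const char *path,
                           uid_t subject_uid, uid_t file_uid)
{
    return path_matches(r, path) &&
           (!r->owner_only || subject_uid == file_uid);
}

/* Query shaped like the current interface: label and path only. The only
 * UID at hand is the querier's, which gets substituted for the subject's. */
static bool query_with_querier_uid(const struct file_rule *r, const char *path,
                                   uid_t querier_uid, uid_t file_uid)
{
    return mediate_access(r, path, querier_uid, file_uid);
}

/* Conservative query: with no subject UID, an owner rule grants nothing. */
static bool query_conservative(const struct file_rule *r, const char *path)
{
    return path_matches(r, path) && !r->owner_only;
}

int main(void)
{
    const char *f = "/home/USERNAME/testfile"; /* constructed: owned by UID 1000 */
    printf("task uid 1000, real mediation : %d\n", mediate_access(&home_rule, f, 1000, 1000));
    printf("root helper queries           : %d\n", query_with_querier_uid(&home_rule, f, 0, 1000));
    printf("uid 1000 helper, task uid 1001: %d (mediation: %d)\n",
           query_with_querier_uid(&home_rule, f, 1000, 1000), mediate_access(&home_rule, f, 1001, 1000));
    printf("conservative query            : %d\n", query_conservative(&home_rule, f));
    return 0;
}
```

Substituting the querier's UID is wrong in both directions: a root helper gets a denial for an access the kernel would allow, and a helper that happens to own the file gets an allow for a task the kernel would deny.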