Marking the Snappy task as "Wont't Fix" for now. This theoretically
could be fixed in snapd's home interface by dropping the "owner" prefix
but I don't think that's the correct fix for this bug. Either
libapparmor or the kernel need to handle the owner conditional better or
the calling application should do another query for owned files.
** Changed in: snappy
Status: New => Won't Fix
** Summary changed:
- libapparmor's aa_query_label() always returns allowed = 0 for snaps
+ libapparmor's aa_query_label() always returns allowed = 0 for file rules
containing the "owner" conditional
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1620635
Title:
libapparmor's aa_query_label() always returns allowed = 0 for file
rules containing the "owner" conditional
Status in AppArmor:
Confirmed
Status in Snappy:
Won't Fix
Status in apparmor package in Ubuntu:
Confirmed
Bug description:
Steps to reproduce:
1. Download and compile the following sample C app that calls aa_query_label
wget https://launchpadlibrarian.net/207629699/query_file.c
gcc -o query_file query_file.c -l apparmor
2. Install a snap that uses the home interface, for example demo-wget:
snap install demo-wget
3. Create a file in your home:
touch /home/USERNAME/testfile
4. Ask apparmor if demo-wget can read that file with query_file:
./query_file snap.demo-wget.wget /home/USERNAME/testfile
Expected result:
output of ./query_file command is
read '/home/kaleo/toto' allowed
Current result:
output of ./query_file command is
read '/home/kaleo/toto' denied
To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1620635/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
