Marking the Snappy task as "Won't Fix" for now. This theoretically could be fixed in snapd's home interface by dropping the "owner" prefix but I don't think that's the correct fix for this bug. Either libapparmor or the kernel need to handle the owner conditional better or the calling application should do another query for owned files.
** Changed in: snappy
   Status: New => Won't Fix

** Summary changed:

- libapparmor's aa_query_label() always returns allowed = 0 for snaps
+ libapparmor's aa_query_label() always returns allowed = 0 for file rules containing the "owner" conditional

--
https://bugs.launchpad.net/bugs/1620635

Title:
  libapparmor's aa_query_label() always returns allowed = 0 for file rules containing the "owner" conditional

Status in AppArmor:
  Confirmed
Status in Snappy:
  Won't Fix
Status in apparmor package in Ubuntu:
  Confirmed

Bug description:
  Steps to reproduce:

  1. Download and compile the following sample C app that calls aa_query_label:

       wget https://launchpadlibrarian.net/207629699/query_file.c
       gcc -o query_file query_file.c -l apparmor

  2. Install a snap that uses the home interface, for example demo-wget:

       snap install demo-wget

  3. Create a file in your home:

       touch /home/USERNAME/testfile

  4. Ask apparmor if demo-wget can read that file with query_file:

       ./query_file snap.demo-wget.wget /home/USERNAME/testfile

  Expected result:
    output of ./query_file command is: read '/home/kaleo/toto' allowed

  Current result:
    output of ./query_file command is: read '/home/kaleo/toto' denied