How is content hub looking up the confinement (label) of the task. Are
you using pids, looking through /proc/<pid>/, using aa_gettaskcon?

This will help with creating an interface wrapper for query_label so we
can pass the needed information to the kernel.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1620635

Title:
  libapparmor's aa_query_label() always returns allowed = 0 for file
  rules containing the "owner" conditional

Status in AppArmor:
  Triaged
Status in Snappy:
  Won't Fix
Status in apparmor package in Ubuntu:
  Triaged

Bug description:
  Steps to reproduce:
  1. Download and compile the following sample C app that calls aa_query_label

  wget https://launchpadlibrarian.net/207629699/query_file.c
  gcc -o query_file query_file.c -l apparmor

  2. Install a snap that uses the home interface, for example demo-wget:

  snap install demo-wget

  3. Create a file in your home:

  touch /home/USERNAME/testfile

  4. Ask apparmor if demo-wget can read that file with query_file:

  ./query_file snap.demo-wget.wget /home/USERNAME/testfile


  Expected result:

  output of ./query_file command is
  read '/home/kaleo/toto' allowed

  Current result:

  output of ./query_file command is
  read '/home/kaleo/toto' denied
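The two lookups discussed above (a task's confinement label, then the file query the reproduction steps issue) as an added example that is not part of this bug report or of libapparmor: it reads the same /proc/<pid>/attr/current file that aa_gettaskcon() reads, and calls libapparmor's real aa_query_file_path() through ctypes; the function names parse_confinement, task_label and may_read are assumptions of this example.

```python
import ctypes
import ctypes.util
import os

AA_MAY_READ = 1 << 2  # file permission bit, as defined in <sys/apparmor.h>


def parse_confinement(raw):
    """Split the "label (mode)" text of /proc/<pid>/attr/current into
    (label, mode). Unconfined tasks report just "unconfined", so mode is None."""
    text = raw.rstrip("\n")
    if text.endswith(")"):
        sep = text.rfind(" (")
        if sep > 0:
            return text[:sep], text[sep + 2:-1]
    return text, None


def task_label(pid):
    """Same lookup aa_gettaskcon() performs: read the task's attr/current file."""
    with open("/proc/%d/attr/current" % pid) as f:
        return parse_confinement(f.read())


def may_read(label, path):
    """Ask the kernel via aa_query_file_path() whether `label` may read `path`.
    Returns (allowed, audited). The query carries no uid, so a rule that only
    matches under the "owner" conditional reports denied here (bug 1620635)."""
    lib = ctypes.CDLL(ctypes.util.find_library("apparmor") or "libapparmor.so.1",
                      use_errno=True)
    fn = lib.aa_query_file_path
    fn.argtypes = [ctypes.c_uint32, ctypes.c_char_p, ctypes.c_size_t,
                   ctypes.c_char_p, ctypes.c_size_t,
                   ctypes.POINTER(ctypes.c_int), ctypes.POINTER(ctypes.c_int)]
    fn.restype = ctypes.c_int
    allowed, audited = ctypes.c_int(0), ctypes.c_int(0)
    lb, pb = label.encode(), os.fsencode(path)
    if fn(AA_MAY_READ, lb, len(lb), pb, len(pb),
          ctypes.byref(allowed), ctypes.byref(audited)) < 0:
        raise OSError(ctypes.get_errno(), "aa_query_file_path failed")
    return bool(allowed.value), bool(audited.value)


if __name__ == "__main__":
    import sys
    # Usage: python3 query.py <label|pid> <path>, mirroring the report's query_file
    who, path = sys.argv[1], sys.argv[2]
    label = task_label(int(who))[0] if who.isdigit() else who
    ok, _ = may_read(label, path)
    print("read '%s' %s" % (path, "allowed" if ok else "denied"))
```

Run it with the label from step 4 (snap.demo-wget.wget) or with a pid of a running confined task; the query itself needs an AppArmor-enabled kernel and libapparmor installed.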

