After thinking this through some more and discussing with John Johansen,
the current query interface is not sufficient to support querying of
permissions granted by owner file rules. The reason is that, when
dealing with owner file rules, the decision to allow or not depends on
two objects. The first is the file itself and the second is the UID
associated with the process accessing the file. The current query
interface only knows about the file and the UID associated with the
process doing the *query*. The process doing the query is almost never
the same as the process attempting to access the file.
** Changed in: apparmor
Status: Confirmed => Triaged
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1620635
Title:
libapparmor's aa_query_label() always returns allowed = 0 for file
rules containing the "owner" conditional
To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1620635/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
