Yes, something like this should work. However, 600 will not be the correct check, as in some cases the owner may differ, especially in the virtualized case because vfs doesn't let us virtualize the file's owner.

Currently this file isn't virtualized to the policy namespace, and that is why the restriction was put in place to keep containers from doing things they shouldn't with other policy namespaces. It will be virtualized by 4.14; we can land that change in Ubuntu for 17.10 and SRU. We have no plans to require/use bind mounts to get around owner virtualization, but with 4.13 we added the ability for securityfs to do magic symlinks, which allows a virtualization like nsfs is doing. We could make this a magic symlink to a file owned by the correct user if need be, in which case 600 would be sufficient. I think for now the test needs to be for any possible write, 222, so we will need to do some masking on the returned value.

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1692543

Title:
Regression tests cannot write to apparmor path_max module parameter in artful/4.11

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1692543/+subscriptions

--
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
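The mode check the comment describes, as an added shell example that is not part of the bug thread or of the AppArmor regression tests: an exact comparison against 600 next to the mask-against-0222 check, applied to the octal mode string that `stat -c %a` prints. The parameter path is the one from the bug; the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug thread). Decides whether a module parameter
# such as /sys/module/apparmor/parameters/path_max could possibly be written,
# by masking the permission bits with 0222 instead of comparing to exactly 600.
# The exact-600 test breaks once the file's owner differs from the test's uid
# (the virtualized/container case described in the thread); the mask does not
# depend on the owner at all.

PARAM=/sys/module/apparmor/parameters/path_max   # path from the bug report

# exact_600 MODE -> succeeds only when MODE is exactly "600" (the check the
# thread says is wrong).
exact_600() { [ "$1" = "600" ]; }

# any_write_bit MODE -> succeeds when any of the owner/group/other write bits
# is set in the octal mode string MODE (e.g. "600", "644", "4755"), fails for
# read-only modes such as "444". Extra leading digits (setuid/setgid/sticky,
# as stat may print them) are dropped before masking.
any_write_bit() {
    mode=$1
    mode=${mode#"${mode%???}"}          # keep the last three octal digits
    [ $(( 0$mode & 0222 )) -ne 0 ]      # leading 0 makes the shell parse octal
}

# param_writable_bits PATH -> reads the mode with GNU stat and applies the
# mask; fails if PATH does not exist. Only the mode is consulted, so a
# container whose uid is not the (unvirtualized) owner is handled the same
# way as the host.
param_writable_bits() {
    [ -e "$1" ] || return 1
    any_write_bit "$(stat -c %a "$1")"
}

# Usage on a real system (skipped if the parameter is absent, e.g. no AppArmor):
if [ -e "$PARAM" ]; then
    if param_writable_bits "$PARAM"; then
        echo "$PARAM has a write bit set (mode $(stat -c %a "$PARAM"))"
    else
        echo "$PARAM has no write bits (mode $(stat -c %a "$PARAM"))"
    fi
fi
```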
