In preparation for an SRU, here is a minimal C testcase provided by
Wolfgang Bumiller:

```
/*
# apparmor_parser -r /etc/apparmor.d/bug-profile
# (tested without the flags here as well btw.)
profile bug-profile flags=(attach_disconnected,mediate_deleted) {
   network,
   file,
   unix,
}

# gcc this.c
# ./a.out
lock = 2 (Success)
# aa-exec -p bug-profile ./a.out
lock = 2 (Permission denied)

kernel: audit: type=1400 audit(1530774919.510:93): apparmor="DENIED" 
operation="file_lock" profile="bug-profile" pid=21788 comm="a.out" 
family="unix" sock_type="dgram" protocol=0 addr=none
*/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/file.h>

int
main(int argc, char **argv)
{
    int sp[2];
    /* Create an unnamed AF_UNIX datagram socket pair. */
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sp) != 0) {
        perror("socketpair");
        exit(1);
    }
    /* Take an exclusive advisory lock on one end of the pair; under the
     * confining profile this is the call that is denied (rc = -1, EACCES). */
    int rc = flock(sp[0], LOCK_EX);
    /* %m expands to strerror(errno) (glibc extension); rc must be passed
     * explicitly, otherwise the %i reads an undefined stack value. */
    printf("lock = %i (%m)\n", rc);

    close(sp[0]);
    close(sp[1]);
    return 0;
}
```

Another very easy way to reproduce the issue is to run "hostnamectl
status" inside a container which will hang as the systemd unit (socket
activated) will fail to trigger.
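As an added example, not part of Wolfgang's testcase or of the bug report itself, the audit record quoted above can be triaged automatically on hosts where this is suspected: the script below parses AppArmor `type=1400` audit lines into their key=value fields and flags `DENIED` `file_lock` events whose target is a unix socket rather than a path, which is the signature this bug leaves in the kernel log. The sample lines are constructed for the example; only the first one reproduces the denial from the report, the rest are made-up contrasting events.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: the first line is the denial quoted in the bug
# report (joined onto one line); the others are made-up contrasting events.
SAMPLE_AUDIT_LINES = [
    'kernel: audit: type=1400 audit(1530774919.510:93): apparmor="DENIED" '
    'operation="file_lock" profile="bug-profile" pid=21788 comm="a.out" '
    'family="unix" sock_type="dgram" protocol=0 addr=none',
    # a lock on a regular file, which the profile's "file" rule allows
    'kernel: audit: type=1400 audit(1530774920.001:94): apparmor="ALLOWED" '
    'operation="file_lock" profile="bug-profile" name="/tmp/x" pid=21790 '
    'comm="a.out" requested_mask="k" denied_mask="k" fsuid=0 ouid=0',
    # an unrelated denial from a different (made-up) profile
    'kernel: audit: type=1400 audit(1530774921.300:95): apparmor="DENIED" '
    'operation="open" profile="other" name="/etc/shadow" pid=22000 '
    'comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    'kernel: some unrelated kernel message',
]

# key=value pairs; values are either double-quoted or a bare token
_KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# the audit(<timestamp>:<serial>) header that precedes the fields
_AUDIT_HDR_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')


def parse_apparmor_audit(line: str) -> Optional[Dict[str, str]]:
    """Parse one AppArmor audit line into a dict of its key=value fields.

    Returns None for lines that are not type=1400 (AppArmor) audit records.
    """
    if 'type=1400' not in line:
        return None
    fields: Dict[str, str] = {}
    hdr = _AUDIT_HDR_RE.search(line)
    if hdr:
        fields['timestamp'], fields['serial'] = hdr.group(1), hdr.group(2)
    for m in _KV_RE.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


def is_socket_lock_denial(ev: Dict[str, str]) -> bool:
    """True for the pattern seen in this bug: a DENIED file_lock whose target
    is a unix socket (family="unix" instead of a name= path)."""
    return (ev.get('apparmor') == 'DENIED'
            and ev.get('operation') == 'file_lock'
            and ev.get('family') == 'unix')


def find_socket_lock_denials(lines: List[str]) -> List[Dict[str, str]]:
    """Return the parsed events that match is_socket_lock_denial()."""
    hits = []
    for line in lines:
        ev = parse_apparmor_audit(line)
        if ev and is_socket_lock_denial(ev):
            hits.append(ev)
    return hits


if __name__ == '__main__':
    for ev in find_socket_lock_denials(SAMPLE_AUDIT_LINES):
        print(f"profile={ev['profile']} comm={ev['comm']} pid={ev['pid']} "
              f"sock_type={ev.get('sock_type')}: flock() on a unix socket "
              "was denied (matches the LP#1780227 pattern)")
```

On a real host the list would be replaced by lines read from `dmesg` or `/var/log/kern.log`; the parser only looks at the `type=1400` records and ignores everything else, so it can be fed the raw stream.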

https://bugs.launchpad.net/bugs/1780227

Title:
  locking sockets broken due to missing AppArmor socket mediation
  patches
