On 29/1/24 at 17:48, John Johansen wrote:
On 1/29/24 08:31, Sergio Costas Rodriguez wrote:
Hi all,
I'm using aa_getpeercon() to get info about a socket, but in some
kernels with odd apparmor configurations it returns ENOPROTOOPT. But
the manpage doesn't list that error in the possible errors of this
call. Under which circumstances can that error be returned?
To use aa_getpeercon(), your kernel will need the fine-grained unix
mediation, which hasn't landed in upstream kernels yet. So current
upstream kernels will return -ENOPROTOOPT because SO_PEERLABEL is not
a supported protocol option.
Additionally, note that with LSM stacking (apparmor stacked with
another LSM), even if you have the fine-grained af_unix mediation,
aa_getpeercon() will either return an error or the wrong LSM info (it
will depend on the version of aa_getpeercon() that is in use).
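An added example (not code from this thread or from libapparmor) showing how a service can query a peer's label over a UNIX socket and treat the ENOPROTOOPT case described above as "label unknown" rather than as a label. It assumes, as libapparmor's aa_getpeercon() does, that the query is a getsockopt(SOL_SOCKET, SO_PEERSEC) call, and uses that raw option directly so it builds without libapparmor; the status names and helpers are hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Outcome of a peer-label query; hypothetical names for this example. */
enum peercon_status {
    PEERCON_OK,            /* label retrieved into the caller's buffer */
    PEERCON_NO_MEDIATION,  /* ENOPROTOOPT: kernel lacks fine-grained af_unix mediation */
    PEERCON_OTHER_ERROR    /* anything else (stacking, bad fd, buffer too small, ...) */
};

/* Map the errno of a failed query to a status. Policy code should treat
 * PEERCON_NO_MEDIATION as "label unknown", never as "unconfined" or as
 * a trusted label, so a missing kernel feature fails closed. */
enum peercon_status classify_peercon_errno(int err)
{
    switch (err) {
    case 0:           return PEERCON_OK;
    case ENOPROTOOPT: return PEERCON_NO_MEDIATION;
    default:          return PEERCON_OTHER_ERROR;
    }
}

/* Query the peer label of a connected UNIX socket into buf (NUL-padded).
 * Stores 0 or the failing errno in *err and returns the classification.
 * Assumption: SO_PEERSEC is the option aa_getpeercon() wraps. */
enum peercon_status query_peer_label(int fd, char *buf, size_t buflen, int *err)
{
    socklen_t optlen = (socklen_t)buflen;
    memset(buf, 0, buflen);
    if (getsockopt(fd, SOL_SOCKET, SO_PEERSEC, buf, &optlen) == -1) {
        *err = errno;
        return classify_peercon_errno(*err);
    }
    *err = 0;
    return PEERCON_OK;
}

/* Self-contained probe: build a socketpair and query one end's peer, so the
 * result reflects what the running kernel actually supports. */
enum peercon_status probe_self(int *err)
{
    int sv[2];
    char label[256];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1) {
        *err = errno;
        return PEERCON_OTHER_ERROR;
    }
    enum peercon_status st = query_peer_label(sv[0], label, sizeof label, err);
    close(sv[0]);
    close(sv[1]);
    return st;
}
```

On an upstream kernel without the mediation patches probe_self() reports PEERCON_NO_MEDIATION; on a kernel that does mediate af_unix it returns PEERCON_OK with the peer's label in the buffer.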
Mmm... does that mean that Ubuntu kernels have that patch included? Do
you know since which version?