On 17.01.25 at 19:16, Bastian Blank wrote:
> Control: tags -1 upstream
> Control: forwarded -1
> https://gitlab.com/apparmor/apparmor/-/blob/692e6850ba90582105713a683bed753bad696aab/kernel-patches/v4.17/0002-apparmor-af_unix-mediation.patch
>
> On Thu, Jan 16, 2025 at 02:16:18PM +0100, Guido Berhoerster wrote:
>> From my superficial reading of the code the error seems to come from here:
>> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/security/apparmor/lsm.c?h=v6.12.6#n1313
>
> Yes, it does.
>
>> It appears that AppArmor SO_PEERSEC support for unix domain sockets bound to
>> a filesystem path name is missing from the upstream kernel and is only
>> enabled as a side effect of a patch distributed with AppArmor:
>> https://gitlab.com/apparmor/apparmor/-/blob/692e6850ba90582105713a683bed753bad696aab/kernel-patches/v4.17/0002-apparmor-af_unix-mediation.patch
>> Ubuntu kernels contain a rebased variant of the patch which is likely why
>> SO_PEERSEC works on Ubuntu.
>
> This comes from the addition of apparmor_unix_stream_connect. Without
> it the peer context is never set.
>
>> The reason I stumbled on this issue is that we (ubports-team) are currently
>> packaging lomiri-content-hub which implicitly relies on SO_PEERSEC through
>> the DBus daemon to get the AppArmor profile of a process requesting to
>> export a file. Without this it is not possible to confine Lomiri/Ubuntu
>> Touch apps running on Debian.
>
> So someone needs to properly submit this support upstream.
From my understanding the AppArmor project has kept this as an out-of-tree patch because it will have to be reworked when/if LSM stacking lands (see [1]). I don't follow kernel development closely but LSM stacking has been under discussion for more than a decade now with no end in sight.

Would you consider including this patch into Debian? The patch itself is very likely to be maintained by Ubuntu as they also make use of SO_PEERSEC.

[1] https://lwn.net/Articles/804906/

-- 
Guido Berhoerster