Is this issue related to Bug #1890905?

-- 
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1856738

Title:
  access always denied when using @{HOME} tunable in peer_addr for abstract socket

Status in AppArmor:
  Triaged
Status in apparmor package in Ubuntu:
  Triaged

Bug description:
  With this profile:

    #include <tunables/global>

    profile test {
      #include <abstractions/base>

      # Parses but always denied
      unix (connect, receive, send)
           type=stream
           peer=(addr="@@{HOME}/.cache/ibus/dbus-*"),

      # parses and allows access
      # unix (connect, receive, send)
      #      type=stream
      #      peer=(addr="@/home/*/.cache/ibus/dbus-*"),
    }

  In one terminal I start a server:

    $ ./abstract-server stream /home/jamie/.cache/ibus/dbus-foo

  Then in another terminal do:

    $ sudo apparmor_parser -r /tmp/apparmor.profile && aa-exec -p test -- ./abstract-client stream /home/jamie/.cache/ibus/dbus-foo hi
    connect() failed

  With the following denial (and no output from the server terminal):

    apparmor="DENIED" operation="connect" profile="test" pid=3665 comm="abstract-client" family="unix" sock_type="stream" protocol=0 requested_mask="send receive connect" denied_mask="send connect" addr=none peer_addr="@/home/jamie/.cache/ibus/dbus-fo" peer="unconfined"

  Commenting out the @{HOME} rule and uncommenting the /home/* rule, it works:

    $ sudo apparmor_parser -r /tmp/apparmor.profile && aa-exec -p test -- ./abstract-client stream /home/jamie/.cache/ibus/dbus-foo hi
    MESSAGE FROM SERVER: received message number 1

  (with the server displaying 'MESSAGE FROM CLIENT: hi')

  Attached is the server and client code.
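
Added example, not part of the original bug report or of AppArmor: a small Python helper that parses the denial quoted in the bug description above and checks whether a rule's peer addr glob covers the logged peer_addr. The glob translation handles only `**`, `*` and `?` and assumes `*` and `?` do not match `/`; the names parse_denial, aare_to_regex and rule_covers are hypothetical.

```python
import re
import shlex

# Constructed sample: the denial from the bug description, as one audit line.
SAMPLE = ('apparmor="DENIED" operation="connect" profile="test" pid=3665 '
          'comm="abstract-client" family="unix" sock_type="stream" protocol=0 '
          'requested_mask="send receive connect" denied_mask="send connect" '
          'addr=none peer_addr="@/home/jamie/.cache/ibus/dbus-fo" '
          'peer="unconfined"')


def parse_denial(line):
    """Split an AppArmor audit line into a dict of key=value fields."""
    fields = {}
    for token in shlex.split(line):  # shlex keeps quoted values together
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    # Permission masks are space-separated lists; expose them as sets.
    for mask in ("requested_mask", "denied_mask"):
        fields[mask] = set(fields.get(mask, "").split())
    return fields


def aare_to_regex(pattern):
    """Translate a subset of AppArmor globbing (**, *, ?) into a regex.

    Assumption: '*' and '?' stop at '/', while '**' crosses it.
    """
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] in "*?":
            out.append("[^/]*" if pattern[i] == "*" else "[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(out), re.DOTALL)


def rule_covers(pattern, denial):
    """True if the rule's peer addr glob matches the logged peer_addr."""
    return aare_to_regex(pattern).fullmatch(denial.get("peer_addr", "")) is not None


if __name__ == "__main__":
    d = parse_denial(SAMPLE)
    print("denied:", sorted(d["denied_mask"]))
    print("covered:", rule_covers("@/home/*/.cache/ibus/dbus-*", d))
```
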