kernel-packages team mailing list archive

Thread
Date

[Bug 1235478] [NEW] AppArmor doesn't label AF_UNIX sockets created with socketpair()

To: kernel-packages@xxxxxxxxxxxxxxxxxxx
From: Tyler Hicks <tyhicks@xxxxxxxxxxxxx>
Date: Fri, 04 Oct 2013 21:26:16 -0000
Reply-to: Bug 1235478 <1235478@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Public bug reported:

In 13.10, AppArmor added the ability to get the AppArmor label of the peer on
the other end of an UNIX domain socket.

However, it doesn't work for sockets created with socketpair(). The
getsockopt() syscall returns ENOPROTOOPT.

This is not an urgent bug and it does not affect any program that I'm
aware of.

To test, compile the attached socketpair.c program and run it:

$ gcc -o socketpair socketpair.c -lapparmor && ./socketpair 
aa_getpeercon: Protocol not available

Running socketpair through strace shows the failed syscall:

$ strace -e getsockopt ./socketpair
getsockopt(4, SOL_SOCKET, SO_PEERSEC, 0x1166010, 0x7fff20b95aac) = -1 ENOPROTOOPT (Protocol not available)
aa_getpeercon: Protocol not available
+++ exited with 1 +++

Running socketpair under AppArmor confinement results in the same error:

$ echo "profile f { file, }" | sudo apparmor_parser -qr
$ aa-exec -p f ./socketpair
aa_getpeercon: Protocol not available

** Affects: linux (Ubuntu)
     Importance: Low
     Assignee: John Johansen (jjohansen)
         Status: Triaged

** Attachment added: "Test program"
   https://bugs.launchpad.net/bugs/1235478/+attachment/3860181/+files/socketpair.c

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1235478

Title:
  AppArmor doesn't label AF_UNIX sockets created with socketpair()

Status in “linux” package in Ubuntu:
  Triaged

Bug description:
  In 13.10, AppArmor added the ability to get the AppArmor label of the peer on
  the other end of an UNIX domain socket.

  However, it doesn't work for sockets created with socketpair(). The
  getsockopt() syscall returns ENOPROTOOPT.

  This is not an urgent bug and it does not affect any program that I'm
  aware of.

  To test, compile the attached socketpair.c program and run it:

  $ gcc -o socketpair socketpair.c -lapparmor && ./socketpair 
  aa_getpeercon: Protocol not available

  Running socketpair through strace shows the failed syscall:

  $ strace -e getsockopt ./socketpair
  getsockopt(4, SOL_SOCKET, SO_PEERSEC, 0x1166010, 0x7fff20b95aac) = -1 ENOPROTOOPT (Protocol not available)
  aa_getpeercon: Protocol not available
  +++ exited with 1 +++

  Running socketpair under AppArmor confinement results in the same
  error:

  $ echo "profile f { file, }" | sudo apparmor_parser -qr
  $ aa-exec -p f ./socketpair
  aa_getpeercon: Protocol not available

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1235478/+subscriptions

Follow ups

[Bug 1235478] Re: AppArmor doesn't label AF_UNIX sockets created with socketpair()
From: Tyler Hicks, 2014-05-06
[Bug 1235478] [NEW] AppArmor doesn't label AF_UNIX sockets created with socketpair()
From: Tyler Hicks, 2013-10-04

References

[Bug 1235478] [NEW] AppArmor doesn't label AF_UNIX sockets created with socketpair()
From: Tyler Hicks, 2013-10-04