
touch-packages team mailing list archive

[Bug 514286] Re: AppArmored O_CREAT|O_RDONLY differs in behavior from ACLs

 

** Changed in: apparmor (Ubuntu)
       Status: Confirmed => Won't Fix

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/514286

Title:
  AppArmored O_CREAT|O_RDONLY differs in behavior from ACLs

Status in “apparmor” package in Ubuntu:
  Won't Fix

Bug description:
  Binary package hint: apparmor

  When a program uses O_CREAT|O_RDONLY, AppArmor always requires rw.
  Normal permissions are such that it requires r unless the file does not exist, in which case it requires rw.
  You can try this with ACLs if you like to verify.

  As a result of this, one has to give rw in the AppArmor profile, even if there is no expectation of the file ever not existing.
  In other words, for programs that do this, I cannot effectively protect them with AppArmor. AppArmor needs to require w only if the file does not exist, to match what happens in the rest of Linux.

  As to where I ran into this, all Visual Basic 6 programs use
  OPEN_ALWAYS when opening random access files, even if the file is for
  reading. Most of these files always exist; it just happens to be an
  artifact of the compiler. VB6 programs using random access files
  presently cannot be AppArmored effectively. I suspect there are other
  programs, but this is a whole class of them (though one rarely used on
  Linux, I admit).

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/514286/+subscriptions
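
The ordinary permission behaviour the report compares AppArmor against, as an added example that is not part of the original bug report. It uses plain mode bits rather than ACLs (the same discretionary check) and does not exercise AppArmor; the scratch path and function names are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open dir/name with O_CREAT|O_RDONLY; return 0 or the errno from open(2). */
static int try_open(const char *dir, const char *name)
{
    char path[512];
    snprintf(path, sizeof path, "%s/%s", dir, name);
    int fd = open(path, O_CREAT | O_RDONLY, 0644);
    if (fd < 0) return errno;
    close(fd);
    return 0;
}

/* Constructed scratch directory: one read-only file, then the directory is
 * made r-x so no new entries can be created. Returns 0 if setup succeeded. */
int probe_ocreat_rdonly(int *existing, int *missing)
{
    char dir[] = "/tmp/ocreat-demo-XXXXXX";   /* constructed path */
    char path[512];
    if (!mkdtemp(dir)) return -1;
    snprintf(path, sizeof path, "%s/present", dir);
    int fd = open(path, O_CREAT | O_WRONLY, 0444);
    if (fd < 0) { rmdir(dir); return -1; }
    close(fd);
    chmod(dir, 0555);

    *existing = try_open(dir, "present");  /* DAC asks for r on the file only */
    *missing  = try_open(dir, "absent");   /* DAC asks for w on the directory */
    chmod(dir, 0700);                      /* restore so cleanup can unlink */
    unlink(path);
    snprintf(path, sizeof path, "%s/absent", dir);
    unlink(path);                          /* present only if run as root */
    rmdir(dir);
    return 0;
}

int main(void)
{
    int e, m;
    if (probe_ocreat_rdonly(&e, &m) != 0) return 1;
    printf("existing file: %d, missing file: %d (EACCES is %d)\n", e, m, EACCES);
    return 0;
}
```

Run unprivileged, the existing file opens (0) and the missing one fails with EACCES; as root both succeed because CAP_DAC_OVERRIDE bypasses the check.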