rule with owner match has fsuid=1000 ouid=0 denial with named socket with owner permissions
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
AppArmor |
New
|
Undecided
|
Unassigned |
Bug Description
Electron applications use this to ensure only one instance of the application is running: https:/
Part of this involves creating a named socket in XDG_RUNTIME_DIR. Eg:
$ ls -l /run/user/
total 0
lrwxrwxrwx 1 jamie jamie 19 Nov 8 10:19 SingletonCookie -> 8465438638122226111
srwxr-xr-x 1 jamie jamie 0 Nov 8 10:19 SS
In snappy, we have the following rule:
owner /run/user/
Under certain circumstances[1] a read denial pops out due to owner mismatch:
apparmor=“DENIED” operation=
but on the filesystem the file is owned by 1000:1000 (the application is run by the non-root user and the application isn't setuid and doesn't have file ACLs). I don't yet have a simplified reproducer for this, but (a complex) one exists in the forum[1]. Adding the aa-kernel task for now.
[1]https:/
description: | updated |