rule with owner match has fsuid=1000 ouid=0 denial with named socket with owner permissions

Bug #1731012 reported by Jamie Strandboge
This bug affects 1 person
Affects Status Importance Assigned to Milestone

Bug Description

Electron applications use this to ensure only one instance of the application is running:

Part of this involves creating a named socket in XDG_RUNTIME_DIR. Eg:

$ ls -l /run/user/1000/snap.mailspring/.org.chromium.Chromium.Aoy3tc
total 0
lrwxrwxrwx 1 jamie jamie 19 Nov 8 10:19 SingletonCookie -> 8465438638122226111
srwxr-xr-x 1 jamie jamie 0 Nov 8 10:19 SS

In snappy, we have the following rule:

  owner /run/user/[0-9]*/snap.@{SNAP_NAME}/** mrwklix,

Under certain circumstances[1] a read denial pops out due to owner mismatch:

apparmor=“DENIED” operation=“file_perm” profile=“snap.mailspring.mailspring” name="/run/user/1000/snap.mailspring/.org.chromium.Chromium.Aoy3tc/SS" pid=17066 comm=“mailspring” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=0

but on the filesystem the file is owned by 1000:1000 (the application is run by the non-root user and the application isn't setuid and doesn't have file ACLs). I don't yet have a simplified reproducer for this, but (a complex) one exists in the forum[1]. Adding the aa-kernel task for now.


Tags: aa-kernel
description: updated
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.