Is append mode useful?
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
AppArmor | New | Undecided | Unassigned |
apparmor (Ubuntu) | New | Undecided | Unassigned |
Bug Description
I think the 'a' append mode may not be useful.
Including 'a' in a profile is insufficient for writing to the file, at least on 3.13.0-77-generic.
Here's a sample profile:
#include <tunables/global>
/home/sarnold/
#include <abstractions/base>
/home/
/home/
}
And I'll attach a sample program shortly.
When using O_APPEND | O_WRONLY:
If the file exists, denied_mask="w"
If the file doesn't exist, open() fails, no AA involvement
When using O_APPEND | O_WRONLY | O_CREAT:
No change when the file does or doesn't exist: denied_mask="c", denied_mask="w"
(When using enforce mode instead of complain mode, only denied_mask="c" gets logged; the open(2) fails and the write(2) is never called.)
$ rm testing
rm: cannot remove ‘testing’: No such file or directory
$ ./append append wronly ; ls -l testing
open: No such file or directory
ls: cannot access testing: No such file or directory
$ ./append append wronly creat ; ls -l testing
open: Permission denied
ls: cannot access testing: No such file or directory
$ ./append append rdwr ; ls -l testing
open: No such file or directory
ls: cannot access testing: No such file or directory
$ ./append append rdwr creat ; ls -l testing
open: Permission denied
ls: cannot access testing: No such file or directory
Thanks
ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: apparmor 2.8.95~
ProcVersionSign
Uname: Linux 3.13.0-77-generic x86_64
ApportVersion: 2.14.1-0ubuntu3.19
Architecture: amd64
CurrentDesktop: Unity
Date: Thu Feb 11 15:55:45 2016
InstallationDate: Installed on 2012-10-18 (1211 days ago)
InstallationMedia: Ubuntu 12.04.1 LTS "Precise Pangolin" - Release amd64 (20120823.1)
KernLog:
ProcKernelCmdline: BOOT_IMAGE=
SourcePackage: apparmor
Syslog:
UpgradeStatus: Upgraded to trusty on 2014-04-12 (670 days ago)
modified.
mtime.conffile.
tags: | added: aa-kernel |
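
An added example, not the reporter's attached program and not AppArmor project code: a minimal C test harness that takes the same flag words as the session above (append, wronly, rdwr, creat), opens the file `testing` with the matching open(2) flags, and reports whether open(2) or write(2) was the call that failed. The function names parse_flags and try_append are assumptions made for this example.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Map the flag words from the session above to open(2) flags.
 * Hypothetical helper for this example; returns -1 for an unknown word. */
int parse_flags(int n, char *const words[])
{
    int flags = 0;
    for (int i = 0; i < n; i++) {
        if (strcmp(words[i], "append") == 0)      flags |= O_APPEND;
        else if (strcmp(words[i], "wronly") == 0) flags |= O_WRONLY;
        else if (strcmp(words[i], "rdwr") == 0)   flags |= O_RDWR;
        else if (strcmp(words[i], "creat") == 0)  flags |= O_CREAT;
        else return -1;
    }
    return flags;
}

/* open(2) the path, then write(2) one line. Returns 0 on success or -errno;
 * *failed_call names the syscall that failed (NULL on success). */
int try_append(const char *path, int flags, const char **failed_call)
{
    static const char line[] = "appended line\n";
    int fd = open(path, flags, 0600);
    if (fd < 0) { *failed_call = "open"; return -errno; }
    ssize_t n = write(fd, line, sizeof line - 1);
    int err = (n < 0) ? errno : 0;   /* save errno before close() can change it */
    close(fd);
    if (n < 0) { *failed_call = "write"; return -err; }
    *failed_call = NULL;
    return 0;
}

int main(int argc, char *argv[])
{
    const char *call = NULL;
    int flags = parse_flags(argc - 1, argv + 1);
    if (flags < 0) {
        fprintf(stderr, "usage: %s [append|wronly|rdwr|creat]...\n", argv[0]);
        return 2;
    }
    int rc = try_append("testing", flags, &call);   /* file name from the session above */
    if (rc < 0) { errno = -rc; perror(call); return 1; }
    return 0;
}
```

Run unconfined first to confirm the baseline behaviour, then under the profile being tested, and compare the failing call and errno with the denied_mask values in the audit log.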