Unconfined aggregating scope can't call confined child scope to get results
Bug #1347177 reported by Chris Wayne
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| The Savilerow project | Fix Released | Critical | Unassigned | |
| unity-scopes-api | Invalid | Undecided | Unassigned | |
| apparmor-easyprof-ubuntu (Ubuntu) | Fix Released | Critical | Jamie Strandboge | |
Bug Description
An unconfined scope is getting apparmor denials while getting results from a confined child scope. The denials:
Jul 22 17:06:40 ubuntu-phablet kernel: [30750.996517] type=1400 audit(140606320
The child scope has the template: ubuntu-
Changed in savilerow: status: New → Confirmed; importance: Undecided → Critical
Changed in savilerow: status: Confirmed → Fix Released
We specifically disallow access to '/run/user/[0-9]*/zmq/*-r' except for '/run/user/[0-9]*/zmq/@{APP_PKGNAME}_@{APP_APPNAME}-r' since otherwise confined scopes could mess with each other. It was my understanding that aggregating scopes could call confined scopes without problems (in fact, I thought I remembered that is what the '/run/user/[0-9]*/zmq/c*-r' endpoints were for).
I'm not sure if the unity-scopes-api has a bug or this is a design issue, but we can't allow '/run/user/[0-9]*/zmq/*-r' in the policy.
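The comment above explains the policy shape: the confined-scope template allows a scope its own `…/zmq/@{APP_PKGNAME}_@{APP_APPNAME}-r` endpoint and the `…/zmq/c*-r` endpoints, and nothing else under `…/zmq/*-r`, because AppArmor denies anything no rule matches. The following is an added example, not code from this bug, from apparmor-easyprof-ubuntu or from unity-scopes-api. It is a simplified interpreter for AppArmor-style path globbing (`*`, `**`, `?`, `[...]` and `@{VAR}` expansion; `{a,b}` alternation is deliberately not handled) applied to two allow rules copied from the comment. The variable values, the package and app names, and the sample endpoint paths are all constructed for illustration, and the `c12345-r` naming is an assumption, not the real client-endpoint scheme.

```python
"""Added example: which zmq endpoints does a confined-scope rule set permit?

The rules are modelled on the comment above. The matcher is a simplified
AppArmor glob interpreter written for this illustration; it is not the
apparmor parser and does not handle '{a,b}' alternation.
"""
import re

# Constructed values: the package/app name a confined child scope would get.
APP_VARS = {"APP_PKGNAME": "org.example.child", "APP_APPNAME": "child"}

# Allow rules quoted in the comment. '/run/user/[0-9]*/zmq/*-r' is
# intentionally absent, so any other '-r' endpoint is denied by default.
ALLOWED_PATHS = [
    "/run/user/[0-9]*/zmq/@{APP_PKGNAME}_@{APP_APPNAME}-r",
    "/run/user/[0-9]*/zmq/c*-r",
]


def expand_vars(rule, variables):
    """Replace every @{NAME} in a rule with its value; unknown names raise."""
    def sub(match):
        name = match.group(1)
        if name not in variables:
            raise KeyError(f"undefined AppArmor variable @{{{name}}}")
        return variables[name]
    return re.sub(r"@\{([A-Za-z0-9_]+)\}", sub, rule)


def glob_to_regex(pattern):
    """Translate AppArmor path globbing into an anchored Python regex.

    '*'  matches any run of characters that does not cross '/'
    '**' matches any run of characters, including '/'
    '?'  matches one character other than '/'
    '[...]' is passed through as a character class
    """
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "*":
            if i + 1 < len(pattern) and pattern[i + 1] == "*":
                out.append(".*")
                i += 2
                continue
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "[":
            j = pattern.find("]", i + 1)
            if j == -1:
                raise ValueError("unterminated character class in rule")
            out.append("[" + pattern[i + 1:j] + "]")
            i = j + 1
            continue
        else:
            out.append(re.escape(c))
        i += 1
    return "^" + "".join(out) + "$"


def is_allowed(path, variables=APP_VARS, rules=ALLOWED_PATHS):
    """True if any allow rule matches; AppArmor denies everything unmatched."""
    return any(
        re.match(glob_to_regex(expand_vars(rule, variables)), path)
        for rule in rules
    )


def classify(paths, variables=APP_VARS):
    """Map each candidate endpoint path to its allow/deny verdict."""
    return {path: is_allowed(path, variables) for path in paths}


if __name__ == "__main__":
    # Constructed sample endpoints; the uid and endpoint names are made up.
    samples = [
        "/run/user/32011/zmq/org.example.child_child-r",      # own endpoint
        "/run/user/32011/zmq/org.example.other_other-r",      # another confined scope
        "/run/user/32011/zmq/c12345-r",                       # c*-r endpoint
        "/run/user/32011/zmq/org.example.child_child-c",      # wrong suffix
        "/run/user/32011/zmq/sub/org.example.child_child-r",  # '*' must not cross '/'
    ]
    for path, ok in classify(samples).items():
        print(("ALLOW " if ok else "DENY  ") + path)
```

Running it shows the behaviour the comment describes: the scope's own `-r` endpoint and a `c*-r` endpoint are allowed, while a sibling confined scope's `-r` endpoint is denied, which is exactly the isolation that adding `…/zmq/*-r` to the template would throw away.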