I did some testing with C to ensure Go wasn't doing something behind our backs:
#include <sys/types.h> #include <sys/stat.h> #include <fcntl.h> #include <unistd.h> #include <stdlib.h>
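/*
 * Minimal reproducer for how AppArmor mediates an append-mode write.
 *
 * Opens "testing" (a path relative to the current working directory) with
 * O_WRONLY | O_APPEND and writes the six bytes "hello\n". The #if below
 * selects whether O_CREAT (with mode 0660) is added to the open() flags;
 * flip "#if 1" to "#if 0" to drop O_CREAT and compare the audit records.
 *
 * In the complain-mode logs posted with this test, the O_CREAT variant
 * produced an extra operation="open" record requesting "c" ahead of the
 * operation="file_perm" record requesting "w".
 *
 * Returns 0 on success. Exits with status 1 after perror() when open(),
 * write() or close() fails, or when the write is short.
 */
int main(int argc, char* argv[]) {
    int fd;
    ssize_t ret; /* write() returns ssize_t, not int */

    (void)argc;
    (void)argv;

    fd = open("testing", O_WRONLY | O_APPEND
#if 1
              | O_CREAT, 0660);
#else
              );
#endif
    if (fd == -1) {
        perror("open");
        exit(1);
    }

    ret = write(fd, "hello\n", 6);
    if (ret != 6) {
        /* On a short (non-negative) write errno is not set by write(),
         * so the text perror() prints may not describe the failure. */
        perror("write");
        close(fd);
        exit(1);
    }

    /* Release the descriptor explicitly and report a failed close. */
    if (close(fd) == -1) {
        perror("close");
        exit(1);
    }
    return 0;
}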
Change the #if 1 to #if 0 to see the difference the O_CREAT flag has on the log output.
Here is the profile I used:
#include <tunables/global>
/home/sarnold/demos/append flags=(complain) {
  #include <abstractions/base>
  /home/sarnold/demos/append mr,
  /home/sarnold/demos/testing a,
}
Without O_CREAT here are the log messages:
type=AVC msg=audit(1404847907.250:4570): apparmor="ALLOWED" operation="file_perm" profile="/home/sarnold/demos/append" name="/home/sarnold/demos/testing" pid=4409 comm="append" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
With O_CREAT here are the log messages:
type=AVC msg=audit(1404847924.482:4571): apparmor="ALLOWED" operation="open" profile="/home/sarnold/demos/append" name="/home/sarnold/demos/testing" pid=4419 comm="append" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
type=AVC msg=audit(1404847924.482:4572): apparmor="ALLOWED" operation="file_perm" profile="/home/sarnold/demos/append" name="/home/sarnold/demos/testing" pid=4419 comm="append" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
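It sure feels like the semantics of the 'a' permission have changed: the profile grants only 'a' on the file, yet in complain mode the append-only write is logged as a "w" request (and the O_CREAT open as a "c" request) that the profile did not cover.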
Thanks
I did some testing with C to ensure Go wasn't doing something behind our backs:
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
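/*
 * Minimal reproducer for how AppArmor mediates an append-mode write.
 *
 * Opens "testing" (a path relative to the current working directory) with
 * O_WRONLY | O_APPEND and writes the six bytes "hello\n". The #if below
 * selects whether O_CREAT (with mode 0660) is added to the open() flags;
 * flip "#if 1" to "#if 0" to drop O_CREAT and compare the audit records.
 *
 * In the complain-mode logs posted with this test, the O_CREAT variant
 * produced an extra operation="open" record requesting "c" ahead of the
 * operation="file_perm" record requesting "w".
 *
 * Returns 0 on success. Exits with status 1 after perror() when open(),
 * write() or close() fails, or when the write is short.
 */
int main(int argc, char* argv[]) {
    int fd;
    ssize_t ret; /* write() returns ssize_t, not int */

    (void)argc;
    (void)argv;

    fd = open("testing", O_WRONLY | O_APPEND
#if 1
              | O_CREAT, 0660);
#else
              );
#endif
    if (fd == -1) {
        perror("open");
        exit(1);
    }

    ret = write(fd, "hello\n", 6);
    if (ret != 6) {
        /* On a short (non-negative) write errno is not set by write(),
         * so the text perror() prints may not describe the failure. */
        perror("write");
        close(fd);
        exit(1);
    }

    /* Release the descriptor explicitly and report a failed close. */
    if (close(fd) == -1) {
        perror("close");
        exit(1);
    }
    return 0;
}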
Change the #if 1 to #if 0 to see the difference the O_CREAT flag has on the log output.
Here is the profile I used:
#include <tunables/global>
/home/sarnold/demos/append flags=(complain) {
  #include <abstractions/base>
  /home/sarnold/demos/append mr,
  /home/sarnold/demos/testing a,
}
Without O_CREAT here are the log messages:
type=AVC msg=audit(1404847907.250:4570): apparmor="ALLOWED" operation="file_perm" profile="/home/sarnold/demos/append" name="/home/sarnold/demos/testing" pid=4409 comm="append" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
With O_CREAT here are the log messages:
type=AVC msg=audit(1404847924.482:4571): apparmor="ALLOWED" operation="open" profile="/home/sarnold/demos/append" name="/home/sarnold/demos/testing" pid=4419 comm="append" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
type=AVC msg=audit(1404847924.482:4572): apparmor="ALLOWED" operation="file_perm" profile="/home/sarnold/demos/append" name="/home/sarnold/demos/testing" pid=4419 comm="append" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
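It sure feels like the semantics of the 'a' permission have changed: the profile grants only 'a' on the file, yet in complain mode the append-only write is logged as a "w" request (and the O_CREAT open as a "c" request) that the profile did not cover.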
Thanks