Comment 1 for bug 1339099

Seth Arnold (seth-arnold) wrote :

I did some testing with C to ensure Go wasn't doing something behind our backs:

#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <stdio.h>   /* perror() */
#include <unistd.h>
#include <stdlib.h>

int main(int argc, char* argv[]) {
    int fd, ret;

    /* #if 1 opens with O_CREAT (and a mode); #if 0 opens without it. */
    fd = open("testing", O_WRONLY | O_APPEND
#if 1
         | O_CREAT , 0660);
#else
  );
#endif
    if (fd == -1) {
        perror("open");
        exit(1);
    } else {
        /* Append six bytes; a short or failed write is an error. */
        ret = write(fd, "hello\n", 6);
        if (ret != 6) {
            perror("write");
            exit(1);
        }
    }
    return 0;
}

Change the #if 1 to #if 0 to see the difference the O_CREAT flag has on the log output.

Here is the profile I used:

#include <tunables/global>

/home/sarnold/demos/append flags=(complain) {
  #include <abstractions/base>

  /home/sarnold/demos/append mr,
  /home/sarnold/demos/testing a,

}

Without O_CREAT here are the log messages:

type=AVC msg=audit(1404847907.250:4570): apparmor="ALLOWED" operation="file_perm" profile="/home/sarnold/demos/append" name="/home/sarnold/demos/testing" pid=4409 comm="append" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000

With O_CREAT here are the log messages:

type=AVC msg=audit(1404847924.482:4571): apparmor="ALLOWED" operation="open" profile="/home/sarnold/demos/append" name="/home/sarnold/demos/testing" pid=4419 comm="append" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
type=AVC msg=audit(1404847924.482:4572): apparmor="ALLOWED" operation="file_perm" profile="/home/sarnold/demos/append" name="/home/sarnold/demos/testing" pid=4419 comm="append" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000

It sure feels like the semantics of the 'a' permission have changed.

Thanks
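
Added example, not part of the comment above: a small Python parser for the AVC records quoted in the comment that tallies denied_mask per operation, so the run without O_CREAT and the run with it can be compared mechanically. The function names are hypothetical; the log lines are the ones from the comment.

```python
import re

# Audit records copied from the comment above (not constructed).
WITHOUT_O_CREAT = [
    'type=AVC msg=audit(1404847907.250:4570): apparmor="ALLOWED" operation="file_perm" profile="/home/sarnold/demos/append" name="/home/sarnold/demos/testing" pid=4409 comm="append" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000',
]
WITH_O_CREAT = [
    'type=AVC msg=audit(1404847924.482:4571): apparmor="ALLOWED" operation="open" profile="/home/sarnold/demos/append" name="/home/sarnold/demos/testing" pid=4419 comm="append" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000',
    'type=AVC msg=audit(1404847924.482:4572): apparmor="ALLOWED" operation="file_perm" profile="/home/sarnold/demos/append" name="/home/sarnold/demos/testing" pid=4419 comm="append" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000',
]

# key=value pairs; a value is either "quoted" or a bare token.
FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_avc(line):
    """Return the key=value fields of one AppArmor AVC record as a dict."""
    fields = {}
    for key, raw, quoted in FIELD.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields


def denied_by_operation(lines, profile):
    """Map operation -> sorted denied_mask letters logged for `profile`.

    Complain-mode profiles log apparmor="ALLOWED"; enforcing ones log
    "DENIED". Both carry the mask the policy did not grant.
    """
    masks = {}
    for line in lines:
        rec = parse_avc(line)
        if rec.get("type") != "AVC" or rec.get("profile") != profile:
            continue
        if rec.get("apparmor") not in ("ALLOWED", "DENIED"):
            continue
        op = rec.get("operation", "?")
        masks.setdefault(op, set()).update(rec.get("denied_mask", ""))
    return {op: "".join(sorted(m)) for op, m in masks.items()}


def extra_denials(before, after):
    """(operation, mask) pairs present in `after` but not in `before`."""
    return sorted(set(after.items()) - set(before.items()))


if __name__ == "__main__":
    profile = "/home/sarnold/demos/append"
    a = denied_by_operation(WITHOUT_O_CREAT, profile)
    b = denied_by_operation(WITH_O_CREAT, profile)
    print("only with O_CREAT:", extra_denials(a, b))
```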