AppArmor doesn't label AF_UNIX sockets created with socketpair()

Bug #1235478 reported by Tyler Hicks
Affects         Status        Importance  Assigned to    Milestone
linux (Ubuntu)  Fix Released  Low         John Johansen

Bug Description

In 13.10, AppArmor added the ability to get the AppArmor label of the peer on
the other end of a UNIX domain socket.

However, it doesn't work for sockets created with socketpair(). The
getsockopt() syscall returns ENOPROTOOPT.

This is not an urgent bug and it does not affect any program that I'm aware of.

To test, compile the attached socketpair.c program and run it:

$ gcc -o socketpair socketpair.c -lapparmor && ./socketpair
aa_getpeercon: Protocol not available

Running socketpair through strace shows the failed syscall:

$ strace -e getsockopt ./socketpair
getsockopt(4, SOL_SOCKET, SO_PEERSEC, 0x1166010, 0x7fff20b95aac) = -1 ENOPROTOOPT (Protocol not available)
aa_getpeercon: Protocol not available
+++ exited with 1 +++

Running socketpair under AppArmor confinement results in the same error:

$ echo "profile f { file, }" | sudo apparmor_parser -qr
$ aa-exec -p f ./socketpair
aa_getpeercon: Protocol not available
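
An added example, not the socketpair.c attached to this report, that reproduces the check without libapparmor: it calls getsockopt(SOL_SOCKET, SO_PEERSEC) directly, the syscall the strace output above shows failing, on one end of a socketpair() and, for comparison, on the accepted side of a listen/connect/accept pair, which is the path the report says did return a label in 13.10. The enum names, the Linux abstract-namespace address and the fallback SO_PEERSEC value are this example's own assumptions. On a kernel with the bug the socketpair probe reports ENOPROTOOPT while the connected probe returns a label; on a fixed kernel both return one (for an unconfined caller, "unconfined"); on a kernel where no LSM supplies peer labels both report ENOPROTOOPT, which is what the kernel's default hook returns.

```c
/* Added example (not the report's attached socketpair.c): probe SO_PEERSEC without libapparmor. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

#ifndef SO_PEERSEC
#define SO_PEERSEC 31 /* Linux's value; assumed fallback if the header lacks it */
#endif

enum peersec_status {
    PEERSEC_LABELED,     /* kernel returned a non-empty peer label */
    PEERSEC_UNSUPPORTED, /* ENOPROTOOPT: no LSM supplied a label (this bug's symptom) */
    PEERSEC_ERROR        /* anything else; errno is left set (EBADF, ERANGE, ...) */
};

/* The raw call aa_getpeercon() wraps. Label format is LSM-specific; AppArmor
 * returns "name" or "name (mode)", e.g. "unconfined" or "f (enforce)". */
enum peersec_status get_peer_label(int fd, char *buf, size_t buflen)
{
    socklen_t len;
    if (buf == NULL || buflen < 2) {
        errno = EINVAL;
        return PEERSEC_ERROR;
    }
    len = (socklen_t)(buflen - 1);           /* keep one byte for our own NUL */
    if (getsockopt(fd, SOL_SOCKET, SO_PEERSEC, buf, &len) < 0)
        return errno == ENOPROTOOPT ? PEERSEC_UNSUPPORTED : PEERSEC_ERROR;
    buf[len] = '\0';                         /* whether the kernel NUL-terminated is LSM-specific */
    if (buf[0] == '\0') {
        errno = ENODATA;
        return PEERSEC_ERROR;
    }
    return PEERSEC_LABELED;
}

/* The path this report is about: socketpair(), then ask sv[0] who its peer is. */
enum peersec_status socketpair_peer_label(char *buf, size_t buflen)
{
    int sv[2], saved;
    enum peersec_status st;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return PEERSEC_ERROR;
    st = get_peer_label(sv[0], buf, buflen);
    saved = errno;                           /* close() must not clobber the probe's errno */
    close(sv[0]);
    close(sv[1]);
    errno = saved;
    return st;
}

/* For comparison, the listen/connect/accept path; the server side asks who
 * connected. Uses a Linux abstract-namespace address (leading NUL byte) so
 * nothing is left on the filesystem (assumption: Linux). */
enum peersec_status connected_peer_label(char *buf, size_t buflen)
{
    struct sockaddr_un addr;
    socklen_t alen;
    int lfd, cfd, afd, n, saved;
    enum peersec_status st = PEERSEC_ERROR;

    memset(&addr, 0, sizeof addr);
    addr.sun_family = AF_UNIX;
    n = snprintf(addr.sun_path + 1, sizeof addr.sun_path - 1, "peersec-demo-%ld", (long)getpid());
    alen = (socklen_t)(sizeof addr.sun_family + 1 + n);
    lfd = socket(AF_UNIX, SOCK_STREAM, 0);
    cfd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (lfd < 0 || cfd < 0 || bind(lfd, (struct sockaddr *)&addr, alen) < 0 ||
        listen(lfd, 1) < 0 || connect(cfd, (struct sockaddr *)&addr, alen) < 0)
        goto out;
    if ((afd = accept(lfd, NULL, NULL)) < 0)
        goto out;
    st = get_peer_label(afd, buf, buflen);
    close(afd);
out:
    saved = errno;
    if (lfd >= 0) close(lfd);
    if (cfd >= 0) close(cfd);
    errno = saved;
    return st;
}

static void report(const char *path, enum peersec_status st, const char *label)
{
    if (st == PEERSEC_LABELED)
        printf("%-11s peer label = \"%s\"\n", path, label);
    else if (st == PEERSEC_UNSUPPORTED)
        printf("%-11s ENOPROTOOPT (no peer label for this socket)\n", path);
    else
        printf("%-11s error: %s\n", path, strerror(errno));
}

int main(void)
{
    char label[256];
    report("socketpair:", socketpair_peer_label(label, sizeof label), label);
    report("connected:", connected_peer_label(label, sizeof label), label);
    return 0;
}
```

Build with `gcc -o peersec peersec.c` and run it unconfined and under `aa-exec -p f` as in the report; a buffer too small for the label surfaces as PEERSEC_ERROR with errno ERANGE rather than a truncated string.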

Tyler Hicks (tyhicks) wrote :

This bug was fixed in 14.04 LTS.

$ cat /proc/version_signature
Ubuntu 3.13.0-24.46-generic 3.13.9

$ gcc -o socketpair socketpair.c -lapparmor && ./socketpair
con = "unconfined"; mode = "(null)"

$ echo "profile f { file, }" | sudo apparmor_parser -qr
$ aa-exec -p f ./socketpair
con = "f"; mode = "enforce"

Changed in linux (Ubuntu):
status: Triaged → Fix Released