Comment 3 for bug 1375516

Tyler Hicks (tyhicks) wrote :

After discussions in IRC, it was determined that this is expected behavior and that the test should be modified to remove the getopt permission from the list of server permissions.

The unix_socket test program calls getsockopt() after calling bind(). Because AppArmor continues to use traditional file rules for sockets bound to a filesystem path, it does not mediate some socket operations after the socket has been bound to the filesystem path and, as it turns out, the getopt permission is one of those socket operations.

In the future, AppArmor plans to support specifying filesystem pathnames in the addr conditional of unix rules. This would allow the unix rule type to be used with pathname, abstract, and unnamed AF_UNIX sockets. At that time, getopt and other socket operations could be mediated even for bound pathname AF_UNIX sockets.
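The call order discussed in this comment, as an added example that is not part of the original comment and is not the test suite's unix_socket program: it binds an AF_UNIX socket and then calls getsockopt(), once with a filesystem path and once with an abstract name. The function names and socket names are constructed for illustration.

```c
#define _GNU_SOURCE
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Constructed example. Binds an AF_UNIX stream socket, then queries SO_TYPE.
 * abstract == 0: name is a filesystem path. Per the comment, AppArmor uses
 *   file rules here, so this getsockopt() is not checked against getopt.
 * abstract != 0: name follows a leading NUL byte (abstract namespace).
 * Returns the type reported by getsockopt(), or -1 on any failure. */
int bind_then_getsockopt(const char *name, int abstract)
{
    struct sockaddr_un sa;
    size_t n = strlen(name);
    socklen_t optlen = sizeof(int);
    int fd, type = -1;

    if (n + 1 > sizeof(sa.sun_path)) return -1;
    if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0) return -1;
    memset(&sa, 0, sizeof(sa));
    sa.sun_family = AF_UNIX;
    memcpy(sa.sun_path + (abstract ? 1 : 0), name, n);
    /* n + 1 covers the path's trailing NUL or the abstract leading NUL. */
    if (bind(fd, (struct sockaddr *)&sa,
             (socklen_t)(offsetof(struct sockaddr_un, sun_path) + n + 1)) == 0) {
        if (getsockopt(fd, SOL_SOCKET, SO_TYPE, &type, &optlen) != 0)
            type = -1;
        if (!abstract) unlink(name);
    }
    close(fd);
    return type;
}

/* Runs one case with a constructed socket name; returns SO_TYPE or -1. */
int demo(int abstract)
{
    char dir[] = "/tmp/aa-unix-XXXXXX", name[64];
    int type;

    if (abstract) {
        snprintf(name, sizeof(name), "aa-unix-example-%ld", (long)getpid());
        return bind_then_getsockopt(name, 1);
    }
    if (!mkdtemp(dir)) return -1;
    snprintf(name, sizeof(name), "%s/sock", dir);
    type = bind_then_getsockopt(name, 0);
    rmdir(dir);
    return type;
}

int main(void) { printf("path=%d abstract=%d\n", demo(0), demo(1)); return 0; }
```

Outside confinement both calls return SOCK_STREAM; the difference the comment describes only appears when the program runs under an AppArmor profile.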