libapparmor's aa_query_label() always returns allowed = 0 for file rules containing the "owner" conditional
Bug #1620635 reported by
Florian Boucault
This bug affects 3 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
AppArmor | Triaged | Medium | Unassigned |
Snappy | Won't Fix | Undecided | Unassigned |
apparmor (Ubuntu) | Triaged | Medium | Unassigned |
Bug Description
Steps to reproduce:
1. Download and compile the following sample C app that calls aa_query_label
wget https:/
gcc -o query_file query_file.c -l apparmor
2. Install a snap that uses the home interface, for example demo-wget:
snap install demo-wget
3. Create a file in your home:
touch /home/USERNAME/
4. Ask apparmor if demo-wget can read that file with query_file:
./query_file snap.demo-wget.wget /home/USERNAME/
Expected result:
output of ./query_file command is
read '/home/kaleo/toto' allowed
Current result:
output of ./query_file command is
read '/home/kaleo/toto' denied
Related branches
lp://qastaging/webbrowser-app/staging
tags: added: aa-feature aa-kernel
tags: added: snap-desktop-issue
I think that the problem here stems from the fact that the home interface's
rules use the "owner" prefix:
  # Allow read access to toplevel $HOME for the user
  owner @{HOME}/ r,

  # Allow read/write access to all non-hidden files that aren't in ~/snap/
  owner @{HOME}/[^s.]** rwk,
  owner @{HOME}/s[^n]** rwk,
  owner @{HOME}/sn[^a]** rwk,
  owner @{HOME}/sna[^p]** rwk,
  # allow creating a few files not caught above
  owner @{HOME}/{s,sn,sna}{,/} rwk,
The kernel tracks these owner permissions differently than permissions that are
not tied to the owner. You can see that the allow vector is not 0x00 with strace:
$ strace -s1024 ./query_file snap.demo-wget.wget /home/tyhicks/testfile
...
read(3, "allow 0x00000200\ndeny 0x00000000\naudit 0x00000000\nquiet 0x00000000\n", 67) = 67
...
The allow vector is non-zero (0x00000200) but it isn't AA_MAY_READ
(0x00000011). Instead, I think AA_MAY_READ is being left shifted by the kernel
to indicate that the "owner" prefix was present on the rule. I'll need to
verify that and then discuss among the upstream developers what to do about
this in the libapparmor query interface.
Additionally, the query_file.c test program has a bug. It redefines
AA_MAY_READ, AA_MAY_WRITE, and AA_CLASS_FILE. It gets the definitions of
AA_MAY_READ and AA_MAY_WRITE wrong. Please just use the definitions provided by
<sys/apparmor.h>.
After making that change, you can remove the "owner" prefix from the rules that
grant access to $HOME in the snap.demo-wget.wget profile, reload the profile,
and then the test program will work as expected. This confirms that the "owner"
prefix causes the unexpected test program results.
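To make the denial concrete, here is an added example (not code from the bug report, from the query_file.c test program or from libapparmor) that parses a kernel query reply of the form shown in the strace output above and applies the check aa_query_label() uses for its allowed result: every bit of the requested mask must be present in the allow vector. The owner-rule reply is the one captured above; the reply for a rule without "owner" is constructed for this example and assumed to carry the AA_MAY_READ bit; the permission macros are copied from <sys/apparmor.h> only so the example builds without libapparmor installed, and a real query program should include that header instead:

```c
#include <stdio.h>
#include <string.h>

/*
 * Permission bits as defined by libapparmor's <sys/apparmor.h>. A real
 * query program must include that header rather than redefine them; they
 * are repeated here only so this example builds without libapparmor.
 */
#define AA_MAY_WRITE (1 << 1)
#define AA_MAY_READ  (1 << 2)

/* The four permission vectors the kernel returns for one query. */
struct aa_query_result {
    unsigned int allow, deny, audit, quiet;
};

/*
 * Parse the kernel's text reply, the same four-line format that appears in
 * the strace output above. Returns 0 on success, -1 if the reply is malformed.
 */
int parse_query_response(const char *buf, struct aa_query_result *r)
{
    int n = sscanf(buf, "allow 0x%8x\ndeny 0x%8x\naudit 0x%8x\nquiet 0x%8x\n",
                   &r->allow, &r->deny, &r->audit, &r->quiet);
    return n == 4 ? 0 : -1;
}

/*
 * The decision reported as "allowed": every bit in the requested mask must
 * be set in the allow vector. A non-zero allow vector that lacks the
 * requested bit (0x200 versus AA_MAY_READ here) therefore still yields 0.
 */
int query_allowed(unsigned int mask, const struct aa_query_result *r)
{
    return (mask & ~r->allow) ? 0 : 1;
}

/* Allow vector of a reply, or 0xffffffff if the reply does not parse. */
unsigned int response_allow_bits(const char *response)
{
    struct aa_query_result r;
    if (parse_query_response(response, &r) != 0)
        return 0xffffffffu;
    return r.allow;
}

/* 1 = read allowed, 0 = read denied, -1 = unparsable reply. */
int check_read(const char *response)
{
    struct aa_query_result r;
    if (parse_query_response(response, &r) != 0)
        return -1;
    return query_allowed(AA_MAY_READ, &r);
}

/* Reply captured in the strace above for the owner-prefixed read rule. */
const char owner_rule_response[] =
    "allow 0x00000200\ndeny 0x00000000\naudit 0x00000000\nquiet 0x00000000\n";

/*
 * Constructed reply (an assumption, not captured) for the same rule without
 * "owner": the allow vector carries the AA_MAY_READ bit the query asks for.
 */
const char plain_rule_response[] =
    "allow 0x00000004\ndeny 0x00000000\naudit 0x00000000\nquiet 0x00000000\n";

int main(void)
{
    const char *path = "/home/USERNAME/testfile"; /* placeholder path */

    printf("owner rule: read '%s' %s (allow 0x%08x, AA_MAY_READ 0x%08x)\n",
           path, check_read(owner_rule_response) == 1 ? "allowed" : "denied",
           response_allow_bits(owner_rule_response), (unsigned int)AA_MAY_READ);
    printf("plain rule: read '%s' %s\n",
           path, check_read(plain_rule_response) == 1 ? "allowed" : "denied");
    return 0;
}
```

Build with `gcc -o query_reply query_reply.c` and run it: the captured reply prints "denied" because 0x200 does not contain the 0x4 read bit, while the constructed reply without "owner" prints "allowed". Against a live system the same parsing applies to what `pread()` returns from the kernel's query file, as the strace line shows.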