On 1/29/24 09:26, Sergio Costas Rodriguez wrote:
> On 1/29/24 at 17:48, John Johansen wrote:
>> On 1/29/24 08:31, Sergio Costas Rodriguez wrote:
>>> Hi all,
>>>
>>> I'm using aa_getpeercon() to get info about a socket, but in some kernels with
>>> odd apparmor configurations it returns ENOPROTOOPT. But the manpage doesn't
>>> list that error in the possible errors of this call. Under which circumstances
>>> can that error be returned?
>>>
>>
>> To use aa_getpeercon() your kernel will need the fine grained unix mediation,
>> which hasn't landed in upstream kernels yet. So current upstream kernels will
>> return -ENOPROTOOPT because SO_PEERLABEL is not a supported protocol option.
>>
>> Additionally note that with LSM stacking, with apparmor stacked with another
>> LSM, even if you have the fine grained af_unix mediation, aa_getpeercon()
>> will either return an error or the wrong LSM info (it will depend on the
>> version of aa_getpeercon() that is in use).
>>
>
> Mmm... does that mean that Ubuntu kernels have that patch included? Do you know
> since which version?
>

Yes, various iterations of it for a long time. Unfortunately the patches took
some liberties that really weren't appropriate for upstream, and also had some
inconsistencies around fs vs non-fs variants of unix sockets, making it not
suitable for upstream.

There needed to be work on the apparmor core to fix those issues; that work is
now largely done and a new variant of the fine grained unix mediation patch
will hopefully land soon.