Control: tags -1 upstream Controm: forwarded -1 https://gitlab.com/apparmor/apparmor/-/blob/692e6850ba90582105713a683bed753bad696aab/kernel-patches/v4.17/0002-apparmor-af_unix-mediation.patch
On Thu, Jan 16, 2025 at 02:16:18PM +0100, Guido Berhoerster wrote: > From my superficial reading of the code the error seems to come from here: > https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/security/apparmor/lsm.c?h=v6.12.6#n1313 Yes, it does. > It appears that AppArmor SO_PEERSEC support for unix domain sockets bound to > a filesystem path name is missing from the upstream kernel and is only > enabled as a side effect of a patch distributed with AppArmor: > https://gitlab.com/apparmor/apparmor/-/blob/692e6850ba90582105713a683bed753bad696aab/kernel-patches/v4.17/0002-apparmor-af_unix-mediation.patch > Ubuntu kernels contain a rebased variant of the patch which is likely why > SO_PEERSEC works on Ubuntu. This comes from the addition of apparmor_unix_stream_connect. Without it the peer context is never set. > The reason I stumbled on this issue is that we (ubports-team) are currently > packaging lomiri-content-hub which implicitly relies on SO_PEERSEC through > the DBus daemon to get the AppArmor profile of a process requesting to export > a file. Without this it is not possible to confine Lomiri/Ubuntu Touch apps > running on Debian. So someone needs to properly submit this support upstream. Bastian -- Too much of anything, even love, isn't necessarily a good thing. -- Kirk, "The Trouble with Tribbles", stardate 4525.6
