This technique looks quite promising. I have a few questions though: 1. if I do the aa_query_label() check followed by an open() call to read it, am I open to the same race conditions as if I was relying on access() to check permissions?
2. if the given path is a symlink, am I checking for permission to read the symlink or the destination of the symlink, or both? If this lets us replace the FD passing hack, I'd love to use it. I'm just wondering how to safely use it in a race free manner. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1381713 Title: Support policy query interface for file To manage notifications about this bug go to: https://bugs.launchpad.net/apparmor/+bug/1381713/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
