It is analogous to access; however, the set of races is smaller. Only the
privileged MAC admin user can change the policy, where with access a
user may change a file's permissions. If you are using this to test
whether you can open a file, in hopes that open() won't deny it, then
yes this is similar to access, in that permissions can change. If this
is being used by a trusted helper to check permissions that it
enforces, then it is different in that it is the trusted helper who ends
up enforcing permissions. So it will depend on how/what you are using
the interface for. With a split between kernel policy and user space
decisions there will always be some potential for races; that even
exists in the kernel as opening a file does not guarantee the rights to
continue to access the file, those rights can be revoked by a policy
replacement and subsequent writes or reads could fail.

With that said, yes, we recognize the need for an fd-based query, and
other improvements to help expand what can be done safely from userspace.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1381713

Title:
  Support policy query interface for file
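
The comment above compares a path-based policy query to access(2) and points to an fd-based query as the safer form. The following is an added example, not part of the original comment and not AppArmor code: it uses plain access(2), open(2) and fstat(2) to show the window between a path check and the open, next to a decision made on the already-opened descriptor. All function names, the `window` hook and the file names are hypothetical.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Path check then use; `window` (hypothetical hook) is the gap in between. */
int open_after_access(const char *path, void (*window)(void))
{
    if (access(path, R_OK) != 0) return -1;
    if (window) window();
    return open(path, O_RDONLY | O_CLOEXEC);
}

/* Open first, then decide from fstat() on the fd: check and use share one object. */
int open_then_verify(const char *path, uid_t owner)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW);
    if (fd < 0) return -1;
    if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && st.st_uid == owner &&
        !(st.st_mode & (S_IWGRP | S_IWOTH)))
        return fd;
    close(fd);
    return -1;
}

/* Constructed scenario in `dir`: "a" is checked, then world-writable "b" replaces it. */
static void swap_in_b(void) { rename("b", "a"); }
/* Returns 1 when the racy helper hands back an inode that was never checked. */
int racy_returns_unchecked(const char *dir)
{
    struct stat checked, got;
    if (chdir(dir) != 0) return -1;
    close(open("a", O_CREAT | O_WRONLY, 0600));
    close(open("b", O_CREAT | O_WRONLY, 0600));
    if (chmod("b", 0666) != 0 || stat("a", &checked) != 0) return -1;
    int fd = open_after_access("a", swap_in_b);
    if (fd < 0 || fstat(fd, &got) != 0) return -1;
    close(fd);
    return got.st_ino != checked.st_ino;
}

int main(void)
{
    char dir[] = "/tmp/toctou-XXXXXX";
    if (!mkdtemp(dir) || racy_returns_unchecked(dir) != 1) return 1;
    return open_then_verify("a", getuid()) >= 0;   /* 0: swapped file rejected */
}
```

The scenario function changes the process working directory to the temporary directory it is given.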
