[apparmor] [PATCH] profiles: rw file perms are now needed on AF_UNIX socket files

John Johansen john.johansen at canonical.com
Tue Jan 7 21:04:07 UTC 2014

On 12/22/2013 07:22 AM, Christian Boltz wrote:
> Hello,
> Am Donnerstag, 19. Dezember 2013 schrieb Tyler Hicks:
>> The AppArmor kernel now checks for both read and write permissions
>> when a process calls connect() on a UNIX domain socket.
>> The patch updates a four abstractions that were found to be needing
>> changes after the kernel change.
> Does this affect all sockets?
> There are some more "candidates" I found while grepping through the profiles:
> # grep -r ' w,' . |grep -v '/ w,'   # pid files, logs etc. manually removed from the list
> ./abstractions/nameservice:  /{,var/}run/avahi-daemon/socket w,
> ./abstractions/base:  /dev/log                       w,
> ./abstractions/mdns:  /{,var/}run/mdnsd w,
> ./abstractions/apparmor_api/change_profile:@{PROC}/@{tid}/attr/{current,exec} w,
> ./abstractions/apache2-common:  @{PROC}/@{pid}/attr/current                        w,
> ./abstractions/X:  /tmp/.X11-unix/*           w,
> ./usr.lib.dovecot.dovecot-auth:  /var/spool/postfix/private/dovecot-auth w,
> ./usr.sbin.winbindd:  /var/lib/samba/winbindd_privileged/pipe w,
> ./usr.sbin.winbindd:  /var/log/samba/log.winbindd-idmap w,
> ./usr.sbin.winbindd:  /{var/,}run/samba/winbindd/pipe w,
> ./sbin.syslogd:  /dev/tty*                     w,
> ./sbin.syslog-ng:  /dev/log w,
> ./sbin.syslog-ng:  /dev/syslog w,
> ./sbin.syslog-ng:  @{CHROOT_BASE}/var/lib/*/dev/log w,
> ./usr.sbin.nscd.orig:  /{,var/}run/avahi-daemon/socket w,
> ./usr.sbin.dovecot:  /var/spool/postfix/private/* w,
> ./usr.sbin.avahi-daemon:  /{,var/}run/avahi-daemon/socket w,
> Do you think some of them need to be changed from w to rw? If yes, which ones?
yes, and no

generally it will affect all sockets, but there are a couple ways to get socket
connections without going through connect sockpair, and fd inheritance of a handle.

More information about the AppArmor mailing list