AF_TIPC not supported by parser when it is in the kernel

Bug #732837 reported by Jamie Strandboge
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
AppArmor | Fix Released | Undecided | Unassigned |
2.6 | Fix Released | Medium | Unassigned |

Bug Description

If in Python I do something like:
s = socket.socket(socket.AF_TIPC, socket.SOCK_RDM, 0)

I see this in the audit log:
type=AVC msg=audit(1299788719.107:159859): apparmor="DENIED" operation="create" parent=17142 profile="/home/jamie/tmp/test-net.py" pid=17143 comm="test-net.py" family="tipc" sock_type="rdm" protocol=0

If I then try to add rules for this in my profile:
  network tipc,
  network rdm,

I get:
$ sudo apparmor_parser -r -T -W /etc/apparmor.d/home.jamie.tmp.test-net.py
AppArmor parser error for /etc/apparmor.d/home.jamie.tmp.test-net.py in /etc/apparmor.d/home.jamie.tmp.test-net.py at line 39: Invalid network entry.

Leaving out the 'network tipc,' rule, but leaving 'rdm', the parser is ok, but I still get denials:
type=AVC msg=audit(1299789277.284:159863): apparmor="DENIED" operation="create" parent=17339 profile="/home/jamie/tmp/test-net.py" pid=17340 comm="test-net.py" family="tipc" sock_type="rdm" protocol=0
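
An added example, not part of the original report or the AppArmor project's code: it parses AVC records like the ones quoted above and derives the combined `network <family> <type>,` rule for each denied socket create, grouped by profile. The names `parse_avc` and `network_rules` are hypothetical, and the last two sample lines are constructed.

```python
import re
from collections import defaultdict

# Lines 1-2 are the denials quoted in the report. Lines 3-4 are constructed for
# this example: a seqpacket denial (the follow-up comment's case) and a file
# denial that must be ignored.
SAMPLE_LOG = """\
type=AVC msg=audit(1299788719.107:159859): apparmor="DENIED" operation="create" parent=17142 profile="/home/jamie/tmp/test-net.py" pid=17143 comm="test-net.py" family="tipc" sock_type="rdm" protocol=0
type=AVC msg=audit(1299789277.284:159863): apparmor="DENIED" operation="create" parent=17339 profile="/home/jamie/tmp/test-net.py" pid=17340 comm="test-net.py" family="tipc" sock_type="rdm" protocol=0
type=AVC msg=audit(1300000000.000:1): apparmor="DENIED" operation="create" parent=1 profile="/home/jamie/tmp/test-net.py" pid=2 comm="test-net.py" family="tipc" sock_type="seqpacket" protocol=0
type=AVC msg=audit(1300000001.000:2): apparmor="DENIED" operation="open" profile="/home/jamie/tmp/test-net.py" name="/constructed/example/file" pid=3 comm="test-net.py" requested_mask="r" denied_mask="r"
"""

# key=value pairs; a value is either double-quoted or a bare token.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_avc(line):
    """Return the key=value fields of one audit record as a dict of strings."""
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}


def network_rules(log_text):
    """Map profile -> sorted, de-duplicated network rules for denied socket creates."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_avc(line)
        if f.get("apparmor") != "DENIED" or f.get("operation") != "create":
            continue  # not a denied create
        if "family" not in f or "sock_type" not in f:
            continue  # a create without socket fields is not a network denial
        profile = f.get("profile", "<unknown profile>")
        rules[profile].add(f"network {f['family']} {f['sock_type']},")
    return {profile: sorted(r) for profile, r in rules.items()}


if __name__ == "__main__":
    for profile, rules in network_rules(SAMPLE_LOG).items():
        print(f"# {profile}")
        for rule in rules:
            print(f"  {rule}")
```

On a parser affected by this bug, the generated tipc rules are still rejected with the "Invalid network entry" error shown above until the fix is applied.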

Jamie Strandboge (jdstrand) wrote :

FYI, this also fails:
s = socket.socket(socket.AF_TIPC, socket.SOCK_SEQPACKET, 0)

John Johansen (jjohansen) wrote :

There were several families being screened out because they caused build failures under previous releases. This is no longer the case and I have attached a proposed patch.

Steve Beattie (sbeattie) wrote :

Fix committed to trunk and to the apparmor-2.6 branch.

Changed in apparmor:
status: New → Fix Released
Steve Beattie (sbeattie) wrote :

AppArmor 2.6.1 was released.
