Description: Let src/utils.cpp:apparmorProfileOfPeer() always return 'unconfined'.
Author: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Abstract:
Debian's kernel lacks proper LinuxSecurityContext support. There is an
Apparmor-specific kernel patch that has never made it to Linux upstream
for now.
.
Details: It appears that AppArmor SO_PEERSEC support for unix domain
sockets bound to a filesystem path name is missing from the upstream
kernel and is only enabled as a side effect of a patch distributed with
AppArmor:
https://gitlab.com/apparmor/apparmor/-/blob/692e6850ba90582105713a683bed753bad696aab/kernel-patches/v4.17/0002-apparmor-af_unix-mediation.patch
.
Ubuntu kernels contain a rebased variant of the patch which is likely
why SO_PEERSEC works on Ubuntu.
.
See: https://bugs.debian.org/1092591
--- a/online-accounts-service/src/utils.cpp
+++ b/online-accounts-service/src/utils.cpp
@@ -33,6 +33,23 @@
{
static QString ourProfile;
+ /* Debian's kernel lacks proper LinuxSecurityContext support. There is an
+ * Apparmor-specific kernel patch that has never made it to Linux upstream
+ * for now.
+ *
+ * Details: It appears that AppArmor SO_PEERSEC support for unix domain
+ * sockets bound to a filesystem path name is missing from the upstream
+ * kernel and is only enabled as a side effect of a patch distributed with
+ * AppArmor:
+ * https://gitlab.com/apparmor/apparmor/-/blob/692e6850ba90582105713a683bed753bad696aab/kernel-patches/v4.17/0002-apparmor-af_unix-mediation.patch
+ *
+ * Ubuntu kernels contain a rebased variant of the patch which is likely
+ * why SO_PEERSEC works on Ubuntu.
+ *
+ * See: https://bugs.debian.org/1092591
+ */
+ return QString("unconfined");
+
QString uniqueConnectionId = message.service();
/* This is mainly for unit tests: real messages on the session bus always
* have a service name. */
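Review bot: the unconditional `return QString("unconfined");` added at the top of the hunk makes every line that follows it in apparmorProfileOfPeer() unreachable, including the retained `QString uniqueConnectionId = message.service();` and the `static QString ourProfile;` it is inserted after, so the function now reports every D-Bus peer as unconfined regardless of what the kernel can actually provide. That is a silent policy downgrade for any caller that relies on the peer's AppArmor profile for an access decision, and it also applies on Debian systems running a kernel that does carry the af_unix mediation patch. Consider querying SO_PEERSEC first and falling back to "unconfined" only when the lookup fails (or gating the short-circuit behind a build-time option), and either drop the now-dead code or mark the fallback clearly in the comment so the unreachable-code warning and the reduced confinement are intentional and visible to future maintainers.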