Bug#1092591: linux-image-6.12.6-amd64: SO_PEERSEC fails with ENOPROTOOPT with AppArmor enabled

To: Guido Berhoerster <guido+debian@berhoerster.name>, 1092591@bugs.debian.org
Subject: Bug#1092591: linux-image-6.12.6-amd64: SO_PEERSEC fails with ENOPROTOOPT with AppArmor enabled
From: Bastian Blank <waldi@debian.org>
Date: Fri, 17 Jan 2025 19:16:20 +0100
Message-id: <[🔎] 20250117181620.al3aqzdpr6gnjtcf@shell.thinkmo.de>
Reply-to: Bastian Blank <waldi@debian.org>, 1092591@bugs.debian.org
In-reply-to: <[🔎] 2b14bced-076b-4259-935c-b0356d94d028@berhoerster.name>
References: <[🔎] 173642770338.6275.10194148740238481779.reportbug@lomiri-content-hub-trixie> <[🔎] 173642770338.6275.10194148740238481779.reportbug@lomiri-content-hub-trixie> <[🔎] 173642770338.6275.10194148740238481779.reportbug@lomiri-content-hub-trixie> <[🔎] 2b14bced-076b-4259-935c-b0356d94d028@berhoerster.name> <[🔎] 173642770338.6275.10194148740238481779.reportbug@lomiri-content-hub-trixie>

Control: tags -1 upstream
Controm: forwarded -1 https://gitlab.com/apparmor/apparmor/-/blob/692e6850ba90582105713a683bed753bad696aab/kernel-patches/v4.17/0002-apparmor-af_unix-mediation.patch

On Thu, Jan 16, 2025 at 02:16:18PM +0100, Guido Berhoerster wrote:
> From my superficial reading of the code the error seems to come from here: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/security/apparmor/lsm.c?h=v6.12.6#n1313

Yes, it does.

> It appears that AppArmor SO_PEERSEC support for unix domain sockets bound to a filesystem path name is missing from the upstream kernel and is only enabled as a side effect of a patch distributed with AppArmor: https://gitlab.com/apparmor/apparmor/-/blob/692e6850ba90582105713a683bed753bad696aab/kernel-patches/v4.17/0002-apparmor-af_unix-mediation.patch
> Ubuntu kernels contain a rebased variant of the patch which is likely why SO_PEERSEC works on Ubuntu.

This comes from the addition of apparmor_unix_stream_connect.  Without
it the peer context is never set.

> The reason I stumbled on this issue is that we (ubports-team) are currently packaging lomiri-content-hub which implicitly relies on SO_PEERSEC through the DBus daemon to get the AppArmor profile of a process requesting to export a file. Without this it is not possible to confine Lomiri/Ubuntu Touch apps running on Debian.

So someone needs to properly submit this support upstream.

Bastian

-- 
Too much of anything, even love, isn't necessarily a good thing.
		-- Kirk, "The Trouble with Tribbles", stardate 4525.6

Reply to:

Follow-Ups:
- Bug#1092591: linux-image-6.12.6-amd64: SO_PEERSEC fails with ENOPROTOOPT with AppArmor enabled
  - From: Guido Berhoerster <guido+debian@berhoerster.name>

References:
- Bug#1092591: linux-image-6.12.6-amd64: SO_PEERSEC fails with ENOPROTOOPT with AppArmor enabled
  - From: Guido Berhoerster <guido+debian@berhoerster.name>
- Bug#1092591: linux-image-6.12.6-amd64: SO_PEERSEC fails with ENOPROTOOPT with AppArmor enabled
  - From: Guido Berhoerster <guido+debian@berhoerster.name>

Prev by Date: Bug#1091893: linux-image-6.1.0-28-amd64: Watchdog detected hard LOCKUP on CPU 8, then CPU 0
Next by Date: Processed: Re: Bug#1092591: linux-image-6.12.6-amd64: SO_PEERSEC fails with ENOPROTOOPT with AppArmor enabled
Previous by thread: Bug#1092591: linux-image-6.12.6-amd64: SO_PEERSEC fails with ENOPROTOOPT with AppArmor enabled
Next by thread: Bug#1092591: linux-image-6.12.6-amd64: SO_PEERSEC fails with ENOPROTOOPT with AppArmor enabled
Index(es):
- Date
- Thread