[apparmor] ENOPROTOOPT error when calling aa_getpeercon()

Sergio Costas Rodriguez sergio.costas at canonical.com
Mon Jan 29 17:26:10 UTC 2024


On 1/29/24 at 17:48, John Johansen wrote:
> On 1/29/24 08:31, Sergio Costas Rodriguez wrote:
>> Hi all,
>>
>> I'm using aa_getpeercon() to get info about a socket, but in some 
>> kernels with odd apparmor configurations it returns ENOPROTOOPT. But 
>> the manpage doesn't list that error in the possible errors of this 
>> call. Under which circumstances can that error be returned?
>>
>
> to use aa_getpeercon() your kernel will need the fine grained unix 
> mediation which hasn't land in upstream kernels yet. So current 
> upstream kernels will return -ENOPROTOOPT because SO_PEERLABEL is not 
> a supported protocol option.
>
> Additionally note that with LSM stacking, with apparmor stacked with 
> another LSM, even if you have the fine grained af_unix mediation, that 
> aa_getpeercon() will either return an error or the wrong LSM info (it 
> will depend on the version aa_getpeercon() that is in use.
>
>
Mmm... does that mean that Ubuntu kernels have that patch included? Do 
you know since which version?
