AppArmor should support changing the security context of a threaded process
Bug #1552341 reported by
Tyler Hicks
This bug affects 49 people
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| AppArmor |
Triaged
|
Low
|
Unassigned | ||
| Canonical System Image |
Confirmed
|
Low
|
Zoltan Balogh | ||
Bug Description
The aa_change_profile() and aa_change_onexec() functions are not safe to use with multi-threaded processes because only the main thread will be transitioned. We should support a way to transition all threads of a multi-threaded process.
One immediate user of the feature would be mapplauncherd in Ubuntu Touch. The QML booster starts the QML engine as part of its pre-caching work. Since the QML engine is multi-threaded, the QML booster cannot be used for confined apps on Ubuntu Touch because there's no way to transition all the threads to the necessary profile for app confinement.
Revision history for this message
| Andrea Bernabei (faenil) wrote | #1 |
Revision history for this message
| Pat McGowan (pat-mcgowan) wrote | #2 |
| Changed in canonical-devices-system-image: | |
| assignee: | nobody → Zoltan Balogh (bzoltan) |
| importance: | Undecided → Low |
| status: | New → Confirmed |
Revision history for this message
| Tyler Hicks (tyhicks) wrote | #3 |
| Changed in apparmor: | |
| importance: | High → Low |
Revision history for this message
| Pat McGowan (pat-mcgowan) wrote | #4 |
To post a comment you must log in.
This would be immensely beneficial to our platform, it would be great to get some resources assigned to it :)