In preparation for an SRU, here is a minimal C testcase provided by Wolfgang Bumiller:
```
/*
# apparmor_parser -r /etc/apparmor.d/bug-profile
# (tested without the flags here as well btw.)
profile bug-profile flags=(attach_disconnected,mediate_deleted) {
network,
file,
unix,
}
*/
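/*
 * Minimal reproducer: create an AF_UNIX datagram socketpair and try to
 * flock() one end. Outside the profile flock() succeeds; confined by
 * bug-profile the call is denied (audit: operation="file_lock",
 * family="unix", sock_type="dgram").
 *
 * Returns 0 after printing the flock() result; exits with status 1 if the
 * socketpair cannot be created.
 */
int
main(int argc, char **argv)
{
    int sp[2];
    int rc;

    (void)argc;
    (void)argv;

    /* The socket itself is never used; only the lock operation matters. */
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sp) != 0) {
        perror("socketpair");
        exit(1);
    }

    /* flock() yields 0 on success, -1 with errno set on failure; under the
     * profile the failure is reported as "Permission denied". */
    rc = flock(sp[0], LOCK_EX);

    /* The original testcase passed no argument for %i, so the number printed
     * ("lock = 2") was an unrelated stale value read from the varargs area
     * (undefined behavior). rc must be passed explicitly. %m is a glibc
     * extension that prints strerror(errno). */
    printf("lock = %i (%m)\n", rc);

    close(sp[0]);
    close(sp[1]);
    return 0;
}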
```
Another very easy way to reproduce the issue is to run "hostnamectl status" inside a container, which will hang because the socket-activated systemd unit fails to trigger.
In preparation for an SRU, here is a minimal C testcase provided by Wolfgang Bumiller:
```
/*
# apparmor_parser -r /etc/apparmor.d/bug-profile
# (tested without the flags here as well btw.)
profile bug-profile flags=(attach_disconnected,mediate_deleted) {
network,
file,
unix,
}
# gcc this.c
# ./a.out
lock = 2 (Success)
# aa-exec -p bug-profile ./a.out
lock = 2 (Permission denied)
kernel: audit: type=1400 audit(1530774919.510:93): apparmor="DENIED" operation="file_lock" profile="bug-profile" pid=21788 comm="a.out" family="unix" sock_type="dgram" protocol=0 addr=none
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/file.h>
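/*
 * Minimal reproducer: create an AF_UNIX datagram socketpair and try to
 * flock() one end. Outside the profile flock() succeeds; confined by
 * bug-profile the call is denied (audit: operation="file_lock",
 * family="unix", sock_type="dgram").
 *
 * Returns 0 after printing the flock() result; exits with status 1 if the
 * socketpair cannot be created.
 */
int
main(int argc, char **argv)
{
    int sp[2];
    int rc;

    (void)argc;
    (void)argv;

    /* The socket itself is never used; only the lock operation matters. */
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sp) != 0) {
        perror("socketpair");
        exit(1);
    }

    /* flock() yields 0 on success, -1 with errno set on failure; under the
     * profile the failure is reported as "Permission denied". */
    rc = flock(sp[0], LOCK_EX);

    /* The original testcase passed no argument for %i, so the number printed
     * ("lock = 2") was an unrelated stale value read from the varargs area
     * (undefined behavior). rc must be passed explicitly. %m is a glibc
     * extension that prints strerror(errno). */
    printf("lock = %i (%m)\n", rc);

    close(sp[0]);
    close(sp[1]);
    return 0;
}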
```
Another very easy way to reproduce the issue is to run "hostnamectl status" inside a container, which will hang because the socket-activated systemd unit fails to trigger.