[apparmor] file mmap() with no name?
John Johansen
john.johansen at canonical.com
Thu Jul 28 03:52:21 UTC 2016
On 07/26/2016 05:35 AM, Mark Wadham wrote:
> what does this mean?
>
> [231011.527784] audit: type=1400 audit(1469536509.129:16792): apparmor="ALLOWED" operation="file_mmap" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/apache2" name="" pid=758 comm="apache2" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
>
>
> I'm confused because name=""
>
It means the file did not resolve to any name.
This can happen for various reasons, but I will try to break this one down.

The file is disconnected from the namespace; there are many reasons this
could happen:
- it's been passed into a new mount namespace
- it's been lazily unmounted
- it's a file outside the chroot

When a disconnected path happens, apparmor will fall back to the dentry
path to report some name associated with the error. Sometimes this will
give a partial path helping you identify the file. In other cases the
dentry path returned is just the root ("/") or a number, or pipe:1234, or
some such. To avoid confusion apparmor removes any leading "/" when
reporting the disconnected path.

So this is a case of the dentry path returning "/". That does not mean
that the file is at /; the real path is a combination of the dentry path
and mount, but the mount is outside of the current namespace and cannot be
resolved.
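
Added example, not part of the original message or of AppArmor itself: a small triage script that picks disconnected-path records out of audit output and interprets the `name` field the way the reply describes. All records after the first are constructed samples, and the category labels are this example's own names.

```python
import re

DISCONNECTED = "Failed name lookup - disconnected path"
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# The first record is the one quoted in the thread; the other three are constructed.
SAMPLE_LOG = """\
[231011.527784] audit: type=1400 audit(1469536509.129:16792): apparmor="ALLOWED" operation="file_mmap" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/apache2" name="" pid=758 comm="apache2" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
[231012.000001] audit: type=1400 audit(1469536510.001:16793): apparmor="ALLOWED" operation="open" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/apache2" name="var/cache/example/data.bin" pid=758 comm="apache2" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[231012.000002] audit: type=1400 audit(1469536510.002:16794): apparmor="ALLOWED" operation="file_perm" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/apache2" name="pipe:1234" pid=758 comm="apache2" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
[231012.000003] audit: type=1400 audit(1469536510.003:16795): apparmor="DENIED" operation="open" profile="/usr/sbin/apache2" name="/etc/example.conf" pid=758 comm="apache2" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

def parse_fields(line):
    """Return the key=value pairs of one audit record as a dict."""
    return {k: (q if v == "" else v) for k, q, v in FIELD_RE.findall(line)}

def classify_name(name):
    """Interpret the dentry-path fallback (leading "/" already stripped)."""
    if name == "":
        return "root-dentry"       # dentry path was "/": real location unknown
    if name.isdigit() or re.fullmatch(r"\w+:\[?\d+\]?", name):
        return "anonymous-object"  # a number, pipe:1234, or similar
    return "partial-path"          # relative to a mount outside the namespace

def disconnected_events(log_text):
    """Return (profile, operation, name, kind) for each disconnected-path record."""
    events = []
    for line in log_text.splitlines():
        f = parse_fields(line)
        if "apparmor" in f and f.get("info") == DISCONNECTED:
            name = f.get("name", "")
            events.append((f["profile"], f["operation"], name, classify_name(name)))
    return events

if __name__ == "__main__":
    for event in disconnected_events(SAMPLE_LOG):
        print(event)
```

A "partial-path" name should be read as relative to some unresolved mount, not as a path under the profile's root.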