[apparmor] file mmap() with no name?

John Johansen john.johansen at canonical.com
Thu Jul 28 03:52:21 UTC 2016

On 07/26/2016 05:35 AM, Mark Wadham wrote:
> what does this mean?
> [231011.527784] audit: type=1400 audit(1469536509.129:16792): apparmor="ALLOWED" operation="file_mmap" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/apache2" name="" pid=758 comm="apache2" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
> I'm confused because name=""
It means the file did not resolve to a any name.

This can happen for various reasons, but I will try to break this one down.

The file is disconnected from the namespace, there are many reasons this
could happen
- its been passed into a new mount namespace
- its been lazily unmounted
- its a file outside the chroot

when a disconnected path happens, apparmor will fall back to the dentry
path to report some name associated with the error. Some times this will
give a partial path helping you identify the file. In other cases the
dentry path returned is just the root ("/") or a number, or pipe:1234, or
some such.  To avoid confusion apparmor removes any leading "/" when
reporting the disconnected path.

So this is a case of the denty path returning "/".  That does not mean
that the file is at /, the real path is a combination of the dentry path
and mount, but the mount is outside of the current namespace and can not be

More information about the AppArmor mailing list