[apparmor] Question about attach_disconnected
apparmor at raf.org
Tue Jul 3 23:41:59 UTC 2018
Hi,
I once reported an apparmor message where the name="" was missing
the leading / and was advised to use the attach_disconnected flag.
I'm getting a similar message again:
type=AVC msg=audit(1530626112.960:424568): apparmor="DENIED" operation="open"
info="Failed name lookup - disconnected path" error=-13
profile="/usr/sbin/apache2//indexcgi" name="var/thing/data/.plain"
pid=6195 comm="index.cgi" requested_mask="rw" denied_mask="rw" fsuid=33 ouid=0
I searched for documentation on the attach_disconnected flag and eventually found:
https://www.suse.com/documentation/sles-12/book_security/data/sec_apparmor_profiles_glob.html
Attach flags consist of two pairs of mutually exclusive flags:
attach_disconnected or no_attach_disconnected (determine if
path names resolved to be outside of the namespace are
attached to the root, which means they have the '/' character
at the beginning), and chroot_attach or chroot_no_attach
(control path name generation when in a chroot environment
while a file is accessed that is external to the chroot but
within the namespace).
Under what circumstances would path names resolve to be outside of the namespace?
I'm wondering if there's any reason not to always use the attach_disconnected flag.
I assume there must be since no_attach_disconnected seems to be the default.
Thanks,
raf
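The audit record quoted above is the thing a defender actually has to triage: a DENIED with info="Failed name lookup - disconnected path" and a name= that lacks the leading "/". The following is an added example, not code from the original post or from the AppArmor project, that parses such records from a log and groups the disconnected names by profile so you can see which profiles are hitting this case before deciding whether attach_disconnected is the right fix. The sample log lines are constructed here (the first one is modelled on the record in the post); the set of file-operation names used for the secondary heuristic is an assumption and can be extended.

```python
"""Scan AppArmor audit records for 'disconnected path' denials.

Added example (not from the original post). It parses the key="value"
fields of type=AVC apparmor lines and reports DENIED records where the
kernel could not generate a path attached to the root, i.e. the name has
no leading '/', which is the situation the attach_disconnected flag covers.
"""
import re
from collections import defaultdict

# Matches key="quoted value" or key=bare-value pairs in an audit line.
_FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Operations whose name= field is a filesystem path (assumed set, extend as needed);
# for other operations (dbus, network, capable) name= is not a path and is ignored.
FILE_OPS = {"open", "exec", "getattr", "mkdir", "rmdir", "unlink", "truncate",
            "rename_src", "rename_dest", "file_perm", "file_mmap", "file_lock",
            "file_inherit"}


def parse_audit_line(line):
    """Return a dict of the key=value fields of one audit line."""
    fields = {}
    for key, quoted, bare in _FIELD_RE.findall(line):
        fields[key] = quoted if quoted else bare
    return fields


def is_disconnected_denial(fields):
    """True if this record is an AppArmor DENIED involving a disconnected path.

    Primary signal: the kernel says so in info=. Secondary heuristic: a file
    operation whose name= is present but not anchored at '/'.
    """
    if fields.get("apparmor") != "DENIED":
        return False
    if "disconnected path" in fields.get("info", ""):
        return True
    name = fields.get("name", "")
    return fields.get("operation") in FILE_OPS and name != "" and not name.startswith("/")


def summarize(lines):
    """Map profile -> sorted list of disconnected names seen in DENIED records."""
    hits = defaultdict(set)
    for line in lines:
        fields = parse_audit_line(line)
        if is_disconnected_denial(fields):
            hits[fields.get("profile", "<unknown>")].add(fields.get("name", ""))
    return {profile: sorted(names) for profile, names in hits.items()}


# Constructed sample records; the first mirrors the record quoted in the post.
SAMPLE_LOG = [
    'type=AVC msg=audit(1530626112.960:424568): apparmor="DENIED" operation="open" '
    'info="Failed name lookup - disconnected path" error=-13 '
    'profile="/usr/sbin/apache2//indexcgi" name="var/thing/data/.plain" '
    'pid=6195 comm="index.cgi" requested_mask="rw" denied_mask="rw" fsuid=33 ouid=0',
    # Ordinary denial with a rooted path: not a disconnected-path case.
    'type=AVC msg=audit(1530626200.100:424569): apparmor="DENIED" operation="open" '
    'profile="/usr/sbin/apache2//indexcgi" name="/etc/shadow" pid=6195 '
    'comm="index.cgi" requested_mask="r" denied_mask="r" fsuid=33 ouid=0',
    # Audit-only (allowed) record with a non-rooted name: not a denial, ignored.
    'type=AVC msg=audit(1530626300.200:424570): apparmor="AUDIT" operation="open" '
    'profile="/usr/sbin/apache2" name="srv/www/index.html" pid=6000 comm="apache2"',
]

if __name__ == "__main__":
    for profile, names in summarize(SAMPLE_LOG).items():
        print(f"{profile}: {len(names)} disconnected name(s)")
        for n in names:
            print(f"    {n}")
```

Run against a real log with something like `summarize(open("/var/log/audit/audit.log"))`. A profile that shows up here repeatedly for paths that really are outside its mount namespace is the candidate for the attach_disconnected flag; a profile that shows up only for one odd path is worth looking at more closely before widening what it is allowed to see.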