[apparmor] Question about "Failed name lookup - disconnected path"

[Mikhail Morfikov]

I have two apps: *app1* and *app2*, and *app1* calls/executes *app2* at 
some point in time.

When I create an AppArmor profile for *app2* only, the *app2* works
well, and there's no problem with its confinement. When now I create an 
AppArmor profile for *app1* and inside of this profile I use 
"/bin/app2 rPUx," rule to execute *app2*, I get:

apparmor="DENIED" operation="getattr" info="Failed name lookup - disconnected path" error=-13 profile="app2" \
  name="apparmor/.null" pid=55644 comm="app2" requested_mask="r" denied_mask="r" fsuid=1 ouid=0

So when the confined *app1* calls the confined *app2*, I get the "Failed 
name lookup - disconnected path" error, but when the unconfined *app1* 
calls the confined *app2*, I don't get this error. Also when I execute 
the *app2* manually, I don't get the error.

It looks like this situation happens only for a small amount of apps in 
my system, but I don't really know why. So what's wrong with it? 
Shouldn't the error be in all cases (the app executed manually and 
executed from the other confined/unconfined app)?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20190806/adf895e0/attachment.sig>