[apparmor] Question about "Failed name lookup - disconnected path"

Seth Arnold seth.arnold at canonical.com
Tue Aug 6 22:24:44 UTC 2019


On Tue, Aug 06, 2019 at 01:36:23PM +0200, Mikhail Morfikov wrote:
> apparmor="DENIED" operation="getattr" info="Failed name lookup - disconnected path"
> error=-13 profile="app2" name="apparmor/.null" pid=55644 comm="app2"
> requested_mask="r" denied_mask="r" fsuid=1 ouid=0
> 
> So when the confined *app1* calls the confined *app2*, I get the "Failed 
> name lookup - disconnected path" error, but when the unconfined *app1* 
> calls the confined *app2*, I don't get this error. Also when I execute 
> the *app2* manually, I don't get the error.

I believe in this case, app1 is opening a file descriptor and giving that
file descriptor to app2. There's some amount of filesystem namespace
operations in play -- app2's view of the filesystem doesn't include that
file.

This means that when a file with a name in the filesystem like etc/shadow
is resolved, apparmor can't tell you if it's from /var/chroot/ or from /.

You've got several approaches possible:

- run both processes in the same filesystem namespace, so files have names
  that are meaningful to both

- use the flags=(attach_disconnected) modifier to your second profile;
  this will cause apparmor to 're-root' files on / and give them a name.
  You might get a new DENIED message after this to report which file
  you'll need to add to your profile.
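As an added illustration of the second approach (this is example profile text written for this thread, not a profile from the original mail or from the AppArmor project), here is what the two states of app2's profile look like. The attachment path /usr/local/bin/app2 and the re-rooted file path /var/lib/app2/input.dat are assumed placeholders; the real path is whatever the follow-up DENIED message reports in name= once the flag is in place.

```apparmor
# --- Before: profile without attach_disconnected ---
# A file app2 receives as an fd from app1's mount namespace has no
# path that resolves in app2's namespace, so getattr/read on it is
# denied with info="Failed name lookup - disconnected path" and the
# audit line shows the fake name "apparmor/.null" instead of a path.
profile app2 /usr/local/bin/app2 {
  #include <abstractions/base>

  # app2's own config in its own namespace still resolves normally
  /etc/app2.conf r,
}

# --- After: profile with attach_disconnected ---
# The flag tells AppArmor to re-root disconnected objects at / and
# give them a name, so the denial becomes an ordinary path denial
# you can match with a file rule.
profile app2 /usr/local/bin/app2 flags=(attach_disconnected) {
  #include <abstractions/base>

  /etc/app2.conf r,

  # Assumed placeholder: take the actual path from the new DENIED
  # line's name= field (e.g. name="/var/lib/app2/input.dat") and
  # grant only the access mask that was denied (here "r").
  /var/lib/app2/input.dat r,
}
```

Only one of the two `profile app2` blocks can be loaded at a time; after editing the installed copy, `apparmor_parser -r /etc/apparmor.d/app2` reloads it, and the next denial (if any) names the re-rooted file to add.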

Hopefully we'll have something more pleasing in the future, but this is
where it's at today.

I hope this helps.

Thanks