[apparmor] Question about "Failed name lookup - disconnected path"
Mikhail Morfikov
mmorfikov at gmail.com
Wed Aug 7 11:19:37 UTC 2019
On 07/08/2019 05:34, John Johansen wrote:
> name="apparmor/.null" says that it is an fd that was inherited and apparmor did a
> revalidation on it and the access was denied so the fd was duped to a special null
> device file instead of outright closing it (there are good reasons for doing this).
>
> So you will need to look back in your log for an apparmor=DENIED message, with
> operation="file_inherit" that should give you the actual file in this case.
Ok, I see.
>
> I should note that on newer kernels we don't generally audit apparmor/.null so
> you will only get the file_inherit denial logged.
>
I have a 5.2.6 kernel and usually I use the latest stable.
I have another question: what about this message?
kernel: [42605.998291][ T22] audit: type=1400 audit(1565176324.321:851): apparmor="ALLOWED" \
operation="getattr" info="Failed name lookup - disconnected path" error=-13 profile="userdel" \
name="" pid=24997 comm="userdel" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Here *name=""* is empty. So what about this case?
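
Added example, not part of the original message or of AppArmor's own tooling: a small log correlator for the lookup described in the quoted reply, which lists for each name="apparmor/.null" record the files named by earlier DENIED operation="file_inherit" records. Matching on pid and profile is an assumption of this sketch, and every sample record except the userdel line from the message is constructed.

```python
import re

# Constructed sample records modelled on the audit format quoted in the message;
# the profile, paths and pids are made up. The last line is the userdel record
# from the message, joined onto one line.
SAMPLE_LOG = """\
audit: type=1400 audit(1565176300.100:840): apparmor="DENIED" operation="file_inherit" profile="example_profile" name="/var/log/example.log" pid=4242 comm="example" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
audit: type=1400 audit(1565176300.100:841): apparmor="DENIED" operation="file_inherit" profile="example_profile" name="/run/example.sock" pid=4242 comm="example" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
audit: type=1400 audit(1565176300.200:842): apparmor="DENIED" operation="file_perm" profile="example_profile" name="apparmor/.null" pid=4242 comm="example" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
audit: type=1400 audit(1565176310.000:845): apparmor="DENIED" operation="file_perm" profile="example_profile" name="apparmor/.null" pid=5000 comm="example" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1565176324.321:851): apparmor="ALLOWED" operation="getattr" info="Failed name lookup - disconnected path" error=-13 profile="userdel" name="" pid=24997 comm="userdel" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# Matches key="quoted value" or key=bare_value
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line):
    """Return the key=value fields of an AppArmor audit line, or None."""
    if "apparmor=" not in line:
        return None
    return {m[1]: m[2] if m[2] is not None else m[3] for m in FIELD_RE.finditer(line)}


def resolve_null_fds(log_text):
    """For each name="apparmor/.null" record, list the files named by earlier
    DENIED file_inherit records with the same pid and profile (assumed key)."""
    denied_inherits = {}  # (pid, profile) -> file names from file_inherit denials
    results = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        key = (rec.get("pid"), rec.get("profile"))
        if rec.get("apparmor") == "DENIED" and rec.get("operation") == "file_inherit":
            denied_inherits.setdefault(key, []).append(rec.get("name"))
        elif rec.get("name") == "apparmor/.null":
            # Several fds may have been denied at inherit time; report all candidates.
            results.append((key[0], key[1], list(denied_inherits.get(key, []))))
    return results


if __name__ == "__main__":
    for pid, profile, files in resolve_null_fds(SAMPLE_LOG):
        print(f"pid={pid} profile={profile}: candidates={files or 'none logged'}")
```

The userdel record with name="" is parsed but not matched, since it carries neither a file_inherit operation nor the apparmor/.null name.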