AppArmor logs denial for when the device path is ENOENT

Bug #1482943 reported by John Johansen
This bug affects 1 person

Affects: AppArmor | Status: Fix Released | Importance: Undecided | Assigned to: Unassigned | Milestone: (none listed)

Bug Description

Example log message

[ 303.419688] audit: type=1400 audit(1438946700.236:9): apparmor="DENIED" operation="mount" profile="lxd_lxd_0.14-git0" name="/var/lib/apps/lxd/0.14-git0/dev/lxd/" pid=940 comm="lxd" flags="rw, bind"

where the mount tried to
  bind -o bind,rw "/var/lib/apps/lxd/0.14-git0/lxd/devlxd" "/var/lib/apps/lxd/0.14-git0/dev/lxd/"

but the src path "/var/lib/apps/lxd/0.14-git0/lxd/devlxd" does not exist.

The reason apparmor logs a denial is because it tries to lookup the kern_path of the src as part of determining permissions and fails. However this mount will fail even with apparmor disabled as the same kern_path call is made by the bind mount path after security_sb_mount has granted permission.

If apparmor is going to log this message it should report info, error, and srcname like below, so it is clear why it is failing.

[ 303.419688] audit: type=1400 audit(1438946700.236:9): apparmor="DENIED" operation="mount" info="failed dev name lookup" error=-2 profile="lxd_lxd_0.14-git0" name="/var/lib/apps/lxd/0.14-git0/dev/lxd/" pid=940 comm="lxd" srcname="/var/lib/apps/lxd/0.14-git0/lxd/devlxd" flags="rw, bind"
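As an added illustration (not part of the bug report or of AppArmor's own code), the following parser shows why the extra info/error/srcname fields matter to whoever reads these logs: with them, a triage script can separate a source-path lookup failure (ENOENT, which would fail without AppArmor too) from a genuine policy denial, and the older line without them can only be flagged as ambiguous. The sample lines are the two quoted in the report; the verdict names and the advice strings are this example's own invention.

```python
import re
from typing import Dict

# Constructed sample input: the two audit lines quoted in the bug report, the
# original denial and the proposed form carrying info/error/srcname.
SAMPLE_LOGS = [
    '[ 303.419688] audit: type=1400 audit(1438946700.236:9): apparmor="DENIED" '
    'operation="mount" profile="lxd_lxd_0.14-git0" '
    'name="/var/lib/apps/lxd/0.14-git0/dev/lxd/" pid=940 comm="lxd" flags="rw, bind"',
    '[ 303.419688] audit: type=1400 audit(1438946700.236:9): apparmor="DENIED" '
    'operation="mount" info="failed dev name lookup" error=-2 '
    'profile="lxd_lxd_0.14-git0" name="/var/lib/apps/lxd/0.14-git0/dev/lxd/" '
    'pid=940 comm="lxd" srcname="/var/lib/apps/lxd/0.14-git0/lxd/devlxd" flags="rw, bind"',
]

# key=value pairs; a value is either double-quoted (may contain spaces) or bare.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
ENOENT = -2  # errno carried in the error= field of the proposed log line


def parse_apparmor_line(line: str) -> Dict[str, str]:
    """Split an AppArmor audit line into its key=value fields, quotes stripped."""
    fields: Dict[str, str] = {}
    for key, value in FIELD_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def classify_mount_denial(fields: Dict[str, str]) -> str:
    """Return a verdict string (names are this example's own):

    'not-a-mount-denial' - some other audit record
    'lookup-failure'     - error=-2 (ENOENT) plus an info string: the kernel could
                           not resolve the source path, so the mount fails with or
                           without AppArmor and no profile change will help
    'policy-denial'      - a denial with some other error value
    'ambiguous'          - old-style line without error=: the log alone cannot
                           tell the two cases apart
    """
    if fields.get("apparmor") != "DENIED" or fields.get("operation") != "mount":
        return "not-a-mount-denial"
    if "error" not in fields:
        return "ambiguous"
    try:
        err = int(fields["error"])
    except ValueError:
        return "ambiguous"
    if err == ENOENT and "info" in fields:
        return "lookup-failure"
    return "policy-denial"


def triage(line: str) -> Dict[str, str]:
    """Parse one line and attach a human-readable next step to the verdict."""
    fields = parse_apparmor_line(line)
    verdict = classify_mount_denial(fields)
    advice = {
        "lookup-failure": "source path %s does not exist; fix the caller, not the profile"
        % fields.get("srcname", "<unknown>"),
        "policy-denial": "check profile %s for a matching mount rule"
        % fields.get("profile", "<unknown>"),
        "ambiguous": "no error= field; confirm the source path exists before adding a rule",
        "not-a-mount-denial": "ignore",
    }[verdict]
    return {
        "verdict": verdict,
        "profile": fields.get("profile", ""),
        "srcname": fields.get("srcname", ""),
        "advice": advice,
    }


if __name__ == "__main__":
    for sample in SAMPLE_LOGS:
        result = triage(sample)
        print(result["verdict"], "-", result["advice"])
```

Run as a script it prints `ambiguous` for the first line and `lookup-failure` for the second; the difference between those two verdicts is exactly the information the report asks the kernel to add.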

Revision history for this message
John Johansen (jjohansen) wrote :

Fix is in the apparmor 3.5 kernel patches

Changed in apparmor:
status: New → Fix Committed
Changed in apparmor:
status: Fix Committed → Fix Released