On Tue, Aug 06, 2019 at 01:36:23PM +0200, Mikhail Morfikov wrote:

> apparmor="DENIED" operation="getattr" info="Failed name lookup - disconnected path" error=-13 profile="app2" name="apparmor/.null" pid=55644 comm="app2" requested_mask="r" denied_mask="r" fsuid=1 ouid=0
>
> So when the confined *app1* calls the confined *app2*, I get the "Failed
> name lookup - disconnected path" error, but when the unconfined *app1*
> calls the confined *app2*, I don't get this error. Also when I execute
> the *app2* manually, I don't get the error.
I believe in this case, app1 is opening a file descriptor and giving that
file descriptor to app2. There's some amount of filesystem namespace
operations in play -- app2's view of the filesystem doesn't include that
file. This means that when a file with a name in the filesystem like
etc/shadow is resolved, apparmor can't tell you if it's from /var/chroot/
or from /.

You've got several approaches possible:

- run both processes in the same filesystem namespace, so files have
  names that are meaningful to both
- use the flags=(attach_disconnected) modifier to your second profile;
  this will cause apparmor to 're-root' files on / and give them a name.
  You might get a new DENIED message after this to report which file
  you'll need to add to your profile.

Hopefully we'll have something more pleasing in the future, but this is
where it's at today.

I hope this helps.

Thanks
--
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
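The second approach from the reply above, written out as an added example profile. This is not code from the thread or from the AppArmor project; the profile path /usr/bin/app2, the file /etc/apparmor.d/usr.bin.app2 and the rule for /etc/app2.conf are assumptions, since the thread only names the executable app2 and the directory /var/chroot/. Both versions of the profile are shown in one listing for comparison; only one of them would actually be loaded.

```apparmor
# Added example, not from the original thread. /usr/bin/app2, the profile
# file name and /etc/app2.conf are assumed; the thread names only "app2"
# and /var/chroot/.

# Version 1 (the situation in the DENIED line): app2 is confined without
# attach_disconnected. A file descriptor handed over by app1 from a
# different filesystem namespace has no name in app2's view, so the
# lookup is reported as "Failed name lookup - disconnected path" with
# name="apparmor/.null" and is denied.
/usr/bin/app2 {
  #include <abstractions/base>

  /usr/bin/app2 mr,
  /var/chroot/etc/** r,
}

# Version 2 (the fix from the reply): attach_disconnected re-roots
# disconnected files on / so they get a name the profile can match. The
# next audit line is then an ordinary DENIED that names the file, and that
# path is what gets added as a rule below.
/usr/bin/app2 flags=(attach_disconnected) {
  #include <abstractions/base>

  /usr/bin/app2 mr,
  /var/chroot/etc/** r,

  # Rule added after reading the new DENIED line (assumed path). Because
  # the re-rooted name is relative to /, apparmor cannot distinguish
  # /var/chroot/etc/app2.conf from /etc/app2.conf here, so keep the rule
  # as narrow as the application needs rather than granting /etc/** .
  /etc/app2.conf r,
}
```

After editing the profile, reload it with apparmor_parser -r /etc/apparmor.d/usr.bin.app2 and re-run the app1-to-app2 hand-off; the disconnected-path message should be gone, and any remaining DENIED line will carry a real name= path to add to the profile.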