The issue here is that AppArmor is being asked whether to grant
permission to both the encrypted and unencrypted filenames; you can see
this if you use the following profile in Jamie's test case above:
#include <tunables/global>
/tmp/359338.sh {
  #include <abstractions/base>
  /bin/dash rix,
  /bin/touch rix,
  /tmp/359338.sh r,
  audit owner @{HOME}/test.txt rw,
  audit owner @{HOME}/.Private/** rw,
}
This will result in the following showing up in the AppArmor log when
user foo runs the script (one audit record per line):
[ 6753.287224] type=1501 audit(1239653800.125:47): operation="inode_create" requested_mask="a::" fsuid=1001 name="/home/foo/test.txt" pid=5441 profile="/tmp/359338.sh"
[ 6753.287235] type=1501 audit(1239653800.125:48): operation="inode_create" requested_mask="a::" fsuid=1001 name="/home/foo/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWa-v7eV.gt-MkSIm4CZSyHipWO07nM63KqvRgbGYvdyUIvp87gd.GYus---" pid=5441 profile="/tmp/359338.sh"
[ 6753.287843] type=1501 audit(1239653800.125:49): operation="setattr" requested_mask="w::" fsuid=1001 attribute="atime,mtime,ctime," name="/home/foo/test.txt" pid=5441 profile="/tmp/359338.sh"
[ 6753.287853] type=1501 audit(1239653800.125:50): operation="setattr" requested_mask="w::" fsuid=1001 attribute="atime,mtime,ctime," name="/home/foo/test.txt" pid=5441 profile="/tmp/359338.sh"
[ 6753.287862] type=1501 audit(1239653800.125:51): operation="setattr" requested_mask="w::" fsuid=1001 attribute="atime,mtime,ctime," name="/home/foo/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWa-v7eV.gt-MkSIm4CZSyHipWO07nM63KqvRgbGYvdyUIvp87gd.GYus---" pid=5441 profile="/tmp/359338.sh"
[ 6753.287873] type=1501 audit(1239653800.125:52): operation="setattr" requested_mask="w::" fsuid=1001 attribute="atime,mtime,ctime," name="/home/foo/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWa-v7eV.gt-MkSIm4CZSyHipWO07nM63KqvRgbGYvdyUIvp87gd.GYus---" pid=5441 profile="/tmp/359338.sh"
which is a pretty atrocious workaround, but I doubt anything better can
be done before Jaunty is released.
--
apparmor paths are broken when using encrypted home on jaunty
https://bugs.launchpad.net/bugs/359338
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
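The double mediation described in the comment above can be checked mechanically from the audit log. The following is an added example written for this page; it is not code from the bug report, from Ubuntu or from the AppArmor project. It parses the quoted audit records (embedded below as constructed sample input, rejoined to one record per line), counts for each operation how many records name the plaintext path in the home directory versus the ciphertext path under the eCryptfs lower directory, and derives the pair of owner rules a profile needs. It assumes the Jaunty encrypted-home layout the log shows (lower directory at /home/<user>/.Private, filenames prefixed ECRYPTFS_FNEK_ENCRYPTED.) and folds a requested append ("a") into write ("w"), since an AppArmor "w" rule already grants append; the function and regex names are the example's own.

```python
"""Show that one file operation on an eCryptfs home is mediated twice by AppArmor."""
import re
from collections import defaultdict

# Constructed sample input: the records quoted in the bug comment, one per line.
SAMPLE_LOG = """\
[ 6753.287224] type=1501 audit(1239653800.125:47): operation="inode_create" requested_mask="a::" fsuid=1001 name="/home/foo/test.txt" pid=5441 profile="/tmp/359338.sh"
[ 6753.287235] type=1501 audit(1239653800.125:48): operation="inode_create" requested_mask="a::" fsuid=1001 name="/home/foo/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWa-v7eV.gt-MkSIm4CZSyHipWO07nM63KqvRgbGYvdyUIvp87gd.GYus---" pid=5441 profile="/tmp/359338.sh"
[ 6753.287843] type=1501 audit(1239653800.125:49): operation="setattr" requested_mask="w::" fsuid=1001 attribute="atime,mtime,ctime," name="/home/foo/test.txt" pid=5441 profile="/tmp/359338.sh"
[ 6753.287853] type=1501 audit(1239653800.125:50): operation="setattr" requested_mask="w::" fsuid=1001 attribute="atime,mtime,ctime," name="/home/foo/test.txt" pid=5441 profile="/tmp/359338.sh"
[ 6753.287862] type=1501 audit(1239653800.125:51): operation="setattr" requested_mask="w::" fsuid=1001 attribute="atime,mtime,ctime," name="/home/foo/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWa-v7eV.gt-MkSIm4CZSyHipWO07nM63KqvRgbGYvdyUIvp87gd.GYus---" pid=5441 profile="/tmp/359338.sh"
[ 6753.287873] type=1501 audit(1239653800.125:52): operation="setattr" requested_mask="w::" fsuid=1001 attribute="atime,mtime,ctime," name="/home/foo/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWa-v7eV.gt-MkSIm4CZSyHipWO07nM63KqvRgbGYvdyUIvp87gd.GYus---" pid=5441 profile="/tmp/359338.sh"
"""

# audit(<timestamp>:<serial>): followed by key=value fields (values may be quoted).
AUDIT_RE = re.compile(r'audit\((?P<ts>[0-9.]+):(?P<serial>\d+)\):\s*(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Assumption: encrypted home on Jaunty keeps its ciphertext (lower) tree in ~/.Private.
HOME_RE = re.compile(r'^(?P<home>/home/[^/]+)(?P<rest>/.*)?$')
LOWER_RE = re.compile(r'^/home/[^/]+/\.Private/')


def parse_audit(text):
    """Turn raw AppArmor audit lines into dicts of their key=value fields."""
    records = []
    for line in text.splitlines():
        m = AUDIT_RE.search(line)
        if not m:
            continue  # not an audit record (kernel noise, blank line)
        rec = {'serial': int(m.group('serial'))}
        for key, quoted, bare in FIELD_RE.findall(m.group('fields')):
            rec[key] = quoted or bare
        records.append(rec)
    return records


def classify(name):
    """'lower' for the ciphertext path, 'upper' for the plaintext view of the home, else 'other'."""
    if LOWER_RE.match(name):
        return 'lower'
    if HOME_RE.match(name):
        return 'upper'
    return 'other'


def mediation_counts(records):
    """Per operation, how many records hit the plaintext vs the ciphertext path."""
    counts = defaultdict(lambda: {'upper': 0, 'lower': 0, 'other': 0})
    for rec in records:
        if 'name' in rec and 'operation' in rec:
            counts[rec['operation']][classify(rec['name'])] += 1
    return dict(counts)


def perms_from_mask(mask):
    """Permission letters before the first ':' of requested_mask; 'a' (append) folds into 'w'."""
    letters = mask.split(':', 1)[0]
    return ''.join(sorted({'w' if c == 'a' else c for c in letters}))


def suggest_rules(records):
    """Derive owner rules: the plaintext path via @{HOME}, every ciphertext path
    collapsed onto one @{HOME}/.Private/** rule (the page's workaround)."""
    wanted = defaultdict(set)
    for rec in records:
        name, mask = rec.get('name'), rec.get('requested_mask')
        if not name or not mask:
            continue  # records without a file name or mask (e.g. exec) carry no path rule
        kind = classify(name)
        if kind == 'lower':
            path = '@{HOME}/.Private/**'
        elif kind == 'upper':
            path = '@{HOME}' + (HOME_RE.match(name).group('rest') or '/')
        else:
            path = name
        wanted[path].update(perms_from_mask(mask))
    return [f"owner {p} {''.join(sorted(wanted[p]))}," for p in sorted(wanted)]


if __name__ == '__main__':
    recs = parse_audit(SAMPLE_LOG)
    for op, c in mediation_counts(recs).items():
        print(f"{op}: plaintext={c['upper']} ciphertext={c['lower']}")
    print('\n'.join(suggest_rules(recs)))
```

Run on the sample, every inode_create and setattr shows up once for /home/foo/test.txt and once for the ECRYPTFS_FNEK_ENCRYPTED name under .Private, and the derived rules are exactly the two owner rules the profile above needs (with "w" rather than "rw", since the log only requested append and write).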