** Description changed:
+ == Precise SRU Justification ==
+
+ This bug causes access failures when apparmor is mediating files with
+ long pathnames. This problem is easy to trip when a confined application
+ tries to access data encrypted with ecryptfs, but can occur on any
+ filesystem.
+
+ == Fix ==
+
+ Commit cffee16e8b997ab947de661e8820e486b0830c94 from the security/next
+ queue for the 3.5 kernel fixes the issue.
+
+ == Impact ==
+
+ Users/applications/daemons cannot access the affected files while
+ confined, which can result in application failures, users unable to
+ access data, and confusion as the error message reported by the shell is
+ "Cannot open: Stale NFS file handle", whether or not NFS is in use.
+
+ == Test Case ==
+
+ Run the tests from the updated apparmor regression test suite in qrt.
+
+ or manually:
+ create a confined shell
+ mount ecryptfs, with file name obfuscation enabled
+ from an unconfined shell create a 4-deep directory structure within the
+ ecryptfs mount
+ create a file in the deepest directory
+ attempt to access the file from the confined shell
+
+
AppArmor denies access to files with a path length > 255 characters with
the error message "Failed name lookup - disconnected path".
Example log entry:
Mar 15 11:43:45 felix-desktop kernel: [ 6051.608954] type=1400 audit(1331808225.843:4896): apparmor="DENIED" operation="mknod" info="Failed name lookup - disconnected path" error=-116 parent=24422 profile="/usr/bin/lintian" name="temp-lintian-lab-xpvh_Pjhrm/pool/v/virtualbox/virtualbox_4.1.10-dfsg-1_source/virtualbox_4.1.10-dfsg.orig.tar.bz2.tmp-extract.5399h/virtualbox-4.1.10-dfsg/src/VBox/Devices/EFI/Firmware2/VBoxPkg/Library/VBoxOemHookStatusCodeLib/VBoxOemHookStatusCodeLib.c" pid=24433 comm="tar" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
It seems to omit the mount point in the path name (/tmp/).
The path_max parameter is much larger:
% sudo cat /sys/module/apparmor/parameters/path_max
8192
-
% uname -a
Linux felix-desktop 3.2.0-18-generic #29-Ubuntu SMP Fri Mar 9 21:36:08 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
% dpkg -l | grep apparmor
ii  apparmor           2.7.100-0ubuntu1  User-space parser utility for AppArmor
ii  apparmor-notify    2.7.100-0ubuntu1  AppArmor notification system
ii  apparmor-utils     2.7.100-0ubuntu1  Utilities for controlling AppArmor
ii  dh-apparmor        2.7.100-0ubuntu1  AppArmor debhelper routines
ii  libapparmor-perl   2.7.100-0ubuntu1  AppArmor library Perl bindings
ii  libapparmor1       2.7.100-0ubuntu1  changehat AppArmor library
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/955892
Title:
Failed name lookup - disconnected path error for long path names
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/955892/+subscriptions
--
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
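Added example (not part of the bug report or of AppArmor itself): a POSIX shell script that builds the directory layout the manual test case describes and that scans kernel log lines for the exact denial shown in the report. Assumptions: 64-character directory names stand in for the long names ecryptfs produces with filename obfuscation; the sample log is the report's own audit entry re-joined onto one line plus one constructed, unrelated denial that must be ignored. The script confines nothing itself; perform the access step under your own profile and pipe the resulting log lines into scan_denials.

```shell
#!/bin/sh
# Added example, not from the bug report: reproduce the long-path layout from
# the test case and pick the "disconnected path" denials out of a kernel log.

# Create DEPTH nested directories under BASE, each component NAME_LEN bytes
# long (assumption: stands in for ecryptfs-obfuscated names), and a file at
# the bottom. Prints the absolute path of that file.
make_deep_path() {
    base=$1
    depth=${2:-4}
    name_len=${3:-64}
    component=$(printf "%${name_len}s" '' | tr ' ' 'x')
    p=$base
    i=0
    while [ "$i" -lt "$depth" ]; do
        p="$p/$component"
        i=$((i + 1))
    done
    mkdir -p "$p" && : > "$p/data.txt" && printf '%s\n' "$p/data.txt"
}

# Byte length of a path, to compare against the 255 the report observes
# (far below the 8192 in /sys/module/apparmor/parameters/path_max).
path_len() {
    printf '%s' "$1" | wc -c | tr -d ' '
}

# Read log lines on stdin; for each AppArmor denial carrying
# info="Failed name lookup - disconnected path" print
# "<pid> <profile> <length of the denied name>". error=-116 is ESTALE,
# which is why the shell says "Stale NFS file handle" with no NFS involved.
scan_denials() {
    grep 'apparmor="DENIED"' |
    grep 'info="Failed name lookup - disconnected path"' |
    sed -n 's/.*profile="\([^"]*\)".*name="\([^"]*\)".*pid=\([0-9]*\).*/\3 \1 \2/p' |
    while read -r pid profile name; do
        printf '%s %s %s\n' "$pid" "$profile" "$(path_len "$name")"
    done
}

# Constructed sample: line 1 is the report's entry re-joined onto one line;
# line 2 is a made-up, ordinary denial that scan_denials must not report.
SAMPLE_LOG='Mar 15 11:43:45 felix-desktop kernel: [ 6051.608954] type=1400 audit(1331808225.843:4896): apparmor="DENIED" operation="mknod" info="Failed name lookup - disconnected path" error=-116 parent=24422 profile="/usr/bin/lintian" name="temp-lintian-lab-xpvh_Pjhrm/pool/v/virtualbox/virtualbox_4.1.10-dfsg-1_source/virtualbox_4.1.10-dfsg.orig.tar.bz2.tmp-extract.5399h/virtualbox-4.1.10-dfsg/src/VBox/Devices/EFI/Firmware2/VBoxPkg/Library/VBoxOemHookStatusCodeLib/VBoxOemHookStatusCodeLib.c" pid=24433 comm="tar" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Mar 15 11:44:01 felix-desktop kernel: [ 6067.100000] type=1400 audit(1331808241.100:4897): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/evince" name="/home/felix/.bashrc" pid=24500 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000'

# Stand-alone usage: build a 4-deep tree in a temp dir, report its length
# relative to the mount point (the part AppArmor logged), scan the sample.
main() {
    tmp=$(mktemp -d)
    f=$(make_deep_path "$tmp" 4 64)
    echo "relative path length: $(path_len "${f#"$tmp"/}")"
    printf '%s\n' "$SAMPLE_LOG" | scan_denials
    rm -rf "$tmp"
}

main
```

To use it against a real run, mount ecryptfs with filename obfuscation, call make_deep_path on the mount point, access the printed file from the confined shell, and feed `dmesg` or /var/log/kern.log to scan_denials; a reported length close to or above 255 next to the failing profile is the signature of this bug.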