apparmor disallows truncate of deleted file

The attached C file can be used to reproduce, the truncate call post unlink will fail.

There have been several people in bug #449286 that are hitting this bug. Since the evince and firefox parts of that bug are fixed, I added a linux task and will mark that bug a duplicate.

This bug is likely an SRU candidate. I would prefer seeing it fixed before release, but understand if the kernel team wants to freeze their kernel.

This is more of a bug in firefox and evinve. They are relying on trunc("/some/path") working after the file has been deleted, instead they should be using trunc(fd). There use of trunc is incorrect even though it has traditionally worked because it may not get the file pointed to by the fd. If a new file is created at /some/path while fd is open (but deleted) the trunc will apply to the new file, not the open fd as is intended by their use. Further more if the parent (gp, ..) directory is moved the trunc will also fail.

Unfortunately this behavior does need to be fixed in AppArmor because it can break applications with no potential work around except to disable AppArmor mediation of the application.

I have placed a test kernel at
http://kernel.ubuntu.com/~jj/linux-image-2.6.31-14-generic_2.6.31-14.48~jj_amd64.deb

Dear John.
Currently firefox apparmor profile is disabled after update so bug with zotero is not reproduced.

Should I first enable apparmor firefox profile?

Iakov,

yes you will need to reenable the apparmor firefox profile to reproduce, however I have already had reports of issues with the patch and I am working on a new version so I would wait for the newer version.

This issue is fixed using the latest kernel John made available:
http://kernel.ubuntu.com/~jj/linux-image-2.6.31-14-generic_2.6.31-14.49~jj_amd64.deb

Architecture: amd64
CRDA: Error: [Errno 2] No such file or directory
Card0.Amixer.info:
 Card hw:0 'Intel'/'HDA Intel at 0xf9ff8000 irq 22'
   Mixer name : 'Analog Devices AD1989B'
   Components : 'HDA:11d4989b,10438311,00100300'
   Controls : 48
   Simple ctrls : 27
DistroRelease: Ubuntu 9.10
HibernationDevice: RESUME=UUID=83c95442-a3bb-41ea-9822-97768074dcbf
InstallationMedia: Kubuntu 9.10 "Karmic Koala" - Release amd64 (20091027)
IwConfig:
 lo no wireless extensions.

 eth0 no wireless extensions.

 eth1 no wireless extensions.
MachineType: System manufacturer P5Q-E
NonfreeKernelModules: nvidia
Package: linux (not installed)
ProcCmdLine: BOOT_IMAGE=/boot/vmlinuz-2.6.31-14-generic root=UUID=d4f7b656-5965-43fb-acc2-5bc98e3ba8c6 ro quiet splash
ProcEnviron:
 SHELL=/bin/bash
 LANG=fr_CH.UTF-8
 LANGUAGE=
ProcVersionSignature: Ubuntu 2.6.31-14.48-generic
RelatedPackageVersions:
 linux-backports-modules-2.6.31-14-generic N/A
 linux-firmware 1.24
RfKill:

Uname: Linux 2.6.31-14-generic x86_64
UserGroups: adm admin cdrom dialout lpadmin plugdev sambashare
dmi.bios.date: 02/25/2009
dmi.bios.vendor: American Megatrends Inc.
dmi.bios.version: 2001
dmi.board.asset.tag: To Be Filled By O.E.M.
dmi.board.name: P5Q-E
dmi.board.vendor: ASUSTeK Computer INC.
dmi.board.version: Rev 1.xx
dmi.chassis.asset.tag: Asset-1234567890
dmi.chassis.type: 3
dmi.chassis.vendor: Chassis Manufacture
dmi.chassis.version: Chassis Version
dmi.modalias: dmi:bvnAmericanMegatrendsInc.:bvr2001:bd02/25/2009:svnSystemmanufacturer:pnP5Q-E:pvrSystemVersion:rvnASUSTeKComputerINC.:rnP5Q-E:rvrRev1.xx:cvnChassisManufacture:ct3:cvrChassisVersion:
dmi.product.name: P5Q-E
dmi.product.version: System Version
dmi.sys.vendor: System manufacturer

hello,

I run kubuntu karmic 9.10 x86 64 and openoffice sollice don't can be open by firefox 3.5.5pre

[90641.613862] type=1503 audit(1256979234.132:54): operation="exec" pid=9404 parent=6161 profile="/usr/lib/firefox-3.5.*/firefox" requested_mask="::x" denied_mask="::x" fsuid=1000 ouid=0 name="/usr/lib/openoffice/program/soffice"

can be sure reproducte on http://decloak.net/ , it's a great tool to see if all work fine and isolate.

best regards

Accepted linux into karmic-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

i have installed the patch but soffice still blocked.

[ 4412.697383] type=1503 audit(1257502872.585:25): operation="exec" pid=11113 parent=8965 profile="/usr/lib/firefox-3.5.*/firefox" requested_mask="::x" denied_mask="::x" fsuid=1000 ouid=0 name="/usr/lib/openoffice/program/soffice"

best regards

or need i open a new bug for soffice? while in fact the others are fixed, only this one still

starlights, that is a different bug, but it is known and pending merge review by the mozilla team. In the meantime, add to your firefox profile:
    /usr/lib/openoffice/program/soffice Uxr,

and reload it with 'sudo apparmor_parser -r -T -W /etc/apparmor.d/usr.bin.firefox-3.5'

hi Jamie,

Thanks very much for your help, i am sorry to have put on wrong place, sometime i make a new report but most at end are make dupe because similar.. anyway i understand better how work profile apparmor :)

For now all are fixed except the java applet who crash the browser for most of time.

Soffice work very well yet

best regards

hello,

I have found a new "truncate" audit in my log who was blocked. This bug don't seem to be fixed.

[169621.221525] type=1503 audit(1257668082.865:35): operation="truncate" pid=12308 parent=3052 profile="/usr/lib/firefox-3.5.*/firefox" requested_mask="::w" denied_mask="::w" fsuid=1000 ouid=0 name=2F6D656469612F467265654167656E742044726976652F746F7272656E74732F5B7777772E69746F6D612E696E666F5D5F4C65732068697473206465206C686976657220323030392D49544F4D412E746F7272656E74

i have a few others new but i will open a new one while there are not the same

my best

starslights,

this is a different bug as it is missing
   info="Failed name lookup - deleted entry"
and running aa-decode finds a name with out the appended " (deleted)"

[169621.221525] type=1503 audit(1257668082.865:35): operation="truncate" pid=12308 parent=3052 profile="/usr/lib/firefox-3.5.*/firefox" requested_mask="::w" denied_mask="::w" fsuid=1000 ouid=0 name='/media/FreeAgent Drive/torrents/[www.itoma.info]_Les hits de lhiver 2009-ITOMA.torrent'

which shows it is not hitting the deleted file problem being addressed by this bug, but a missing permission entry in the profile. In general the name encoding on any string that have any of set of special characters in them (space is the character triggering it in the deleted messages and here).

if you could open a new bug it would be greatly appreciated

thanks

hello John,

Thanks for your answer, done : https://bugs.launchpad.net/ubuntu/+source/linux/+bug/479580

best regards

This bug was fixed in the package linux - 2.6.32-3.3

---------------
linux (2.6.32-3.3) lucid; urgency=low

  [ Andy Whitcroft ]

  * rebase to v2.6.32-rc6
  * [Config] update configs following rebase to v2.6.32-rc6
  * [Config] update ports configs following rebase to v2.6.32-rc6
  * resync with Karmic Ubuntu-2.6.31-15.49
  * [Config] add module ignores for broken drivers

  [ John Johansen ]

  * SAUCE: AppArmor: AppArmor wrongly reports allow perms as denied
    - LP: #453335
  * SAUCE: AppArmor: Policy load and replacement can fail to alloc mem
    - LP: #458299
  * SAUCE: AppArmor: AppArmor fails to audit change_hat correctly
    - LP: #462824
  * SAUCE: AppArmor: AppArmor disallows truncate of deleted files.
    - LP: #451375

  [ Kees Cook ]

  * SAUCE: Fix nx_enable reporting
    - LP: #454285

  [ Scott James Remnant ]

  * Revert "SAUCE: trace: add trace_event for the open() syscall"
  * SAUCE: trace: add trace events for open(), exec() and uselib()
    - LP: #462111

  [ Stefan Bader ]

  * SAUCE: Fix sub-flavour script to not stop on missing directories
    - LP: #453073

  [ Ubuntu Changes ]

  * resync with Karmic Ubuntu-2.6.31-15.49

  [ Upstream Kernel Changes ]

  * rebase to v2.6.32-rc6
    - LP: #464552
 -- Andy Whitcroft <email address hidden> Tue, 10 Nov 2009 15:00:57 +0000

This bug was fixed in the package linux - 2.6.31-15.50

---------------
linux (2.6.31-15.50) karmic-proposed; urgency=low

  [ Kees Cook ]

  * SAUCE: Fix nx_enable reporting
    - LP: #454285

linux (2.6.31-15.49) karmic-proposed; urgency=low

  [ Benjamin Herrenschmidt ]

  * [Upstream] (drop after 2.6.31) usb-storage: Workaround devices with
    bogus sense size
    - LP: #446146

  [ John Johansen ]

  * SAUCE: AppArmor: AppArmor wrongly reports allow perms as denied
    - LP: #453335
  * SAUCE: AppArmor: Policy load and replacement can fail to alloc mem
    - LP: #458299
  * SAUCE: AppArmor: AppArmor fails to audit change_hat correctly
    - LP: #462824
  * SAUCE: AppArmor: AppArmor disallows truncate of deleted files.
    - LP: #451375

  [ Kees Cook ]

  * SAUCE: [x86] fix report of cs-limit nx-emulation
    - LP: #454285

  [ Scott James Remnant ]

  * Revert "SAUCE: trace: add trace_event for the open() syscall"
  * SAUCE: trace: add trace events for open(), exec() and uselib()
    - LP: #462111

  [ Stefan Bader ]

  * SAUCE: Fix sub-flavour script to not stop on missing directories
    - LP: #453073

  [ Tim Gardner ]

  * [Upstream] (drop after 2.6.31) Input: synaptics - add another Protege
    M300 to rate blacklist
    - LP: #433801

  [ Upstream Kernel Changes ]

  * PM: Make warning in suspend_test_finish() less likely to happen
    - LP: #464552
 -- Stefan Bader <email address hidden> Tue, 10 Nov 2009 14:31:52 +0100

Greetings,

Seems that this bug is affecting the latest 2.6.32-11.15 kernel in Lucid. Running the simple C program to reproduce the failure from comment #2 I get the following.

Without AppArmor profile:

open("/var/tmp/foo", O_RDWR|O_CREAT, 0700) = 3
ftruncate(3, 0) = 0
truncate("/var/tmp/foo", 0) = 0
unlink("/var/tmp/foo") = 0
ftruncate(3, 0) = 0
truncate("/var/tmp/foo", 0) = -1 ENOENT (No such file or directory)
write(2, "failed (No such file or director"..., 72failed (No such file or directory) to post unlink truncate /var/tmp/foo
) = 72
close(3) = 0
exit_group(0) = ?

With AppArmor profile:

open("/var/tmp/foo", O_RDWR|O_CREAT, 0700) = 3
ftruncate(3, 0) = 0
truncate("/var/tmp/foo", 0) = 0
unlink("/var/tmp/foo") = 0
ftruncate(3, 0) = -1 ENOENT (No such file or directory)
write(2, "failed (No such file or director"..., 60failed (No such file or directory) to post unlink ftruncate
) = 60
truncate("/var/tmp/foo", 0) = -1 ENOENT (No such file or directory)
write(2, "failed (No such file or director"..., 72failed (No such file or directory) to post unlink truncate /var/tmp/foo
) = 72
close(3) = 0
exit_group(0) = ?

type=APPARMOR_DENIED msg=audit(1264257858.066:923): operation="truncate" info="Failed name lookup - deleted entry" error=-2 pid=4911 parent=4910 profile="/tmp/trunc" requested_mask="w::" denied_mask="w::" fsuid=1000 ouid=1000 name=2F7661722F746D702F666F6F202864656C6574656429

Profile itself:

#include <tunables/global>
/tmp/trunc {
  #include <abstractions/base>
  #include <abstractions/user-tmp>
}

Please advise. Thank you for attention.

The Lucid kernel add some flags to provide better control over this and other path behaviors and it looks like the flag for deleted file lookup isn't properly being applied. It will be fixed in the next update of AppArmor.