apparmor denials reported for encrypted HOME

Bug #1574556 reported by Zygmunt Krynicki
22
This bug affects 3 people
Affects Status Importance Assigned to Milestone
Snappy
Fix Released
Medium
Unassigned
ubuntu-core-launcher (Ubuntu)
Fix Released
Medium
Jamie Strandboge
Xenial
Fix Released
Medium
Jamie Strandboge

Bug Description

I just did a fresh install of Ubuntu 16.04 with encrypted $HOME. I've installed my links snap and it seems to work but I see odd apparmor denials in syslog:

abr 25 12:09:25 vm audit[2128]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/ubuntu-core-launcher" name="/home/.ecryptfs/zyga/.Private/" pid=2128 comm="ubuntu-core-lau" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
abr 25 12:09:25 vm audit[2128]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/ubuntu-core-launcher" name="/home/.ecryptfs/zyga/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWZP03VlehQiTEQUSfHv7QCD3zeqlxOc9gfhjlvT8DEXMHHv0WTtxJ7vh---/" pid=2128 comm="ubuntu-core-lau" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
abr 25 12:09:25 vm audit[2128]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/ubuntu-core-launcher" name="/home/.ecryptfs/zyga/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWZP03VlehQiTEQUSfHv7QCD3zeqlxOc9gfhjlvT8DEXMHHv0WTtxJ7vh---/ECRYPTFS_FNEK_ENCRYPTED.FWZP03VlehQiTEQUSfHv7QCD3zeqlxOc9gfh5TefvZX.jl5R9fjgnc45G---/" pid=2128 comm="ubuntu-core-lau" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
abr 25 12:09:25 vm audit[2128]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/ubuntu-core-launcher" name="/home/.ecryptfs/zyga/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWZP03VlehQiTEQUSfHv7QCD3zeqlxOc9gfhjlvT8DEXMHHv0WTtxJ7vh---/ECRYPTFS_FNEK_ENCRYPTED.FWZP03VlehQiTEQUSfHv7QCD3zeqlxOc9gfh5TefvZX.jl5R9fjgnc45G---/ECRYPTFS_FNEK_ENCRYPTED.FWZP03VlehQiTEQUSfHv7QCD3zeqlxOc9gfhJJq4TueYwFMXoSVrZyfk0E--/" pid=2128 comm="ubuntu-core-lau" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
abr 25 12:09:25 vm kernel: audit_printk_skb: 36 callbacks suppressed

Tags: apparmor
tags: added: apparmor
Michael Vogt (mvo)
Changed in snappy:
status: New → Triaged
importance: Undecided → Medium
milestone: none → sru-2
Changed in ubuntu-core-launcher (Ubuntu):
status: New → Triaged
Changed in ubuntu-core-launcher (Ubuntu Xenial):
status: New → Triaged
Changed in ubuntu-core-launcher (Ubuntu):
importance: Undecided → Medium
Changed in ubuntu-core-launcher (Ubuntu Xenial):
importance: Undecided → Medium
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in ubuntu-core-launcher (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in ubuntu-core-launcher (Ubuntu):
status: Triaged → In Progress
Changed in ubuntu-core-launcher (Ubuntu):
status: In Progress → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-core-launcher - 1.0.29

---------------
ubuntu-core-launcher (1.0.29) yakkety; urgency=medium

  * debian/usr.bin.ubuntu-core-launcher: add workaround rules for ecryptfs
    until the upcoming kernel fix lands everywhere (LP: #1574556)

 -- Jamie Strandboge <email address hidden> Tue, 10 May 2016 12:10:35 -0500

Changed in ubuntu-core-launcher (Ubuntu):
status: Fix Committed → Fix Released
Changed in ubuntu-core-launcher (Ubuntu):
status: Fix Released → Fix Committed
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

This was fixed in yakkety-- not sure why it wasn't auto-closed.

ubuntu-core-launcher (1.0.29) yakkety; urgency=medium

  * debian/usr.bin.ubuntu-core-launcher: add workaround rules for ecryptfs
    until the upcoming kernel fix lands everywhere (LP: #1574556)

Changed in ubuntu-core-launcher (Ubuntu):
status: Fix Committed → Fix Released
Revision history for this message
Mark Shuttleworth (sabdfl) wrote : Re: [Bug 1574556] Re: apparmor denials reported for encryped HOME

But are we backporting fixes to Xenial?

Revision history for this message
Jamie Strandboge (jdstrand) wrote : Re: apparmor denials reported for encryped HOME

@Mark,

Yes, that is why I left the Xenial task open. I wanted to bundle this with another bug fix that will be ready soon.

Revision history for this message
Bruno Nova (brunonova) wrote :

I'm not sure if it's the same bug, but I'm going to comment here.

I'm using an encrypted home folder.
Snapd was working fine for me until recently. Running any snap now fails with the error:

    failed to create user data directory. errmsg: Permission denied

And these three lines are appended to the journal/syslog:

    Jun 13 21:42:32 bruno-laptop audit[7747]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/ubuntu-core-launcher" name="/home/.ecryptfs/bruno/.Private/" pid=7747 comm="ubuntu-core-lau" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
    Jun 13 21:42:32 bruno-laptop kernel: audit: type=1400 audit(1465850552.422:64): apparmor="DENIED" operation="open" profile="/usr/bin/ubuntu-core-launcher" name="/home/.ecryptfs/bruno/.Private/" pid=7747 comm="ubuntu-core-lau" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
    Jun 13 21:42:32 bruno-laptop kernel: ecryptfs_dir_open: Error attempting to initialize the lower file for the dentry with name [/]; rc = [-13]

As I said, it was working fine.
I don't know if this issue appeared in an update or due to something I did (no idea what it could be).
The issue doesn't seem to be specific to snapd, since my custom AppArmor profiles for other stuff were also affected.

I checked the changes done to ubuntu-core-launcher's AppArmor profile in Yakketty, and they almost work for me. The ".Private" folders themselves also needed read access.
I.e.:

    # Workaround https://launchpad.net/bugs/359338 until upstream handles
    # stacked filesystems generally.
    # encrypted ~/.Private and old-style encrypted $HOME
    owner @{HOME}/.Private/ r,
    owner @{HOME}/.Private/** mrixwlk,
    # new-style encrypted $HOME
    owner @{HOMEDIRS}/.ecryptfs/*/.Private/ r,
    owner @{HOMEDIRS}/.ecryptfs/*/.Private/** mrixwlk,

Revision history for this message
Bruno Nova (brunonova) wrote :

Forgot to say that I'm using 16.04.

Revision history for this message
Leo Francisco (georgeowell) wrote :

I'm having the same problem as Bruno when trying to launch any snap with an encrypted home partition.

"failed to create user data directory. errmsg: Permission denied"

Revision history for this message
Redmar (redmar) wrote :

I've opened a separate bug report for snaps failing with "failed to create user data directory. errmsg: Permission denied". https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1592696

Olivier Tilloy (osomon)
summary: - apparmor denials reported for encryped HOME
+ apparmor denials reported for encrypted HOME
Revision history for this message
Dustin Kirkland  (kirkland) wrote :

Okay, so as a workaround to this problem, you need to override your $HOME environment variable. Try this:

kirkland@x250:~⟫ sudo /snap/bin/docker run hello-world
failed to create user data directory. errmsg: Permission denied

kirkland@x250:~⟫ sudo HOME= /snap/bin/docker run -it ubuntu bash
root@cb0a9845a6fe:/#

Revision history for this message
Michael Vogt (mvo) wrote :

This is fixed in xenial-updates

Changed in snappy:
status: Triaged → Fix Released
Changed in ubuntu-core-launcher (Ubuntu Xenial):
status: Triaged → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.