2012-03-15 11:09:50 |
Felix Geyer |
bug |
|
|
added bug |
2012-04-04 20:51:20 |
John Johansen |
apparmor (Ubuntu): assignee |
|
John Johansen (jjohansen) |
|
2012-04-04 20:51:30 |
John Johansen |
apparmor (Ubuntu): status |
New |
Confirmed |
|
2012-05-22 15:44:52 |
John Johansen |
description |
AppArmor denies access to files with a path length > 255 characters with the error message "Failed name lookup - disconnected path".
Example log entry:
Mar 15 11:43:45 felix-desktop kernel: [ 6051.608954] type=1400 audit(1331808225.843:4896): apparmor="DENIED" operation="mknod" info="Failed name lookup - disconnected path" error=-116 parent=24422 profile="/usr/bin/lintian" name="temp-lintian-lab-xpvh_Pjhrm/pool/v/virtualbox/virtualbox_4.1.10-dfsg-1_source/virtualbox_4.1.10-dfsg.orig.tar.bz2.tmp-extract.5399h/virtualbox-4.1.10-dfsg/src/VBox/Devices/EFI/Firmware2/VBoxPkg/Library/VBoxOemHookStatusCodeLib/VBoxOemHookStatusCodeLib.c" pid=24433 comm="tar" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
It seems to omit the mount point in the path name (/tmp/).
The path_max parameter is much larger:
% sudo cat /sys/module/apparmor/parameters/path_max
8192
% uname -a
Linux felix-desktop 3.2.0-18-generic #29-Ubuntu SMP Fri Mar 9 21:36:08 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
% dpkg -l | grep apparmor
ii apparmor 2.7.100-0ubuntu1 User-space parser utility for AppArmor
ii apparmor-notify 2.7.100-0ubuntu1 AppArmor notification system
ii apparmor-utils 2.7.100-0ubuntu1 Utilities for controlling AppArmor
ii dh-apparmor 2.7.100-0ubuntu1 AppArmor debhelper routines
ii libapparmor-perl 2.7.100-0ubuntu1 AppArmor library Perl bindings
ii libapparmor1 2.7.100-0ubuntu1 changehat AppArmor library |
== Precise SRU Justification ==
This bug causes access failures when apparmor is mediating files with long pathnames. This problem is easy to trip when a confined application tries to access data encrypted with ecryptfs, but can occur on any filesystem.
== Fix ==
Commit cffee16e8b997ab947de661e8820e486b0830c94 from the security/next queue for the 3.5 kernel fixes the issue.
== Impact ==
Users/applications/daemons cannot access the affected files while confined, which can result in application failures, users unable to access data, and confusion, as the error message reported by the shell is "Cannot open: Stale NFS file handle" whether or not NFS is in use.
== Test Case ==
Run the tests from the updated apparmor regression test suite in qrt,
or manually:
create a confined shell
mount ecryptfs, with file name obfuscation enabled
from an unconfined shell, create a 4-deep directory structure within the ecryptfs mount
create a file in the deepest directory
attempt to access the file from the confined shell
AppArmor denies access to files with a path length > 255 characters with the error message "Failed name lookup - disconnected path".
Example log entry:
Mar 15 11:43:45 felix-desktop kernel: [ 6051.608954] type=1400 audit(1331808225.843:4896): apparmor="DENIED" operation="mknod" info="Failed name lookup - disconnected path" error=-116 parent=24422 profile="/usr/bin/lintian" name="temp-lintian-lab-xpvh_Pjhrm/pool/v/virtualbox/virtualbox_4.1.10-dfsg-1_source/virtualbox_4.1.10-dfsg.orig.tar.bz2.tmp-extract.5399h/virtualbox-4.1.10-dfsg/src/VBox/Devices/EFI/Firmware2/VBoxPkg/Library/VBoxOemHookStatusCodeLib/VBoxOemHookStatusCodeLib.c" pid=24433 comm="tar" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
It seems to omit the mount point in the path name (/tmp/).
The path_max parameter is much larger:
% sudo cat /sys/module/apparmor/parameters/path_max
8192
% uname -a
Linux felix-desktop 3.2.0-18-generic #29-Ubuntu SMP Fri Mar 9 21:36:08 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
% dpkg -l | grep apparmor
ii apparmor 2.7.100-0ubuntu1 User-space parser utility for AppArmor
ii apparmor-notify 2.7.100-0ubuntu1 AppArmor notification system
ii apparmor-utils 2.7.100-0ubuntu1 Utilities for controlling AppArmor
ii dh-apparmor 2.7.100-0ubuntu1 AppArmor debhelper routines
ii libapparmor-perl 2.7.100-0ubuntu1 AppArmor library Perl bindings
ii libapparmor1 2.7.100-0ubuntu1 changehat AppArmor library |
|
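The manual test case in the description above, as an added example that is not part of the bug report or of the AppArmor/Ubuntu code: a POSIX shell script that builds a directory tree whose full path exceeds 255 characters under a directory the reader supplies (ideally an ecryptfs mount with file name obfuscation enabled), creates a file at the bottom, and provides two helpers for checking the resulting kernel log lines for the "disconnected path" denial. The confined shell, the ecryptfs mount and the reading of the kernel log are left to the reader; the component names, the `$1` convention and the helper names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the bug report or from AppArmor/Ubuntu.
# Assumptions: the directory to test under (ideally an ecryptfs mount with
# file name obfuscation enabled) is passed as $1; the reader creates the
# confined shell separately (for example with aa-exec) and reads the audit
# lines from the kernel log. Component names and lengths are illustrative.

# make_long_path BASE [MINLEN]
# Nests directories under BASE until the full path exceeds MINLEN characters
# (default 255, the length the report says triggers the denial), creates a
# regular file in the deepest directory and prints that file's path.
make_long_path() {
    base=$1
    minlen=${2:-255}
    dir=$base
    i=0
    while [ "${#dir}" -le "$minlen" ]; do
        i=$((i + 1))
        # 62-character component: four of them push any short base past 255.
        comp=$(printf 'level%02d_%054d' "$i" 0)
        dir="$dir/$comp"
    done
    mkdir -p "$dir" || return 1
    f="$dir/long-path-test.txt"
    : > "$f" || return 1
    printf '%s\n' "$f"
}

# is_disconnected_path_denial LINE
# Succeeds when LINE is an AppArmor DENIED audit record whose info field is
# the "disconnected path" lookup failure quoted in the report.
is_disconnected_path_denial() {
    case $1 in
        *'apparmor="DENIED"'*'info="Failed name lookup - disconnected path"'*) return 0 ;;
        *) return 1 ;;
    esac
}

# denied_name_length LINE
# Prints the length of the name="..." field of an audit record. For a
# disconnected path this is the name as AppArmor saw it, without the mount
# point prefix, so the real path on disk is longer still.
denied_name_length() {
    name=$(printf '%s\n' "$1" | sed -n 's/.* name="\([^"]*\)".*/\1/p')
    printf '%s\n' "${#name}"
}

# The DENIED line quoted in the bug report, reused here as sample input.
SAMPLE_DENY='Mar 15 11:43:45 felix-desktop kernel: [ 6051.608954] type=1400 audit(1331808225.843:4896): apparmor="DENIED" operation="mknod" info="Failed name lookup - disconnected path" error=-116 parent=24422 profile="/usr/bin/lintian" name="temp-lintian-lab-xpvh_Pjhrm/pool/v/virtualbox/virtualbox_4.1.10-dfsg-1_source/virtualbox_4.1.10-dfsg.orig.tar.bz2.tmp-extract.5399h/virtualbox-4.1.10-dfsg/src/VBox/Devices/EFI/Firmware2/VBoxPkg/Library/VBoxOemHookStatusCodeLib/VBoxOemHookStatusCodeLib.c" pid=24433 comm="tar" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000'

# Stand-alone use: build the tree under $1 from an unconfined shell, then
# read the file from the confined shell and run the kernel log lines that
# appear through is_disconnected_path_denial.
if [ -n "${1:-}" ]; then
    target=$(make_long_path "$1") || exit 1
    printf 'created %s (%d characters)\n' "$target" "${#target}"
    printf 'now read it from a confined shell, e.g.: cat "%s"\n' "$target"
fi
```

On an affected kernel the read from the confined shell fails with "Stale NFS file handle" (error=-116) and a matching DENIED line appears; on a kernel carrying the fix the read succeeds and no such line is logged. Note that the logged name is shorter than the path on disk because the mount point prefix is missing, which is the "disconnected path" the info field refers to, and that the `path_max` module parameter (8192 in the report) is not the limit being hit.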
2012-05-22 15:54:27 |
John Johansen |
bug task added |
|
linux (Ubuntu) |
|
2012-05-22 15:54:41 |
John Johansen |
linux (Ubuntu): assignee |
|
John Johansen (jjohansen) |
|
2012-05-22 15:56:20 |
John Johansen |
apparmor (Ubuntu): status |
Confirmed |
In Progress |
|
2012-05-22 15:56:26 |
John Johansen |
linux (Ubuntu): status |
New |
In Progress |
|
2012-05-22 15:57:48 |
John Johansen |
nominated for series |
|
Ubuntu Precise |
|
2012-05-22 15:57:48 |
John Johansen |
bug task added |
|
apparmor (Ubuntu Precise) |
|
2012-05-22 15:57:48 |
John Johansen |
bug task added |
|
linux (Ubuntu Precise) |
|
2012-05-22 15:57:48 |
John Johansen |
nominated for series |
|
Ubuntu Quantal |
|
2012-05-22 15:57:48 |
John Johansen |
bug task added |
|
apparmor (Ubuntu Quantal) |
|
2012-05-22 15:57:48 |
John Johansen |
bug task added |
|
linux (Ubuntu Quantal) |
|
2012-05-22 15:58:06 |
John Johansen |
linux (Ubuntu Precise): status |
New |
In Progress |
|
2012-05-22 15:58:14 |
John Johansen |
linux (Ubuntu Precise): assignee |
|
John Johansen (jjohansen) |
|
2012-05-22 15:58:18 |
John Johansen |
apparmor (Ubuntu Precise): assignee |
|
John Johansen (jjohansen) |
|
2012-05-22 16:17:03 |
Tim Gardner |
linux (Ubuntu Precise): status |
In Progress |
Fix Committed |
|
2012-05-26 01:40:14 |
Launchpad Janitor |
linux (Ubuntu Quantal): status |
In Progress |
Fix Released |
|
2012-05-28 09:36:01 |
Luis Henriques |
tags |
|
verification-needed-precise |
|
2012-05-29 09:04:31 |
Felix Geyer |
tags |
verification-needed-precise |
verification-done-precise |
|
2012-06-01 15:42:23 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/precise-proposed/linux-ti-omap4 |
|
2012-06-13 15:07:12 |
Launchpad Janitor |
linux (Ubuntu Precise): status |
Fix Committed |
Fix Released |
|
2012-06-13 15:07:12 |
Launchpad Janitor |
cve linked |
|
2012-2133 |
|
2012-06-13 15:07:12 |
Launchpad Janitor |
cve linked |
|
2012-2313 |
|
2012-06-22 18:37:12 |
Launchpad Janitor |
apparmor (Ubuntu Precise): status |
New |
Confirmed |
|
2012-06-25 20:24:37 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/precise-proposed/linux-armadaxp |
|
2012-07-05 19:43:09 |
Marc Deslauriers |
apparmor (Ubuntu Precise): status |
Confirmed |
Invalid |
|
2012-07-05 19:43:12 |
Marc Deslauriers |
apparmor (Ubuntu Quantal): status |
In Progress |
Invalid |
|
2012-11-14 21:30:44 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/precise-proposed/linux-lowlatency |
|