ecryptfs team mailing list archive
Message #00912
[Bug 359338] Re: klamav db download problem with encrypted home on jaunty
ecryptfs breaks Apparmor naming.
TEST CASE:
1. sudo apt-get install ecryptfs-utils
2. sudo adduser --encrypt-home foo
3. login as 'foo' and verify that encrypted home is correct:
$ df |grep '/home/foo/\.Private'
/home/foo/.Private 3936216 3313964 422304 89% /home/foo
4. Create the following file as /tmp/359338.sh:
#!/bin/sh
echo "Touching $HOME/test.txt"
touch $HOME/test.txt
5. chmod 755 /tmp/359338.sh
6. add the following to /etc/apparmor.d/tmp.359338.sh:
#include <tunables/global>
/tmp/359338.sh {
#include <abstractions/base>
/bin/dash rix,
/bin/touch rix,
/tmp/359338.sh r,
owner @{HOME}/test.txt rw,
}
7. reload apparmor:
$ sudo /etc/init.d/apparmor force-reload
8. run /tmp/359338.sh as non-foo user:
$ /tmp/359338.sh
Touching /home/jamie/test.txt
9. run /tmp/359338.sh as foo:
$ /tmp/359338.sh
Touching /home/foo/test.txt
touch: cannot touch `/home/foo/test.txt': Permission denied
dmesg should have something like:
Apr 13 16:45:53 sec-jaunty-amd64 kernel: [ 523.233018] type=1503 audit(1239651953.911:114): operation="inode_create" requested_mask="a::" denied_mask="a::" fsuid=1001 name="/home/foo/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWYwjom6xTTrhkQH6NYaDlNzbi4a-Y57kI1XsKcpAS2HNDa3p8fkshGrq---" pid=5038 profile="/tmp/359338.sh"
Apr 13 16:45:53 sec-jaunty-amd64 kernel: [ 523.233027] ecryptfs_do_create: Failure to create dentry in lower fs; rc = [-13]
Apr 13 16:45:53 sec-jaunty-amd64 kernel: [ 523.233045] ecryptfs_create: Failed to create file inlower filesystem
** Changed in: linux (Ubuntu)
Status: New => Confirmed
** Changed in: linux (Ubuntu)
Importance: Undecided => High
** Changed in: ecryptfs-utils (Ubuntu)
Status: New => Confirmed
** Changed in: ecryptfs-utils (Ubuntu)
Importance: Undecided => High
** Summary changed:
- klamav db download problem with encrypted home on jaunty
+ apparmor problem with encrypted home on jaunty
--
apparmor paths are broken when using encrypted home on jaunty
https://bugs.launchpad.net/bugs/359338
You received this bug notification because you are a member of eCryptfs,
which is subscribed to ecryptfs-utils in ubuntu.
Status in “ecryptfs-utils” source package in Ubuntu: Confirmed
Status in “linux” source package in Ubuntu: Confirmed
Bug description:
Binary package hint: ecryptfs-utils
klamav 0.46-2 with clamav 0.95.
Jaunty with encrypted home directory.
After installing klamav and first running it, it creates /home/user/.klamav/database, in which it downloads the signature databases. This directory gets created OK, but the database download fails with 'Can't create file' error, and the following entry in syslog:
Apr 11 01:11:39 utest-jj kernel: [ 959.044919] type=1503 audit(1239401499.961:33): operation="inode_create" requested_mask="a::" denied_mask="a::" fsuid=1000 name="/home/gimre/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWYWbBX-HCv7D-ShpT0P1qAlMITxm.e31aS9aW.rw0ebxHiizvzjKdHqek--/ECRYPTFS_FNEK_ENCRYPTED.FWYWbBX-HCv7D-ShpT0P1qAlMITxm.e31aS9FGYc1fWwp9RQW-wdr8CQZU--/ECRYPTFS_FNEK_ENCRYPTED.FYYWbBX-HCv7D-ShpT0P1qAlMITxm.e31aS9Pcj74.T8NOQNJ4OdUE2-.LWX5l6N.v2lDmBFyCvWlKqrrt-xoaiQuTGvsGqXcTCI" pid=5164 profile="/usr/bin/freshclam"
Apr 11 01:11:39 utest-jj kernel: [ 959.044937] ecryptfs_do_create: Failure to create dentry in lower fs; rc = [-13]
Apr 11 01:11:39 utest-jj kernel: [ 959.045149] ecryptfs_create: Failed to create file inlower filesystem
After stopping apparmor, the problem goes away, the database gets downloaded correctly.
Can be reproduced by correcting freshclam's apparmor profile, see the following bug:
https://bugs.launchpad.net/ubuntu/+source/clamav/+bug/359301
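Both the test case above and the original description show the same signature: the AppArmor audit record names the lower eCryptfs path under `~/.Private` with an `ECRYPTFS_FNEK_ENCRYPTED.` filename, while the profile only grants the plaintext path under `@{HOME}`. The following script, added here as an example and not part of the bug report or of the ecryptfs-utils or AppArmor code, parses `type=1503` denial lines from syslog/dmesg and labels each one as either an eCryptfs lower-path denial (this bug) or an ordinary policy denial, so an administrator triaging a log can tell the two apart. The `SAMPLE_LOG` lines are constructed: the first two are modelled on the denials quoted in the report, and the third is an invented ordinary denial on a plaintext path for contrast; the `/home/<user>/.Private` layout is the one `adduser --encrypt-home` sets up in the test case.

```python
"""Classify AppArmor denials: eCryptfs lower-path denials vs. ordinary policy denials.

Added example for bug 359338; not code from the bug report, ecryptfs-utils or AppArmor.
"""
import re
from typing import Dict, List

# Constructed sample log. Lines 1-2 are modelled on the denials quoted in the
# report (hostname, timestamps and PIDs as quoted); line 3 is an invented
# ordinary denial on a plaintext path, included for contrast.
SAMPLE_LOG = """\
Apr 13 16:45:53 sec-jaunty-amd64 kernel: [  523.233018] type=1503 audit(1239651953.911:114): operation="inode_create" requested_mask="a::" denied_mask="a::" fsuid=1001 name="/home/foo/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWYwjom6xTTrhkQH6NYaDlNzbi4a-Y57kI1XsKcpAS2HNDa3p8fkshGrq---" pid=5038 profile="/tmp/359338.sh"
Apr 13 16:45:53 sec-jaunty-amd64 kernel: [  523.233027] ecryptfs_do_create: Failure to create dentry in lower fs; rc = [-13]
Apr 13 16:46:10 sec-jaunty-amd64 kernel: [  540.100000] type=1503 audit(1239651970.100:115): operation="inode_create" requested_mask="a::" denied_mask="a::" fsuid=1000 name="/home/jamie/other.txt" pid=5100 profile="/tmp/359338.sh"
"""

# AppArmor audit records (type=1503) carry key=value pairs; values are quoted or bare.
AUDIT_RE = re.compile(r"type=1503 audit\([^)]*\):\s*(?P<kv>.*)$")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Lower directory of an encrypted home as created by `adduser --encrypt-home`
# (assumption: the default /home/<user>/.Private layout from the test case).
LOWER_DIR_RE = re.compile(r"^(?P<home>/home/[^/]+)/\.Private(?:/|$)")
FNEK_PREFIX = "ECRYPTFS_FNEK_ENCRYPTED."


def parse_denials(log_text: str) -> List[Dict[str, str]]:
    """Return one dict of audit fields per AppArmor record; other kernel lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = AUDIT_RE.search(line)
        if not m:
            continue
        # findall yields (key, quoted_value, bare_value); one of the two values is empty.
        fields = {k: (quoted or bare) for k, quoted, bare in KV_RE.findall(m.group("kv"))}
        events.append(fields)
    return events


def classify(event: Dict[str, str]) -> Dict[str, str]:
    """Label a denial as 'ecryptfs_lower_path' (this bug) or 'policy_denial' (profile really lacks a rule)."""
    name = event.get("name", "")
    verdict = {"profile": event.get("profile", "?"), "name": name}
    m = LOWER_DIR_RE.match(name)
    if m is None:
        verdict["kind"] = "policy_denial"
        verdict["reason"] = "path is not under an eCryptfs lower directory; review the profile's rules"
        return verdict
    verdict["kind"] = "ecryptfs_lower_path"
    verdict["upper_home"] = m.group("home")
    encrypted_name = any(c.startswith(FNEK_PREFIX) for c in name.split("/"))
    verdict["reason"] = (
        "kernel mediated the lower (encrypted) path instead of the path under "
        f"{m.group('home')}; a rule such as 'owner @{{HOME}}/...' cannot match it"
        + (" (filename is FNEK-encrypted)" if encrypted_name else "")
    )
    return verdict


def analyze(log_text: str) -> List[Dict[str, str]]:
    """Parse and classify every AppArmor denial in the given log text."""
    return [classify(e) for e in parse_denials(log_text)]


if __name__ == "__main__":
    for v in analyze(SAMPLE_LOG):
        print(f"{v['kind']:21} profile={v['profile']} name={v['name']}")
        print(f"    {v['reason']}")
```

Run it against `dmesg` output or `/var/log/kern.log` (for example `dmesg | python3 triage.py` after replacing `SAMPLE_LOG` with `sys.stdin.read()`); a denial reported as `ecryptfs_lower_path` is this bug rather than a missing rule in the profile, and `upper_home` tells you which user's encrypted home was involved.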