ecryptfs team mailing list archive
Message #00934
[Bug 359338] Re: apparmor paths are broken when using encrypted home on jaunty
Release note added at
<https://wiki.ubuntu.com/JauntyJackalope/ReleaseNotes#Apparmor%20profiles%20incompatible%20with%20ecryptfs>:
Apparmor profiles incompatible with ecryptfs
When using encrypted home directories together with apparmor in
enforcing mode, apparmor will deny access to certain files unexpectedly
because the Linux kernel sees the process as accessing the file via both
the unencrypted and encrypted paths (359338). As a workaround, users can
modify their apparmor profiles under /etc/apparmor.d/ to grant
permissions to @{HOME}/.Private/**.
** Changed in: ubuntu-release-notes
Status: New => Fix Released
--
apparmor paths are broken when using encrypted home on jaunty
https://bugs.launchpad.net/bugs/359338
You received this bug notification because you are a member of eCryptfs,
which is subscribed to ecryptfs-utils in ubuntu.
Status in Ubuntu Release Notes: Fix Released
Status in “ecryptfs-utils” source package in Ubuntu: Invalid
Status in “linux” source package in Ubuntu: Confirmed
Bug description:
Binary package hint: ecryptfs-utils
klamav 0.46-2 with clamav 0.95.
Jaunty with encrypted home directory.
After installing klamav and first running it, it creates /home/user/.klamav/database, in which it downloads the signature databases. This directory gets created OK, but the database download fails with 'Can't create file' error, and the following entry in syslog:
Apr 11 01:11:39 utest-jj kernel: [ 959.044919] type=1503 audit(1239401499.961:33): operation="inode_create" requested_mask="a::" denied_mask="a::" fsuid=1000 name="/home/gimre/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWYWbBX-HCv7D-ShpT0P1qAlMITxm.e31aS9aW.rw0ebxHiizvzjKdHqek--/ECRYPTFS_FNEK_ENCRYPTED.FWYWbBX-HCv7D-ShpT0P1qAlMITxm.e31aS9FGYc1fWwp9RQW-wdr8CQZU--/ECRYPTFS_FNEK_ENCRYPTED.FYYWbBX-HCv7D-ShpT0P1qAlMITxm.e31aS9Pcj74.T8NOQNJ4OdUE2-.LWX5l6N.v2lDmBFyCvWlKqrrt-xoaiQuTGvsGqXcTCI" pid=5164 profile="/usr/bin/freshclam"
Apr 11 01:11:39 utest-jj kernel: [ 959.044937] ecryptfs_do_create: Failure to create dentry in lower fs; rc = [-13]
Apr 11 01:11:39 utest-jj kernel: [ 959.045149] ecryptfs_create: Failed to create file inlower filesystem
After stopping apparmor, the problem goes away, the database gets downloaded correctly.
Can be reproduced by correcting freshclam's apparmor profile, see the following bug:
https://bugs.launchpad.net/ubuntu/+source/clamav/+bug/359301
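
Added example, not part of the original message or of the eCryptfs or AppArmor projects: a Python script that scans syslog text for `type=1503` denials like the one quoted above and reports which AppArmor profiles were denied on the encrypted lower path under `.Private`, which are the profiles the release-note workaround applies to. The sample log lines are constructed (modelled on the excerpt, with shortened names), and matching home directories as `/home/<user>/` is an assumption.

```python
import re
from collections import defaultdict

# key="value" and key=value fields as they appear in the audit record above
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Lower (encrypted) side of an eCryptfs home; /home/<user>/ is an assumption
LOWER_RE = re.compile(r'^/home/[^/]+/\.Private/')
WORKAROUND_GLOB = "@{HOME}/.Private/**"  # path pattern named in the release note

# Constructed sample lines modelled on the syslog excerpt (names shortened).
SAMPLE_LOG = """\
Apr 11 01:11:39 host kernel: [ 959.044919] type=1503 audit(1239401499.961:33): operation="inode_create" requested_mask="a::" denied_mask="a::" fsuid=1000 name="/home/user/.Private/ECRYPTFS_FNEK_ENCRYPTED.EXAMPLE1--/ECRYPTFS_FNEK_ENCRYPTED.EXAMPLE2--" pid=5164 profile="/usr/bin/freshclam"
Apr 11 01:11:39 host kernel: [ 959.044937] ecryptfs_do_create: Failure to create dentry in lower fs; rc = [-13]
Apr 11 01:12:02 host kernel: [ 982.100000] type=1503 audit(1239401522.000:34): operation="inode_permission" requested_mask="r::" denied_mask="r::" fsuid=1000 name="/var/lib/example/file" pid=5170 profile="/usr/bin/freshclam"
"""


def parse_denial(line):
    """Return the fields of a type=1503 AppArmor record, or None for other lines."""
    if "type=1503" not in line:
        return None
    return {key: (quoted if quoted else bare)
            for key, quoted, bare in FIELD_RE.findall(line)}


def ecryptfs_lower_denials(log_text):
    """Group denials whose target is the encrypted lower path, keyed by profile."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_denial(line)
        if rec and LOWER_RE.match(rec.get("name", "")):
            hits[rec.get("profile", "?")].add(
                (rec.get("operation", "?"), rec.get("denied_mask", "?")))
    return dict(hits)


if __name__ == "__main__":
    for profile, denials in ecryptfs_lower_denials(SAMPLE_LOG).items():
        print(f"{profile}: denied {sorted(denials)} on the eCryptfs lower path; "
              f"the release-note workaround pattern is {WORKAROUND_GLOB}")
```

Denials on ordinary paths (the third sample line) are parsed but not reported, so a profile that is simply missing a rule is not mistaken for this bug.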