← Back to team overview

ecryptfs team mailing list archive

  1. ecryptfs team
  2. Mailing list archive
  3. Message #00934

[Bug 359338] Re: apparmor paths are broken when using encrypted home on jaunty

  Thread PreviousDate PreviousThread Next 
Release note added at
<https://wiki.ubuntu.com/JauntyJackalope/ReleaseNotes#Apparmor%20profiles%20incompatible%20with%20ecryptfs>:

  Apparmor profiles incompatible with ecryptfs

  When using encrypted home directories together with apparmor in
enforcing mode, apparmor will deny access to certain files unexpectedly
because the Linux kernel sees the process as accessing the file via both
the unencrypted and encrypted paths (359338). As a workaround, users can
modify their apparmor profiles under /etc/apparmor.d/ to grant
permissions to @{HOME}/.Private/**.


** Changed in: ubuntu-release-notes
       Status: New => Fix Released

-- 
apparmor paths are broken when using encrypted home on jaunty
https://bugs.launchpad.net/bugs/359338
You received this bug notification because you are a member of eCryptfs,
which is subscribed to ecryptfs-utils in ubuntu.

Status in Ubuntu Release Notes: Fix Released
Status in “ecryptfs-utils” source package in Ubuntu: Invalid
Status in “linux” source package in Ubuntu: Confirmed

Bug description:
Binary package hint: ecryptfs-utils

klamav 0.46-2 with clamav 0.95.
Jaunty with encrypted home directory.

After installing klamav and first running it, it creates /home/user/.klamav/database, in which it downloads the signature databases. This directory gets created OK, but the database download fails with 'Can't create file' error, and the following entry in syslog:

Apr 11 01:11:39 utest-jj kernel: [  959.044919] type=1503 audit(1239401499.961:33): operation="inode_create" requested_mask="a::" denied_mask="a::" fsuid=1000 name="/home/gimre/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWYWbBX-HCv7D-ShpT0P1qAlMITxm.e31aS9aW.rw0ebxHiizvzjKdHqek--/ECRYPTFS_FNEK_ENCRYPTED.FWYWbBX-HCv7D-ShpT0P1qAlMITxm.e31aS9FGYc1fWwp9RQW-wdr8CQZU--/ECRYPTFS_FNEK_ENCRYPTED.FYYWbBX-HCv7D-ShpT0P1qAlMITxm.e31aS9Pcj74.T8NOQNJ4OdUE2-.LWX5l6N.v2lDmBFyCvWlKqrrt-xoaiQuTGvsGqXcTCI" pid=5164 profile="/usr/bin/freshclam"
Apr 11 01:11:39 utest-jj kernel: [  959.044937] ecryptfs_do_create: Failure to create dentry in lower fs; rc = [-13]
Apr 11 01:11:39 utest-jj kernel: [  959.045149] ecryptfs_create: Failed to create file inlower filesystem

After stopping apparmor, the problem goes away, the database gets downloaded correctly.

Can be reproduced by correcting freshclam's apparmor profile, see the following bug:

https://bugs.launchpad.net/ubuntu/+source/clamav/+bug/359301

References

  Thread PreviousDate PreviousThread Next