ecryptfs team mailing list archive
Message #01281
[Bug 359338] Re: apparmor paths are broken when using ecryptfs
This is still an issue for Jaunty, but users can add the following to /etc/apparmor.d/abstractions/base to work around the problem:
# encrypted ~/.Private and old-style encrypted $HOME
owner @{HOME}/.Private/** mrixwlk,
# new-style encrypted $HOME
owner @{HOMEDIRS}/.ecryptfs/*/.Private/** mrixwlk,
You'll need to reload apparmor before this is in effect. Note that this
is a temporary workaround until upstream handles stacked filesystems
generally.
** Summary changed:
- apparmor paths are broken when using ecryptfs on jaunty
+ apparmor paths are broken when using ecryptfs
--
apparmor paths are broken when using ecryptfs
https://bugs.launchpad.net/bugs/359338
You received this bug notification because you are a member of eCryptfs,
which is subscribed to ecryptfs-utils in ubuntu.
Status in Ubuntu Release Notes: Fix Released
Status in “apparmor” package in Ubuntu: Fix Released
Status in “ecryptfs-utils” package in Ubuntu: Invalid
Status in apparmor in Ubuntu Karmic: Fix Released
Status in ecryptfs-utils in Ubuntu Karmic: Invalid
Bug description:
Binary package hint: ecryptfs-utils
klamav 0.46-2 with clamav 0.95.
Jaunty with encrypted home directory.
After installing klamav and first running it, it creates /home/user/.klamav/database, in which it downloads the signature databases. This directory gets created OK, but the database download fails with 'Can't create file' error, and the following entry in syslog:
Apr 11 01:11:39 utest-jj kernel: [ 959.044919] type=1503 audit(1239401499.961:33): operation="inode_create" requested_mask="a::" denied_mask="a::" fsuid=1000 name="/home/gimre/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWYWbBX-HCv7D-ShpT0P1qAlMITxm.e31aS9aW.rw0ebxHiizvzjKdHqek--/ECRYPTFS_FNEK_ENCRYPTED.FWYWbBX-HCv7D-ShpT0P1qAlMITxm.e31aS9FGYc1fWwp9RQW-wdr8CQZU--/ECRYPTFS_FNEK_ENCRYPTED.FYYWbBX-HCv7D-ShpT0P1qAlMITxm.e31aS9Pcj74.T8NOQNJ4OdUE2-.LWX5l6N.v2lDmBFyCvWlKqrrt-xoaiQuTGvsGqXcTCI" pid=5164 profile="/usr/bin/freshclam"
Apr 11 01:11:39 utest-jj kernel: [ 959.044937] ecryptfs_do_create: Failure to create dentry in lower fs; rc = [-13]
Apr 11 01:11:39 utest-jj kernel: [ 959.045149] ecryptfs_create: Failed to create file inlower filesystem
After stopping apparmor, the problem goes away, the database gets downloaded correctly.
Can be reproduced by correcting freshclam's apparmor profile, see the following bug:
https://bugs.launchpad.net/ubuntu/+source/clamav/+bug/359301
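An added example, not part of the original message or of either project's code: a small Python filter that picks out AppArmor denials whose name field is an eCryptfs lower-filesystem path, as in the syslog entry above, so they can be told apart from ordinary policy denials. The sample lines are constructed (encrypted names shortened, /usr/bin/example is a hypothetical profile), and @{HOMEDIRS} is assumed to be /home.

```python
import re

# key="quoted" or key=bare pairs as they appear in the audit record
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Lower-filesystem locations covered by the workaround rules:
#   @{HOME}/.Private/**  and  @{HOMEDIRS}/.ecryptfs/*/.Private/**
# Assumption: @{HOMEDIRS} is /home.
LOWER_RE = re.compile(r'^(/home/(?:[^/]+|\.ecryptfs/[^/]+)/\.Private)/')

def parse_denial(line):
    """Return the fields of an AppArmor type=1503 audit line, or None."""
    if "type=1503" not in line:
        return None
    fields = {k: quoted or bare for k, quoted, bare in FIELD_RE.findall(line)}
    return fields if "denied_mask" in fields else None

def lower_fs_denials(lines):
    """Denials whose 'name' is an eCryptfs lower-filesystem path."""
    hits = []
    for line in lines:
        f = parse_denial(line)
        m = LOWER_RE.match(f.get("name", "")) if f else None
        if m:
            hits.append({"profile": f.get("profile"),
                         "operation": f.get("operation"),
                         "denied_mask": f["denied_mask"],
                         "lower_dir": m.group(1)})
    return hits

# Constructed sample lines modelled on the syslog entry above
# (encrypted names shortened; /usr/bin/example is a hypothetical profile).
_PFX = 'Apr 11 01:11:39 host kernel: [ 959.0] type=1503 audit(1239401499.961:33): '
SAMPLE = [
    _PFX + 'operation="inode_create" requested_mask="a::" denied_mask="a::" fsuid=1000 '
           'name="/home/gimre/.Private/ECRYPTFS_FNEK_ENCRYPTED.AAAA/ECRYPTFS_FNEK_ENCRYPTED.BBBB" '
           'pid=5164 profile="/usr/bin/freshclam"',
    _PFX + 'operation="inode_create" requested_mask="a::" denied_mask="a::" fsuid=1001 '
           'name="/home/.ecryptfs/alice/.Private/ECRYPTFS_FNEK_ENCRYPTED.CCCC" '
           'pid=6001 profile="/usr/bin/example"',
    _PFX + 'operation="inode_permission" requested_mask="r::" denied_mask="r::" fsuid=1000 '
           'name="/var/lib/example/data" pid=6002 profile="/usr/bin/example"',
    'Apr 11 01:11:39 host kernel: [ 959.1] ecryptfs_do_create: Failure to create dentry in lower fs; rc = [-13]',
]

if __name__ == "__main__":
    for hit in lower_fs_denials(SAMPLE):
        print(hit)
```
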