scoperunner tries to access /proc/*/attr/current, denied by apparmor
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
apparmor-easyprof-ubuntu (Ubuntu) | Fix Released | Low | Jamie Strandboge | |
Bug Description
While testing an aggregator scope I encountered some "leaf" scopes which were not returning results. Checking syslog I found some strange apparmor denials where the scope runner was trying to access /proc/*
Sep 8 11:22:10 ubuntu-phablet kernel: [ 1172.643613] type=1400 audit(141018973
ENIED" operation="open" profile=
637 comm="scoperunner" requested_mask="r" denied_mask="r" fsuid=32011 ouid=32011
...
Sep 8 11:22:11 ubuntu-phablet kernel: [ 1172.792552] type=1400 audit(141018973
ENIED" operation="open" profile=
=4675 comm="scoperunner" requested_mask="r" denied_mask="r" fsuid=32011 ouid=32011
I can find nothing in the code for the leaf scopes that tries to make these accesses.
affects: unity-scopes-api → unity-scopes-api (Ubuntu)
affects: unity-scopes-api (Ubuntu) → apparmor-easyprof-ubuntu (Ubuntu)
Changed in apparmor-easyprof-ubuntu (Ubuntu):
status: New → In Progress
assignee: nobody → Jamie Strandboge (jdstrand)
importance: Undecided → Low
I strongly suspect that the apparmor entries are normal. During start-up, the scopes run time calls aa_getcon() to figure out whether a scope is confined or not. I suspect that this is what's causing these denials. In other words, they are most likely normal and unrelated to your problem.
Jamie, I don't know how aa_getcon() is implemented. Would you expect to see failures from /proc/<uid>/attr/current? I know that reading that file returns the current profile, so I suspect aa_getcon() reads the /proc entry behind the scenes?
Scott, if your leaf scopes don't return results, I strongly suspect that something else isn't right, but I'm pretty sure that apparmor denials have nothing to do with this.
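The confinement check discussed in the comment above, as an added example that is not part of the original report and is not libapparmor's or the scopes runtime's code: it reads a task's `/proc/<pid>/attr/current`, parses the `unconfined` or `<profile> (<mode>)` value, and keeps a denied open (the case that shows up in the audit log) separate from "unconfined". The names `conf_state`, `parse_label` and `read_label` are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>
/* Added example with hypothetical names; this is not libapparmor's API. */
enum conf_state { CONF_UNCONFINED, CONF_ENFORCE, CONF_COMPLAIN, CONF_OTHER, CONF_DENIED, CONF_ERROR };

/* Parse an attr/current value: "unconfined" or "<profile> (<mode>)". */
enum conf_state parse_label(const char *raw, char *profile, size_t len)
{
    char buf[512];
    snprintf(buf, sizeof buf, "%s", raw);
    buf[strcspn(buf, "\n")] = '\0';
    size_t n = strlen(buf);
    char *paren = strrchr(buf, '(');  /* mode is the last "(...)" token */
    enum conf_state st = CONF_OTHER;
    if (strcmp(buf, "unconfined") == 0) {
        st = CONF_UNCONFINED;
    } else if (paren && paren > buf && paren[-1] == ' ' && buf[n - 1] == ')') {
        buf[n - 1] = '\0';            /* drop the closing ")" */
        paren[-1] = '\0';             /* cut the profile name before " (" */
        if (strcmp(paren + 1, "enforce") == 0) st = CONF_ENFORCE;
        else if (strcmp(paren + 1, "complain") == 0) st = CONF_COMPLAIN;
    }
    snprintf(profile, len, "%s", buf);
    return st;
}

/* Read a task's label; a denied open is CONF_DENIED, never "unconfined". */
enum conf_state read_label(pid_t pid, char *profile, size_t len)
{
    char path[64], raw[512];
    if (len) profile[0] = '\0';
    snprintf(path, sizeof path, "/proc/%ld/attr/current", (long)pid);
    FILE *f = fopen(path, "r");
    if (!f) return (errno == EACCES || errno == EPERM) ? CONF_DENIED : CONF_ERROR;
    size_t got = fread(raw, 1, sizeof raw - 1, f);
    fclose(f);
    raw[got] = '\0';
    return got ? parse_label(raw, profile, len) : CONF_ERROR;
}

int main(void)
{
    char p[256];
    printf("state=%d profile=%s\n", (int)read_label(getpid(), p, sizeof p), p);
    return 0;
}
```

A caller that gets `CONF_DENIED` knows only that the read was blocked, which is the situation the `DENIED` audit lines record; the task's confinement is still undetermined.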