[Apparmor-general] What does this audit log entry mean?

John Johansen jjohansen at suse.de
Sun Feb 1 23:49:47 MST 2009


Christian Boltz wrote:
> Hello,
> 
> I / logdigest found the following entries in audit.log. What do they 
> mean / what can cause them?
> 
> type=APPARMOR_ALLOWED msg=audit(1233365168.452:270): 
> operation="inode_permission" info="Failed name resolution - object not 
> a valid entry" error=-2 requested_mask="w::" denied_mask="w::" fsuid=30 
> pid=31893 profile="/usr/sbin/httpd2-prefork//vhost_foobar"
> 
> type=APPARMOR_ALLOWED msg=audit(1233365168.452:271): operation="setattr" 
> info="Failed name resolution - object not a valid entry" error=-2 
> requested_mask="w::" denied_mask="w::" fsuid=30 
> attribute="size,mtime,ctime," pid=31893 
> profile="/usr/sbin/httpd2-prefork//vhost_foobar"
> 
> (Both entries are unchanged except the vhost name - which was identical 
> in both lines.)
> 
> BTW: This is a server with openSUSE 11.0.
> 
> 
These messages can occur when there is an access attempt to an open file
object that no longer exists in the namespace.  This basically means
that the file doesn't have a valid name anymore so AppArmor can't
compute its name to determine access permissions.

This happens occasionally under Linux and most of the time AppArmor
handles this by caching the access permissions for the profile on the
open file, but when an open file is removed from the namespace, and then
is accessed by a task under a different profile, AppArmor can't compute
the path name and can't revalidate the file, resulting in this message.

The removal of the file from the namespace can happen in a few different
ways:
-  file deleted but there is an open file that has access to it.
   AppArmor has a special case handling this, so it won't cause your
   problem.
-  name resolution fails because the pathname is too long.  If this were
   the case you would get an error=-12 (-ENOMEM).  If this happens, you
   can increase the maximum path length size by writing a byte value to
   /sys/modules/apparmor/parameters/path_max
-  the mount point becomes disconnected.  This can happen due to lazy
   unmounts, or changing or namespace roots.
   What happens here is AppArmor retrieves a partial path and then
   can't connect it so it fails with an error=-2 (-ENOENT).  It is
   unfortunate that AppArmor doesn't currently report the partial path
   as that would greatly aid in debugging what is happening.

This is a current deficiency in AppArmor and one that I hope to address
in AppArmor 3.  Exactly how is best to deal with this hasn't been
decided and I was planning on sending out a mail to apparmor-dev about it.

john
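As an added example (not part of this thread), a small Python triage script that parses audit lines like the ones quoted above and separates these name-resolution failures from ordinary profile denials, mapping error=-2 and error=-12 to the causes John lists. The first two sample lines are the ones from the thread; the third line, the `ERRNO_HINTS` wording and all function names are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Sample input: the two entries quoted in the thread plus one constructed
# ordinary denial, so the triage can tell the two kinds of entry apart.
SAMPLE_LOG = """\
type=APPARMOR_ALLOWED msg=audit(1233365168.452:270): operation="inode_permission" info="Failed name resolution - object not a valid entry" error=-2 requested_mask="w::" denied_mask="w::" fsuid=30 pid=31893 profile="/usr/sbin/httpd2-prefork//vhost_foobar"
type=APPARMOR_ALLOWED msg=audit(1233365168.452:271): operation="setattr" info="Failed name resolution - object not a valid entry" error=-2 requested_mask="w::" denied_mask="w::" fsuid=30 attribute="size,mtime,ctime," pid=31893 profile="/usr/sbin/httpd2-prefork//vhost_foobar"
type=APPARMOR_DENIED msg=audit(1233365200.001:272): operation="open" name="/etc/foo.conf" requested_mask="r::" denied_mask="r::" fsuid=30 pid=31893 profile="/usr/sbin/httpd2-prefork//vhost_foobar"
"""

# Matches key=value and key="quoted value" tokens of an audit line.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Likely cause per errno, following the explanation in the reply above
# (hint wording is constructed for this example).
ERRNO_HINTS = {
    -2: "ENOENT: partial path could not be connected (lazy unmount or "
        "disconnected mount/namespace root); not a normal profile denial",
    -12: "ENOMEM: path too long; raise the apparmor path_max parameter",
}


def parse_audit_line(line: str) -> Dict[str, str]:
    """Split one audit line into a dict of its key=value fields."""
    fields: Dict[str, str] = {}
    for m in FIELD_RE.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


def classify(fields: Dict[str, str]) -> Optional[str]:
    """Return a hint for name-resolution failures, None for other entries."""
    if not fields.get("info", "").startswith("Failed name resolution"):
        return None
    try:
        errno = int(fields.get("error", "0"))
    except ValueError:
        return "unparseable error field"
    return ERRNO_HINTS.get(errno, f"unexpected errno {errno}")


def triage(log_text: str) -> List[Tuple[str, str, str, str]]:
    """Collect (profile, operation, pid, hint) for each name-resolution failure."""
    hits = []
    for line in log_text.splitlines():
        f = parse_audit_line(line)
        hint = classify(f)
        if hint:
            hits.append((f.get("profile", ""), f.get("operation", ""), f.get("pid", ""), hint))
    return hits


if __name__ == "__main__":
    for profile, op, pid, hint in triage(SAMPLE_LOG):
        print(f"{profile} pid={pid} op={op}: {hint}")
```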

