[apparmor] How to setup apparmor for calling an executable from another executable with a profile
Germán Diago Gómez
germandiago at gmail.com
Wed May 30 06:44:27 UTC 2018
> If you check your audit logs or dmesg you will find an AppArmor DENIED
> line with full details about the denied request. Once you've got those,
> then it'll be easier to make concrete suggestions for changes.
>
> Thanks
I found a couple of problems. The first one is that clang++ (which I am
invoking) is a link, so I checked and finally discovered that
/usr/bin/clang++ is a link, and that link points to another link. The final
executable invoked is /usr/lib/llvm-6.0/bin/clang, so in my profile I
have something like this in an attempt to let clang do its whole work:
/usr/lib/llvm-6.0/bin/clang ix,
/etc/lsb-release r,
/var/lib/docker/** r,
/tmp/** rw,
Now when I enter the container and invoke "/usr/bin/clang++" the
executable is invoked. I am trying to compile some file through the
executable and I still get an error. The dmesg output on the host system
when trying to access it is:
audit: type=1400 audit(1527662185.487:873): apparmor="DENIED" operation="open" info="Failed name lookup - disconnected path" error=-13 profile="tpi-service-apparmor-new" name="var/lib/docker/overlay2/d3440ef9430207afa266fcb1c71be5484989fe1b32554a76b05f67ef5c72e14c/diff/usr/lib/gcc/x86_64-linux-gnu" pid=24576 comm="clang++" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[521494.714287] audit: type=1400 audit(1527662185.487:874): apparmor="DENIED" operation="open" info="Failed name lookup - disconnected path" error=-13 profile="tpi-service-apparmor-new" name="var/lib/docker/overlay2/d3440ef9430207afa266fcb1c71be5484989fe1b32554a76b05f67ef5c72e14c/diff/usr/lib/gcc/x86_64-linux-gnu" pid=24576 comm="clang++" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[521494.716117] audit: type=1400 audit(1527662185.491:875): apparmor="DENIED" operation="open" info="Failed name lookup - disconnected path" error=-13 profile="tpi-service-apparmor-new" name="var/lib/docker/overlay2/d3440ef9430207afa266fcb1c71be5484989fe1b32554a76b05f67ef5c72e14c/diff/usr/lib/gcc/x86_64-linux-gnu" pid=24576 comm="clang++" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[521494.716335] audit: type=1400 audit(1527662185.491:876): apparmor="DENIED" operation="open" info="Failed name lookup - disconnected path" error=-13 profile="tpi-service-apparmor-new" name="var/lib/docker/overlay2/d3440ef9430207afa266fcb1c71be5484989fe1b32554a76b05f67ef5c72e14c/diff/usr/lib/gcc/x86_64-linux-gnu" pid=24576 comm="clang++" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Not sure how to fix this. It reports an access problem when accessing the
Docker overlay... but I cannot give a var/lib... path; I need an
absolute path here or AppArmor will not parse the file.
Any ideas on how to suppress this problem? I think that after this
everything should be fine.
Thanks all for your time!
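Added example, not part of the original message or of the AppArmor project: a small shell script for the two debugging steps described in the post. It follows the symlink chain of an executable the way the author did by hand (GNU `readlink -f` does the same), and it turns AppArmor DENIED audit records into candidate profile rules. The one fact it relies on beyond the post: a `name=` with no leading `/`, reported with "Failed name lookup - disconnected path", is a path in a mount namespace (here the container's overlay) that the profile cannot reach from its own root, so no absolute-path rule can match it until the profile header carries `flags=(attach_disconnected)`; with that flag the same file is reported under `/var/lib/docker/...` and a rule like `/var/lib/docker/** r,` applies. The dmesg sample is constructed: two records copy the shape of the post's lines, the third is a hypothetical open denial on /etc/lsb-release. The directory layout built by `demo_symlink_chain` is likewise hypothetical.

```shell
#!/bin/sh
# Added example (not from the original message or the AppArmor project).
# Step 1: follow the symlink chain of the executable being confined.
# Step 2: turn AppArmor DENIED audit lines into candidate profile rules,
#         flagging "disconnected path" entries that need attach_disconnected.

# Follow the symlink chain of $1 and print the final, normalised target.
# Same result as GNU `readlink -f`, spelled out so each hop is visible.
resolve_exec() {
    p=$1
    n=0
    while [ -L "$p" ]; do
        t=$(readlink "$p")
        case $t in
            /*) p=$t ;;                    # absolute link target
            *)  p=$(dirname "$p")/$t ;;    # relative to the link's directory
        esac
        p=$(cd "$(dirname "$p")" && pwd -P)/$(basename "$p")
        n=$((n + 1))
        if [ "$n" -ge 40 ]; then
            echo "resolve_exec: too many levels of symlinks: $1" >&2
            return 1
        fi
    done
    printf '%s\n' "$p"
}

# Build a throwaway tree (hypothetical layout, two links deep like the one
# the post describes) and resolve /usr/bin/clang++ through it.
demo_symlink_chain() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/bin" "$d/usr/lib/llvm-6.0/bin"
    : > "$d/usr/lib/llvm-6.0/bin/clang"                      # the real binary
    ln -s clang "$d/usr/lib/llvm-6.0/bin/clang++"            # second link
    ln -s ../lib/llvm-6.0/bin/clang++ "$d/usr/bin/clang++"   # first link
    r=$(resolve_exec "$d/usr/bin/clang++")
    rm -rf "$d"
    printf '%s\n' "$r"
}

# Read dmesg/audit output on stdin, print one candidate rule per distinct
# (path, denied_mask) pair. A name= without a leading "/" is a disconnected
# path: an absolute-path rule never matches it until the profile header has
# flags=(attach_disconnected), after which it is reported under "/".
suggest_rules() {
    awk '
    /apparmor="DENIED"/ {
        name = ""; mask = ""
        if (match($0, /name="[^"]*"/))        name = substr($0, RSTART + 6, RLENGTH - 7)
        if (match($0, /denied_mask="[^"]*"/)) mask = substr($0, RSTART + 13, RLENGTH - 14)
        if (name == "" || mask == "") next
        key = name " " mask
        if (key in seen) next
        seen[key] = 1
        if (name !~ /^\//) {
            print "  # disconnected path (no leading /): " name "; add flags=(attach_disconnected) to the profile"
            name = "/" name
        }
        # An exec denial reports mask "x"; a rule needs a transition mode.
        # "ix" (inherit this profile) is the mode the post itself uses.
        if (mask ~ /x/) sub(/x/, "ix", mask)
        print "  " name " " mask ","
    }'
}

# Constructed sample: two records shaped like the post's dmesg lines (same
# path, two audit ids), plus a hypothetical open denial on /etc/lsb-release.
SAMPLE_DMESG='[521494.714287] audit: type=1400 audit(1527662185.487:874): apparmor="DENIED" operation="open" info="Failed name lookup - disconnected path" error=-13 profile="tpi-service-apparmor-new" name="var/lib/docker/overlay2/d3440ef9430207afa266fcb1c71be5484989fe1b32554a76b05f67ef5c72e14c/diff/usr/lib/gcc/x86_64-linux-gnu" pid=24576 comm="clang++" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[521494.716117] audit: type=1400 audit(1527662185.491:875): apparmor="DENIED" operation="open" info="Failed name lookup - disconnected path" error=-13 profile="tpi-service-apparmor-new" name="var/lib/docker/overlay2/d3440ef9430207afa266fcb1c71be5484989fe1b32554a76b05f67ef5c72e14c/diff/usr/lib/gcc/x86_64-linux-gnu" pid=24576 comm="clang++" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[521494.720000] audit: type=1400 audit(1527662185.495:876): apparmor="DENIED" operation="open" profile="tpi-service-apparmor-new" name="/etc/lsb-release" pid=24576 comm="clang++" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0'

demo_suggest_rules() {
    printf '%s\n' "$SAMPLE_DMESG" | suggest_rules
}

# Stand-alone run: resolve the chain, then print the candidate rules.
demo_symlink_chain
demo_suggest_rules
```

Run it as `sh script.sh`, or pipe real output into the second helper with `dmesg | suggest_rules` on the host. The duplicate records collapse to one rule, and the disconnected one comes out with a leading `/` plus a comment naming the flag, so the rule is only useful once the profile header has it.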
More information about the AppArmor mailing list