
gdm-session-worker couldn't decrypt files via fscrypt

Open EricLin0509 opened this issue 1 year ago • 2 comments

I'm using fscrypt and have made it automatically decrypt files when the user logs in, but this does not work when apparmor is set to enforce mode, unless it is set to complain mode. Here is the log:

apparmor="DENIED" operation="open" class="file" profile="gdm-session-worker" name="/etc/fscrypt.conf" comm="gdm-session-wor" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 FSUID="EricLin" OUID="root"
apparmor="DENIED" operation="mkdir" class="file" profile="gdm-session-worker" name="/run/fscrypt/" comm="gdm-session-wor" requested_mask="c" denied_mask="c" fsuid=0 ouid=0 FSUID="root" OUID="root"

EricLin0509 avatar Jul 26 '24 16:07 EricLin0509

Please move the profiles to complain mode while you are testing them. Otherwise, apparmor blocks the program on the first issue and you won't be able to see any following logs.

roddhjav avatar Jul 27 '24 09:07 roddhjav

More info:

apparmor="DENIED" operation="mkdir" class="file" profile="gdm-session-worker" name="/run/fscrypt/"  comm="gdm-session-wor" requested_mask="c" denied_mask="c" fsuid=0 ouid=0 FSUID="root" OUID="root"
apparmor="DENIED" operation="mknod" class="file" profile="gdm-session-worker" name="/run/fscrypt/1000.count"  comm="gdm-session-wor" requested_mask="c" denied_mask="c" fsuid=0 ouid=0 FSUID="root" OUID="root"
apparmor="DENIED" operation="open" class="file" profile="gdm-session-worker" name="/run/fscrypt/1000.count"  comm="gdm-session-wor" requested_mask="wrc" denied_mask="wrc" fsuid=0 ouid=0 FSUID="root" OUID="root"
apparmor="DENIED" operation="file_lock" class="file" profile="gdm-session-worker" name="/run/fscrypt/1000.count"  comm="gdm-session-wor" requested_mask="wk" denied_mask="wk" fsuid=0 ouid=0 FSUID="root" OUID="root"
apparmor="DENIED" operation="open" class="file" profile="gdm-session-worker" name="/etc/fscrypt.conf"  comm="gdm-session-wor" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 FSUID="EricLin" OUID="root"
apparmor="DENIED" operation="open" class="file" profile="gdm-session-worker" name="/proc/3386/mountinfo"  comm="gdm-session-wor" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 FSUID="EricLin" OUID="root"
apparmor="DENIED" operation="open" class="file" profile="gdm-session-worker" name="/.fscrypt/protectors/"  comm="gdm-session-wor" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 FSUID="EricLin" OUID="root"
apparmor="DENIED" operation="open" class="file" profile="gdm-session-worker" name="/.fscrypt/protectors/4cc39ec088ebd2ce"  comm="gdm-session-wor" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000 FSUID="EricLin" OUID="EricLin"
apparmor="DENIED" operation="open" class="file" profile="gdm-session-worker" name="/.fscrypt/policies/"  comm="gdm-session-wor" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 FSUID="EricLin" OUID="root"
apparmor="DENIED" operation="open" class="file" profile="gdm-session-worker" name="/home/.fscrypt/protectors/4cc39ec088ebd2ce.link"  comm="gdm-session-wor" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000 FSUID="EricLin" OUID="EricLin"
apparmor="DENIED" operation="open" class="file" profile="gdm-session-worker" name="/home/.fscrypt/policies/"  comm="gdm-session-wor" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 FSUID="EricLin" OUID="root"
apparmor="DENIED" operation="open" class="file" profile="gdm-session-worker" name="/home/.fscrypt/policies/e70de550651a7c1249839a38f51a208a"  comm="gdm-session-wor" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000 FSUID="EricLin" OUID="EricLin"
apparmor="DENIED" operation="open" class="file" profile="gdm-session-worker" name="/home/"  comm="gdm-session-wor" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 FSUID="EricLin" OUID="root"
apparmor="DENIED" operation="open" class="file" profile="gdm-session-worker" name="/home/.fscrypt/policies/3cd2826a6f56e1042e6f8c5257de01eb"  comm="gdm-session-wor" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000 FSUID="EricLin" OUID="EricLin"
apparmor="DENIED" operation="open" class="file" profile="gdm-session-worker" name="/proc/8530/mountinfo"  comm="gdm-session-wor" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 FSUID="EricLin" OUID="root"
apparmor="DENIED" operation="open" class="file" profile="gsd-datetime" name="/proc/8816/fdinfo/8"  comm="gsd-datetime" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000 FSUID="EricLin" OUID="EricLin"

EricLin0509 avatar Jul 28 '24 08:07 EricLin0509
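
Added example (not part of the thread and not apparmor.d project code): a small Python triage helper that parses denial records in the format quoted above, including several records fused onto one line, merges the denied masks per path, and prints candidate file rules for review. The function names and the sample records are constructed for illustration; it assumes that complain-mode entries are logged as `apparmor="ALLOWED"` and that the log masks `c` (create) and `d` (delete) are covered by the `w` rule permission.

```python
import re
from collections import defaultdict

def _rec(op, name, mask, profile="gdm-session-worker"):
    """Build one constructed record in the format quoted in this thread."""
    return (f'apparmor="DENIED" operation="{op}" class="file" profile="{profile}" '
            f'name="{name}" comm="gdm-session-wor" requested_mask="{mask}" '
            f'denied_mask="{mask}" fsuid=0 ouid=0')

# Constructed sample; the first physical line carries two fused records.
SAMPLE = "\n".join([
    _rec("open", "/etc/fscrypt.conf", "r") + " " + _rec("mkdir", "/run/fscrypt/", "c"),
    _rec("open", "/run/fscrypt/1000.count", "wrc"),
    _rec("file_lock", "/run/fscrypt/1000.count", "wk"),
    _rec("open", "/proc/3386/mountinfo", "r"),
    _rec("open", "/proc/8530/mountinfo", "r"),
    _rec("open", "/proc/8816/fdinfo/8", "r", profile="gsd-datetime"),
])

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
TO_RULE = {"r": "r", "w": "w", "c": "w", "d": "w", "k": "k"}  # create/delete fall under w

def records(text):
    """Yield one field dict per record, even when several share a line."""
    for chunk in re.split(r'(?=apparmor=")', text):
        fields = {k: q or u for k, q, u in FIELD.findall(chunk)}
        # DENIED comes from enforce mode, ALLOWED from complain mode.
        if fields.get("apparmor") in ("DENIED", "ALLOWED") and fields.get("class") == "file":
            yield fields

def summarize(text):
    """Return {profile: {path: perms}} with PIDs generalised and masks merged."""
    out = defaultdict(lambda: defaultdict(set))
    for f in records(text):
        path = re.sub(r"^/proc/\d+/", "/proc/@{pid}/", f["name"])
        out[f["profile"]][path] |= {TO_RULE[m] for m in f["denied_mask"] if m in TO_RULE}
    return {p: {path: "".join(c for c in "rwk" if c in perms)
                for path, perms in sorted(paths.items())}
            for p, paths in out.items()}

def draft_rules(text, profile):
    """Candidate file rules for one profile, to be reviewed before use."""
    return [f"{path} {perms}," for path, perms in summarize(text)[profile].items()]

if __name__ == "__main__":
    for rule in draft_rules(SAMPLE, "gdm-session-worker"):
        print(rule)
```

Run against a log captured in complain mode, the summary covers every access the program attempted rather than only the first one that was blocked.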

This should be fixed now.

Note: I have asked you multiple times to switch to complain mode without effect on your side... I may not ask again.

roddhjav avatar Aug 20 '24 18:08 roddhjav

But fscrypt still does not work. I found one more log:

apparmor="DENIED" operation="open" class="file" profile="gdm-session-worker" name="/home/.fscrypt/policies/" comm="gdm-session-wor" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 FSUID="EricLin" OUID="root"

EricLin0509 avatar Aug 21 '24 02:08 EricLin0509

Really?

Please move the profiles to complain mode while you are testing them. Otherwise, apparmor blocks the program on the first issue and you won't be able to see any following logs.

roddhjav avatar Aug 21 '24 09:08 roddhjav

OK, it's fixed!

EricLin0509 avatar Aug 21 '24 10:08 EricLin0509