On Mon, 27 Jul 2020 12:13:44 +0200 Samuel Thibault <sthibault@???> wrote:
> Alessandro Vesely, on Mon 27 Jul 2020 11:47:34 +0200, wrote:
> > So this turns out to be a documentation bug. The execve man page should mention that EACCES can result as an (unforeseen) apparmor impediment.
>
> Well, basically all system calls would then need this...
Yeah, likely. How many man pages have snippets like "[...] denied for one of the directories in the path [...]"?

Yet, considering the following examples, they seem to have been written manually rather than resorting to some sort of script:

EACCES The requested access to the file is not allowed, or search permission is denied for one of the directories in the path
prefix of pathname, or the file did not exist yet and write access to the parent directory is not allowed. (See also
path_resolution(7).)

EACCES Search permission is denied on a component of the path prefix of filename or the name of a script interpreter. (See
also path_resolution(7).)

EACCES Write access to the directory containing newpath is denied, or search permission is denied for one of the directories
in the path prefix of oldpath or newpath. (See also path_resolution(7).)

EACCES Search permission is denied for a component of the path prefix, or the named file is not writable by the user.
(See also path_resolution(7).)

EACCES Search permission is denied on a component of the path prefix. (See also path_resolution(7).)

Philip Couling commented that the man page /could/ mention security extensions since they are prevalent. See:
https://unix.stackexchange.com/questions/600174/identical-execve-causes-permission-denied-for-one-program-but-not-another/600529#comment1121270_600529

For execve, for example, one could add that permissions are not derived from file flags only. For example:

OLD:
EACCES Execute permission is denied for the file or a script or ELF interpreter.

NEW:
EACCES Execute permission for the file or a script or ELF interpreter is denied either by flags or by security modules.

Would that be correct? Do all "DENIED" operations result in EACCES? And what do other security modules do? Hmm... Starting to document that mess from the point of view of programs getting such failure codes would allow better logging and better troubleshooting.

Best
Ale