On Mon, 27 Jul 2020 12:13:44 +0200 Samuel Thibault <sthiba...@debian.org> wrote:
> Alessandro Vesely, le lun. 27 juil. 2020 11:47:34 +0200, a ecrit:
> > So this turns out to be a documentation bug.  The execve man page should 
> > mention that EACCESS can result as an (unforeseen) apparmor impediment.
> 
> Well, basically all system calls would then need this...


Yeah, likely.  How many man pages have snippets like "[...] denied for one of 
the directories in the path [...]"?

Yet, considering the following examples, they seem to have been written 
manually rather than resorting to some sort of script:


       EACCES The requested access to the file is not allowed, or search
              permission is denied for one of the directories in the path
              prefix of pathname, or the file did not exist yet and write
              access to the parent directory is not allowed.  (See also
              path_resolution(7).)

       EACCES Search permission is denied on a component of the path prefix of
              filename or the name of a script interpreter.  (See also
              path_resolution(7).)

       EACCES Write access to the directory containing newpath is denied, or
              search permission is denied for one of the directories in the
              path prefix of oldpath or newpath.  (See also path_resolution(7).)

       EACCES Search permission is denied for a component of the path prefix,
              or the named file is not writable by the user.  (See also
              path_resolution(7).)

       EACCES Search permission is denied on a component of the path prefix.
              (See also path_resolution(7).)


Philip Couling commented that the man page /could/ mention security extensions 
since they are prevalent. See:
https://unix.stackexchange.com/questions/600174/identical-execve-causes-permission-denied-for-one-program-but-not-another/600529#comment1121270_600529

For execve, for example, one could add that permissions are not derived from 
file flags only.  For example:

OLD:

       EACCES Execute permission is denied for the file or a script or ELF
              interpreter.

NEW:

       EACCES Execute permission for the file or a script or ELF interpreter is
              denied either by flags or by security modules.


Would that be correct?  Do all "DENIED" operations result in EACCES?  And what 
do other security modules do?  Hmm...  Starting to document that mess from the 
point of view of programs getting such failure codes would allow better logging 
and better troubleshooting.


Best
Ale
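
As an added example (not part of this thread or any man page), here is a small C helper a program could use for the logging and troubleshooting angle raised above: it distinguishes an EACCES from execve(2) that the mode bits already explain from one imposed beyond classic DAC. It assumes Linux/glibc (pipe2, environ) and, as a heuristic, that access(2) does not apply the same exec mediation as execve(2), so the "beyond DAC" verdict is a hint pointing at a security module or a noexec mount, not proof of either.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Why an execve() call failed, seen from the calling program. */
enum exec_verdict { EXEC_OK, EXEC_DAC_DENIED, EXEC_BEYOND_DAC, EXEC_OTHER };

/* Run execve() in a forked child and pass the child's errno back through a
 * close-on-exec pipe: on success the kernel closes the write end and the
 * parent reads nothing; on failure the child writes errno. Returns 0 or errno. */
static int probe_execve(const char *path, char *const argv[])
{
    int fds[2], err = 0;
    if (pipe2(fds, O_CLOEXEC) == -1) return errno;
    pid_t pid = fork();
    if (pid == -1) return errno;
    if (pid == 0) {
        execve(path, argv, environ);          /* returns only on failure */
        err = errno; (void)!write(fds[1], &err, sizeof err);
        _exit(127);
    }
    close(fds[1]);
    ssize_t n = read(fds[0], &err, sizeof err);
    close(fds[0]);
    waitpid(pid, NULL, 0);
    return n == (ssize_t)sizeof err ? err : 0;
}

/* Classify an EACCES from execve(). If access(2) with X_OK also fails, the mode
 * bits explain the denial; if they would allow execution, the cause lies beyond
 * classic DAC (an LSM such as AppArmor, or a noexec mount). Assumed heuristic:
 * access() does not apply the exec mediation that execve() does. */
enum exec_verdict classify_exec_path(const char *path)
{
    char *const argv[] = { (char *)path, NULL };
    int err = probe_execve(path, argv);
    if (err == 0) return EXEC_OK;
    if (err != EACCES) return EXEC_OTHER;
    return access(path, X_OK) == 0 ? EXEC_BEYOND_DAC : EXEC_DAC_DENIED;
}

/* Constructed check: a fresh 0600 temp file (no execute bit) is a DAC denial. */
enum exec_verdict demo_nonexec_tempfile(void)
{
    char path[] = "/tmp/exec-probe-XXXXXX";
    close(mkstemp(path));          /* on failure the probe reports EXEC_OTHER */
    enum exec_verdict v = classify_exec_path(path);
    unlink(path);
    return v;
}
```

A program hitting EACCES can log the verdict next to errno, so an AppArmor-style denial is visible in its own logs instead of only in the kernel audit log.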
