Ok, I spent quite a bit of time evaluating this and believe this bug can be closed, but other bugs open.

In looking at this I created https://code.launchpad.net/~jdstrand/+git/test-overlay (to build simply git clone, run 'snapcraft', install the snap and then run 'test-overlay' for instructions on how to test different things). For this bug, the test code was broken and it didn't pivot_root. I'm not sure if it did pivot_root back when this was filed (I didn't check).

The use of attach_disconnected is required because upperdir (man 8 mount, look for overlay) is disconnected. Once attach_disconnected is present, all file paths are mediatable:

- when using just an overlay, the paths show up where you expect them to be in the filesystem
- when using overlay plus chroot, paths are mediatable but an alias rule is really needed to have worthwhile policy (otherwise you need to keep the inner-chroot policy and outer-system policy in sync). Also logged denials have the overlay mountpoint prefixed. This is consistent with how apparmor works with chroots
- when using overlay plus private mount namespace plus pivot_root, no alias rule is required and logged path denials look like the system paths (i.e., the overlay mountpoint is not prefixed)

In all, closing this bug as Invalid. I'll be filing new bugs for various issues I found in my investigation.

** Changed in: linux (Ubuntu)
       Status: Triaged => Won't Fix

** Changed in: apparmor (Ubuntu)
       Status: Confirmed => Won't Fix

** Changed in: apparmor
       Status: In Progress => Invalid

** Changed in: apparmor (Ubuntu)
       Status: Won't Fix => Invalid

** Changed in: linux (Ubuntu)
       Status: Won't Fix => Invalid

-- 
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1408106

Title:
  attach_disconnected not sufficient for overlayfs

Status in AppArmor:
  Invalid
Status in MAAS:
  Incomplete
Status in apparmor package in Ubuntu:
  Invalid
Status in linux package in Ubuntu:
  Invalid

Bug description:
  With the following use of overlayfs, we get a disconnected path:

  $ cat ./profile
  #include <tunables/global>
  profile foo {
    #include <abstractions/base>
    capability sys_admin,
    capability sys_chroot,
    mount,
    pivot_root,
  }

  $ cat ./overlay.c
  #define _GNU_SOURCE          /* unshare(2) and the CLONE_* flags live in <sched.h> */
  #include <alloca.h>
  #include <sched.h>
  #include <stdio.h>
  #include <string.h>
  #include <sys/mount.h>
  #include <sys/syscall.h>
  #include <fcntl.h>
  #include <unistd.h>

  int main(int argc, char* argv[]) {
      int i = 0;
      int len = 0;
      int ret = 0;
      char* options;

      /* unprivileged callers need a user namespace before they may unshare the mount namespace */
      if (geteuid())
          unshare(CLONE_NEWUSER);
      unshare(CLONE_NEWNS);

      /* every argument is an upperdir: the first is stacked on /, later ones on the /mnt overlay */
      for (i = 1; i < argc; i++) {
          if (i == 1) {
              len = strlen(argv[i]) + strlen("upperdir=,lowerdir=/") + 2;
              options = alloca(len);
              ret = snprintf(options, len, "upperdir=%s,lowerdir=/", argv[i]);
          } else {
              len = strlen(argv[i]) + strlen("upperdir=,lowerdir=/mnt") + 2;
              options = alloca(len);
              ret = snprintf(options, len, "upperdir=%s,lowerdir=/mnt", argv[i]);
          }
          /* "overlayfs" is the type name of the out-of-tree module of that era; mainline (3.18+) calls it "overlay" */
          if (mount("overlayfs", "/mnt", "overlayfs", MS_MGC_VAL, options) < 0)
              perror("mount");
      }
      (void)ret;
      chdir("/mnt");
      /* glibc has no pivot_root() wrapper, so issue the raw syscall: /mnt becomes the root and the old root is put under it */
      if (syscall(SYS_pivot_root, ".", ".") < 0)
          perror("pivot_root");
      chroot(".");
      chdir("/");
      execl("/bin/bash", "/bin/bash", NULL);
      perror("execl");   /* only reached if the exec itself was refused */
      return 1;
  }

  $ sudo apparmor_parser -r ./profile && aa-exec -p foo -- ./a.out /tmp
  [255]
  ...
  Dec 12 14:31:38 localhost kernel: [57278.040216] audit: type=1400 audit(1418387498.613:712): apparmor="DENIED" operation="exec" info="Failed name lookup - disconnected path" error=-13 profile="foo" name="/bin/bash" pid=18255 comm="a.out" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

  With the above, the expectation was for the denial to be /mnt/bin/bash.

  There are three ways forward:

  1. the correct solution is to patch overlayfs to properly track the loopback, but this will take a while, may ultimately be unachievable. UPDATE: upstream is currently working on this and Ubuntu will engage with them
  2. we could rely on the fact that overlayfs creates a private unshared submount, and provide a way to not mediate the path when that is present, and tagged. This would take a bit of time, and might be the preferred method over 1 longer term
  3. we could extend attach_disconnected so that we can define the attach root. Eg, we can use profile foo (attach_disconnected=/mnt) {} such that '/bin/bash' maps to '/mnt/bin/bash'. UPDATE: THIS IS NOT VIABLE

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1408106/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
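The comment above distinguishes three shapes an AppArmor path denial can take once overlays are involved: a "disconnected path" lookup failure (the profile lacks attach_disconnected), a denial whose name carries the overlay mountpoint prefix (overlay plus chroot, where an alias rule is needed), and a plain system path (overlay plus pivot_root). The following helper is an added example, written for this page and not part of the bug report or of the test-overlay project; it parses kernel audit records of the form quoted in the description and sorts each DENIED record into those three cases. The first sample line is the denial from the bug description; the remaining lines and the /mnt mountpoint are constructed for the example.

```python
import re
from typing import Dict, List, Optional

# key=value pairs in an AppArmor audit record are either double-quoted strings
# (name="/bin/bash", info="Failed name lookup - disconnected path") or bare
# tokens (pid=18255, error=-13).  Groups: key, quoted value, bare value.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample log for this example.  Line 0 is the denial quoted in the
# bug description; the other lines are made up to show the remaining cases.
SAMPLE_LOG = [
    'Dec 12 14:31:38 localhost kernel: [57278.040216] audit: type=1400 audit(1418387498.613:712): '
    'apparmor="DENIED" operation="exec" info="Failed name lookup - disconnected path" error=-13 '
    'profile="foo" name="/bin/bash" pid=18255 comm="a.out" requested_mask="x" denied_mask="x" '
    'fsuid=1000 ouid=0',
    # constructed: overlay + chroot, the denied name carries the /mnt overlay mountpoint prefix
    'Dec 12 14:40:02 localhost kernel: [57300.000000] audit: type=1400 audit(1418388002.000:720): '
    'apparmor="DENIED" operation="open" profile="foo" name="/mnt/etc/hostname" pid=18300 '
    'comm="bash" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    # constructed: a complain-mode (ALLOWED) record, which is not a denial at all
    'Dec 12 14:40:05 localhost kernel: [57303.000000] audit: type=1400 audit(1418388005.000:721): '
    'apparmor="ALLOWED" operation="open" profile="foo" name="/etc/hostname" pid=18300 '
    'comm="bash" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    # constructed: a line that is not an AppArmor record and must be skipped
    'Dec 12 14:41:00 localhost kernel: [57360.000000] unrelated kernel message',
]


def parse_apparmor_record(line: str) -> Optional[Dict[str, str]]:
    """Return the key=value fields of an AppArmor audit line, or None if it is not one.

    Parsing starts at the apparmor= token so the syslog/audit preamble
    (timestamp, host, audit(...) serial) is never mistaken for a field.
    """
    start = line.find('apparmor="')
    if start < 0:
        return None
    fields: Dict[str, str] = {}
    for match in _KV_RE.finditer(line[start:]):
        key, quoted, bare = match.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def classify_denial(fields: Dict[str, str], overlay_mountpoint: str = "/mnt") -> str:
    """Map one record onto the three cases described in the comment above.

    disconnected        -> name lookup failed; the profile needs flags=(attach_disconnected)
                           before any path rule can be evaluated for this access
    mountpoint-prefixed -> overlay + chroot; policy must name the prefixed path or use an alias rule
    plain               -> system path (e.g. overlay + pivot_root); ordinary path rules apply
    """
    if fields.get("apparmor") != "DENIED":
        return "not-a-denial"
    if "disconnected path" in fields.get("info", ""):
        return "disconnected"
    prefix = overlay_mountpoint.rstrip("/") + "/"
    if fields.get("name", "").startswith(prefix):
        return "mountpoint-prefixed"
    return "plain"


def summarize(lines: List[str], overlay_mountpoint: str = "/mnt") -> List[Dict[str, str]]:
    """Parse every AppArmor record in `lines` and attach its classification."""
    out: List[Dict[str, str]] = []
    for line in lines:
        fields = parse_apparmor_record(line)
        if fields is None:
            continue
        out.append({
            "profile": fields.get("profile", ""),
            "operation": fields.get("operation", ""),
            "name": fields.get("name", ""),
            "class": classify_denial(fields, overlay_mountpoint),
        })
    return out


if __name__ == "__main__":
    for rec in summarize(SAMPLE_LOG):
        print(f'{rec["class"]:20} profile={rec["profile"]} op={rec["operation"]} name={rec["name"]}')
```

Run against a real journal, the "disconnected" bucket tells you which profiles are missing attach_disconnected, while a non-empty "mountpoint-prefixed" bucket shows that the confined program is running under an overlay plus chroot rather than a pivot_root, so its path rules (or an alias rule) have to account for the prefix.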