** Also affects: maas
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1408106
Title:
attach_disconnected not sufficient for overlayfs
Status in AppArmor:
In Progress
Status in MAAS:
New
Status in apparmor package in Ubuntu:
Confirmed
Status in linux package in Ubuntu:
Triaged
Bug description:
With the following use of overlayfs, we get a disconnected path:
$ cat ./profile
#include <tunables/global>
profile foo {
#include <abstractions/base>
capability sys_admin,
capability sys_chroot,
mount,
pivot_root,
}
$ cat ./overlay.c
#include <alloca.h>
#include <linux/sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <fcntl.h>
#include <unistd.h>
int main(int argc, char* argv[]) {
int i = 0;
int len = 0;
int ret = 0;
char* options;
if (geteuid())
unshare(CLONE_NEWUSER);
unshare(CLONE_NEWNS);
for (i = 1; i < argc; i++) {
if (i == 1) {
len = strlen(argv[i]) + strlen("upperdir=,lowerdir=/") + 2;
options = alloca(len);
ret = snprintf(options, len, "upperdir=%s,lowerdir=/", argv[i]);
}
else {
len = strlen(argv[i]) + strlen("upperdir=,lowerdir=/mnt") + 2;
options = alloca(len);
ret = snprintf(options, len, "upperdir=%s,lowerdir=/mnt",
argv[i]);
}
mount("overlayfs", "/mnt", "overlayfs", MS_MGC_VAL, options);
}
chdir("/mnt");
pivot_root(".", ".");
chroot(".");
chdir("/");
execl("/bin/bash", "/bin/bash", NULL);
}
$ sudo apparmor_parser -r ./profile && aa-exec -p foo -- ./a.out /tmp
[255]
...
Dec 12 14:31:38 localhost kernel: [57278.040216] audit: type=1400
audit(1418387498.613:712): apparmor="DENIED" operation="exec" info="Failed name
lookup - disconnected path" error=-13 profile="foo" name="/bin/bash" pid=18255
comm="a.out" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
With the above, the expectation was for the denial to be /mnt/bin/bash. There
are three ways forward:
1. the correct solution is to patch overlayfs to properly track the loopback,
but this will take a while, may ultimately be unachievable. UPDATE: upstream is
currently working on this and Ubuntu will engage with them
2. we could rely on the fact that overlayfs creates a private unshared
submount, and provide a way to not mediate the path when that is present, and
tagged. This would take a bit of time, and might be the preferred method over 1
longer term
3. we could extend attach_disconnected so that we can define the attach root.
Eg, we can use profile foo (attach_disconnected=/mnt) {} such that '/bin/bash'
maps to '/mnt/bin/bash'. UPDATE: THIS IS NOT VIABLE
To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1408106/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
