inconsistent required directory rules needed with overlayfs

Bug #1703674 reported by Jamie Strandboge
Affects: AppArmor | Status: New | Importance: Undecided | Assigned to: Unassigned | Milestone: (unset)

Bug Description

With only rules for the merged directory, I see the following denial when trying to do a directory listing on merged:

Jul 11 15:15:56 sec-xenial-amd64 kernel: audit: type=1400 audit(1499804156.009:72): apparmor="DENIED" operation="open" profile="test-profile" name="/tmp/tmp.4W0mxmOnDg/mnt/upper/" pid=2406 comm="ls" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

This can be solved with (note you need both since after allowing upper you see a denial for lower):
 /lower/{,**/} r,
 /upper/{,**/} r,

Curiously, file rules are not needed and you can read files in merged without lower or upper rules.

Reproducer:
$ tar -zxvf ./overlay-requires-rules-for-lower-and-upper-with-dir-listing.tar.gz && sudo ./overlay-requires-rules-for-lower-and-upper-with-dir-listing/drv
overlay-requires-rules-for-lower-and-upper-with-dir-listing/
overlay-requires-rules-for-lower-and-upper-with-dir-listing/p.in
overlay-requires-rules-for-lower-and-upper-with-dir-listing/overlay.c
overlay-requires-rules-for-lower-and-upper-with-dir-listing/drv
overlay-requires-rules-for-lower-and-upper-with-dir-listing/tst
Created tmpdir '/tmp/tmp.4W0mxmOnDg'

Ubuntu 4.4.0-83.106-generic 4.4.70

Disabling kernel rate-limiting
kernel.printk_ratelimit = 0

Loading /tmp/tmp.4W0mxmOnDg/data/p

chdir(/tmp/tmp.4W0mxmOnDg/mnt)

Creating the overlay directories
- mkdir /tmp/tmp.4W0mxmOnDg/mnt/lower
- mkdir /tmp/tmp.4W0mxmOnDg/mnt/upper
- mkdir /tmp/tmp.4W0mxmOnDg/mnt/work
- mkdir /tmp/tmp.4W0mxmOnDg/mnt/merged

Populating /tmp/tmp.4W0mxmOnDg/mnt/lower
- /tmp/tmp.4W0mxmOnDg/mnt/lower/test-lower

Populating /tmp/tmp.4W0mxmOnDg/mnt/upper
- /tmp/tmp.4W0mxmOnDg/mnt/upper/test-upper

Perform the overlay
lower=/tmp/tmp.4W0mxmOnDg/mnt/lower
upper=/tmp/tmp.4W0mxmOnDg/mnt/upper
work=/tmp/tmp.4W0mxmOnDg/mnt/work
where=/tmp/tmp.4W0mxmOnDg/mnt/merged
exe=/tmp/tmp.4W0mxmOnDg/data/tst
- mount('overlay', '/tmp/tmp.4W0mxmOnDg/mnt/merged', 'overlay', MS_MGC_VAL, lowerdir=/tmp/tmp.4W0mxmOnDg/mnt/lower,upperdir=/tmp/tmp.4W0mxmOnDg/mnt/upper,workdir=/tmp/tmp.4W0mxmOnDg/mnt/work
 - success
starting '/tmp/tmp.4W0mxmOnDg/data/tst'

Testing files in overlay
 - test read file from lower
 - test read file from upper
 - test list dir on ./merged
ls: cannot open directory './merged': Permission denied
FAIL: could not read from ./merged/test-upper

Cleaning up
- umount /tmp/tmp.4W0mxmOnDg/mnt/merged
- rm -rf /tmp/tmp.4W0mxmOnDg

Tags: aa-kernel
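The denial line and the two directory rules above, as an added example that is not part of the report or of AppArmor itself: a POSIX shell helper that turns an apparmor="DENIED" audit record into the profile rule that would allow it, widening a directory name (trailing slash) into the {,**/} form the report needed for /upper/ and /lower/, plus a root-only function that rebuilds the reproducer's lower/upper/work/merged layout with the mount options printed by the driver. The sample record is constructed from the one quoted above; audit_field, rule_from_denial and repro_overlay are names chosen here.

```shell
#!/bin/sh
# Added example, not code from the bug report or from the AppArmor project.
#   rule_from_denial  turns an apparmor="DENIED" audit line into the profile
#                     rule that would allow it, widening a directory name with
#                     the {,**/} alternation the report uses for upper/lower;
#   repro_overlay     recreates the lower/upper/work/merged layout and lists
#                     the merged dir (root only, never run automatically).

# Constructed sample, modelled on the denial quoted in the report.
SAMPLE_DENIAL='Jul 11 15:15:56 sec-xenial-amd64 kernel: audit: type=1400 audit(1499804156.009:72): apparmor="DENIED" operation="open" profile="test-profile" name="/tmp/tmp.4W0mxmOnDg/mnt/upper/" pid=2406 comm="ls" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# audit_field LINE KEY: print the quoted value of KEY="..." from LINE.
# The leading whitespace anchor keeps "denied_mask" from matching inside
# "requested_mask" and "name" from matching inside other keys.
audit_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p"
}

# rule_from_denial LINE: print the file rule for the denied path and mask.
# A trailing slash means the kernel denied access to a directory; emit
# "/dir/{,**/} mask," so nested directories are covered in one round trip
# (the report needed exactly this form for /upper/ and /lower/).
# Returns 1 when LINE is not an AppArmor DENIED record.
rule_from_denial() {
    line=$1
    case $line in
        *'apparmor="DENIED"'*) ;;
        *) return 1 ;;
    esac
    name=$(audit_field "$line" name)
    mask=$(audit_field "$line" denied_mask)
    [ -n "$name" ] && [ -n "$mask" ] || return 1
    case $name in
        */) printf '%s{,**/} %s,\n' "$name" "$mask" ;;
        *)  printf '%s %s,\n' "$name" "$mask" ;;
    esac
}

# repro_overlay: recreate the report's layout under a temp dir. Requires root
# and a kernel with overlayfs; the mount options are the ones printed by the
# report's driver. Call it explicitly; it is not run when this file is sourced.
repro_overlay() {
    base=$(mktemp -d) || return 1
    mkdir "$base/lower" "$base/upper" "$base/work" "$base/merged"
    echo lower > "$base/lower/test-lower"
    echo upper > "$base/upper/test-upper"
    mount -t overlay overlay \
        -o "lowerdir=$base/lower,upperdir=$base/upper,workdir=$base/work" \
        "$base/merged" || { rm -rf "$base"; return 1; }
    # Reading files works without upper/lower rules; listing the directory
    # is what triggers the denial in the report.
    cat "$base/merged/test-lower" "$base/merged/test-upper"
    ls "$base/merged"
    umount "$base/merged"
    rm -rf "$base"
}

# Demo: print the rule for the sample denial.
rule_from_denial "$SAMPLE_DENIAL"
```

Feed real lines with something like `journalctl -k | grep 'apparmor="DENIED"' | while read -r l; do rule_from_denial "$l"; done`, then confine the result with the profile under test and repeat, since (as the report notes) allowing upper can surface a second denial for lower.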
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

With 4.13.0-32.35-generic in 18.04 (via livecd), it seems that only this is needed:

  /upper/{,**/} r,

AFAICT, /upper/ is not accessible to the process (ls /upper/ or ls /upper/foo) so the rule doesn't seem to be abusable. It would be nice if we didn't need this rule of course.
