Activity log for bug #1703835

Date Who What changed Old value New value Message
2017-07-12 13:36:07 Jamie Strandboge bug added bug
2017-07-12 13:36:07 Jamie Strandboge attachment added overlay-with-chroot-touch-needs-dac-override.tar.gz https://bugs.launchpad.net/bugs/1703835/+attachment/4913449/+files/overlay-with-chroot-touch-needs-dac-override.tar.gz
2017-07-12 20:00:55 Jamie Strandboge description
  Old value:
    With rules like the following:

      @{TESTDIR}="/tmp/tmp.C2pr86sOTh/data"
      @{TOPDIR}="/tmp/tmp.C2pr86sOTh/data/mnt"
      alias / -> /tmp/tmp.C2pr86sOTh/data/mnt/merged/,
      profile test-profile (attach_disconnected) {
        ...
        # for the test script
        @{TOPDIR}/scratch/ r,
        @{TOPDIR}/scratch/** rwklix,
        ...
        # required for 'touch @{TOPDIR}/scratch/foo'
        #capability dac_override,
      }

    and setting up an overlay with lower as '/', merged on TOPDIR and chroot to TOPDIR, touching files under @{TOPDIR}/scratch requires dac_override even though the directories are root:root and the process is running as root:

      Jul 12 08:33:51 sec-xenial-amd64 kernel: audit: type=1400 audit(1499866431.358:84): apparmor="DENIED" operation="capable" profile="test-profile" pid=3759 comm="touch" capability=1 capname="dac_override"

    Reproducer:

      $ tar -zxvf ./overlay-with-chroot-touch-needs-dac-override.tar.gz && sudo ./overlay-with-chroot-touch-needs-dac-override/drv
      overlay-with-chroot-touch-needs-dac-override/
      overlay-with-chroot-touch-needs-dac-override/p.in
      overlay-with-chroot-touch-needs-dac-override/overlay.c
      overlay-with-chroot-touch-needs-dac-override/drv
      overlay-with-chroot-touch-needs-dac-override/tst
      Created tmpdir '/tmp/tmp.m1WGc0lMSv'
      Ubuntu 4.4.0-83.106-generic 4.4.70
      Disabling kernel rate-limiting
      kernel.printk_ratelimit = 0
      Loading /tmp/tmp.m1WGc0lMSv/data/p
      chdir(/tmp/tmp.m1WGc0lMSv/data/mnt)
      Creating the overlay directories
      - mkdir /tmp/tmp.m1WGc0lMSv/data/mnt/lower
      - mkdir /tmp/tmp.m1WGc0lMSv/data/mnt/upper
      - mkdir /tmp/tmp.m1WGc0lMSv/data/mnt/work
      - mkdir /tmp/tmp.m1WGc0lMSv/data/mnt/merged
      Populating /tmp/tmp.m1WGc0lMSv/data/mnt/lower
      - /tmp/tmp.m1WGc0lMSv/data/mnt/lower/test-lower
      Populating /tmp/tmp.m1WGc0lMSv/data/mnt/upper
      - /tmp/tmp.m1WGc0lMSv/data/mnt/upper/test-upper
      Creating /tmp/tmp.m1WGc0lMSv/data/mnt/scratch
      Perform the overlay
      lower=/
      upper=/tmp/tmp.m1WGc0lMSv/data/mnt/upper
      work=/tmp/tmp.m1WGc0lMSv/data/mnt/work
      where=/tmp/tmp.m1WGc0lMSv/data/mnt/merged
      exe=/tmp/tmp.m1WGc0lMSv/data/tst
      - mount('overlay', '/tmp/tmp.m1WGc0lMSv/data/mnt/merged', 'overlay', MS_MGC_VAL, lowerdir=/,upperdir=/tmp/tmp.m1WGc0lMSv/data/mnt/upper,workdir=/tmp/tmp.m1WGc0lMSv/data/mnt/work
        - success
      - chdir('/tmp/tmp.m1WGc0lMSv/data/mnt/merged')
        - success
      - chroot('.')
        - success
      starting '/tmp/tmp.m1WGc0lMSv/data/tst'
      list /tmp/tmp.m1WGc0lMSv/data/mnt/scratch
      - ls -ld /tmp/tmp.m1WGc0lMSv/data/mnt/scratch
      drwxr-xr-x 2 root root 4096 Jul 12 08:33 /tmp/tmp.m1WGc0lMSv/data/mnt/scratch
      - ls -lR /tmp/tmp.m1WGc0lMSv/data/mnt/scratch
      /tmp/tmp.m1WGc0lMSv/data/mnt/scratch:
      total 0
      Touch file
      - touch /tmp/tmp.m1WGc0lMSv/data/mnt/scratch/test-touch
      touch: cannot touch '/tmp/tmp.m1WGc0lMSv/data/mnt/scratch/test-touch': Permission denied
      FAIL: could touch /tmp/tmp.m1WGc0lMSv/data/mnt/scratch/test-touch
      Cleaning up
      - umount /tmp/tmp.m1WGc0lMSv/data/mnt/merged
      - rm -rf /tmp/tmp.m1WGc0lMSv

    Confirmed on 4.4, 4.10 and 4.11. Note that on 4.11 I see two dac_override denials: one for bug #1703665 and one for this one.

  New value:
    With rules like the following:

      @{TESTDIR}="/tmp/tmp.C2pr86sOTh/data"
      @{TOPDIR}="/tmp/tmp.C2pr86sOTh/data/mnt"
      alias / -> /tmp/tmp.C2pr86sOTh/data/mnt/merged/,
      profile test-profile (attach_disconnected) {
        ...
        # for the test script
        @{TOPDIR}/scratch/ r,
        @{TOPDIR}/scratch/** rwklix,
        ...
        # required for 'touch @{TOPDIR}/scratch/foo'
        #capability dac_override,
      }

    and setting up an overlay with lower as '/', merged on TOPDIR/merged and chroot to TOPDIR/merged, touching files under @{TOPDIR}/scratch requires dac_override even though the directories are root:root and the process is running as root:

      Jul 12 08:33:51 sec-xenial-amd64 kernel: audit: type=1400 audit(1499866431.358:84): apparmor="DENIED" operation="capable" profile="test-profile" pid=3759 comm="touch" capability=1 capname="dac_override"

    Reproducer:

      $ tar -zxvf ./overlay-with-chroot-touch-needs-dac-override.tar.gz && sudo ./overlay-with-chroot-touch-needs-dac-override/drv
      overlay-with-chroot-touch-needs-dac-override/
      overlay-with-chroot-touch-needs-dac-override/p.in
      overlay-with-chroot-touch-needs-dac-override/overlay.c
      overlay-with-chroot-touch-needs-dac-override/drv
      overlay-with-chroot-touch-needs-dac-override/tst
      Created tmpdir '/tmp/tmp.m1WGc0lMSv'
      Ubuntu 4.4.0-83.106-generic 4.4.70
      Disabling kernel rate-limiting
      kernel.printk_ratelimit = 0
      Loading /tmp/tmp.m1WGc0lMSv/data/p
      chdir(/tmp/tmp.m1WGc0lMSv/data/mnt)
      Creating the overlay directories
      - mkdir /tmp/tmp.m1WGc0lMSv/data/mnt/lower
      - mkdir /tmp/tmp.m1WGc0lMSv/data/mnt/upper
      - mkdir /tmp/tmp.m1WGc0lMSv/data/mnt/work
      - mkdir /tmp/tmp.m1WGc0lMSv/data/mnt/merged
      Populating /tmp/tmp.m1WGc0lMSv/data/mnt/lower
      - /tmp/tmp.m1WGc0lMSv/data/mnt/lower/test-lower
      Populating /tmp/tmp.m1WGc0lMSv/data/mnt/upper
      - /tmp/tmp.m1WGc0lMSv/data/mnt/upper/test-upper
      Creating /tmp/tmp.m1WGc0lMSv/data/mnt/scratch
      Perform the overlay
      lower=/
      upper=/tmp/tmp.m1WGc0lMSv/data/mnt/upper
      work=/tmp/tmp.m1WGc0lMSv/data/mnt/work
      where=/tmp/tmp.m1WGc0lMSv/data/mnt/merged
      exe=/tmp/tmp.m1WGc0lMSv/data/tst
      - mount('overlay', '/tmp/tmp.m1WGc0lMSv/data/mnt/merged', 'overlay', MS_MGC_VAL, lowerdir=/,upperdir=/tmp/tmp.m1WGc0lMSv/data/mnt/upper,workdir=/tmp/tmp.m1WGc0lMSv/data/mnt/work
        - success
      - chdir('/tmp/tmp.m1WGc0lMSv/data/mnt/merged')
        - success
      - chroot('.')
        - success
      starting '/tmp/tmp.m1WGc0lMSv/data/tst'
      list /tmp/tmp.m1WGc0lMSv/data/mnt/scratch
      - ls -ld /tmp/tmp.m1WGc0lMSv/data/mnt/scratch
      drwxr-xr-x 2 root root 4096 Jul 12 08:33 /tmp/tmp.m1WGc0lMSv/data/mnt/scratch
      - ls -lR /tmp/tmp.m1WGc0lMSv/data/mnt/scratch
      /tmp/tmp.m1WGc0lMSv/data/mnt/scratch:
      total 0
      Touch file
      - touch /tmp/tmp.m1WGc0lMSv/data/mnt/scratch/test-touch
      touch: cannot touch '/tmp/tmp.m1WGc0lMSv/data/mnt/scratch/test-touch': Permission denied
      FAIL: could touch /tmp/tmp.m1WGc0lMSv/data/mnt/scratch/test-touch
      Cleaning up
      - umount /tmp/tmp.m1WGc0lMSv/data/mnt/merged
      - rm -rf /tmp/tmp.m1WGc0lMSv

    Confirmed on 4.4, 4.10 and 4.11. Note that on 4.11 I see two dac_override denials: one for bug #1703665 and one for this one.

2017-07-12 20:13:39 Jamie Strandboge description
  Old value:
    (identical to the New value of the 20:00:55 entry above)

  New value:
    With rules like the following:

      @{TESTDIR}="/tmp/tmp.C2pr86sOTh/data"
      @{TOPDIR}="/tmp/tmp.C2pr86sOTh/data/mnt"
      alias / -> /tmp/tmp.C2pr86sOTh/data/mnt/merged/,
      profile test-profile (attach_disconnected) {
        ...
        # for the test script
        @{TOPDIR}/scratch/ r,
        @{TOPDIR}/scratch/** rwklix,
        ...
        # required for 'touch @{TOPDIR}/scratch/foo'
        #capability dac_override,
      }

    and setting up an overlay with lower as '/', merged on TOPDIR/merged and chroot to TOPDIR/merged, touching files under @{TOPDIR}/scratch requires dac_override even though the directories are root:root and the process is running as root:

      Jul 12 08:33:51 sec-xenial-amd64 kernel: audit: type=1400 audit(1499866431.358:84): apparmor="DENIED" operation="capable" profile="test-profile" pid=3759 comm="touch" capability=1 capname="dac_override"

    Reproducer:

      $ tar -zxvf ./overlay-with-chroot-touch-needs-dac-override.tar.gz && sudo ./overlay-with-chroot-touch-needs-dac-override/drv
      overlay-with-chroot-touch-needs-dac-override/
      overlay-with-chroot-touch-needs-dac-override/p.in
      overlay-with-chroot-touch-needs-dac-override/overlay.c
      overlay-with-chroot-touch-needs-dac-override/drv
      overlay-with-chroot-touch-needs-dac-override/tst
      Created tmpdir '/tmp/tmp.m1WGc0lMSv'
      Ubuntu 4.4.0-83.106-generic 4.4.70
      Disabling kernel rate-limiting
      kernel.printk_ratelimit = 0
      Loading /tmp/tmp.m1WGc0lMSv/data/p
      chdir(/tmp/tmp.m1WGc0lMSv/data/mnt)
      Creating the overlay directories
      - mkdir /tmp/tmp.m1WGc0lMSv/data/mnt/lower
      - mkdir /tmp/tmp.m1WGc0lMSv/data/mnt/upper
      - mkdir /tmp/tmp.m1WGc0lMSv/data/mnt/work
      - mkdir /tmp/tmp.m1WGc0lMSv/data/mnt/merged
      Populating /tmp/tmp.m1WGc0lMSv/data/mnt/lower
      - /tmp/tmp.m1WGc0lMSv/data/mnt/lower/test-lower
      Populating /tmp/tmp.m1WGc0lMSv/data/mnt/upper
      - /tmp/tmp.m1WGc0lMSv/data/mnt/upper/test-upper
      Creating /tmp/tmp.m1WGc0lMSv/data/mnt/scratch
      Perform the overlay
      lower=/
      upper=/tmp/tmp.m1WGc0lMSv/data/mnt/upper
      work=/tmp/tmp.m1WGc0lMSv/data/mnt/work
      where=/tmp/tmp.m1WGc0lMSv/data/mnt/merged
      exe=/tmp/tmp.m1WGc0lMSv/data/tst
      - mount('overlay', '/tmp/tmp.m1WGc0lMSv/data/mnt/merged', 'overlay', MS_MGC_VAL, lowerdir=/,upperdir=/tmp/tmp.m1WGc0lMSv/data/mnt/upper,workdir=/tmp/tmp.m1WGc0lMSv/data/mnt/work
        - success
      - chdir('/tmp/tmp.m1WGc0lMSv/data/mnt/merged')
        - success
      - chroot('.')
        - success
      starting '/tmp/tmp.m1WGc0lMSv/data/tst'
      list /tmp/tmp.m1WGc0lMSv/data/mnt/scratch
      - ls -ld /tmp/tmp.m1WGc0lMSv/data/mnt/scratch
      drwxr-xr-x 2 root root 4096 Jul 12 08:33 /tmp/tmp.m1WGc0lMSv/data/mnt/scratch
      - ls -lR /tmp/tmp.m1WGc0lMSv/data/mnt/scratch
      /tmp/tmp.m1WGc0lMSv/data/mnt/scratch:
      total 0
      Touch file
      - touch /tmp/tmp.m1WGc0lMSv/data/mnt/scratch/test-touch
      touch: cannot touch '/tmp/tmp.m1WGc0lMSv/data/mnt/scratch/test-touch': Permission denied
      FAIL: could touch /tmp/tmp.m1WGc0lMSv/data/mnt/scratch/test-touch
      Cleaning up
      - umount /tmp/tmp.m1WGc0lMSv/data/mnt/merged
      - rm -rf /tmp/tmp.m1WGc0lMSv

    Confirmed on 4.4, 4.10 and 4.11. Note that on 4.11 I see two dac_override denials: one for bug #1703665 and one for this one.

    I'm not sure if this is a duplicate or related to bug #1703974.