2017-07-12 13:36:07 |
Jamie Strandboge |
bug |
|
|
added bug |
2017-07-12 13:36:07 |
Jamie Strandboge |
attachment added |
|
overlay-with-chroot-touch-needs-dac-override.tar.gz https://bugs.launchpad.net/bugs/1703835/+attachment/4913449/+files/overlay-with-chroot-touch-needs-dac-override.tar.gz |
|
2017-07-12 20:00:55 |
Jamie Strandboge |
description |
With rules like the following:
@{TESTDIR}="/tmp/tmp.C2pr86sOTh/data"
@{TOPDIR}="/tmp/tmp.C2pr86sOTh/data/mnt"
alias / -> /tmp/tmp.C2pr86sOTh/data/mnt/merged/,
profile test-profile (attach_disconnected) {
...
# for the test script
@{TOPDIR}/scratch/ r,
@{TOPDIR}/scratch/** rwklix,
...
# required for 'touch @{TOPDIR}/scratch/foo'
#capability dac_override,
}
and setting up an overlay with lower as '/', merged on TOPDIR and chroot to TOPDIR, touching files under @{TOPDIR}/scratch requires dac_override even though the directories are root:root and the process is running as root:
Jul 12 08:33:51 sec-xenial-amd64 kernel: audit: type=1400 audit(1499866431.358:84): apparmor="DENIED" operation="capable" profile="test-profile" pid=3759 comm="touch" capability=1 capname="dac_override"
Reproducer:
$ tar -zxvf ./overlay-with-chroot-touch-needs-dac-override.tar.gz && sudo ./overlay-with-chroot-touch-needs-dac-override/drv
overlay-with-chroot-touch-needs-dac-override/
overlay-with-chroot-touch-needs-dac-override/p.in
overlay-with-chroot-touch-needs-dac-override/overlay.c
overlay-with-chroot-touch-needs-dac-override/drv
overlay-with-chroot-touch-needs-dac-override/tst
Created tmpdir '/tmp/tmp.m1WGc0lMSv'
Ubuntu 4.4.0-83.106-generic 4.4.70
Disabling kernel rate-limiting
kernel.printk_ratelimit = 0
Loading /tmp/tmp.m1WGc0lMSv/data/p
chdir(/tmp/tmp.m1WGc0lMSv/data/mnt)
Creating the overlay directories
- mkdir /tmp/tmp.m1WGc0lMSv/data/mnt/lower
- mkdir /tmp/tmp.m1WGc0lMSv/data/mnt/upper
- mkdir /tmp/tmp.m1WGc0lMSv/data/mnt/work
- mkdir /tmp/tmp.m1WGc0lMSv/data/mnt/merged
Populating /tmp/tmp.m1WGc0lMSv/data/mnt/lower
- /tmp/tmp.m1WGc0lMSv/data/mnt/lower/test-lower
Populating /tmp/tmp.m1WGc0lMSv/data/mnt/upper
- /tmp/tmp.m1WGc0lMSv/data/mnt/upper/test-upper
Creating /tmp/tmp.m1WGc0lMSv/data/mnt/scratch
Perform the overlay
lower=/
upper=/tmp/tmp.m1WGc0lMSv/data/mnt/upper
work=/tmp/tmp.m1WGc0lMSv/data/mnt/work
where=/tmp/tmp.m1WGc0lMSv/data/mnt/merged
exe=/tmp/tmp.m1WGc0lMSv/data/tst
- mount('overlay', '/tmp/tmp.m1WGc0lMSv/data/mnt/merged', 'overlay', MS_MGC_VAL, lowerdir=/,upperdir=/tmp/tmp.m1WGc0lMSv/data/mnt/upper,workdir=/tmp/tmp.m1WGc0lMSv/data/mnt/work
- success
- chdir('/tmp/tmp.m1WGc0lMSv/data/mnt/merged')
- success
- chroot('.')
- success
starting '/tmp/tmp.m1WGc0lMSv/data/tst'
list /tmp/tmp.m1WGc0lMSv/data/mnt/scratch
- ls -ld /tmp/tmp.m1WGc0lMSv/data/mnt/scratch
drwxr-xr-x 2 root root 4096 Jul 12 08:33 /tmp/tmp.m1WGc0lMSv/data/mnt/scratch
- ls -lR /tmp/tmp.m1WGc0lMSv/data/mnt/scratch
/tmp/tmp.m1WGc0lMSv/data/mnt/scratch:
total 0
Touch file
- touch /tmp/tmp.m1WGc0lMSv/data/mnt/scratch/test-touch
touch: cannot touch '/tmp/tmp.m1WGc0lMSv/data/mnt/scratch/test-touch': Permission denied
FAIL: could touch /tmp/tmp.m1WGc0lMSv/data/mnt/scratch/test-touch
Cleaning up
- umount /tmp/tmp.m1WGc0lMSv/data/mnt/merged
- rm -rf /tmp/tmp.m1WGc0lMSv
Confirmed on 4.4, 4.10 and 4.11. Note that on 4.11 I see two dac_override denials: one for bug #1703665 and one for this one. |
With rules like the following:
@{TESTDIR}="/tmp/tmp.C2pr86sOTh/data"
@{TOPDIR}="/tmp/tmp.C2pr86sOTh/data/mnt"
alias / -> /tmp/tmp.C2pr86sOTh/data/mnt/merged/,
profile test-profile (attach_disconnected) {
...
# for the test script
@{TOPDIR}/scratch/ r,
@{TOPDIR}/scratch/** rwklix,
...
# required for 'touch @{TOPDIR}/scratch/foo'
#capability dac_override,
}
and setting up an overlay with lower as '/', merged on TOPDIR/merged and chroot to TOPDIR/merged, touching files under @{TOPDIR}/scratch requires dac_override even though the directories are root:root and the process is running as root:
Jul 12 08:33:51 sec-xenial-amd64 kernel: audit: type=1400 audit(1499866431.358:84): apparmor="DENIED" operation="capable" profile="test-profile" pid=3759 comm="touch" capability=1 capname="dac_override"
Reproducer:
$ tar -zxvf ./overlay-with-chroot-touch-needs-dac-override.tar.gz && sudo ./overlay-with-chroot-touch-needs-dac-override/drv
overlay-with-chroot-touch-needs-dac-override/
overlay-with-chroot-touch-needs-dac-override/p.in
overlay-with-chroot-touch-needs-dac-override/overlay.c
overlay-with-chroot-touch-needs-dac-override/drv
overlay-with-chroot-touch-needs-dac-override/tst
Created tmpdir '/tmp/tmp.m1WGc0lMSv'
Ubuntu 4.4.0-83.106-generic 4.4.70
Disabling kernel rate-limiting
kernel.printk_ratelimit = 0
Loading /tmp/tmp.m1WGc0lMSv/data/p
chdir(/tmp/tmp.m1WGc0lMSv/data/mnt)
Creating the overlay directories
- mkdir /tmp/tmp.m1WGc0lMSv/data/mnt/lower
- mkdir /tmp/tmp.m1WGc0lMSv/data/mnt/upper
- mkdir /tmp/tmp.m1WGc0lMSv/data/mnt/work
- mkdir /tmp/tmp.m1WGc0lMSv/data/mnt/merged
Populating /tmp/tmp.m1WGc0lMSv/data/mnt/lower
- /tmp/tmp.m1WGc0lMSv/data/mnt/lower/test-lower
Populating /tmp/tmp.m1WGc0lMSv/data/mnt/upper
- /tmp/tmp.m1WGc0lMSv/data/mnt/upper/test-upper
Creating /tmp/tmp.m1WGc0lMSv/data/mnt/scratch
Perform the overlay
lower=/
upper=/tmp/tmp.m1WGc0lMSv/data/mnt/upper
work=/tmp/tmp.m1WGc0lMSv/data/mnt/work
where=/tmp/tmp.m1WGc0lMSv/data/mnt/merged
exe=/tmp/tmp.m1WGc0lMSv/data/tst
- mount('overlay', '/tmp/tmp.m1WGc0lMSv/data/mnt/merged', 'overlay', MS_MGC_VAL, lowerdir=/,upperdir=/tmp/tmp.m1WGc0lMSv/data/mnt/upper,workdir=/tmp/tmp.m1WGc0lMSv/data/mnt/work
- success
- chdir('/tmp/tmp.m1WGc0lMSv/data/mnt/merged')
- success
- chroot('.')
- success
starting '/tmp/tmp.m1WGc0lMSv/data/tst'
list /tmp/tmp.m1WGc0lMSv/data/mnt/scratch
- ls -ld /tmp/tmp.m1WGc0lMSv/data/mnt/scratch
drwxr-xr-x 2 root root 4096 Jul 12 08:33 /tmp/tmp.m1WGc0lMSv/data/mnt/scratch
- ls -lR /tmp/tmp.m1WGc0lMSv/data/mnt/scratch
/tmp/tmp.m1WGc0lMSv/data/mnt/scratch:
total 0
Touch file
- touch /tmp/tmp.m1WGc0lMSv/data/mnt/scratch/test-touch
touch: cannot touch '/tmp/tmp.m1WGc0lMSv/data/mnt/scratch/test-touch': Permission denied
FAIL: could touch /tmp/tmp.m1WGc0lMSv/data/mnt/scratch/test-touch
Cleaning up
- umount /tmp/tmp.m1WGc0lMSv/data/mnt/merged
- rm -rf /tmp/tmp.m1WGc0lMSv
Confirmed on 4.4, 4.10 and 4.11. Note that on 4.11 I see two dac_override denials: one for bug #1703665 and one for this one. |
|
2017-07-12 20:13:39 |
Jamie Strandboge |
description |
With rules like the following:
@{TESTDIR}="/tmp/tmp.C2pr86sOTh/data"
@{TOPDIR}="/tmp/tmp.C2pr86sOTh/data/mnt"
alias / -> /tmp/tmp.C2pr86sOTh/data/mnt/merged/,
profile test-profile (attach_disconnected) {
...
# for the test script
@{TOPDIR}/scratch/ r,
@{TOPDIR}/scratch/** rwklix,
...
# required for 'touch @{TOPDIR}/scratch/foo'
#capability dac_override,
}
and setting up an overlay with lower as '/', merged on TOPDIR/merged and chroot to TOPDIR/merged, touching files under @{TOPDIR}/scratch requires dac_override even though the directories are root:root and the process is running as root:
Jul 12 08:33:51 sec-xenial-amd64 kernel: audit: type=1400 audit(1499866431.358:84): apparmor="DENIED" operation="capable" profile="test-profile" pid=3759 comm="touch" capability=1 capname="dac_override"
Reproducer:
$ tar -zxvf ./overlay-with-chroot-touch-needs-dac-override.tar.gz && sudo ./overlay-with-chroot-touch-needs-dac-override/drv
overlay-with-chroot-touch-needs-dac-override/
overlay-with-chroot-touch-needs-dac-override/p.in
overlay-with-chroot-touch-needs-dac-override/overlay.c
overlay-with-chroot-touch-needs-dac-override/drv
overlay-with-chroot-touch-needs-dac-override/tst
Created tmpdir '/tmp/tmp.m1WGc0lMSv'
Ubuntu 4.4.0-83.106-generic 4.4.70
Disabling kernel rate-limiting
kernel.printk_ratelimit = 0
Loading /tmp/tmp.m1WGc0lMSv/data/p
chdir(/tmp/tmp.m1WGc0lMSv/data/mnt)
Creating the overlay directories
- mkdir /tmp/tmp.m1WGc0lMSv/data/mnt/lower
- mkdir /tmp/tmp.m1WGc0lMSv/data/mnt/upper
- mkdir /tmp/tmp.m1WGc0lMSv/data/mnt/work
- mkdir /tmp/tmp.m1WGc0lMSv/data/mnt/merged
Populating /tmp/tmp.m1WGc0lMSv/data/mnt/lower
- /tmp/tmp.m1WGc0lMSv/data/mnt/lower/test-lower
Populating /tmp/tmp.m1WGc0lMSv/data/mnt/upper
- /tmp/tmp.m1WGc0lMSv/data/mnt/upper/test-upper
Creating /tmp/tmp.m1WGc0lMSv/data/mnt/scratch
Perform the overlay
lower=/
upper=/tmp/tmp.m1WGc0lMSv/data/mnt/upper
work=/tmp/tmp.m1WGc0lMSv/data/mnt/work
where=/tmp/tmp.m1WGc0lMSv/data/mnt/merged
exe=/tmp/tmp.m1WGc0lMSv/data/tst
- mount('overlay', '/tmp/tmp.m1WGc0lMSv/data/mnt/merged', 'overlay', MS_MGC_VAL, lowerdir=/,upperdir=/tmp/tmp.m1WGc0lMSv/data/mnt/upper,workdir=/tmp/tmp.m1WGc0lMSv/data/mnt/work
- success
- chdir('/tmp/tmp.m1WGc0lMSv/data/mnt/merged')
- success
- chroot('.')
- success
starting '/tmp/tmp.m1WGc0lMSv/data/tst'
list /tmp/tmp.m1WGc0lMSv/data/mnt/scratch
- ls -ld /tmp/tmp.m1WGc0lMSv/data/mnt/scratch
drwxr-xr-x 2 root root 4096 Jul 12 08:33 /tmp/tmp.m1WGc0lMSv/data/mnt/scratch
- ls -lR /tmp/tmp.m1WGc0lMSv/data/mnt/scratch
/tmp/tmp.m1WGc0lMSv/data/mnt/scratch:
total 0
Touch file
- touch /tmp/tmp.m1WGc0lMSv/data/mnt/scratch/test-touch
touch: cannot touch '/tmp/tmp.m1WGc0lMSv/data/mnt/scratch/test-touch': Permission denied
FAIL: could touch /tmp/tmp.m1WGc0lMSv/data/mnt/scratch/test-touch
Cleaning up
- umount /tmp/tmp.m1WGc0lMSv/data/mnt/merged
- rm -rf /tmp/tmp.m1WGc0lMSv
Confirmed on 4.4, 4.10 and 4.11. Note that on 4.11 I see two dac_override denials: one for bug #1703665 and one for this one.
I'm not sure if this is a duplicate or related to bug #1703974. |
|
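An added C reproducer for the sequence the report describes (overlay with lowerdir=/, chdir into the merged dir, chroot('.'), then create a file under the scratch dir). This is not the attached overlay.c or drv; the function names, the argument layout and the use of open(O_CREAT) in place of touch are assumptions. It must run as root under the confining profile, and the target path is the same host path as in the report, since the overlay of '/' makes it visible inside the chroot.

```c
/* Added example, not the report's overlay.c: minimal overlay + chroot +
 * create-file reproducer.  Run as root inside the AppArmor profile under
 * test; a dac_override denial shows up as EACCES on the final open(). */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mount.h>
#include <sys/stat.h>

/* Build the overlayfs data string in the same form the report's mount()
 * trace shows: lowerdir=...,upperdir=...,workdir=...  Returns the length
 * written, or -1 if it does not fit in `out`. */
int build_overlay_opts(const char *lower, const char *upper, const char *work,
                       char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "lowerdir=%s,upperdir=%s,workdir=%s",
                     lower, upper, work);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Mount the overlay on `merged`, chroot into it and try to create `path`
 * (a path valid inside the new root).  Returns 0 on success, otherwise the
 * errno of the step that failed (EACCES is the denial under test). */
int overlay_chroot_touch(const char *lower, const char *upper,
                         const char *work, const char *merged,
                         const char *path)
{
    char opts[4096];
    if (build_overlay_opts(lower, upper, work, opts, sizeof opts) < 0)
        return ENAMETOOLONG;
    /* MS_MGC_VAL is the (legacy) flags value the report's trace shows. */
    if (mount("overlay", merged, "overlay", MS_MGC_VAL, opts) != 0)
        return errno;
    if (chdir(merged) != 0 || chroot(".") != 0)
        return errno;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 6) {
        fprintf(stderr, "usage: %s LOWER UPPER WORK MERGED PATH\n", argv[0]);
        return 2;
    }
    int rc = overlay_chroot_touch(argv[1], argv[2], argv[3], argv[4], argv[5]);
    printf("%s: %s\n", argv[5], rc ? strerror(rc) : "created");
    return rc ? 1 : 0;
}
```

The process stays inside the chroot, so unmounting the merged directory is left to the caller, as the report's drv script does after its test run; pair the EACCES result with the matching apparmor="DENIED" operation="capable" capname="dac_override" line in the kernel log.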