With rules like the following:

@{TESTDIR}="/tmp/tmp.C2pr86sOTh/data"
@{TOPDIR}="/tmp/tmp.C2pr86sOTh/data/mnt"
alias / -> /tmp/tmp.C2pr86sOTh/data/mnt/merged/,

profile test-profile (attach_disconnected) {
...
  # for the test script
  @{TOPDIR}/scratch/ r,
  @{TOPDIR}/scratch/** rwklix,
...
  # required for 'touch @{TOPDIR}/scratch/foo'
  #capability dac_override,
}

and setting up an overlay with lower as '/', merged on TOPDIR and chroot to TOPDIR, touching files under @{TOPDIR}/scratch requires dac_override even though the directories are root:root and the process is running as root:
Jul 12 08:33:51 sec-xenial-amd64 kernel: audit: type=1400 audit(1499866431.358:84): apparmor="DENIED" operation="capable" profile="test-profile" pid=3759 comm="touch" capability=1 capname="dac_override"
Reproducer:

$ tar -zxvf ./overlay-with-chroot-touch-needs-dac-override.tar.gz && sudo ./overlay-with-chroot-touch-needs-dac-override/drv
overlay-with-chroot-touch-needs-dac-override/
overlay-with-chroot-touch-needs-dac-override/p.in
overlay-with-chroot-touch-needs-dac-override/overlay.c
overlay-with-chroot-touch-needs-dac-override/drv
overlay-with-chroot-touch-needs-dac-override/tst
Created tmpdir '/tmp/tmp.m1WGc0lMSv'
Ubuntu 4.4.0-83.106-generic 4.4.70
Disabling kernel rate-limiting
kernel.printk_ratelimit = 0
Loading /tmp/tmp.m1WGc0lMSv/data/p
chdir(/tmp/tmp.m1WGc0lMSv/data/mnt)
Creating the overlay directories
- mkdir /tmp/tmp.m1WGc0lMSv/data/mnt/lower
- mkdir /tmp/tmp.m1WGc0lMSv/data/mnt/upper
- mkdir /tmp/tmp.m1WGc0lMSv/data/mnt/work
- mkdir /tmp/tmp.m1WGc0lMSv/data/mnt/merged
Populating /tmp/tmp.m1WGc0lMSv/data/mnt/lower
- /tmp/tmp.m1WGc0lMSv/data/mnt/lower/test-lower
Populating /tmp/tmp.m1WGc0lMSv/data/mnt/upper
- /tmp/tmp.m1WGc0lMSv/data/mnt/upper/test-upper
Creating /tmp/tmp.m1WGc0lMSv/data/mnt/scratch
Perform the overlay
lower=/
upper=/tmp/tmp.m1WGc0lMSv/data/mnt/upper
work=/tmp/tmp.m1WGc0lMSv/data/mnt/work
where=/tmp/tmp.m1WGc0lMSv/data/mnt/merged
exe=/tmp/tmp.m1WGc0lMSv/data/tst
- mount('overlay', '/tmp/tmp.m1WGc0lMSv/data/mnt/merged', 'overlay', MS_MGC_VAL, lowerdir=/,upperdir=/tmp/tmp.m1WGc0lMSv/data/mnt/upper,workdir=/tmp/tmp.m1WGc0lMSv/data/mnt/work)
- success
- chdir('/tmp/tmp.m1WGc0lMSv/data/mnt/merged')
- success
- chroot('.')
- success
starting '/tmp/tmp.m1WGc0lMSv/data/tst'
list /tmp/tmp.m1WGc0lMSv/data/mnt/scratch
- ls -ld /tmp/tmp.m1WGc0lMSv/data/mnt/scratch
drwxr-xr-x 2 root root 4096 Jul 12 08:33 /tmp/tmp.m1WGc0lMSv/data/mnt/scratch
- ls -lR /tmp/tmp.m1WGc0lMSv/data/mnt/scratch
/tmp/tmp.m1WGc0lMSv/data/mnt/scratch:
total 0
Touch file
- touch /tmp/tmp.m1WGc0lMSv/data/mnt/scratch/test-touch
touch: cannot touch '/tmp/tmp.m1WGc0lMSv/data/mnt/scratch/test-touch': Permission denied
FAIL: could touch /tmp/tmp.m1WGc0lMSv/data/mnt/scratch/test-touch
Cleaning up
- umount /tmp/tmp.m1WGc0lMSv/data/mnt/merged
- rm -rf /tmp/tmp.m1WGc0lMSv
Confirmed on 4.4, 4.10 and 4.11. Note that on 4.11 I see two dac_override denials: one for bug #1703665 and one for this one.
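The overlay and chroot sequence the trace above walks through, as an added example that is not the reporter's overlay.c or tst script: it mounts lower=/ as an overlay on TOPDIR/merged, has a child chdir into the merged view, chroot('.') and attempt the same touch under TOPDIR/scratch, then reports the errno and unmounts. The directory names upper, work, merged and scratch and the file name test-touch are assumptions taken from the trace; the program loads no AppArmor profile, so confining the child under a profile with a matching alias rule (for example by running the binary under aa-exec) is left to the caller.

```c
/* Added example, not the reporter's overlay.c: rebuilds the overlay + chroot
 * setup from the trace and attempts the same touch from inside the chroot.
 * Needs root (CAP_SYS_ADMIN for mount, CAP_SYS_CHROOT for chroot). The
 * "upper", "work", "merged", "scratch" and "test-touch" names are assumptions
 * that mirror the trace. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/wait.h>

/* Build the overlayfs mount data "lowerdir=...,upperdir=...,workdir=...".
 * Returns the length written, or -1 if it would not fit: a silently
 * truncated option string would mount something other than what was asked. */
int build_overlay_opts(const char *lower, const char *upper, const char *work,
                       char *buf, size_t size)
{
    int n = snprintf(buf, size, "lowerdir=%s,upperdir=%s,workdir=%s",
                     lower, upper, work);
    return (n < 0 || (size_t)n >= size) ? -1 : n;
}

/* open(O_CREAT) stand-in for 'touch'. Returns 0 on success, else -errno;
 * a DAC check that AppArmor turns into a capable(dac_override) denial shows
 * up here as -EACCES, matching the "Permission denied" in the trace. */
int try_touch(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT, 0644);
    if (fd < 0)
        return -errno;
    close(fd);
    return 0;
}

/* mkdir that tolerates an existing directory. */
static int mkdir_ok(const char *path)
{
    return (mkdir(path, 0755) == 0 || errno == EEXIST) ? 0 : -1;
}

/* Mount lower=/ as an overlay on TOP/merged, then in a child chdir into it,
 * chroot('.') and touch TOP/scratch/test-touch. Because the lower layer is
 * '/', the same absolute path resolves inside the chroot, exactly as the
 * reporter's 'tst' script relies on. Returns the child's exit status
 * (0 = touch worked, 1 = touch denied) or -1 on setup failure. */
static int overlay_chroot_touch(const char *top)
{
    char upper[PATH_MAX], work[PATH_MAX], merged[PATH_MAX], scratch[PATH_MAX];
    char target[PATH_MAX + 32], opts[3 * PATH_MAX];

    snprintf(upper, sizeof upper, "%s/upper", top);
    snprintf(work, sizeof work, "%s/work", top);
    snprintf(merged, sizeof merged, "%s/merged", top);
    snprintf(scratch, sizeof scratch, "%s/scratch", top);
    snprintf(target, sizeof target, "%s/test-touch", scratch);
    if (mkdir_ok(upper) || mkdir_ok(work) || mkdir_ok(merged) || mkdir_ok(scratch)) {
        perror("mkdir");
        return -1;
    }
    if (build_overlay_opts("/", upper, work, opts, sizeof opts) < 0) {
        fprintf(stderr, "overlay options too long\n");
        return -1;
    }
    /* Same call as the trace: mount('overlay', merged, 'overlay', MS_MGC_VAL, opts) */
    if (mount("overlay", merged, "overlay", MS_MGC_VAL, opts) != 0) {
        perror("mount");
        return -1;
    }
    pid_t pid = fork();
    if (pid < 0) {
        perror("fork");
        umount(merged);
        return -1;
    }
    if (pid == 0) {
        if (chdir(merged) != 0 || chroot(".") != 0) {
            perror("chroot");
            _exit(127);
        }
        int rc = try_touch(target);
        printf("touch %s inside chroot: %s\n", target, rc ? strerror(-rc) : "ok");
        _exit(rc ? 1 : 0);
    }
    int status = 0;
    waitpid(pid, &status, 0);
    umount(merged);                 /* parent never entered the chroot */
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv)
{
    if (argc != 2 || geteuid() != 0) {
        fprintf(stderr, "usage (as root): %s TOPDIR\n", argv[0]);
        return 2;
    }
    return overlay_chroot_touch(argv[1]);
}
```

Run it as root with a fresh TOPDIR (the equivalent of the /tmp/tmp.XXXX/data/mnt directory in the trace) while the child is confined by a profile carrying the alias and @{TOPDIR}/scratch rules; with the bug present the touch reports EACCES and the kernel log shows the same operation="capable" capname="dac_override" denial, and adding capability dac_override to the profile makes it succeed.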