Comment 0 for bug 1703835

Jamie Strandboge (jdstrand) wrote :

With rules like the following:

@{TESTDIR}="/tmp/tmp.C2pr86sOTh/data"
@{TOPDIR}="/tmp/tmp.C2pr86sOTh/data/mnt"

alias / -> /tmp/tmp.C2pr86sOTh/data/mnt/merged/,

profile test-profile (attach_disconnected) {
...
  # for the test script
  @{TOPDIR}/scratch/ r,
  @{TOPDIR}/scratch/** rwklix,
...
  # required for 'touch @{TOPDIR}/scratch/foo'
  #capability dac_override,
}

and setting up an overlay with lower as '/', merged on TOPDIR and chroot to TOPDIR, touching files under @{TOPDIR}/scratch requires dac_override even though the directories are root:root and the process is running as root:

Jul 12 08:33:51 sec-xenial-amd64 kernel: audit: type=1400 audit(1499866431.358:84): apparmor="DENIED" operation="capable" profile="test-profile" pid=3759 comm="touch" capability=1 capname="dac_override"

Reproducer:
$ tar -zxvf ./overlay-with-chroot-touch-needs-dac-override.tar.gz && sudo ./overlay-with-chroot-touch-needs-dac-override/drv
overlay-with-chroot-touch-needs-dac-override/
overlay-with-chroot-touch-needs-dac-override/p.in
overlay-with-chroot-touch-needs-dac-override/overlay.c
overlay-with-chroot-touch-needs-dac-override/drv
overlay-with-chroot-touch-needs-dac-override/tst
Created tmpdir '/tmp/tmp.m1WGc0lMSv'

Ubuntu 4.4.0-83.106-generic 4.4.70

Disabling kernel rate-limiting
kernel.printk_ratelimit = 0

Loading /tmp/tmp.m1WGc0lMSv/data/p

chdir(/tmp/tmp.m1WGc0lMSv/data/mnt)

Creating the overlay directories
- mkdir /tmp/tmp.m1WGc0lMSv/data/mnt/lower
- mkdir /tmp/tmp.m1WGc0lMSv/data/mnt/upper
- mkdir /tmp/tmp.m1WGc0lMSv/data/mnt/work
- mkdir /tmp/tmp.m1WGc0lMSv/data/mnt/merged

Populating /tmp/tmp.m1WGc0lMSv/data/mnt/lower
- /tmp/tmp.m1WGc0lMSv/data/mnt/lower/test-lower

Populating /tmp/tmp.m1WGc0lMSv/data/mnt/upper
- /tmp/tmp.m1WGc0lMSv/data/mnt/upper/test-upper

Creating /tmp/tmp.m1WGc0lMSv/data/mnt/scratch

Perform the overlay
lower=/
upper=/tmp/tmp.m1WGc0lMSv/data/mnt/upper
work=/tmp/tmp.m1WGc0lMSv/data/mnt/work
where=/tmp/tmp.m1WGc0lMSv/data/mnt/merged
exe=/tmp/tmp.m1WGc0lMSv/data/tst
- mount('overlay', '/tmp/tmp.m1WGc0lMSv/data/mnt/merged', 'overlay', MS_MGC_VAL, lowerdir=/,upperdir=/tmp/tmp.m1WGc0lMSv/data/mnt/upper,workdir=/tmp/tmp.m1WGc0lMSv/data/mnt/work
 - success
- chdir('/tmp/tmp.m1WGc0lMSv/data/mnt/merged')
 - success
- chroot('.')
 - success
starting '/tmp/tmp.m1WGc0lMSv/data/tst'

list /tmp/tmp.m1WGc0lMSv/data/mnt/scratch
- ls -ld /tmp/tmp.m1WGc0lMSv/data/mnt/scratch
drwxr-xr-x 2 root root 4096 Jul 12 08:33 /tmp/tmp.m1WGc0lMSv/data/mnt/scratch

- ls -lR /tmp/tmp.m1WGc0lMSv/data/mnt/scratch
/tmp/tmp.m1WGc0lMSv/data/mnt/scratch:
total 0

Touch file
- touch /tmp/tmp.m1WGc0lMSv/data/mnt/scratch/test-touch
touch: cannot touch '/tmp/tmp.m1WGc0lMSv/data/mnt/scratch/test-touch': Permission denied
FAIL: could touch /tmp/tmp.m1WGc0lMSv/data/mnt/scratch/test-touch

Cleaning up
- umount /tmp/tmp.m1WGc0lMSv/data/mnt/merged
- rm -rf /tmp/tmp.m1WGc0lMSv

Confirmed on 4.4, 4.10 and 4.11. Note that on 4.11 I see two dac_override denials: one for bug #1703665 and one for this one.
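The mount/chdir/chroot/touch sequence from the trace above, as an added C example that is not the reporter's overlay.c or tst; the argument layout and the helper names build_overlay_opts and try_touch are assumptions, and unmounting the merged tree is left to the caller, as drv does, since it cannot be done from inside the chroot.

```c
/* Added example: overlay with lowerdir=/ then chroot, then create a file.
 * Under the profile in the report the open() fails with EACCES unless
 * 'capability dac_override' is granted, even though the process is root. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mount.h>

/* Build "lowerdir=...,upperdir=...,workdir=..." for mount(2).
 * Returns the length written, or -1 if it does not fit in buf. */
int build_overlay_opts(const char *lower, const char *upper, const char *work,
                       char *buf, size_t size)
{
    int n = snprintf(buf, size, "lowerdir=%s,upperdir=%s,workdir=%s",
                     lower, upper, work);
    return (n < 0 || (size_t)n >= size) ? -1 : n;
}

/* Create 'path' the way touch(1) does; return 0 on success, else errno. */
int try_touch(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_NOCTTY | O_NONBLOCK, 0666);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

int main(int argc, char **argv)
{
    char opts[4096];
    if (argc != 5) {
        fprintf(stderr, "usage: %s UPPER WORK MERGED FILE\n", argv[0]);
        return 2;
    }
    /* Same call as the trace: mount('overlay', merged, 'overlay', ..., opts) */
    if (build_overlay_opts("/", argv[1], argv[2], opts, sizeof opts) < 0)
        return 2;
    if (mount("overlay", argv[3], "overlay", 0, opts) != 0) {
        perror("mount");
        return 1;
    }
    if (chdir(argv[3]) != 0 || chroot(".") != 0) {
        perror("chroot");
        return 1;
    }
    /* FILE is the path as seen inside the chroot; with lowerdir=/ that is
     * the same path as on the host, e.g. @{TOPDIR}/scratch/test-touch */
    int err = try_touch(argv[4]);
    printf("touch %s: %s\n", argv[4], err ? strerror(err) : "ok");
    return err ? 1 : 0;
}
```

Run it as root with the profile from the report loaded and the denial appears in the audit log as operation="capable" capname="dac_override", matching the line quoted above.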