AppArmor

capability dac_override denial with overlayfs on 4.11

Bug #1703665 reported by Jamie Strandboge on 2017-07-11

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	AppArmor	New	Undecided	Unassigned

Bug Description

On a 4.11, I see the following denial when trying to use overlay in any capacity:

Jul 11 14:06:46 iolanthe kernel: audit: type=1400 audit(1499800006.231:258886): apparmor="DENIED" operation="capable" profile="test-profile" pid=2638 comm="overlay-dac-ove" capability=1 capname="dac_override"

Reproducer:
$ tar -zxvf ./overlay-requires-dac_override.tar.gz
overlay-requires-dac_override/
overlay-requires-dac_override/p.in
overlay-requires-dac_override/overlay-dac-override.c
overlay-requires-dac_override/drv
overlay-requires-dac_override/tst

$ sudo ./overlay-requires-dac_override/drv
Created tmpdir '/tmp/tmp.AuCzfMgEE3'

Ubuntu 4.11.0-10.15-generic 4.11.8

Disabling kernel rate-limiting
kernel.printk_ratelimit = 0

Loading /tmp/tmp.AuCzfMgEE3/data/p

chdir(/tmp/tmp.AuCzfMgEE3/mnt)

Creating the overlay directories
- mkdir /tmp/tmp.AuCzfMgEE3/mnt/lower
- mkdir /tmp/tmp.AuCzfMgEE3/mnt/upper
- mkdir /tmp/tmp.AuCzfMgEE3/mnt/work
- mkdir /tmp/tmp.AuCzfMgEE3/mnt/merged

ls -lr /tmp/tmp.AuCzfMgEE3
/tmp/tmp.AuCzfMgEE3:
total 8
drwxr-xr-x 2 root root 4096 Jul 11 14:06 data
drwxr-xr-x 6 root root 4096 Jul 11 14:06 mnt

/tmp/tmp.AuCzfMgEE3/data:
total 36
-rwxr-xr-x 1 root root 1398 Jul 11 14:06 drv
-rwxr-xr-x 1 root root 16096 Jul 11 14:06 overlay-dac-override
-rw-r--r-- 1 root root 2029 Jul 11 14:06 overlay-dac-override.c
-rw-r--r-- 1 root root 941 Jul 11 14:06 p
-rw-r--r-- 1 root root 924 Jul 11 14:06 p.in
-rwxr-xr-x 1 root root 789 Jul 11 14:06 tst

/tmp/tmp.AuCzfMgEE3/mnt:
total 16
drwxr-xr-x 2 root root 4096 Jul 11 14:06 lower
drwxr-xr-x 2 root root 4096 Jul 11 14:06 merged
drwxr-xr-x 2 root root 4096 Jul 11 14:06 upper
drwxr-xr-x 2 root root 4096 Jul 11 14:06 work

/tmp/tmp.AuCzfMgEE3/mnt/lower:
total 0

/tmp/tmp.AuCzfMgEE3/mnt/merged:
total 0

/tmp/tmp.AuCzfMgEE3/mnt/upper:
total 0

/tmp/tmp.AuCzfMgEE3/mnt/work:
total 0

Perform the overlay
lower=/tmp/tmp.AuCzfMgEE3/mnt/lower
upper=/tmp/tmp.AuCzfMgEE3/mnt/upper
work=/tmp/tmp.AuCzfMgEE3/mnt/work
where=/tmp/tmp.AuCzfMgEE3/mnt/merged
- mount('overlay', '/tmp/tmp.AuCzfMgEE3/mnt/merged', 'overlay', MS_MGC_VAL, lowerdir=/tmp/tmp.AuCzfMgEE3/mnt/lower,upperdir=/tmp/tmp.AuCzfMgEE3/mnt/upper,workdir=/tmp/tmp.AuCzfMgEE3/mnt/work
- success