[Touch-packages] [Bug 1408106] Re: attach_disconnected not sufficient for overlayfs
@fnordahl Hi! Let's keep the discussion about bug 1701297 in that bug
since it is focused on the change in behavior between the Xenial release
kernel and the HWE kernel. That's not what this bug is about. John is
investigating the change in behavior issue. Jamie's previous
investigations of overlayfs/apparmor were solely focused on the Xenial
release kernel so we should not pull him in at the moment as it would
divert his focus from other high priority workk.
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1408106
Title:
attach_disconnected not sufficient for overlayfs
Status in AppArmor:
Invalid
Status in MAAS:
Invalid
Status in apparmor package in Ubuntu:
Invalid
Status in linux package in Ubuntu:
Invalid
Bug description:
With the following use of overlayfs, we get a disconnected path:
$ cat ./profile
#include
profile foo {
#include
capability sys_admin,
capability sys_chroot,
mount,
pivot_root,
}
$ cat ./overlay.c
#include
#include
#include
#include
#include
#include
#include
int main(int argc, char* argv[]) {
int i = 0;
int len = 0;
int ret = 0;
char* options;
if (geteuid())
unshare(CLONE_NEWUSER);
unshare(CLONE_NEWNS);
for (i = 1; i < argc; i++) {
if (i == 1) {
len = strlen(argv[i]) + strlen("upperdir=,lowerdir=/") + 2;
options = alloca(len);
ret = snprintf(options, len, "upperdir=%s,lowerdir=/", argv[i]);
}
else {
len = strlen(argv[i]) + strlen("upperdir=,lowerdir=/mnt") + 2;
options = alloca(len);
ret = snprintf(options, len, "upperdir=%s,lowerdir=/mnt",
argv[i]);
}
mount("overlayfs", "/mnt", "overlayfs", MS_MGC_VAL, options);
}
chdir("/mnt");
pivot_root(".", ".");
chroot(".");
chdir("/");
execl("/bin/bash", "/bin/bash", NULL);
}
$ sudo apparmor_parser -r ./profile && aa-exec -p foo -- ./a.out /tmp
[255]
...
Dec 12 14:31:38 localhost kernel: [57278.040216] audit: type=1400
audit(1418387498.613:712): apparmor="DENIED" operation="exec" info="Failed name
lookup - disconnected path" error=-13 profile="foo" name="/bin/bash" pid=18255
comm="a.out" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
With the above, the expectation was for the denial to be /mnt/bin/bash. There
are three ways forward:
1. the correct solution is to patch overlayfs to properly track the loopback,
but this will take a while, may ultimately be unachievable. UPDATE: upstream is
currently working on this and Ubuntu will engage with them
2. we could rely on the fact that overlayfs creates a private unshared
submount, and provide a way to not mediate the path when that is present, and
tagged. This would take a bit of time, and might be the preferred method over 1
longer term
3. we could extend attach_disconnected so that we can define the attach root.
Eg, we can use profile foo (attach_disconnected=/mnt) {} such that '/bin/bash'
maps to '/mnt/bin/bash'. UPDATE: THIS IS NOT VIABLE
To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1408106/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1408106] Re: attach_disconnected not sufficient for overlayfs
@andreserl
There are severe security implications of doing 2) from now until all
future, and unfortunately I have seen that this is being done in the
wild.
I would be much more comfortable by actually finding the root cause of
the issue at hand and fixing that.
This is what I am currently pursuing, so please share any information
about the actual upstream kernel problem you may have.
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1408106
Title:
attach_disconnected not sufficient for overlayfs
Status in AppArmor:
Invalid
Status in MAAS:
Invalid
Status in apparmor package in Ubuntu:
Invalid
Status in linux package in Ubuntu:
Invalid
Bug description:
With the following use of overlayfs, we get a disconnected path:
$ cat ./profile
#include
profile foo {
#include
capability sys_admin,
capability sys_chroot,
mount,
pivot_root,
}
$ cat ./overlay.c
#include
#include
#include
#include
#include
#include
#include
int main(int argc, char* argv[]) {
int i = 0;
int len = 0;
int ret = 0;
char* options;
if (geteuid())
unshare(CLONE_NEWUSER);
unshare(CLONE_NEWNS);
for (i = 1; i < argc; i++) {
if (i == 1) {
len = strlen(argv[i]) + strlen("upperdir=,lowerdir=/") + 2;
options = alloca(len);
ret = snprintf(options, len, "upperdir=%s,lowerdir=/", argv[i]);
}
else {
len = strlen(argv[i]) + strlen("upperdir=,lowerdir=/mnt") + 2;
options = alloca(len);
ret = snprintf(options, len, "upperdir=%s,lowerdir=/mnt",
argv[i]);
}
mount("overlayfs", "/mnt", "overlayfs", MS_MGC_VAL, options);
}
chdir("/mnt");
pivot_root(".", ".");
chroot(".");
chdir("/");
execl("/bin/bash", "/bin/bash", NULL);
}
$ sudo apparmor_parser -r ./profile && aa-exec -p foo -- ./a.out /tmp
[255]
...
Dec 12 14:31:38 localhost kernel: [57278.040216] audit: type=1400
audit(1418387498.613:712): apparmor="DENIED" operation="exec" info="Failed name
lookup - disconnected path" error=-13 profile="foo" name="/bin/bash" pid=18255
comm="a.out" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
With the above, the expectation was for the denial to be /mnt/bin/bash. There
are three ways forward:
1. the correct solution is to patch overlayfs to properly track the loopback,
but this will take a while, may ultimately be unachievable. UPDATE: upstream is
currently working on this and Ubuntu will engage with them
2. we could rely on the fact that overlayfs creates a private unshared
submount, and provide a way to not mediate the path when that is present, and
tagged. This would take a bit of time, and might be the preferred method over 1
longer term
3. we could extend attach_disconnected so that we can define the attach root.
Eg, we can use profile foo (attach_disconnected=/mnt) {} such that '/bin/bash'
maps to '/mnt/bin/bash'. UPDATE: THIS IS NOT VIABLE
To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1408106/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1408106] Re: attach_disconnected not sufficient for overlayfs
@Frode,
Users running 2.2 *already* have the apparmor=0 work around for
*ephemeral* environments only.
For users running previous versions, we recommend you upgrade
immediately, provided that 2.0 and 2.1 are out of support. If you decide
not to upgrade, your options are:
1. Use a HWE kernel (such as hwe-16.04).
https://bugs.launchpad.net/cloud-init/+bug/1701297/comments/21
2. Use apparmor=0 as a global/machine kernel param (this will result in the
deployed machine with apparmor disabled)
Marking this invalid for MAAS provided the bug is overlayfs.
** Changed in: maas
Status: Incomplete => Invalid
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1408106
Title:
attach_disconnected not sufficient for overlayfs
Status in AppArmor:
Invalid
Status in MAAS:
Invalid
Status in apparmor package in Ubuntu:
Invalid
Status in linux package in Ubuntu:
Invalid
Bug description:
With the following use of overlayfs, we get a disconnected path:
$ cat ./profile
#include
profile foo {
#include
capability sys_admin,
capability sys_chroot,
mount,
pivot_root,
}
$ cat ./overlay.c
#include
#include
#include
#include
#include
#include
#include
int main(int argc, char* argv[]) {
int i = 0;
int len = 0;
int ret = 0;
char* options;
if (geteuid())
unshare(CLONE_NEWUSER);
unshare(CLONE_NEWNS);
for (i = 1; i < argc; i++) {
if (i == 1) {
len = strlen(argv[i]) + strlen("upperdir=,lowerdir=/") + 2;
options = alloca(len);
ret = snprintf(options, len, "upperdir=%s,lowerdir=/", argv[i]);
}
else {
len = strlen(argv[i]) + strlen("upperdir=,lowerdir=/mnt") + 2;
options = alloca(len);
ret = snprintf(options, len, "upperdir=%s,lowerdir=/mnt",
argv[i]);
}
mount("overlayfs", "/mnt", "overlayfs", MS_MGC_VAL, options);
}
chdir("/mnt");
pivot_root(".", ".");
chroot(".");
chdir("/");
execl("/bin/bash", "/bin/bash", NULL);
}
$ sudo apparmor_parser -r ./profile && aa-exec -p foo -- ./a.out /tmp
[255]
...
Dec 12 14:31:38 localhost kernel: [57278.040216] audit: type=1400
audit(1418387498.613:712): apparmor="DENIED" operation="exec" info="Failed name
lookup - disconnected path" error=-13 profile="foo" name="/bin/bash" pid=18255
comm="a.out" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
With the above, the expectation was for the denial to be /mnt/bin/bash. There
are three ways forward:
1. the correct solution is to patch overlayfs to properly track the loopback,
but this will take a while, may ultimately be unachievable. UPDATE: upstream is
currently working on this and Ubuntu will engage with them
2. we could rely on the fact that overlayfs creates a private unshared
submount, and provide a way to not mediate the path when that is present, and
tagged. This would take a bit of time, and might be the preferred method over 1
longer term
3. we could extend attach_disconnected so that we can define the attach root.
Eg, we can use profile foo (attach_disconnected=/mnt) {} such that '/bin/bash'
maps to '/mnt/bin/bash'. UPDATE: THIS IS NOT VIABLE
To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1408106/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1408106] Re: attach_disconnected not sufficient for overlayfs
@Frode, I can yes, when I file them. I need to do a bit of work for
simple reproducers/etc/etc to file them. I've added an item to add a
comment to this bug when I do.
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1408106
Title:
attach_disconnected not sufficient for overlayfs
Status in AppArmor:
Invalid
Status in MAAS:
Incomplete
Status in apparmor package in Ubuntu:
Invalid
Status in linux package in Ubuntu:
Invalid
Bug description:
With the following use of overlayfs, we get a disconnected path:
$ cat ./profile
#include
profile foo {
#include
capability sys_admin,
capability sys_chroot,
mount,
pivot_root,
}
$ cat ./overlay.c
#include
#include
#include
#include
#include
#include
#include
int main(int argc, char* argv[]) {
int i = 0;
int len = 0;
int ret = 0;
char* options;
if (geteuid())
unshare(CLONE_NEWUSER);
unshare(CLONE_NEWNS);
for (i = 1; i < argc; i++) {
if (i == 1) {
len = strlen(argv[i]) + strlen("upperdir=,lowerdir=/") + 2;
options = alloca(len);
ret = snprintf(options, len, "upperdir=%s,lowerdir=/", argv[i]);
}
else {
len = strlen(argv[i]) + strlen("upperdir=,lowerdir=/mnt") + 2;
options = alloca(len);
ret = snprintf(options, len, "upperdir=%s,lowerdir=/mnt",
argv[i]);
}
mount("overlayfs", "/mnt", "overlayfs", MS_MGC_VAL, options);
}
chdir("/mnt");
pivot_root(".", ".");
chroot(".");
chdir("/");
execl("/bin/bash", "/bin/bash", NULL);
}
$ sudo apparmor_parser -r ./profile && aa-exec -p foo -- ./a.out /tmp
[255]
...
Dec 12 14:31:38 localhost kernel: [57278.040216] audit: type=1400
audit(1418387498.613:712): apparmor="DENIED" operation="exec" info="Failed name
lookup - disconnected path" error=-13 profile="foo" name="/bin/bash" pid=18255
comm="a.out" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
With the above, the expectation was for the denial to be /mnt/bin/bash. There
are three ways forward:
1. the correct solution is to patch overlayfs to properly track the loopback,
but this will take a while, may ultimately be unachievable. UPDATE: upstream is
currently working on this and Ubuntu will engage with them
2. we could rely on the fact that overlayfs creates a private unshared
submount, and provide a way to not mediate the path when that is present, and
tagged. This would take a bit of time, and might be the preferred method over 1
longer term
3. we could extend attach_disconnected so that we can define the attach root.
Eg, we can use profile foo (attach_disconnected=/mnt) {} such that '/bin/bash'
maps to '/mnt/bin/bash'. UPDATE: THIS IS NOT VIABLE
To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1408106/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1408106] Re: attach_disconnected not sufficient for overlayfs
This problem has surfaced again with recent MAAS Ubuntu images. One
report in bug 1701297. I have information about at least two other end
users hit by the problem.
Adding a workaround by setting apparmor=0 kernel parameter in MAAS 2.2
will not help users that are running previous versions.
@jdstrand Would you care to reference the other bugs you created from
your investigation?
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1408106
Title:
attach_disconnected not sufficient for overlayfs
Status in AppArmor:
Invalid
Status in MAAS:
Incomplete
Status in apparmor package in Ubuntu:
Invalid
Status in linux package in Ubuntu:
Invalid
Bug description:
With the following use of overlayfs, we get a disconnected path:
$ cat ./profile
#include
profile foo {
#include
capability sys_admin,
capability sys_chroot,
mount,
pivot_root,
}
$ cat ./overlay.c
#include
#include
#include
#include
#include
#include
#include
int main(int argc, char* argv[]) {
int i = 0;
int len = 0;
int ret = 0;
char* options;
if (geteuid())
unshare(CLONE_NEWUSER);
unshare(CLONE_NEWNS);
for (i = 1; i < argc; i++) {
if (i == 1) {
len = strlen(argv[i]) + strlen("upperdir=,lowerdir=/") + 2;
options = alloca(len);
ret = snprintf(options, len, "upperdir=%s,lowerdir=/", argv[i]);
}
else {
len = strlen(argv[i]) + strlen("upperdir=,lowerdir=/mnt") + 2;
options = alloca(len);
ret = snprintf(options, len, "upperdir=%s,lowerdir=/mnt",
argv[i]);
}
mount("overlayfs", "/mnt", "overlayfs", MS_MGC_VAL, options);
}
chdir("/mnt");
pivot_root(".", ".");
chroot(".");
chdir("/");
execl("/bin/bash", "/bin/bash", NULL);
}
$ sudo apparmor_parser -r ./profile && aa-exec -p foo -- ./a.out /tmp
[255]
...
Dec 12 14:31:38 localhost kernel: [57278.040216] audit: type=1400
audit(1418387498.613:712): apparmor="DENIED" operation="exec" info="Failed name
lookup - disconnected path" error=-13 profile="foo" name="/bin/bash" pid=18255
comm="a.out" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
With the above, the expectation was for the denial to be /mnt/bin/bash. There
are three ways forward:
1. the correct solution is to patch overlayfs to properly track the loopback,
but this will take a while, may ultimately be unachievable. UPDATE: upstream is
currently working on this and Ubuntu will engage with them
2. we could rely on the fact that overlayfs creates a private unshared
submount, and provide a way to not mediate the path when that is present, and
tagged. This would take a bit of time, and might be the preferred method over 1
longer term
3. we could extend attach_disconnected so that we can define the attach root.
Eg, we can use profile foo (attach_disconnected=/mnt) {} such that '/bin/bash'
maps to '/mnt/bin/bash'. UPDATE: THIS IS NOT VIABLE
To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1408106/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1408106] Re: attach_disconnected not sufficient for overlayfs
Actually, I marked the MAAS task as incomplete in case people want to
give feedback.
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1408106
Title:
attach_disconnected not sufficient for overlayfs
Status in AppArmor:
Invalid
Status in MAAS:
Incomplete
Status in apparmor package in Ubuntu:
Invalid
Status in linux package in Ubuntu:
Invalid
Bug description:
With the following use of overlayfs, we get a disconnected path:
$ cat ./profile
#include
profile foo {
#include
capability sys_admin,
capability sys_chroot,
mount,
pivot_root,
}
$ cat ./overlay.c
#include
#include
#include
#include
#include
#include
#include
int main(int argc, char* argv[]) {
int i = 0;
int len = 0;
int ret = 0;
char* options;
if (geteuid())
unshare(CLONE_NEWUSER);
unshare(CLONE_NEWNS);
for (i = 1; i < argc; i++) {
if (i == 1) {
len = strlen(argv[i]) + strlen("upperdir=,lowerdir=/") + 2;
options = alloca(len);
ret = snprintf(options, len, "upperdir=%s,lowerdir=/", argv[i]);
}
else {
len = strlen(argv[i]) + strlen("upperdir=,lowerdir=/mnt") + 2;
options = alloca(len);
ret = snprintf(options, len, "upperdir=%s,lowerdir=/mnt",
argv[i]);
}
mount("overlayfs", "/mnt", "overlayfs", MS_MGC_VAL, options);
}
chdir("/mnt");
pivot_root(".", ".");
chroot(".");
chdir("/");
execl("/bin/bash", "/bin/bash", NULL);
}
$ sudo apparmor_parser -r ./profile && aa-exec -p foo -- ./a.out /tmp
[255]
...
Dec 12 14:31:38 localhost kernel: [57278.040216] audit: type=1400
audit(1418387498.613:712): apparmor="DENIED" operation="exec" info="Failed name
lookup - disconnected path" error=-13 profile="foo" name="/bin/bash" pid=18255
comm="a.out" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
With the above, the expectation was for the denial to be /mnt/bin/bash. There
are three ways forward:
1. the correct solution is to patch overlayfs to properly track the loopback,
but this will take a while, may ultimately be unachievable. UPDATE: upstream is
currently working on this and Ubuntu will engage with them
2. we could rely on the fact that overlayfs creates a private unshared
submount, and provide a way to not mediate the path when that is present, and
tagged. This would take a bit of time, and might be the preferred method over 1
longer term
3. we could extend attach_disconnected so that we can define the attach root.
Eg, we can use profile foo (attach_disconnected=/mnt) {} such that '/bin/bash'
maps to '/mnt/bin/bash'. UPDATE: THIS IS NOT VIABLE
To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1408106/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1408106] Re: attach_disconnected not sufficient for overlayfs
Closing the MAAS task as it the referenced bug is marked Fix Release. If
there are issues there still, please see my previous comment and look at
the code in that snap-- there are viable ways to use overlayfs with
chroot and an apparmor alias rule, or overlayfs with private mount,
chroot and pivot_root.
** Changed in: maas
Status: New => Incomplete
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1408106
Title:
attach_disconnected not sufficient for overlayfs
Status in AppArmor:
Invalid
Status in MAAS:
Incomplete
Status in apparmor package in Ubuntu:
Invalid
Status in linux package in Ubuntu:
Invalid
Bug description:
With the following use of overlayfs, we get a disconnected path:
$ cat ./profile
#include
profile foo {
#include
capability sys_admin,
capability sys_chroot,
mount,
pivot_root,
}
$ cat ./overlay.c
#include
#include
#include
#include
#include
#include
#include
int main(int argc, char* argv[]) {
int i = 0;
int len = 0;
int ret = 0;
char* options;
if (geteuid())
unshare(CLONE_NEWUSER);
unshare(CLONE_NEWNS);
for (i = 1; i < argc; i++) {
if (i == 1) {
len = strlen(argv[i]) + strlen("upperdir=,lowerdir=/") + 2;
options = alloca(len);
ret = snprintf(options, len, "upperdir=%s,lowerdir=/", argv[i]);
}
else {
len = strlen(argv[i]) + strlen("upperdir=,lowerdir=/mnt") + 2;
options = alloca(len);
ret = snprintf(options, len, "upperdir=%s,lowerdir=/mnt",
argv[i]);
}
mount("overlayfs", "/mnt", "overlayfs", MS_MGC_VAL, options);
}
chdir("/mnt");
pivot_root(".", ".");
chroot(".");
chdir("/");
execl("/bin/bash", "/bin/bash", NULL);
}
$ sudo apparmor_parser -r ./profile && aa-exec -p foo -- ./a.out /tmp
[255]
...
Dec 12 14:31:38 localhost kernel: [57278.040216] audit: type=1400
audit(1418387498.613:712): apparmor="DENIED" operation="exec" info="Failed name
lookup - disconnected path" error=-13 profile="foo" name="/bin/bash" pid=18255
comm="a.out" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
With the above, the expectation was for the denial to be /mnt/bin/bash. There
are three ways forward:
1. the correct solution is to patch overlayfs to properly track the loopback,
but this will take a while, may ultimately be unachievable. UPDATE: upstream is
currently working on this and Ubuntu will engage with them
2. we could rely on the fact that overlayfs creates a private unshared
submount, and provide a way to not mediate the path when that is present, and
tagged. This would take a bit of time, and might be the preferred method over 1
longer term
3. we could extend attach_disconnected so that we can define the attach root.
Eg, we can use profile foo (attach_disconnected=/mnt) {} such that '/bin/bash'
maps to '/mnt/bin/bash'. UPDATE: THIS IS NOT VIABLE
To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1408106/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1408106] Re: attach_disconnected not sufficient for overlayfs
Ok, I spent quite a bit of time evaluating this and believe this bug can
be closed, but other bugs open.
In looking at this I created https://code.launchpad.net/~jdstrand/+git
/test-overlay (to build simply git clone, run 'snapcraft', install the
snap and then run 'test-overlay' for instructions on how to test
different things).
For this bug, the test code was broken and it didn't pivot_root. I'm not
sure if it did pivot_root back when this was filed (I didn't check). The
use of attach_disconnected is required because upperdir (man 8 mount,
look for overlay) is disconnected. Once attach_disconnected is present,
all file paths are mediatable:
- when using just an overlay, the paths show up where you expect them to be in
the filesystem
- when using overlay plus chroot paths are mediatable but an alias rule is
really needed to have worthwhile policy (otherwise you need to keep the
inner-chroot policy and outer-system policy in sync). Also logged denials have
the overlay mountpoint prefixed. This is consistent with how apparmor works
with chroots
- when using overlay plus private mount namespace plus pivot_root, no alias
rule is required and logged path denials look like the system paths (ie, the
overlay mountpoint is not prefixed)
In all, closing this bug as Invalid. I'll be filing new bugs for various
issues I found in my investigation.
** Changed in: linux (Ubuntu)
Status: Triaged => Won't Fix
** Changed in: apparmor (Ubuntu)
Status: Confirmed => Won't Fix
** Changed in: apparmor
Status: In Progress => Invalid
** Changed in: apparmor (Ubuntu)
Status: Won't Fix => Invalid
** Changed in: linux (Ubuntu)
Status: Won't Fix => Invalid
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1408106
Title:
attach_disconnected not sufficient for overlayfs
Status in AppArmor:
Invalid
Status in MAAS:
Incomplete
Status in apparmor package in Ubuntu:
Invalid
Status in linux package in Ubuntu:
Invalid
Bug description:
With the following use of overlayfs, we get a disconnected path:
$ cat ./profile
#include
profile foo {
#include
capability sys_admin,
capability sys_chroot,
mount,
pivot_root,
}
$ cat ./overlay.c
#include
#include
#include
#include
#include
#include
#include
int main(int argc, char* argv[]) {
int i = 0;
int len = 0;
int ret = 0;
char* options;
if (geteuid())
unshare(CLONE_NEWUSER);
unshare(CLONE_NEWNS);
for (i = 1; i < argc; i++) {
if (i == 1) {
len = strlen(argv[i]) + strlen("upperdir=,lowerdir=/") + 2;
options = alloca(len);
ret = snprintf(options, len, "upperdir=%s,lowerdir=/", argv[i]);
}
else {
len = strlen(argv[i]) + strlen("upperdir=,lowerdir=/mnt") + 2;
options = alloca(len);
ret = snprintf(options, len, "upperdir=%s,lowerdir=/mnt",
argv[i]);
}
mount("overlayfs", "/mnt", "overlayfs", MS_MGC_VAL, options);
}
chdir("/mnt");
pivot_root(".", ".");
chroot(".");
chdir("/");
execl("/bin/bash", "/bin/bash", NULL);
}
$ sudo apparmor_parser -r ./profile && aa-exec -p foo -- ./a.out /tmp
[255]
...
Dec 12 14:31:38 localhost kernel: [57278.040216] audit: type=1400
audit(1418387498.613:712): apparmor="DENIED" operation="exec" info="Failed name
lookup - disconnected path" error=-13 profile="foo" name="/bin/bash" pid=18255
comm="a.out" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
With the above, the expectation was for the denial to be /mnt/bin/bash. There
are three ways forward:
1. the correct solution is to patch overlayfs to properly track the loopback,
but this will take a while, may ultimately be unachievable. UPDATE: upstream is
currently working on this and Ubuntu will engage with them
2. we could rely on the fact that overlayfs creates a private unshared
submount, and provide a way to not mediate the path when that is present, and
tagged. This would take a bit of time, and might be the preferred method over 1
longer term
3. we could extend attach_disconnected so that we can define the attach root.
Eg, we can use profile foo (attach_disconnected=/mnt) {} such that '/bin/bash'
maps to '/mnt/bin/bash'. UPDATE: THIS IS NOT VIABLE
To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1408106/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1408106] Re: attach_disconnected not sufficient for overlayfs
@lamont does this need to have a MAAS task? Are we going to address it
somehow in MAAS?
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1408106
Title:
attach_disconnected not sufficient for overlayfs
Status in AppArmor:
In Progress
Status in MAAS:
New
Status in apparmor package in Ubuntu:
Confirmed
Status in linux package in Ubuntu:
Triaged
Bug description:
With the following use of overlayfs, we get a disconnected path:
$ cat ./profile
#include
profile foo {
#include
capability sys_admin,
capability sys_chroot,
mount,
pivot_root,
}
$ cat ./overlay.c
#include
#include
#include
#include
#include
#include
#include
int main(int argc, char* argv[]) {
int i = 0;
int len = 0;
int ret = 0;
char* options;
if (geteuid())
unshare(CLONE_NEWUSER);
unshare(CLONE_NEWNS);
for (i = 1; i < argc; i++) {
if (i == 1) {
len = strlen(argv[i]) + strlen("upperdir=,lowerdir=/") + 2;
options = alloca(len);
ret = snprintf(options, len, "upperdir=%s,lowerdir=/", argv[i]);
}
else {
len = strlen(argv[i]) + strlen("upperdir=,lowerdir=/mnt") + 2;
options = alloca(len);
ret = snprintf(options, len, "upperdir=%s,lowerdir=/mnt",
argv[i]);
}
mount("overlayfs", "/mnt", "overlayfs", MS_MGC_VAL, options);
}
chdir("/mnt");
pivot_root(".", ".");
chroot(".");
chdir("/");
execl("/bin/bash", "/bin/bash", NULL);
}
$ sudo apparmor_parser -r ./profile && aa-exec -p foo -- ./a.out /tmp
[255]
...
Dec 12 14:31:38 localhost kernel: [57278.040216] audit: type=1400
audit(1418387498.613:712): apparmor="DENIED" operation="exec" info="Failed name
lookup - disconnected path" error=-13 profile="foo" name="/bin/bash" pid=18255
comm="a.out" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
With the above, the expectation was for the denial to be /mnt/bin/bash. There
are three ways forward:
1. the correct solution is to patch overlayfs to properly track the loopback,
but this will take a while, may ultimately be unachievable. UPDATE: upstream is
currently working on this and Ubuntu will engage with them
2. we could rely on the fact that overlayfs creates a private unshared
submount, and provide a way to not mediate the path when that is present, and
tagged. This would take a bit of time, and might be the preferred method over 1
longer term
3. we could extend attach_disconnected so that we can define the attach root.
Eg, we can use profile foo (attach_disconnected=/mnt) {} such that '/bin/bash'
maps to '/mnt/bin/bash'. UPDATE: THIS IS NOT VIABLE
To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1408106/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1408106] Re: attach_disconnected not sufficient for overlayfs
** Tags removed: kernel-da-key
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1408106
Title:
attach_disconnected not sufficient for overlayfs
Status in AppArmor:
In Progress
Status in MAAS:
New
Status in apparmor package in Ubuntu:
Confirmed
Status in linux package in Ubuntu:
Triaged
Bug description:
With the following use of overlayfs, we get a disconnected path:
$ cat ./profile
#include
profile foo {
#include
capability sys_admin,
capability sys_chroot,
mount,
pivot_root,
}
$ cat ./overlay.c
#include
#include
#include
#include
#include
#include
#include
int main(int argc, char* argv[]) {
int i = 0;
int len = 0;
int ret = 0;
char* options;
if (geteuid())
unshare(CLONE_NEWUSER);
unshare(CLONE_NEWNS);
for (i = 1; i < argc; i++) {
if (i == 1) {
len = strlen(argv[i]) + strlen("upperdir=,lowerdir=/") + 2;
options = alloca(len);
ret = snprintf(options, len, "upperdir=%s,lowerdir=/", argv[i]);
}
else {
len = strlen(argv[i]) + strlen("upperdir=,lowerdir=/mnt") + 2;
options = alloca(len);
ret = snprintf(options, len, "upperdir=%s,lowerdir=/mnt",
argv[i]);
}
mount("overlayfs", "/mnt", "overlayfs", MS_MGC_VAL, options);
}
chdir("/mnt");
pivot_root(".", ".");
chroot(".");
chdir("/");
execl("/bin/bash", "/bin/bash", NULL);
}
$ sudo apparmor_parser -r ./profile && aa-exec -p foo -- ./a.out /tmp
[255]
...
Dec 12 14:31:38 localhost kernel: [57278.040216] audit: type=1400
audit(1418387498.613:712): apparmor="DENIED" operation="exec" info="Failed name
lookup - disconnected path" error=-13 profile="foo" name="/bin/bash" pid=18255
comm="a.out" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
With the above, the expectation was for the denial to be /mnt/bin/bash. There
are three ways forward:
1. the correct solution is to patch overlayfs to properly track the loopback,
but this will take a while, may ultimately be unachievable. UPDATE: upstream is
currently working on this and Ubuntu will engage with them
2. we could rely on the fact that overlayfs creates a private unshared
submount, and provide a way to not mediate the path when that is present, and
tagged. This would take a bit of time, and might be the preferred method over 1
longer term
3. we could extend attach_disconnected so that we can define the attach root.
Eg, we can use profile foo (attach_disconnected=/mnt) {} such that '/bin/bash'
maps to '/mnt/bin/bash'. UPDATE: THIS IS NOT VIABLE
To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1408106/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1408106] Re: attach_disconnected not sufficient for overlayfs
This bug causes maas testing to fail (at least the ntp test, because of
overlayfs and apparmor and ntp having a profile.) See
https://bugs.launchpad.net/maas/+bug/1677336
Hardware testing is a requirement for MAAS 2.2.
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1408106
Title:
attach_disconnected not sufficient for overlayfs
Status in AppArmor:
In Progress
Status in MAAS:
New
Status in apparmor package in Ubuntu:
Confirmed
Status in linux package in Ubuntu:
Triaged
Bug description:
With the following use of overlayfs, we get a disconnected path:
$ cat ./profile
#include
profile foo {
#include
capability sys_admin,
capability sys_chroot,
mount,
pivot_root,
}
$ cat ./overlay.c
#include
#include
#include
#include
#include
#include
#include
int main(int argc, char* argv[]) {
int i = 0;
int len = 0;
int ret = 0;
char* options;
if (geteuid())
unshare(CLONE_NEWUSER);
unshare(CLONE_NEWNS);
for (i = 1; i < argc; i++) {
if (i == 1) {
len = strlen(argv[i]) + strlen("upperdir=,lowerdir=/") + 2;
options = alloca(len);
ret = snprintf(options, len, "upperdir=%s,lowerdir=/", argv[i]);
}
else {
len = strlen(argv[i]) + strlen("upperdir=,lowerdir=/mnt") + 2;
options = alloca(len);
ret = snprintf(options, len, "upperdir=%s,lowerdir=/mnt",
argv[i]);
}
mount("overlayfs", "/mnt", "overlayfs", MS_MGC_VAL, options);
}
chdir("/mnt");
pivot_root(".", ".");
chroot(".");
chdir("/");
execl("/bin/bash", "/bin/bash", NULL);
}
$ sudo apparmor_parser -r ./profile && aa-exec -p foo -- ./a.out /tmp
[255]
...
Dec 12 14:31:38 localhost kernel: [57278.040216] audit: type=1400
audit(1418387498.613:712): apparmor="DENIED" operation="exec" info="Failed name
lookup - disconnected path" error=-13 profile="foo" name="/bin/bash" pid=18255
comm="a.out" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
With the above, the expectation was for the denial to be /mnt/bin/bash. There
are three ways forward:
1. the correct solution is to patch overlayfs to properly track the loopback,
but this will take a while, may ultimately be unachievable. UPDATE: upstream is
currently working on this and Ubuntu will engage with them
2. we could rely on the fact that overlayfs creates a private unshared
submount, and provide a way to not mediate the path when that is present, and
tagged. This would take a bit of time, and might be the preferred method over 1
longer term
3. we could extend attach_disconnected so that we can define the attach root.
Eg, we can use profile foo (attach_disconnected=/mnt) {} such that '/bin/bash'
maps to '/mnt/bin/bash'. UPDATE: THIS IS NOT VIABLE
To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1408106/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1408106] Re: attach_disconnected not sufficient for overlayfs
** Also affects: maas
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1408106
Title:
attach_disconnected not sufficient for overlayfs
Status in AppArmor:
In Progress
Status in MAAS:
New
Status in apparmor package in Ubuntu:
Confirmed
Status in linux package in Ubuntu:
Triaged
Bug description:
With the following use of overlayfs, we get a disconnected path:
$ cat ./profile
#include
profile foo {
#include
capability sys_admin,
capability sys_chroot,
mount,
pivot_root,
}
$ cat ./overlay.c
#include
#include
#include
#include
#include
#include
#include
int main(int argc, char* argv[]) {
int i = 0;
int len = 0;
int ret = 0;
char* options;
if (geteuid())
unshare(CLONE_NEWUSER);
unshare(CLONE_NEWNS);
for (i = 1; i < argc; i++) {
if (i == 1) {
len = strlen(argv[i]) + strlen("upperdir=,lowerdir=/") + 2;
options = alloca(len);
ret = snprintf(options, len, "upperdir=%s,lowerdir=/", argv[i]);
}
else {
len = strlen(argv[i]) + strlen("upperdir=,lowerdir=/mnt") + 2;
options = alloca(len);
ret = snprintf(options, len, "upperdir=%s,lowerdir=/mnt",
argv[i]);
}
mount("overlayfs", "/mnt", "overlayfs", MS_MGC_VAL, options);
}
chdir("/mnt");
pivot_root(".", ".");
chroot(".");
chdir("/");
execl("/bin/bash", "/bin/bash", NULL);
}
$ sudo apparmor_parser -r ./profile && aa-exec -p foo -- ./a.out /tmp
[255]
...
Dec 12 14:31:38 localhost kernel: [57278.040216] audit: type=1400
audit(1418387498.613:712): apparmor="DENIED" operation="exec" info="Failed name
lookup - disconnected path" error=-13 profile="foo" name="/bin/bash" pid=18255
comm="a.out" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
With the above, the expectation was for the denial to be /mnt/bin/bash. There
are three ways forward:
1. the correct solution is to patch overlayfs to properly track the loopback,
but this will take a while, may ultimately be unachievable. UPDATE: upstream is
currently working on this and Ubuntu will engage with them
2. we could rely on the fact that overlayfs creates a private unshared
submount, and provide a way to not mediate the path when that is present, and
tagged. This would take a bit of time, and might be the preferred method over 1
longer term
3. we could extend attach_disconnected so that we can define the attach root.
Eg, we can use profile foo (attach_disconnected=/mnt) {} such that '/bin/bash'
maps to '/mnt/bin/bash'. UPDATE: THIS IS NOT VIABLE
To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1408106/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1408106] Re: attach_disconnected not sufficient for overlayfs
Hi! What kind of (realistic) timeline can we expect here? (With the move
to ZFS for containers, I wonder :)
E.g. is this part of your goals for 16.10? (I mean: for the AppArmor
/Ubuntu-specific parts, as I've learnt to be patient wrt. the
upstreaming to Linux mainline.)
Thanks for your work on AppArmor!
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1408106
Title:
attach_disconnected not sufficient for overlayfs
Status in AppArmor:
In Progress
Status in apparmor package in Ubuntu:
Confirmed
Status in linux package in Ubuntu:
Triaged
Bug description:
With the following use of overlayfs, we get a disconnected path:
$ cat ./profile
#include
profile foo {
#include
capability sys_admin,
capability sys_chroot,
mount,
pivot_root,
}
$ cat ./overlay.c
#include
#include
#include
#include
#include
#include
#include
int main(int argc, char* argv[]) {
int i = 0;
int len = 0;
int ret = 0;
char* options;
if (geteuid())
unshare(CLONE_NEWUSER);
unshare(CLONE_NEWNS);
for (i = 1; i < argc; i++) {
if (i == 1) {
len = strlen(argv[i]) + strlen("upperdir=,lowerdir=/") + 2;
options = alloca(len);
ret = snprintf(options, len, "upperdir=%s,lowerdir=/", argv[i]);
}
else {
len = strlen(argv[i]) + strlen("upperdir=,lowerdir=/mnt") + 2;
options = alloca(len);
ret = snprintf(options, len, "upperdir=%s,lowerdir=/mnt",
argv[i]);
}
mount("overlayfs", "/mnt", "overlayfs", MS_MGC_VAL, options);
}
chdir("/mnt");
pivot_root(".", ".");
chroot(".");
chdir("/");
execl("/bin/bash", "/bin/bash", NULL);
}
$ sudo apparmor_parser -r ./profile && aa-exec -p foo -- ./a.out /tmp
[255]
...
Dec 12 14:31:38 localhost kernel: [57278.040216] audit: type=1400
audit(1418387498.613:712): apparmor="DENIED" operation="exec" info="Failed name
lookup - disconnected path" error=-13 profile="foo" name="/bin/bash" pid=18255
comm="a.out" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
With the above, the expectation was for the denial to be /mnt/bin/bash. There
are three ways forward:
1. the correct solution is to patch overlayfs to properly track the loopback,
but this will take a while, may ultimately be unachievable. UPDATE: upstream is
currently working on this and Ubuntu will engage with them
2. we could rely on the fact that overlayfs creates a private unshared
submount, and provide a way to not mediate the path when that is present, and
tagged. This would take a bit of time, and might be the preferred method over 1
longer term
3. we could extend attach_disconnected so that we can define the attach root.
Eg, we can use profile foo (attach_disconnected=/mnt) {} such that '/bin/bash'
maps to '/mnt/bin/bash'. UPDATE: THIS IS NOT VIABLE
To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1408106/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1408106] Re: attach_disconnected not sufficient for overlayfs
** Changed in: linux (Ubuntu)
Status: Confirmed => Triaged
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1408106
Title:
attach_disconnected not sufficient for overlayfs
Status in AppArmor:
In Progress
Status in apparmor package in Ubuntu:
Confirmed
Status in linux package in Ubuntu:
Triaged
Bug description:
With the following use of overlayfs, we get a disconnected path:
$ cat ./profile
#include
profile foo {
#include
capability sys_admin,
capability sys_chroot,
mount,
pivot_root,
}
$ cat ./overlay.c
#include
#include
#include
#include
#include
#include
#include
int main(int argc, char* argv[]) {
int i = 0;
int len = 0;
int ret = 0;
char* options;
if (geteuid())
unshare(CLONE_NEWUSER);
unshare(CLONE_NEWNS);
for (i = 1; i < argc; i++) {
if (i == 1) {
len = strlen(argv[i]) + strlen("upperdir=,lowerdir=/") + 2;
options = alloca(len);
ret = snprintf(options, len, "upperdir=%s,lowerdir=/", argv[i]);
}
else {
len = strlen(argv[i]) + strlen("upperdir=,lowerdir=/mnt") + 2;
options = alloca(len);
ret = snprintf(options, len, "upperdir=%s,lowerdir=/mnt",
argv[i]);
}
mount("overlayfs", "/mnt", "overlayfs", MS_MGC_VAL, options);
}
chdir("/mnt");
pivot_root(".", ".");
chroot(".");
chdir("/");
execl("/bin/bash", "/bin/bash", NULL);
}
$ sudo apparmor_parser -r ./profile && aa-exec -p foo -- ./a.out /tmp
[255]
...
Dec 12 14:31:38 localhost kernel: [57278.040216] audit: type=1400
audit(1418387498.613:712): apparmor="DENIED" operation="exec" info="Failed name
lookup - disconnected path" error=-13 profile="foo" name="/bin/bash" pid=18255
comm="a.out" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
With the above, the expectation was for the denial to be /mnt/bin/bash. There
are three ways forward:
1. the correct solution is to patch overlayfs to properly track the loopback,
but this will take a while, may ultimately be unachievable. UPDATE: upstream is
currently working on this and Ubuntu will engage with them
2. we could rely on the fact that overlayfs creates a private unshared
submount, and provide a way to not mediate the path when that is present, and
tagged. This would take a bit of time, and might be the preferred method over 1
longer term
3. we could extend attach_disconnected so that we can define the attach root.
Eg, we can use profile foo (attach_disconnected=/mnt) {} such that '/bin/bash'
maps to '/mnt/bin/bash'. UPDATE: THIS IS NOT VIABLE
To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1408106/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1408106] Re: attach_disconnected not sufficient for overlayfs
** Description changed:
With the following use of overlayfs, we get a disconnected path:
$ cat ./profile
#include tunables/global
profile foo {
#include abstractions/base
capability sys_admin,
capability sys_chroot,
mount,
pivot_root,
}
$ cat ./overlay.c
#include alloca.h
#include linux/sched.h
#include stdio.h
#include string.h
#include sys/mount.h
#include fcntl.h
#include unistd.h
int main(int argc, char* argv[]) {
int i = 0;
int len = 0;
int ret = 0;
char* options;
if (geteuid())
unshare(CLONE_NEWUSER);
unshare(CLONE_NEWNS);
for (i = 1; i argc; i++) {
if (i == 1) {
len = strlen(argv[i]) + strlen(upperdir=,lowerdir=/) + 2;
options = alloca(len);
ret = snprintf(options, len, upperdir=%s,lowerdir=/, argv[i]);
}
else {
len = strlen(argv[i]) + strlen(upperdir=,lowerdir=/mnt) + 2;
options = alloca(len);
ret = snprintf(options, len, upperdir=%s,lowerdir=/mnt,
argv[i]);
}
mount(overlayfs, /mnt, overlayfs, MS_MGC_VAL, options);
}
chdir(/mnt);
pivot_root(., .);
chroot(.);
chdir(/);
execl(/bin/bash, /bin/bash, NULL);
}
$ sudo apparmor_parser -r ./profile aa-exec -p foo -- ./a.out /tmp
[255]
...
Dec 12 14:31:38 localhost kernel: [57278.040216] audit: type=1400
audit(1418387498.613:712): apparmor=DENIED operation=exec info=Failed name
lookup - disconnected path error=-13 profile=foo name=/bin/bash pid=18255
comm=a.out requested_mask=x denied_mask=x fsuid=1000 ouid=0
With the above, the expectation was for the denial to be /mnt/bin/bash. There
are three ways forward:
- 1. the correct solution is to patch overlayfs to properly track the loopback,
but this will take a while, may ultimately be unachievable (investigation is
needed)
+ 1. the correct solution is to patch overlayfs to properly track the loopback,
but this will take a while, may ultimately be unachievable. UPDATE: upstream is
currently working on this and Ubuntu will engage with them
2. we could rely on the fact that overlayfs creates a private unshared
submount, and provide a way to not mediate the path when that is present, and
tagged. This would take a bit of time, and might be the preferred method over 1
longer term
3. we could extend attach_disconnected so that we can define the attach root.
Eg, we can use profile foo (attach_disconnected=/mnt) {} such that '/bin/bash'
maps to '/mnt/bin/bash'. UPDATE: THIS IS NOT VIABLE
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1408106
Title:
attach_disconnected not sufficient for overlayfs
Status in AppArmor Linux application security framework:
In Progress
Status in apparmor package in Ubuntu:
Confirmed
Status in linux package in Ubuntu:
Confirmed
Bug description:
With the following use of overlayfs, we get a disconnected path:
$ cat ./profile
#include tunables/global
profile foo {
#include abstractions/base
capability sys_admin,
capability sys_chroot,
mount,
pivot_root,
}
$ cat ./overlay.c
#include alloca.h
#include linux/sched.h
#include stdio.h
#include string.h
#include sys/mount.h
#include fcntl.h
#include unistd.h
int main(int argc, char* argv[]) {
int i = 0;
int len = 0;
int ret = 0;
char* options;
if (geteuid())
unshare(CLONE_NEWUSER);
unshare(CLONE_NEWNS);
for (i = 1; i argc; i++) {
if (i == 1) {
len = strlen(argv[i]) + strlen(upperdir=,lowerdir=/) + 2;
options = alloca(len);
ret = snprintf(options, len, upperdir=%s,lowerdir=/, argv[i]);
}
else {
len = strlen(argv[i]) + strlen(upperdir=,lowerdir=/mnt) + 2;
options = alloca(len);
ret = snprintf(options, len, upperdir=%s,lowerdir=/mnt,
argv[i]);
}
mount(overlayfs, /mnt, overlayfs, MS_MGC_VAL, options);
}
chdir(/mnt);
pivot_root(., .);
chroot(.);
chdir(/);
execl(/bin/bash, /bin/bash, NULL);
}
$ sudo apparmor_parser -r ./profile aa-exec -p foo -- ./a.out /tmp
[255]
...
Dec 12 14:31:38 localhost kernel: [57278.040216] audit: type=1400
audit(1418387498.613:712): apparmor=DENIED operation=exec info=Failed name
lookup - disconnected path error=-13 profile=foo name=/bin/bash pid=18255
comm=a.out requested_mask=x denied_mask=x fsuid=1000 ouid=0
With the above, the expectation was for the denial to be /mnt/bin/bash. There
are three ways forward:
1. the correct solution is to patch overlayfs to properly track the loopback,
but this will take a while, may ultimately be unachievable. UPDATE: upstream is
[Touch-packages] [Bug 1408106] Re: attach_disconnected not sufficient for overlayfs
** Tags removed: kernel-key
** Tags added: kernel-da-key
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1408106
Title:
attach_disconnected not sufficient for overlayfs
Status in AppArmor Linux application security framework:
In Progress
Status in apparmor package in Ubuntu:
Confirmed
Status in linux package in Ubuntu:
Confirmed
Bug description:
With the following use of overlayfs, we get a disconnected path:
$ cat ./profile
#include tunables/global
profile foo {
#include abstractions/base
capability sys_admin,
capability sys_chroot,
mount,
pivot_root,
}
$ cat ./overlay.c
#include alloca.h
#include linux/sched.h
#include stdio.h
#include string.h
#include sys/mount.h
#include fcntl.h
#include unistd.h
int main(int argc, char* argv[]) {
int i = 0;
int len = 0;
int ret = 0;
char* options;
if (geteuid())
unshare(CLONE_NEWUSER);
unshare(CLONE_NEWNS);
for (i = 1; i argc; i++) {
if (i == 1) {
len = strlen(argv[i]) + strlen(upperdir=,lowerdir=/) + 2;
options = alloca(len);
ret = snprintf(options, len, upperdir=%s,lowerdir=/, argv[i]);
}
else {
len = strlen(argv[i]) + strlen(upperdir=,lowerdir=/mnt) + 2;
options = alloca(len);
ret = snprintf(options, len, upperdir=%s,lowerdir=/mnt,
argv[i]);
}
mount(overlayfs, /mnt, overlayfs, MS_MGC_VAL, options);
}
chdir(/mnt);
pivot_root(., .);
chroot(.);
chdir(/);
execl(/bin/bash, /bin/bash, NULL);
}
$ sudo apparmor_parser -r ./profile aa-exec -p foo -- ./a.out /tmp
[255]
...
Dec 12 14:31:38 localhost kernel: [57278.040216] audit: type=1400
audit(1418387498.613:712): apparmor=DENIED operation=exec info=Failed name
lookup - disconnected path error=-13 profile=foo name=/bin/bash pid=18255
comm=a.out requested_mask=x denied_mask=x fsuid=1000 ouid=0
With the above, the expectation was for the denial to be /mnt/bin/bash. There
are three ways forward:
1. the correct solution is to patch overlayfs to properly track the loopback,
but this will take a while, may ultimately be unachievable (investigation is
needed) and is likely non-upstreamable
2. we could rely on the fact that overlayfs creates a private unshared
submount, and provide a way to not mediate the path when that is present, and
tagged. This would take a bit of time, and might be the preferred method over 1
longer term
3. we could extend attach_disconnected so that we can define the attach root.
Eg, we can use profile foo (attach_disconnected=/mnt) {} such that '/bin/bash'
maps to '/mnt/bin/bash'.
While attach_disconnected should in general be discouraged, this method:
* is doable in a short time frame,
* is generally useful even when the proper fix is in place
* would help lxc in a few cases
* would be sufficient for snappy
To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1408106/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1408106] Re: attach_disconnected not sufficient for overlayfs
** Summary changed:
- allow defining the attach root for attach_disconnected
+ attach_disconnected not sufficient for overlayfs
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1408106
Title:
attach_disconnected not sufficient for overlayfs
Status in AppArmor Linux application security framework:
In Progress
Status in apparmor package in Ubuntu:
Confirmed
Status in linux package in Ubuntu:
Confirmed
Bug description:
With the following use of overlayfs, we get a disconnected path:
$ cat ./profile
#include tunables/global
profile foo {
#include abstractions/base
capability sys_admin,
capability sys_chroot,
mount,
pivot_root,
}
$ cat ./overlay.c
#include alloca.h
#include linux/sched.h
#include stdio.h
#include string.h
#include sys/mount.h
#include fcntl.h
#include unistd.h
int main(int argc, char* argv[]) {
int i = 0;
int len = 0;
int ret = 0;
char* options;
if (geteuid())
unshare(CLONE_NEWUSER);
unshare(CLONE_NEWNS);
for (i = 1; i argc; i++) {
if (i == 1) {
len = strlen(argv[i]) + strlen(upperdir=,lowerdir=/) + 2;
options = alloca(len);
ret = snprintf(options, len, upperdir=%s,lowerdir=/, argv[i]);
}
else {
len = strlen(argv[i]) + strlen(upperdir=,lowerdir=/mnt) + 2;
options = alloca(len);
ret = snprintf(options, len, upperdir=%s,lowerdir=/mnt,
argv[i]);
}
mount(overlayfs, /mnt, overlayfs, MS_MGC_VAL, options);
}
chdir(/mnt);
pivot_root(., .);
chroot(.);
chdir(/);
execl(/bin/bash, /bin/bash, NULL);
}
$ sudo apparmor_parser -r ./profile aa-exec -p foo -- ./a.out /tmp
[255]
...
Dec 12 14:31:38 localhost kernel: [57278.040216] audit: type=1400
audit(1418387498.613:712): apparmor=DENIED operation=exec info=Failed name
lookup - disconnected path error=-13 profile=foo name=/bin/bash pid=18255
comm=a.out requested_mask=x denied_mask=x fsuid=1000 ouid=0
With the above, the expectation was for the denial to be /mnt/bin/bash. There
are three ways forward:
1. the correct solution is to patch overlayfs to properly track the loopback,
but this will take a while, may ultimately be unachievable (investigation is
needed) and is likely non-upstreamable
2. we could rely on the fact that overlayfs creates a private unshared
submount, and provide a way to not mediate the path when that is present, and
tagged. This would take a bit of time, and might be the preferred method over 1
longer term
3. we could extend attach_disconnected so that we can define the attach root.
Eg, we can use profile foo (attach_disconnected=/mnt) {} such that '/bin/bash'
maps to '/mnt/bin/bash'.
While attach_disconnected should in general be discouraged, this method:
* is doable in a short time frame,
* is generally useful even when the proper fix is in place
* would help lxc in a few cases
* would be sufficient for snappy
To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1408106/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
