I can't comment on the interaction of AppArmor and overlay with the
available information. I can say that we already have these rules:

const dockerSupportConnectedPlugAppArmorCore = `
# These accesses are necessary for Ubuntu Core 16 and 18, likely due to the
# version of apparmor or the kernel which doesn't resolve the upper layer of an
# overlayfs mount correctly; the accesses show up as runc trying to read from
# /system-data/var/snap/docker/common/var-lib-docker/overlay2/$SHA/diff/
/system-data/var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/common/{,**/} rwl,
/system-data/var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/@{SNAP_REVISION}/{,**/} rwl,
`

The denial of 'apparmor="DENIED" operation="open" profile="snap.docker.dockerd" name="/system-data/var/snap/docker/common/var-lib-docker/overlay2/afce643d5ac2c31f46b8c867c35abea776166c6da199fab370c30af17d314fd7-init/diff/.dockerenv" pid=2932 comm="dockerd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0' doesn't match this though, because '.dockerenv' is a file, not a directory. If I were to guess, I'd guess that perhaps the snap is overlaying a file rather than a dir, but again, I don't know for sure.

It would be fine to adjust the policy to use this instead:

/system-data/var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/common/{,**} rwl,
/system-data/var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/@{SNAP_REVISION}/{,**} rwl,

since the snap already has read/write access to these directories when
/system-data is not prepended. I've taken a todo to send up a PR for
this.

** Also affects: snapd
   Importance: Undecided
       Status: New

** Changed in: snapd
       Status: New => Triaged

** Changed in: snapd
     Assignee: (unassigned) => Jamie Strandboge (jdstrand)
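To see why the logged denial slips past the existing `{,**/}` rule but is covered by the proposed `{,**}` rule, here is an added example (not part of the bug report or of snapd) that translates the AppArmor glob subset used in these rules into a regex and checks the denied path against both. The variable values (SNAP_NAME, SNAP_INSTANCE_NAME, SNAP_REVISION) are assumed for illustration.

```python
"""Check AppArmor path globs against a denied path (constructed example)."""
import re

# Assumed values; snapd substitutes the real ones when generating the profile.
VARIABLES = {"SNAP_NAME": "docker", "SNAP_INSTANCE_NAME": "docker", "SNAP_REVISION": "423"}

OLD_RULE = "/system-data/var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/common/{,**/}"
NEW_RULE = "/system-data/var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/common/{,**}"

# The path from the denial message quoted in the bug report.
DENIED_PATH = ("/system-data/var/snap/docker/common/var-lib-docker/overlay2/"
               "afce643d5ac2c31f46b8c867c35abea776166c6da199fab370c30af17d314fd7-init"
               "/diff/.dockerenv")


def expand_variables(rule: str, variables: dict) -> str:
    """Substitute @{NAME} references before glob translation."""
    return re.sub(r"@\{([A-Za-z_][A-Za-z0-9_]*)\}", lambda m: variables[m.group(1)], rule)


def glob_to_regex(glob: str) -> str:
    """Translate the AppArmor glob subset used in these rules into a regex.

    '*' matches within one path component, '**' also crosses '/', '?' is one
    non-'/' character, and '{a,b}' is alternation (an empty alternative is allowed).
    """
    out, depth, i = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if c == "*":
            double = glob.startswith("**", i)
            out.append(".*" if double else "[^/]*")
            i += 2 if double else 1
            continue
        if c == "?":
            out.append("[^/]")
        elif c == "{":
            out.append("(?:")
            depth += 1
        elif c == "}" and depth:
            out.append(")")
            depth -= 1
        elif c == "," and depth:
            out.append("|")
        else:
            out.append(re.escape(c))
        i += 1
    return "".join(out)


def rule_matches(rule: str, path: str, variables: dict = VARIABLES) -> bool:
    """True if the AppArmor path glob covers the given path."""
    return re.fullmatch(glob_to_regex(expand_variables(rule, variables)), path) is not None
```

With the trailing slash in `{,**/}` the old rule only ever matches directory paths, so `rule_matches(OLD_RULE, DENIED_PATH)` is False while the directory `.../overlay2/` still matches; `{,**}` covers both.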

https://bugs.launchpad.net/bugs/1868894

Title:
  [uc18] docker overlayfs* seems broken