I can't comment on the interaction of AppArmor and overlay with the available information. I can say that we already have these rules:
const dockerSupportConnectedPlugAppArmorCore = `
# These accesses are necessary for Ubuntu Core 16 and 18, likely due to the
# version of apparmor or the kernel which doesn't resolve the upper layer of an
# overlayfs mount correctly. The accesses show up as runc trying to read from
# /system-data/var/snap/docker/common/var-lib-docker/overlay2/$SHA/diff/
/system-data/var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/common/{,**/} rwl,
/system-data/var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/@{SNAP_REVISION}/{,**/} rwl,
`

The denial of:

apparmor="DENIED" operation="open" profile="snap.docker.dockerd" name="/system-data/var/snap/docker/common/var-lib-docker/overlay2/afce643d5ac2c31f46b8c867c35abea776166c6da199fab370c30af17d314fd7-init/diff/.dockerenv" pid=2932 comm="dockerd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

doesn't match this though, because '.dockerenv' is a file, not a directory. If I were to guess, I'd guess that perhaps the snap is overlaying a file rather than a dir, but again, I don't know for sure.

It would be fine to adjust the policy to use this instead:

/system-data/var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/common/{,**} rwl,
/system-data/var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/@{SNAP_REVISION}/{,**} rwl,

since the snap already has read/write access to these directories when /system-data is not prepended. I've taken a todo to send up a PR for this.

** Also affects: snapd
   Importance: Undecided
       Status: New

** Changed in: snapd
       Status: New => Triaged

** Changed in: snapd
     Assignee: (unassigned) => Jamie Strandboge (jdstrand)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1868894

Title:
  [uc18] docker overlayfs* seems broken

To manage notifications about this bug go to:
https://bugs.launchpad.net/snapd/+bug/1868894/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
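As an added illustration (not part of this bug thread or of snapd's own code), the Python below models AppArmor path globbing just far enough to show why the existing `{,**/}` rule cannot match the denied `.dockerenv` path while the proposed `{,**}` rule does. The glob-to-regex translation, the brace expander and the snap variable values (SNAP_NAME, SNAP_INSTANCE_NAME, SNAP_REVISION) are assumptions of this example.

```python
import re

# Constructed values for the snap variables; snapd substitutes the real ones.
SNAP_VARS = {"SNAP_NAME": "docker", "SNAP_INSTANCE_NAME": "docker", "SNAP_REVISION": "384"}

# Denied path from the kernel log quoted in the bug (a file, no trailing slash).
DENIED_PATH = ("/system-data/var/snap/docker/common/var-lib-docker/overlay2/"
               "afce643d5ac2c31f46b8c867c35abea776166c6da199fab370c30af17d314fd7-init"
               "/diff/.dockerenv")

OLD_RULE = "/system-data/var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/common/{,**/}"
NEW_RULE = "/system-data/var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/common/{,**}"


def expand_braces(glob):
    """Expand {a,b} alternations into plain globs (one level at a time)."""
    m = re.search(r"\{([^{}]*)\}", glob)
    if not m:
        return [glob]
    out = []
    for alt in m.group(1).split(","):
        out.extend(expand_braces(glob[:m.start()] + alt + glob[m.end():]))
    return out


def glob_to_regex(glob):
    """AppArmor semantics: '**' may span '/', '*' stops at '/'; anchored whole-path match."""
    rx, i = "", 0
    while i < len(glob):
        if glob.startswith("**", i):
            rx, i = rx + ".*", i + 2
        elif glob[i] == "*":
            rx, i = rx + "[^/]*", i + 1
        else:
            rx, i = rx + re.escape(glob[i]), i + 1
    return re.compile("^" + rx + "$")


def rule_matches(rule_path, path, variables=SNAP_VARS):
    """True if the AppArmor path pattern covers `path` after variable substitution."""
    for name, value in variables.items():
        rule_path = rule_path.replace("@{" + name + "}", value)
    return any(glob_to_regex(g).match(path) for g in expand_braces(rule_path))


if __name__ == "__main__":
    print("old rule matches .dockerenv:", rule_matches(OLD_RULE, DENIED_PATH))  # False
    print("new rule matches .dockerenv:", rule_matches(NEW_RULE, DENIED_PATH))  # True
```

The trailing slash in `**/` restricts the old rule to directory paths, which is why a read of the `.dockerenv` file under `diff/` is still denied.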