capability dac_override needed with overlayfs when deleting file from lower

Bug #1703670 reported by Jamie Strandboge
Affects | Status | Importance | Assigned to | Milestone
AppArmor | New | Undecided | Unassigned |

Bug Description

On 4.4, I see the following denial when trying to delete a file in the lower filesystem from the merged filesystem:

Jul 11 14:50:12 sec-xenial-amd64 kernel: audit: type=1400 audit(1499802612.546:68): apparmor="DENIED" operation="capable" profile="test-profile" pid=2247 comm="rm" capability=1 capname="dac_override"

Reproducer:
$ tar -zxvf ./overlay-requires-dac_override-with-delete-lower.tar.gz && sudo ./overlay-requires-dac_override-with-delete-lower/drv
overlay-requires-dac_override-with-delete-lower/
overlay-requires-dac_override-with-delete-lower/p.in
overlay-requires-dac_override-with-delete-lower/overlay.c
overlay-requires-dac_override-with-delete-lower/drv
overlay-requires-dac_override-with-delete-lower/tst
Created tmpdir '/tmp/tmp.rwNjTft1lW'

Ubuntu 4.4.0-83.106-generic 4.4.70

Disabling kernel rate-limiting
kernel.printk_ratelimit = 0

Loading /tmp/tmp.rwNjTft1lW/data/p

chdir(/tmp/tmp.rwNjTft1lW/mnt)

Creating the overlay directories
- mkdir /tmp/tmp.rwNjTft1lW/mnt/lower
- mkdir /tmp/tmp.rwNjTft1lW/mnt/upper
- mkdir /tmp/tmp.rwNjTft1lW/mnt/work
- mkdir /tmp/tmp.rwNjTft1lW/mnt/merged

Populating /tmp/tmp.rwNjTft1lW/mnt/lower
- /tmp/tmp.rwNjTft1lW/mnt/lower/test-lower

ls -lr /tmp/tmp.rwNjTft1lW
/tmp/tmp.rwNjTft1lW:
total 8
drwxr-xr-x 2 root root 4096 Jul 11 14:50 data
drwxr-xr-x 6 root root 4096 Jul 11 14:50 mnt

/tmp/tmp.rwNjTft1lW/data:
total 44
-rwxr-xr-x 1 root root 1498 Jul 11 14:50 drv
-rwxr-xr-x 1 root root 16480 Jul 11 14:50 overlay
-rw-r--r-- 1 root root 5531 Jul 11 14:50 overlay.c
-rw-r--r-- 1 root root 740 Jul 11 14:50 p
-rw-r--r-- 1 root root 723 Jul 11 14:50 p.in
-rwxr-xr-x 1 root root 313 Jul 11 14:50 tst

/tmp/tmp.rwNjTft1lW/mnt:
total 16
drwxr-xr-x 2 root root 4096 Jul 11 14:50 lower
drwxr-xr-x 2 root root 4096 Jul 11 14:50 merged
drwxr-xr-x 2 root root 4096 Jul 11 14:50 upper
drwxr-xr-x 2 root root 4096 Jul 11 14:50 work

/tmp/tmp.rwNjTft1lW/mnt/lower:
total 4
-rw-r--r-- 1 root root 6 Jul 11 14:50 test-lower

/tmp/tmp.rwNjTft1lW/mnt/merged:
total 0

/tmp/tmp.rwNjTft1lW/mnt/upper:
total 0

/tmp/tmp.rwNjTft1lW/mnt/work:
total 0

Perform the overlay
lower=/tmp/tmp.rwNjTft1lW/mnt/lower
upper=/tmp/tmp.rwNjTft1lW/mnt/upper
work=/tmp/tmp.rwNjTft1lW/mnt/work
where=/tmp/tmp.rwNjTft1lW/mnt/merged
exe=/tmp/tmp.rwNjTft1lW/data/tst
- mount('overlay', '/tmp/tmp.rwNjTft1lW/mnt/merged', 'overlay', MS_MGC_VAL, lowerdir=/tmp/tmp.rwNjTft1lW/mnt/lower,upperdir=/tmp/tmp.rwNjTft1lW/mnt/upper,workdir=/tmp/tmp.rwNjTft1lW/mnt/work
 - success
starting '/tmp/tmp.rwNjTft1lW/data/tst'

Testing files in overlay
- remove lower from merged
 - rm -f ./merged/test-lower
rm: cannot remove './merged/test-lower': Permission denied
FAIL: could not delete ./merged/test-lower

Cleaning up
- umount /tmp/tmp.rwNjTft1lW/mnt/merged
- rm -rf /tmp/tmp.rwNjTft1lW

With the 4.10 and 4.11 kernels with the same reproducer I also see a dac_read_search denial:

Jul 11 14:50:20 sec-artful-amd64 kernel: audit: type=1400 audit(1499802620.813:52): apparmor="DENIED" operation="capable" profile="test-profile" pid=2152 comm="rm" capability=1 capname="dac_override"
Jul 11 14:50:20 sec-artful-amd64 kernel: audit: type=1400 audit(1499802620.813:53): apparmor="DENIED" operation="capable" profile="test-profile" pid=2152 comm="rm" capability=2 capname="dac_read_search"

Tags: aa-kernel
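
A triage helper for the audit lines quoted in this report, added here as an example (not part of the bug report or its reproducer tarball): it parses `type=1400` AppArmor records and groups denied capabilities by profile and command. The function names and the third sample line are constructed for illustration.

```python
import re
from collections import defaultdict

# The first two lines are copied from the report above; the third is
# constructed (a file denial) to show that non-capability events are skipped.
SAMPLE_LOG = "\n".join([
    'Jul 11 14:50:20 sec-artful-amd64 kernel: audit: type=1400 audit(1499802620.813:52): apparmor="DENIED" operation="capable" profile="test-profile" pid=2152 comm="rm" capability=1 capname="dac_override"',
    'Jul 11 14:50:20 sec-artful-amd64 kernel: audit: type=1400 audit(1499802620.813:53): apparmor="DENIED" operation="capable" profile="test-profile" pid=2152 comm="rm" capability=2 capname="dac_read_search"',
    'Jul 11 14:50:21 sec-artful-amd64 kernel: audit: type=1400 audit(1499802621.000:54): apparmor="DENIED" operation="open" profile="test-profile" name="/tmp/example" pid=2153 comm="cat" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
])

# key=value or key="value" pairs in the record body.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# audit(<epoch>.<ms>:<serial>) identifies one audit event.
EVENT_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')

def parse_denial(line):
    """Return a dict for an AppArmor capability denial, or None."""
    event = EVENT_RE.search(line)
    if event is None:
        return None
    fields = {k: quoted or bare for k, quoted, bare in FIELD_RE.findall(line)}
    if fields.get("type") != "1400" or fields.get("apparmor") != "DENIED":
        return None
    if fields.get("operation") != "capable" or "capname" not in fields:
        return None
    if not fields.get("capability", "").isdigit():
        return None
    return {
        "serial": int(event.group(2)),
        "profile": fields.get("profile", ""),
        "comm": fields.get("comm", ""),
        "pid": fields.get("pid", ""),
        "capability": int(fields["capability"]),
        "capname": fields["capname"],
    }

def denied_capabilities(log_text):
    """Map (profile, comm) to the sorted capability names that were denied."""
    denied = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_denial(line)
        if rec is not None:
            denied[(rec["profile"], rec["comm"])].add(rec["capname"])
    return {key: sorted(names) for key, names in denied.items()}

if __name__ == "__main__":
    for (profile, comm), caps in denied_capabilities(SAMPLE_LOG).items():
        print(f"profile={profile} comm={comm} denied: {', '.join(caps)}")
```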
Jamie Strandboge (jdstrand) wrote :

Testing with the Ubuntu 4.13.0-32.35-generic 4.13.13 kernel on the 18.04 livecd, this doesn't seem to still be an issue.
