capability dac_override needed with overlayfs when deleting file from lower
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
AppArmor | New | Undecided | Unassigned |
Bug Description
On 4.4, I see the following denial when trying to delete a file in the lower filesystem from the merged filesystem:
Jul 11 14:50:12 sec-xenial-amd64 kernel: audit: type=1400 audit(149980261
Reproducer:
$ tar -zxvf ./overlay-
overlay-
overlay-
overlay-
overlay-
overlay-
Created tmpdir '/tmp/tmp.
Ubuntu 4.4.0-83.
Disabling kernel rate-limiting
kernel.
Loading /tmp/tmp.
chdir(/
Creating the overlay directories
- mkdir /tmp/tmp.
- mkdir /tmp/tmp.
- mkdir /tmp/tmp.
- mkdir /tmp/tmp.
Populating /tmp/tmp.
- /tmp/tmp.
ls -lr /tmp/tmp.rwNjTft1lW
/tmp/tmp.
total 8
drwxr-xr-x 2 root root 4096 Jul 11 14:50 data
drwxr-xr-x 6 root root 4096 Jul 11 14:50 mnt
/tmp/tmp.
total 44
-rwxr-xr-x 1 root root 1498 Jul 11 14:50 drv
-rwxr-xr-x 1 root root 16480 Jul 11 14:50 overlay
-rw-r--r-- 1 root root 5531 Jul 11 14:50 overlay.c
-rw-r--r-- 1 root root 740 Jul 11 14:50 p
-rw-r--r-- 1 root root 723 Jul 11 14:50 p.in
-rwxr-xr-x 1 root root 313 Jul 11 14:50 tst
/tmp/tmp.
total 16
drwxr-xr-x 2 root root 4096 Jul 11 14:50 lower
drwxr-xr-x 2 root root 4096 Jul 11 14:50 merged
drwxr-xr-x 2 root root 4096 Jul 11 14:50 upper
drwxr-xr-x 2 root root 4096 Jul 11 14:50 work
/tmp/tmp.
total 4
-rw-r--r-- 1 root root 6 Jul 11 14:50 test-lower
/tmp/tmp.
total 0
/tmp/tmp.
total 0
/tmp/tmp.
total 0
Perform the overlay
lower=/
upper=/
work=/tmp/
where=/
exe=/tmp/
- mount('overlay', '/tmp/tmp.
- success
starting '/tmp/tmp.
Testing files in overlay
- remove lower from merged
- rm -f ./merged/test-lower
rm: cannot remove './merged/
FAIL: could not delete ./merged/test-lower
Cleaning up
- umount /tmp/tmp.
- rm -rf /tmp/tmp.rwNjTft1lW
With the 4.10 and 4.11 kernels with the same reproducer I also see a dac_read_search denial:
Jul 11 14:50:20 sec-artful-amd64 kernel: audit: type=1400 audit(149980262
Jul 11 14:50:20 sec-artful-amd64 kernel: audit: type=1400 audit(149980262
Testing with the Ubuntu 4.13.0-32.35-generic 4.13.13 kernel on the 18.04 livecd, this no longer seems to be an issue.
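The audit lines in the report above are truncated, so as an added example (not part of the bug report or of the AppArmor project's tooling) here is a small parser that takes type=1400 `operation="capable"` denials of the kind quoted for 4.4 and 4.10/4.11 and emits the `capability <name>,` rules a profile would need to permit them. The sample lines are constructed to follow the kernel's AppArmor audit format; the timestamps, pids and the profile name `overlay-test` are made up and are not the reporter's values.

```python
"""Turn AppArmor 'capable' denials into the profile rules that would permit them.

Added example for this bug report. The audit lines below are constructed to
match the kernel's type=1400 format; they are not copied from the report,
whose own lines are truncated.
"""
import re
from collections import defaultdict

# Constructed sample: what the 4.4 denial (dac_override) and the additional
# 4.10/4.11 denial (dac_read_search) look like for an rm running under a
# confined profile. Profile name, pids and timestamps are invented.
SAMPLE_AUDIT_LINES = [
    'audit: type=1400 audit(1499802612.000:100): apparmor="DENIED" operation="capable" '
    'profile="overlay-test" pid=4242 comm="rm" capability=1  capname="dac_override"',
    'audit: type=1400 audit(1499802620.000:101): apparmor="DENIED" operation="capable" '
    'profile="overlay-test" pid=4243 comm="rm" capability=2  capname="dac_read_search"',
    'audit: type=1400 audit(1499802620.000:102): apparmor="DENIED" operation="capable" '
    'profile="overlay-test" pid=4243 comm="rm" capability=1  capname="dac_override"',
    # A complain-mode ALLOWED event and a non-capability denial must be ignored.
    'audit: type=1400 audit(1499802621.000:103): apparmor="ALLOWED" operation="capable" '
    'profile="other" pid=1 comm="x" capability=1  capname="dac_override"',
    'audit: type=1400 audit(1499802622.000:104): apparmor="DENIED" operation="open" '
    'profile="overlay-test" name="/etc/shadow" pid=4244 comm="cat" requested_mask="r" '
    'denied_mask="r" fsuid=0 ouid=0',
]

# key=value or key="quoted value"; the audit(...) prefix has no '=' and is skipped.
_FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_audit_fields(line):
    """Return the key=value pairs of one audit line as a dict, quotes stripped."""
    fields = {}
    for m in _FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def capability_denials(lines):
    """Yield (profile, capname, comm) for every DENIED operation="capable" line."""
    for line in lines:
        f = parse_audit_fields(line)
        if f.get("apparmor") != "DENIED" or f.get("operation") != "capable":
            continue
        if "capname" not in f or "profile" not in f:
            continue
        yield f["profile"], f["capname"], f.get("comm", "?")


def rules_by_profile(lines):
    """Map profile name -> sorted 'capability <name>,' rules covering its denials.

    Repeated denials of the same capability collapse into one rule.
    """
    needed = defaultdict(set)
    for profile, capname, _comm in capability_denials(lines):
        needed[profile].add(f"capability {capname},")
    return {profile: sorted(rules) for profile, rules in needed.items()}


def render_profile_additions(lines):
    """Render the additions in AppArmor profile syntax, one block per profile."""
    out = []
    for profile, rules in sorted(rules_by_profile(lines).items()):
        out.append(f"# add to profile {profile}:")
        out.extend(f"  {rule}" for rule in rules)
    return "\n".join(out)


if __name__ == "__main__":
    print(render_profile_additions(SAMPLE_AUDIT_LINES))
```

On a real system `aa-logprof` from apparmor-utils performs this step against the live log; the point of the script is only to make explicit which two rules the denials quoted above correspond to, and that granting `capability dac_override` to a confined process is a significant widening of its privileges, so it is worth confirming (as the reporter did) whether the denial still occurs on a newer kernel before adding it.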