AppArmor

capability dac_override needed with overlayfs when deleting file from lower

Bug #1703670 reported by Jamie Strandboge on 2017-07-11

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	AppArmor	New	Undecided	Unassigned

Bug Description

On 4.4, I see the following denial when trying to delete a file in the lower filesystem from the merged filesystem:

Jul 11 14:50:12 sec-xenial-amd64 kernel: audit: type=1400 audit(1499802612.546:68): apparmor="DENIED" operation="capable" profile="test-profile" pid=2247 comm="rm" capability=1 capname="dac_override"

Reproducer:
$ tar -zxvf ./overlay-requires-dac_override-with-delete-lower.tar.gz && sudo ./overlay-requires-dac_override-with-delete-lower/drv
overlay-requires-dac_override-with-delete-lower/
overlay-requires-dac_override-with-delete-lower/p.in
overlay-requires-dac_override-with-delete-lower/overlay.c
overlay-requires-dac_override-with-delete-lower/drv
overlay-requires-dac_override-with-delete-lower/tst
Created tmpdir '/tmp/tmp.rwNjTft1lW'

Ubuntu 4.4.0-83.106-generic 4.4.70

Disabling kernel rate-limiting
kernel.printk_ratelimit = 0

Loading /tmp/tmp.rwNjTft1lW/data/p

chdir(/tmp/tmp.rwNjTft1lW/mnt)

Creating the overlay directories
- mkdir /tmp/tmp.rwNjTft1lW/mnt/lower
- mkdir /tmp/tmp.rwNjTft1lW/mnt/upper
- mkdir /tmp/tmp.rwNjTft1lW/mnt/work
- mkdir /tmp/tmp.rwNjTft1lW/mnt/merged

Populating /tmp/tmp.rwNjTft1lW/mnt/lower
- /tmp/tmp.rwNjTft1lW/mnt/lower/test-lower

ls -lr /tmp/tmp.rwNjTft1lW
/tmp/tmp.rwNjTft1lW:
total 8
drwxr-xr-x 2 root root 4096 Jul 11 14:50 data
drwxr-xr-x 6 root root 4096 Jul 11 14:50 mnt

/tmp/tmp.rwNjTft1lW/data:
total 44
-rwxr-xr-x 1 root root 1498 Jul 11 14:50 drv
-rwxr-xr-x 1 root root 16480 Jul 11 14:50 overlay
-rw-r--r-- 1 root root 5531 Jul 11 14:50 overlay.c
-rw-r--r-- 1 root root 740 Jul 11 14:50 p
-rw-r--r-- 1 root root 723 Jul 11 14:50 p.in
-rwxr-xr-x 1 root root 313 Jul 11 14:50 tst

/tmp/tmp.rwNjTft1lW/mnt:
total 16
drwxr-xr-x 2 root root 4096 Jul 11 14:50 lower
drwxr-xr-x 2 root root 4096 Jul 11 14:50 merged
drwxr-xr-x 2 root root 4096 Jul 11 14:50 upper
drwxr-xr-x 2 root root 4096 Jul 11 14:50 work

/tmp/tmp.rwNjTft1lW/mnt/lower:
total 4
-rw-r--r-- 1 root root 6 Jul 11 14:50 test-lower

/tmp/tmp.rwNjTft1lW/mnt/merged:
total 0

/tmp/tmp.rwNjTft1lW/mnt/upper:
total 0

/tmp/tmp.rwNjTft1lW/mnt/work:
total 0

Perform the overlay
lower=/tmp/tmp.rwNjTft1lW/mnt/lower
upper=/tmp/tmp.rwNjTft1lW/mnt/upper
work=/tmp/tmp.rwNjTft1lW/mnt/work
where=/tmp/tmp.rwNjTft1lW/mnt/merged
exe=/tmp/tmp.rwNjTft1lW/data/tst
- mount('overlay', '/tmp/tmp.rwNjTft1lW/mnt/merged', 'overlay', MS_MGC_VAL, lowerdir=/tmp/tmp.rwNjTft1lW/mnt/lower,upperdir=/tmp/tmp.rwNjTft1lW/mnt/upper,workdir=/tmp/tmp.rwNjTft1lW/mnt/work
- success
starting '/tmp/tmp.rwNjTft1lW/data/tst'

Testing files in overlay
- remove lower from merged
- rm -f ./merged/test-lower
rm: cannot remove './merged/test-lower': Permission denied
FAIL: could not delete ./merged/test-lower

Cleaning up
- umount /tmp/tmp.rwNjTft1lW/mnt/merged
- rm -rf /tmp/tmp.rwNjTft1lW

With the 4.10 and 4.11 kernels with the same reproducer I also see a dac_read_search denial:

Jul 11 14:50:20 sec-artful-amd64 kernel: audit: type=1400 audit(1499802620.813:52): apparmor="DENIED" operation="capable" profile="test-profile" pid=2152 comm="rm" capability=1 capname="dac_override"
Jul 11 14:50:20 sec-artful-amd64 kernel: audit: type=1400 audit(1499802620.813:53): apparmor="DENIED" operation="capable" profile="test-profile" pid=2152 comm="rm" capability=2 capname="dac_read_search"

Tags: