I see the following denial when trying to read a file only in the upper dir accessed via merged:
Jul 11 15:04:07 sec-xenial-amd64 kernel: audit: type=1400 audit(1499803447.671:70): apparmor="DENIED" operation="getattr" info="Failed name lookup - disconnected path" error=-13 profile="test-profile" name="tmp/tmp.S41Vv03pBE/mnt/upper/test-upper" pid=2323 comm="grep" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
On 4.4 I see only one denial; on 4.10 I see two:
Jul 11 15:04:24 sec-artful-amd64 kernel: audit: type=1400 audit(1499803464.633:56): apparmor="DENIED" operation="getattr" info="Failed name lookup - disconnected path" error=-13 profile="test-profile" name="tmp/tmp.5XbmnPGpzw/mnt/upper" pid=2240 comm="umount" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jul 11 15:04:24 sec-artful-amd64 kernel: audit: type=1400 audit(1499803464.633:57): apparmor="DENIED" operation="getattr" info="Failed name lookup - disconnected path" error=-13 profile="test-profile" name="tmp/tmp.5XbmnPGpzw/mnt/upper" pid=2240 comm="umount" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
On 4.11 I see three:
Jul 11 15:02:33 iolanthe kernel: audit: type=1400 audit(1499803353.329:420848): apparmor="DENIED" operation="getattr" info="Failed name lookup - disconnected path" error=-13 profile="test-profile" name="tmp/tmp.6akLFxDX5e/mnt/upper/test-upper" pid=7231 comm="grep" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jul 11 15:02:33 iolanthe kernel: audit: type=1400 audit(1499803353.353:420849): apparmor="DENIED" operation="getattr" info="Failed name lookup - disconnected path" error=-13 profile="test-profile" name="tmp/tmp.6akLFxDX5e/mnt/upper" pid=7232 comm="umount" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jul 11 15:02:33 iolanthe kernel: audit: type=1400 audit(1499803353.353:420850): apparmor="DENIED" operation="getattr" info="Failed name lookup - disconnected path" error=-13 profile="test-profile" name="tmp/tmp.6akLFxDX5e/mnt/upper" pid=7232 comm="umount" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Reproducer:
$ tar -zxvf ./overlay-requires-attach-disconnected-for-upper.tar.gz && sudo ./overlay-requires-attach-disconnected-for-upper/drv
overlay-requires-attach-disconnected-for-upper/
overlay-requires-attach-disconnected-for-upper/p.in
overlay-requires-attach-disconnected-for-upper/overlay.c
overlay-requires-attach-disconnected-for-upper/drv
overlay-requires-attach-disconnected-for-upper/tst
Created tmpdir '/tmp/tmp.S41Vv03pBE'
Ubuntu 4.4.0-83.106-generic 4.4.70
Disabling kernel rate-limiting
kernel.printk_ratelimit = 0
Loading /tmp/tmp.S41Vv03pBE/data/p
chdir(/tmp/tmp.S41Vv03pBE/mnt)
Creating the overlay directories
- mkdir /tmp/tmp.S41Vv03pBE/mnt/lower
- mkdir /tmp/tmp.S41Vv03pBE/mnt/upper
- mkdir /tmp/tmp.S41Vv03pBE/mnt/work
- mkdir /tmp/tmp.S41Vv03pBE/mnt/merged
Populating /tmp/tmp.S41Vv03pBE/mnt/lower
- /tmp/tmp.S41Vv03pBE/mnt/lower/test-lower
Populating /tmp/tmp.S41Vv03pBE/mnt/upper
- /tmp/tmp.S41Vv03pBE/mnt/upper/test-upper
Perform the overlay
lower=/tmp/tmp.S41Vv03pBE/mnt/lower
upper=/tmp/tmp.S41Vv03pBE/mnt/upper
work=/tmp/tmp.S41Vv03pBE/mnt/work
where=/tmp/tmp.S41Vv03pBE/mnt/merged
exe=/tmp/tmp.S41Vv03pBE/data/tst
- mount('overlay', '/tmp/tmp.S41Vv03pBE/mnt/merged', 'overlay', MS_MGC_VAL, lowerdir=/tmp/tmp.S41Vv03pBE/mnt/lower,upperdir=/tmp/tmp.S41Vv03pBE/mnt/upper,workdir=/tmp/tmp.S41Vv03pBE/mnt/work
- success
starting '/tmp/tmp.S41Vv03pBE/data/tst'
Testing files in overlay
- test read file from upper
grep: ./merged/test-upper: Permission denied
FAIL: could not read from ./merged/test-upper
Cleaning up
- umount /tmp/tmp.S41Vv03pBE/mnt/merged
- rm -rf /tmp/tmp.S41Vv03pBE
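As an added example (the editor's, not code from the bug report or from the reproducer tarball), the script below parses the audit records quoted above together with the directory layout that drv prints, keeps only the DENIED records whose name lookup failed on a disconnected path, and maps each denied name back to the overlay layer (lower/upper/work/merged) it sits in. The denial lines and the lower=/upper=/work=/where= values are the ones quoted on this page; the function names, the per-kernel grouping and the layout-fingerprint heuristic (every run uses the same mnt/{lower,upper,work,merged} layout under a fresh mktemp directory, which the drv output supports) are assumptions of this example. The attach_disconnected profile flag named in the tarball is the standard AppArmor flag for letting a profile mediate paths that cannot be connected to a namespace root; listing the profiles that would need it is this example's suggestion, not a statement from the report.

```python
import os
import re
from collections import Counter

# AppArmor audit records quoted in the report (the page's own data, not constructed),
# grouped by the kernel the reporter ran: 4.4 (one denial), 4.10 (two), 4.11 (three).
AUDIT_LINES = {
    "4.4": [
        'Jul 11 15:04:07 sec-xenial-amd64 kernel: audit: type=1400 audit(1499803447.671:70): apparmor="DENIED" operation="getattr" info="Failed name lookup - disconnected path" error=-13 profile="test-profile" name="tmp/tmp.S41Vv03pBE/mnt/upper/test-upper" pid=2323 comm="grep" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    ],
    "4.10": [
        'Jul 11 15:04:24 sec-artful-amd64 kernel: audit: type=1400 audit(1499803464.633:56): apparmor="DENIED" operation="getattr" info="Failed name lookup - disconnected path" error=-13 profile="test-profile" name="tmp/tmp.5XbmnPGpzw/mnt/upper" pid=2240 comm="umount" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
        'Jul 11 15:04:24 sec-artful-amd64 kernel: audit: type=1400 audit(1499803464.633:57): apparmor="DENIED" operation="getattr" info="Failed name lookup - disconnected path" error=-13 profile="test-profile" name="tmp/tmp.5XbmnPGpzw/mnt/upper" pid=2240 comm="umount" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    ],
    "4.11": [
        'Jul 11 15:02:33 iolanthe kernel: audit: type=1400 audit(1499803353.329:420848): apparmor="DENIED" operation="getattr" info="Failed name lookup - disconnected path" error=-13 profile="test-profile" name="tmp/tmp.6akLFxDX5e/mnt/upper/test-upper" pid=7231 comm="grep" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
        'Jul 11 15:02:33 iolanthe kernel: audit: type=1400 audit(1499803353.353:420849): apparmor="DENIED" operation="getattr" info="Failed name lookup - disconnected path" error=-13 profile="test-profile" name="tmp/tmp.6akLFxDX5e/mnt/upper" pid=7232 comm="umount" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
        'Jul 11 15:02:33 iolanthe kernel: audit: type=1400 audit(1499803353.353:420850): apparmor="DENIED" operation="getattr" info="Failed name lookup - disconnected path" error=-13 profile="test-profile" name="tmp/tmp.6akLFxDX5e/mnt/upper" pid=7232 comm="umount" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    ],
}

# The layout lines printed by drv for the 4.4 run (quoted from the page).
REPRO_TRACE = """\
Created tmpdir '/tmp/tmp.S41Vv03pBE'
lower=/tmp/tmp.S41Vv03pBE/mnt/lower
upper=/tmp/tmp.S41Vv03pBE/mnt/upper
work=/tmp/tmp.S41Vv03pBE/mnt/work
where=/tmp/tmp.S41Vv03pBE/mnt/merged
"""

# key=value pairs; values are either a double-quoted string or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_audit_line(line):
    """Split one kernel audit record into its key=value fields (quotes stripped)."""
    if 'apparmor=' not in line:
        return None
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in KV_RE.findall(line)}


def is_disconnected_denial(f):
    """True for DENIED records whose name lookup failed on a disconnected path."""
    return f.get('apparmor') == 'DENIED' and 'disconnected path' in f.get('info', '')


def overlay_layers(trace):
    """Return {layer: path relative to the run's tmpdir}, e.g. {'upper': 'mnt/upper'}.
    Assumption: each run uses the same layout under a fresh mktemp dir, so the
    relative paths are comparable across the three hosts in the report."""
    tmpdir = re.search(r"Created tmpdir '([^']+)'", trace).group(1)
    layers = {}
    for m in re.finditer(r'^(lower|upper|work|where)=(\S+)$', trace, re.M):
        layers[m.group(1)] = os.path.relpath(m.group(2), tmpdir)
    return layers


def classify_layer(name, layers):
    """Name the overlay layer a denied path belongs to ('other' if none matches).
    A disconnected name carries no leading '/', so match on the layout fingerprint."""
    hay = '/' + name.strip('/') + '/'
    for layer, rel in layers.items():
        if '/' + rel + '/' in hay:
            return layer
    return 'other'


def summarize(lines_by_kernel, trace):
    """Per kernel: number of disconnected-path denials, the (comm, layer) pairs
    that raised them, and the profiles involved."""
    layers = overlay_layers(trace)
    report = {}
    for kernel, lines in lines_by_kernel.items():
        hits = [f for f in map(parse_audit_line, lines) if f and is_disconnected_denial(f)]
        report[kernel] = {
            'count': len(hits),
            'by_comm_layer': Counter((f['comm'], classify_layer(f['name'], layers)) for f in hits),
            'profiles': sorted({f['profile'] for f in hits}),
        }
    return report


def needs_attach_disconnected(report):
    """Profiles that hit disconnected-path denials and are therefore candidates
    for the attach_disconnected flag (this example's suggestion, not the report's)."""
    return sorted({p for r in report.values() for p in r['profiles']})


if __name__ == '__main__':
    rep = summarize(AUDIT_LINES, REPRO_TRACE)
    for kernel, r in rep.items():
        print(kernel, r['count'], dict(r['by_comm_layer']))
    print('profiles to review for attach_disconnected:', needs_attach_disconnected(rep))
```

Running it reproduces the progression the reporter describes: 4.4 shows a single grep denial on the upper file, 4.10 two umount denials on the upper directory, and 4.11 all three, every one of them inside the upper layer and all against test-profile.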