inconsistent required directory rules needed with overlayfs
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| AppArmor | New | Undecided | Unassigned | |
Bug Description
With only rules for the merged directory, I see the following denial when trying to do a directory listing on merged:
Jul 11 15:15:56 sec-xenial-amd64 kernel: audit: type=1400 audit(149980415
This can be solved with (note you need both since after allowing upper you see a denial for lower):
/lower/{,**/} r,
/upper/{,**/} r,
Curiously, file rules are not needed and you can read files in merged without lower or upper rules.
Reproducer:
$ tar -zxvf ./overlay-
overlay-
overlay-
overlay-
overlay-
overlay-
Created tmpdir '/tmp/tmp.
Ubuntu 4.4.0-83.
Disabling kernel rate-limiting
kernel.
Loading /tmp/tmp.
chdir(/
Creating the overlay directories
- mkdir /tmp/tmp.
- mkdir /tmp/tmp.
- mkdir /tmp/tmp.
- mkdir /tmp/tmp.
Populating /tmp/tmp.
- /tmp/tmp.
Populating /tmp/tmp.
- /tmp/tmp.
Perform the overlay
lower=/
upper=/
work=/tmp/
where=/
exe=/tmp/
- mount('overlay', '/tmp/tmp.
- success
starting '/tmp/tmp.
Testing files in overlay
- test read file from lower
- test read file from upper
- test list dir on ./merged
ls: cannot open directory './merged': Permission denied
FAIL: could not read from ./merged/test-upper
Cleaning up
- umount /tmp/tmp.
- rm -rf /tmp/tmp.4W0mxmOnDg
With 4.13.0-32.35-generic in 18.04 (via livecd), it seems that only this is needed:
/upper/{,**/} r,
AFAICT, /upper/ is not accessible to the process (ls /upper/ or ls /upper/foo) so the rule doesn't seem to be abusable. It would be nice if we didn't need this rule of course.
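As an added illustration (not part of the bug report and not an AppArmor project profile), the following named profile puts the merged-only rule set next to the extra layer rules the reporter found necessary. The paths under /tmp/ovl and the profile name ovl-ls are assumptions chosen for the example; the reporter's actual tmpdir paths are truncated above. The comments record only what the report states about each kernel.

```apparmor
# Added example profile (assumed paths: /tmp/ovl/{lower,upper,work,merged};
# assumed profile name: ovl-ls). Load with: apparmor_parser -r <this file>
#include <tunables/global>

profile ovl-ls {
  #include <abstractions/base>

  # the confined binary
  /{,usr/}bin/ls mr,

  # Rules for the merged view only. With just these, reading files
  # through merged/ works, but a directory listing of merged/ is
  # denied (the behaviour reported above).
  /tmp/ovl/merged/{,**/} r,
  /tmp/ovl/merged/** r,

  # Directory read rules on the overlay layers. On 4.4.0-83 the
  # reporter needed both (allowing upper surfaces a denial for lower);
  # on 4.13.0-32.35 only the upper rule was reported as necessary.
  /tmp/ovl/lower/{,**/} r,
  /tmp/ovl/upper/{,**/} r,

  # Deliberately no file rules for lower/ or upper/: the report says
  # these are not required to read files through merged/.
}
```

To check the effect, load the profile with `apparmor_parser -r`, run `aa-exec -p ovl-ls -- ls /tmp/ovl/merged`, and watch the kernel log for `type=1400` audit entries; comment out the lower/upper lines and reload to see the `Permission denied` from the reproducer return. Note that the two layer rules grant read access to the directory structure only, which matches the reporter's observation that the process still cannot list /upper/ itself.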