incorrect file mediation with chroot to merged overlayfs directory in a subdir of a directory with full access
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
AppArmor | New | Undecided | Unassigned |
Bug Description
The summary is rather long, but the problem arises when the merged directory of an overlayfs mount is located under another directory to which the application has full access, '/' is used as the lowerdir, and the application chroots into merged.
This simulates the situation of something like schroot that wants a read-only '/' with all writes handled by the overlay, but where the merged mountpoint happens to be under a directory that schroot has full access to.
This also simulates what might happen in snappy if we allowed overlayfs in an interface. Because the snap has limited write areas (eg, COMMONDIR below), it would create a mountpoint in one of them (eg, TOPDIR as a subdir of COMMONDIR, below). If the snap used '/' as the lowerdir (and policy allowed it) and did a chroot onto merged, then the snap could access files in / that it shouldn't.
E.g.
@{TESTDIR}
@{COMMONDIR}
@{TOPDIR}
# merged/ is under COMMONDIR and because we give full access to COMMONDIR, the
# following alias rule ends up granting access to files in / as if they were in
# COMMONDIR (directories are correctly mediated)
alias / -> /tmp/tmp.
profile test-profile (attach_
...
# full access to COMMONDIR
@{COMMONDIR}/ rw,
@{COMMONDIR}/** rwklix,
...
mount fstype=overlay overlay -> @{TOPDIR}/merged/,
}
Notice that there are no rules for @{TOPDIR}/merged in the policy. With the above, directories are properly mediated, but file and exec rules are not.
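The risky shape described above (an overlay mountpoint placed inside a directory that the profile grants recursive write access to, with no explicit rules for the merged tree) can be checked for mechanically before a profile is loaded. The following policy-lint script is an added example for this report, not code from the bug reporter or from the AppArmor project. The sample policies, the variable values in them and the `find_risky_overlay_mounts` heuristic are all constructed for the example; the real policy's variable values are not shown in the report, and the check only recognises the three rule shapes it needs (`@{VAR}=...` definitions, plain file rules and `mount fstype=overlay ... -> path,` rules).

```python
import re

# Constructed sample policy modelled on the rules quoted in the bug report.
# The variable values are placeholders chosen for this example; the report
# itself does not show them.
SAMPLE_POLICY = """
@{COMMONDIR}=/var/snap/example/common
@{TOPDIR}=@{COMMONDIR}/top
profile test-profile {
  # full access to COMMONDIR
  @{COMMONDIR}/ rw,
  @{COMMONDIR}/** rwklix,
  mount fstype=overlay overlay -> @{TOPDIR}/merged/,
}
"""

# Same rules, but the merged mountpoint lives outside the full-access tree
# (also constructed).
SAFE_POLICY = """
@{COMMONDIR}=/var/snap/example/common
@{MERGEDIR}=/run/example/merged
profile test-profile {
  @{COMMONDIR}/ rw,
  @{COMMONDIR}/** rwklix,
  mount fstype=overlay overlay -> @{MERGEDIR}/,
}
"""

VAR_DEF = re.compile(r'^@\{(\w+)\}\s*=\s*(\S+)$')
FILE_RULE = re.compile(r'^((?:/|@\{)\S*)\s+([rwklixmuPUCa]+)\s*,$')
OVERLAY_MOUNT = re.compile(r'^mount\s+fstype=overlay\b[^>]*->\s*([^\s,]+)\s*,$')


def expand(path, variables):
    """Substitute @{NAME} references using the definitions seen so far."""
    for name, value in variables.items():
        path = path.replace('@{%s}' % name, value)
    return path


def parse_policy(text):
    """Return (variables, file_rules, overlay_mountpoints) from policy text.

    Only the three rule shapes this check needs are recognised; everything
    else (profile header, alias lines, closing brace) is skipped.
    """
    variables, file_rules, mountpoints = {}, [], []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = VAR_DEF.match(line)
        if m:
            variables[m.group(1)] = expand(m.group(2), variables)
            continue
        m = OVERLAY_MOUNT.match(line)
        if m:
            mountpoints.append(expand(m.group(1), variables))
            continue
        m = FILE_RULE.match(line)
        if m:
            file_rules.append((expand(m.group(1), variables), m.group(2)))
    return variables, file_rules, mountpoints


def full_write_dirs(file_rules):
    """Directories granted recursive write access via a '/**' rule with 'w'."""
    return [path[:-2] for path, perms in file_rules
            if path.endswith('/**') and 'w' in perms]


def has_explicit_rules(file_rules, mountpoint):
    """True if some file rule literally names the mountpoint or a path below it."""
    return any(path.startswith(mountpoint) for path, _ in file_rules)


def find_risky_overlay_mounts(text):
    """List (mountpoint, enclosing_dir) pairs matching the report's pattern:
    an overlay mountpoint inside a recursively writable directory, with no
    explicit rules for the merged tree itself (heuristic, constructed here)."""
    _, file_rules, mountpoints = parse_policy(text)
    findings = []
    for mp in mountpoints:
        for d in full_write_dirs(file_rules):
            if mp.startswith(d) and not has_explicit_rules(file_rules, mp):
                findings.append((mp, d))
    return findings


if __name__ == '__main__':
    for label, policy in (('sample', SAMPLE_POLICY), ('safe', SAFE_POLICY)):
        hits = find_risky_overlay_mounts(policy)
        if hits:
            for mp, d in hits:
                print('%s: overlay mountpoint %s sits under full-access dir %s '
                      'with no explicit rules for the merged tree' % (label, mp, d))
        else:
            print('%s: no risky overlay mountpoints found' % label)
```

Running the script flags the first policy (the mountpoint `.../common/top/merged/` is under `.../common/`, which has `** rwklix`) and passes the second, where the mountpoint is outside the writable tree. Adding explicit rules for `@{TOPDIR}/merged/**` to the first policy also clears the finding, which matches the report's observation that the policy contains no rules for the merged tree at all.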
Reproducer:
$ tar -zxvf ./overlay-
overlay-
overlay-
overlay-
overlay-
overlay-
Created tmpdir '/tmp/tmp.
Ubuntu 4.10.0-
Disabling kernel rate-limiting
kernel.
Loading /tmp/tmp.
chdir(/
Creating the overlay directories
- mkdir /tmp/tmp.
- mkdir /tmp/tmp.
- mkdir /tmp/tmp.
- mkdir /tmp/tmp.
Populating /tmp/tmp.
- /tmp/tmp.
Populating /tmp/tmp.
- /tmp/tmp.
Creating /tmp/tmp.
Perform the overlay
lower=/
upper=/
work=/tmp/
where=/
exe=/tmp/
- mount('overlay', '/tmp/tmp.
- success
- chdir('
- success
- chroot('.')
- success
starting '/tmp/tmp.
Test /etc (expect denied dir)
ls: cannot open directory '/etc': Permission denied
Test /etc/shadow (expect denied file read)
daemon:
FAIL: could access /etc/shadow
Test netstat --version (expect denied exec)
/tmp/tmp.
Cleaning up
- umount /tmp/tmp.
- rm -rf /tmp/tmp.sQqTm4RqpW
The fact that directories are properly mediated here and that upper and lower rules are needed in bug #1703674 for directories makes me think that this bug and bug #1703674 may be related.