capability dac_override needed with overlayfs and chroot
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
AppArmor | New | Undecided | Unassigned |
Bug Description
With rules like the following:
@{TESTDIR}
@{TOPDIR}
alias / -> /tmp/tmp.
profile test-profile (attach_
...
# for the test script
@{TOPDIR}
@{TOPDIR}
...
# required for 'touch @{TOPDIR}
#capability dac_override,
}
and setting up an overlay with lower as '/', merged on TOPDIR/merged and chroot to TOPDIR/merged, touching files under @{TOPDIR}/scratch requires dac_override even though the directories are root:root and the process is running as root:
Jul 12 08:33:51 sec-xenial-amd64 kernel: audit: type=1400 audit(149986643
Reproducer:
$ tar -zxvf ./overlay-
overlay-
overlay-
overlay-
overlay-
overlay-
Created tmpdir '/tmp/tmp.
Ubuntu 4.4.0-83.
Disabling kernel rate-limiting
kernel.
Loading /tmp/tmp.
chdir(/
Creating the overlay directories
- mkdir /tmp/tmp.
- mkdir /tmp/tmp.
- mkdir /tmp/tmp.
- mkdir /tmp/tmp.
Populating /tmp/tmp.
- /tmp/tmp.
Populating /tmp/tmp.
- /tmp/tmp.
Creating /tmp/tmp.
Perform the overlay
lower=/
upper=/
work=/tmp/
where=/
exe=/tmp/
- mount('overlay', '/tmp/tmp.
- success
- chdir('
- success
- chroot('.')
- success
starting '/tmp/tmp.
list /tmp/tmp.
- ls -ld /tmp/tmp.
drwxr-xr-x 2 root root 4096 Jul 12 08:33 /tmp/tmp.
- ls -lR /tmp/tmp.
/tmp/tmp.
total 0
Touch file
- touch /tmp/tmp.
touch: cannot touch '/tmp/tmp.
FAIL: could touch /tmp/tmp.
Cleaning up
- umount /tmp/tmp.
- rm -rf /tmp/tmp.m1WGc0lMSv
Confirmed on 4.4, 4.10 and 4.11. Note that on 4.11 I see two dac_override denials: one for bug #1703665 and one for this one.
I'm not sure if this is a duplicate or related to bug #1703974.
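The steps in the report (overlay with lower=/, upper/work/merged under TOPDIR, chroot into merged, touch a file under TOPDIR/scratch) as a stand-alone shell reproducer, plus a helper that pulls the AppArmor capability denials out of the kernel log so the dac_override hit is easy to spot. This is an added example, not the reporter's test script or tarball (which is not on the page); it assumes a Linux host with overlayfs, root, and AppArmor audit lines in dmesg. The TOPDIR layout and the sample audit line in SAMPLE_LOG are constructed for illustration.

```shell
#!/bin/sh
# Added reproducer for the overlay + chroot + touch sequence from the bug.
# Not the original test script; paths and sample log line are constructed.

# Mirror the bug's steps: overlay with lower=/, upper/work/merged under
# TOPDIR, chroot into merged, then create a file under TOPDIR/scratch.
# Returns 0 if the touch worked, 1 if it was refused, 2 if the mount failed.
# Usage: overlay_chroot_touch TOPDIR RELFILE   (needs root and overlayfs)
overlay_chroot_touch() {
    topdir=$1
    relfile=$2
    mkdir -p "$topdir/upper" "$topdir/work" "$topdir/merged" "$topdir/scratch"
    mount -t overlay overlay \
        -o "lowerdir=/,upperdir=$topdir/upper,workdir=$topdir/work" \
        "$topdir/merged" || return 2
    # Inside the chroot TOPDIR is visible again because the lower layer is /;
    # the write lands in $topdir/upper/$topdir/scratch/$relfile.
    if chroot "$topdir/merged" /bin/sh -c "touch '$topdir/scratch/$relfile'"; then
        rc=0
    else
        rc=1
    fi
    umount "$topdir/merged"
    return $rc
}

# Read kernel/audit text on stdin and print "profile comm capname" for every
# AppArmor capability denial, so a dac_override denial is visible at a glance.
apparmor_cap_denials() {
    grep 'apparmor="DENIED"' | grep 'operation="capable"' |
    sed -n 's/.*profile="\([^"]*\)".*comm="\([^"]*\)".*capname="\([^"]*\)".*/\1 \2 \3/p'
}

# Count how many of those denials are for dac_override (the report sees one
# on 4.4/4.10 and two on 4.11).
count_dac_override_denials() {
    apparmor_cap_denials | grep -c ' dac_override$'
}

# Constructed sample in the type=1400 format AppArmor emits; the second line is
# a file-access denial and must not be reported as a capability denial.
SAMPLE_LOG='Jul 12 08:33:51 host kernel: audit: type=1400 audit(1499866431.001:100): apparmor="DENIED" operation="capable" profile="test-profile" pid=1234 comm="touch" capability=1  capname="dac_override"
Jul 12 08:33:51 host kernel: audit: type=1400 audit(1499866431.002:101): apparmor="DENIED" operation="mknod" profile="test-profile" name="/tmp/x" pid=1234 comm="touch" requested_mask="c" denied_mask="c" fsuid=0 ouid=0'

# Run the reproducer when invoked as "sh reproduce.sh run" as root; otherwise
# only the helpers are defined (e.g. when this file is sourced).
if [ "${1:-}" = "run" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "must be root" >&2; exit 1; }
    topdir=$(mktemp -d /tmp/tmp.XXXXXXXXXX)
    if overlay_chroot_touch "$topdir" testfile; then
        echo "touch succeeded"
    else
        echo "touch FAILED; capability denials seen in dmesg:"
        dmesg | apparmor_cap_denials
    fi
    rm -rf "$topdir"
fi
```

Run it under the confining profile with `capability dac_override` commented out to see the denial, then uncomment the rule and rerun; the log helper is what to point at dmesg or /var/log/kern.log to confirm which profile and comm triggered it.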