capability dac_override needed with overlayfs and pivotroot

Bug #1703974 reported by Jamie Strandboge
Affects: AppArmor | Status: New | Importance: Undecided | Assigned to: Unassigned | Milestone: (none)

Bug Description

With rules like the following:

@{TESTDIR}="/tmp/tmp.kbwtjBnQb0/data"
@{TOPDIR}="/tmp/tmp.kbwtjBnQb0/data/mnt"

profile test-profile (attach_disconnected) {
...
  # for the test script
  @{TOPDIR}/scratch/ r,
  @{TOPDIR}/scratch/** rwklix,
...
  # required for 'touch @{TOPDIR}/scratch/foo'
  #capability dac_override,
}

and setting up the mount namespace with:

- unshare(CLONE_NEWNS)
- mount('/tmp/tmp.kbwtjBnQb0/data/mnt/merged', '/tmp/tmp.kbwtjBnQb0/data/mnt/merged', NULL, MS_BIND, NULL)
- mount('none', '/tmp/tmp.kbwtjBnQb0/data/mnt/merged', NULL, MS_PRIVATE, NULL)
- mount('overlay', '/tmp/tmp.kbwtjBnQb0/data/mnt/merged', 'overlay', MS_MGC_VAL, lowerdir=/,upperdir=/tmp/tmp.kbwtjBnQb0/data/mnt/upper,workdir=/tmp/tmp.kbwtjBnQb0/data/mnt/work)
- chdir('/tmp/tmp.kbwtjBnQb0/data/mnt/merged')
- pivot_root('.', '.')
- chdir('/')
- chroot('.')

touching files under @{TOPDIR}/scratch requires dac_override even though the directories are root:root and the process is running as root:

Jul 12 14:56:24 sec-xenial-amd64 kernel: audit: type=1400 audit(1499889384.678:98): apparmor="DENIED" operation="capable" profile="test-profile" pid=4317 comm="touch" capability=1 capname="dac_override"

Reproducer:
$ tar -zxvf ./overlay-with-pivotroot-touch-needs-dac-override.tar.gz && sudo ./overlay-with-pivotroot-touch-needs-dac-override/drv
overlay-with-pivotroot-touch-needs-dac-override/
overlay-with-pivotroot-touch-needs-dac-override/p.in
overlay-with-pivotroot-touch-needs-dac-override/overlay.c
overlay-with-pivotroot-touch-needs-dac-override/drv
overlay-with-pivotroot-touch-needs-dac-override/tst
Created tmpdir '/tmp/tmp.qg9DDhY52U'

Ubuntu 4.4.0-83.106-generic 4.4.70

Disabling kernel rate-limiting
kernel.printk_ratelimit = 0

Loading /tmp/tmp.qg9DDhY52U/data/p

chdir(/tmp/tmp.qg9DDhY52U/data/mnt)

Creating the overlay directories
- mkdir /tmp/tmp.qg9DDhY52U/data/mnt/lower
- mkdir /tmp/tmp.qg9DDhY52U/data/mnt/upper
- mkdir /tmp/tmp.qg9DDhY52U/data/mnt/work
- mkdir /tmp/tmp.qg9DDhY52U/data/mnt/merged

Populating /tmp/tmp.qg9DDhY52U/data/mnt/lower
- /tmp/tmp.qg9DDhY52U/data/mnt/lower/test-lower

Populating /tmp/tmp.qg9DDhY52U/data/mnt/upper
- /tmp/tmp.qg9DDhY52U/data/mnt/upper/test-upper

Creating /tmp/tmp.qg9DDhY52U/data/mnt/scratch

Perform the overlay
lower=/
upper=/tmp/tmp.qg9DDhY52U/data/mnt/upper
work=/tmp/tmp.qg9DDhY52U/data/mnt/work
where=/tmp/tmp.qg9DDhY52U/data/mnt/merged
exe=/tmp/tmp.qg9DDhY52U/data/tst
- unshare(CLONE_NEWNS)
 - success
- mount('/tmp/tmp.qg9DDhY52U/data/mnt/merged', '/tmp/tmp.qg9DDhY52U/data/mnt/merged', NULL, MS_BIND, NULL
 - success
- mount('none', '/tmp/tmp.qg9DDhY52U/data/mnt/merged', NULL, MS_PRIVATE, NULL)
 - success
- mount('overlay', '/tmp/tmp.qg9DDhY52U/data/mnt/merged', 'overlay', MS_MGC_VAL, lowerdir=/,upperdir=/tmp/tmp.qg9DDhY52U/data/mnt/upper,workdir=/tmp/tmp.qg9DDhY52U/data/mnt/work
 - success
- chdir('/tmp/tmp.qg9DDhY52U/data/mnt/merged')
 - success
- pivot_root('.', '.')
 - success
- chdir('/')
 - success
chroot('.')
 - success
starting '/tmp/tmp.qg9DDhY52U/data/tst'

list /tmp/tmp.qg9DDhY52U/data/mnt/scratch
- ls -ld /tmp/tmp.qg9DDhY52U/data/mnt/scratch
drwxr-xr-x 2 root root 4096 Jul 12 14:56 /tmp/tmp.qg9DDhY52U/data/mnt/scratch

- ls -lR /tmp/tmp.qg9DDhY52U/data/mnt/scratch
/tmp/tmp.qg9DDhY52U/data/mnt/scratch:
total 0

Touch file
- touch /tmp/tmp.qg9DDhY52U/data/mnt/scratch/test-touch
touch: cannot touch '/tmp/tmp.qg9DDhY52U/data/mnt/scratch/test-touch': Permission denied
FAIL: could touch /tmp/tmp.qg9DDhY52U/data/mnt/scratch/test-touch

Cleaning up
- umount /tmp/tmp.qg9DDhY52U/data/mnt/merged
- rm -rf /tmp/tmp.qg9DDhY52U

Confirmed on 4.4, 4.10 and 4.11. Note that on 4.11 I see two dac_override denials: one for bug #1703665 and one for this one.

I'm not sure if this is a duplicate or related to bug #1703835.

Tags: aa-kernel