'ls -d /' not mediated with overlayfs and chroot

Bug #1703991 reported by Jamie Strandboge
Affects: AppArmor
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

I'm not sure if this is a limitation of mediation or a bug, but performing an 'ls -d /' is allowed after creating an overlayfs on merged and chrooting to merged.

Reproducer:
$ tar -zxvf ./overlay-with-chroot-ls-root.tar.gz && sudo ./overlay-with-chroot-ls-root/drv
overlay-with-chroot-ls-root/
overlay-with-chroot-ls-root/p.in
overlay-with-chroot-ls-root/overlay.c
overlay-with-chroot-ls-root/drv
overlay-with-chroot-ls-root/tst
Created tmpdir '/tmp/tmp.ilA8cS947i'

Ubuntu 4.4.0-83.106-generic 4.4.70

Disabling kernel rate-limiting
kernel.printk_ratelimit = 0

Loading /tmp/tmp.ilA8cS947i/data/p

chdir(/tmp/tmp.ilA8cS947i/data/mnt)

Creating the overlay directories
- mkdir /tmp/tmp.ilA8cS947i/data/mnt/lower
- mkdir /tmp/tmp.ilA8cS947i/data/mnt/upper
- mkdir /tmp/tmp.ilA8cS947i/data/mnt/work
- mkdir /tmp/tmp.ilA8cS947i/data/mnt/merged

Populating /tmp/tmp.ilA8cS947i/data/mnt/lower
- /tmp/tmp.ilA8cS947i/data/mnt/lower/test-lower

Populating /tmp/tmp.ilA8cS947i/data/mnt/upper
- /tmp/tmp.ilA8cS947i/data/mnt/upper/test-upper

Perform the overlay
lower=/
upper=/tmp/tmp.ilA8cS947i/data/mnt/upper
work=/tmp/tmp.ilA8cS947i/data/mnt/work
where=/tmp/tmp.ilA8cS947i/data/mnt/merged
exe=/tmp/tmp.ilA8cS947i/data/tst
- mount('overlay', '/tmp/tmp.ilA8cS947i/data/mnt/merged', 'overlay', MS_MGC_VAL, lowerdir=/,upperdir=/tmp/tmp.ilA8cS947i/data/mnt/upper,workdir=/tmp/tmp.ilA8cS947i/data/mnt/work
 - success
- chdir('/tmp/tmp.ilA8cS947i/data/mnt/merged')
 - success
- chroot('.')
 - success
starting '/tmp/tmp.ilA8cS947i/data/tst'

ls -ld / (EXFAIL)
- ls -ld /
drwxr-xr-x 1 root root 4096 Jul 12 16:05 /
FAIL: could ls -ld /

- ls / (EXFAIL)
ls: cannot open directory '/': Permission denied

- ls -lR / (EXFAIL)
ls: cannot open directory '/': Permission denied

Cleaning up
- umount /tmp/tmp.ilA8cS947i/data/mnt/merged
- rm -rf /tmp/tmp.ilA8cS947i

Tested on 4.4, 4.10 and 4.11. Not sure if this is a duplicate or related to bug #1703988.

Tags: aa-kernel