Incorrect denial on umount with bind-mounted mount namespace
Bug #1735459 reported by
Zygmunt Krynicki
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
AppArmor | New | Undecided | Unassigned | (none)
Bug Description
While developing snap-confine I found that unmount2(
An example denial (from the test program):
lis 30 16:45:27 fyke kernel: audit: type=1400 audit(151205672
The test program will be attached shortly.
So yes and no. This is working exactly as the kernel presents this to apparmor, and there is nothing we can do about it at the moment.
Specifically, all nsfs paths are magic symlinks that resolve to a special kernel mount that does not exist in userspace, and all of them resolve to '/'. There is currently nothing that can be done about this.
We have been working on some potential solutions but this is active investigation/dev work and not ready for use.