attach_disconnected not sufficient for overlayfs
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| AppArmor | Invalid | Critical | John Johansen | |
| MAAS | Invalid | Undecided | Unassigned | |
| apparmor (Ubuntu) | Invalid | Critical | Steve Beattie | |
| linux (Ubuntu) | Invalid | Critical | John Johansen | |
Bug Description
With the following use of overlayfs, we get a disconnected path:
$ cat ./profile
#include <tunables/global>
profile foo {
#include <abstractions/base>
capability sys_admin,
capability sys_chroot,
mount,
pivot_root,
}
$ cat ./overlay.c
/* Reconstruction note: several lines of overlay.c are truncated on this page
 * (unshare(), the two strlen()/snprintf() option strings, execl(), and there
 * is no mount() call visible at all). Lines marked "reconstructed" or
 * "assumed" below are filled in to match the surrounding code and the
 * invocation `./a.out /tmp`; they are not the reporter's exact text. */
#define _GNU_SOURCE
#include <alloca.h>
#include <sched.h>          /* unshare(), CLONE_NEWNS, CLONE_NEWUSER (was <linux/sched.h>) */
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/syscall.h>    /* SYS_pivot_root: glibc has no pivot_root() wrapper */
#include <fcntl.h>
#include <unistd.h>

int main(int argc, char* argv[]) {
	int i = 0;
	int len = 0;
	int ret = 0;
	char* options;

	/* reconstructed: when not root, take the mount/pivot_root capabilities
	 * from a fresh user+mount namespace (the profile grants sys_admin and
	 * sys_chroot, which is what AppArmor mediates here) */
	if (geteuid())
		unshare(CLONE_NEWUSER | CLONE_NEWNS);

	for (i = 1; i < argc; i++) {
		if (i == 1) {
			/* reconstructed: the first overlay stacks argv[1] over the root fs */
			len = strlen(argv[i]) + strlen("upperdir=,lowerdir=/") + 1;
			options = alloca(len);
			ret = snprintf(options, len, "upperdir=%s,lowerdir=/", argv[i]);
		}
		else {
			/* reconstructed: further overlays stack on the previous one at /mnt */
			len = strlen(argv[i]) + strlen("upperdir=,lowerdir=/mnt") + 1;
			options = alloca(len);
			ret = snprintf(options, len, "upperdir=%s,lowerdir=/mnt", argv[i]);
		}
		/* assumed: mount the overlay on /mnt (the call is not on the page).
		 * Kernels with upstream overlay (3.18+) also require a workdir= option
		 * and use the fs type "overlay" rather than "overlayfs". */
		if (ret < 0 || mount("overlayfs", "/mnt", "overlayfs", 0, options) < 0) {
			perror("mount");
			return 1;
		}
	}

	chdir("/mnt");
	syscall(SYS_pivot_root, ".", ".");   /* original: pivot_root(".", ".") */
	chroot(".");
	chdir("/");
	/* reconstructed: exec the shell the denial was expected for (/mnt/bin/bash) */
	execl("/bin/bash", "bash", NULL);
	perror("execl");
	return 1;
}
$ sudo apparmor_parser -r ./profile && aa-exec -p foo -- ./a.out /tmp
[255]
...
Dec 12 14:31:38 localhost kernel: [57278.040216] audit: type=1400 audit(141838749
With the above, the expectation was for the denial to be for /mnt/bin/bash. There are three ways forward:
1. The correct solution is to patch overlayfs to properly track the loopback, but this will take a while and may ultimately be unachievable. UPDATE: upstream is currently working on this and Ubuntu will engage with them.
2. We could rely on the fact that overlayfs creates a private unshared submount, and provide a way to not mediate the path when that submount is present and tagged. This would take a bit of time, and might be the preferred method over 1 in the longer term.
3. We could extend attach_disconnected so that we can define the attach root. E.g., we can use profile foo (attach_
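The three options above differ in what path the kernel ends up mediating for a dentry that has no path to the namespace root. The following is an added example, not part of the bug report or of AppArmor itself: it parses AppArmor audit denial records, flags names that are disconnected (reported without a leading "/", which is the assumed form of such records here), and models option 3 by attaching a disconnected name under a caller-chosen attach root. The two audit lines are constructed for the example; they are not the truncated line from the report, and the hypothetical helper names (`triage`, `attach`) are not AppArmor APIs.

```python
import re

# Constructed sample records (not the bug's real output). Field layout follows
# the key=value / key="value" shape of AppArmor type=1400 audit records.
SAMPLE_RECORDS = [
    # Assumed form of a disconnected path: no leading "/" because the dentry
    # cannot be walked back to the namespace root.
    'audit: type=1400 audit(1418387498.123:99): apparmor="DENIED" operation="exec" '
    'profile="foo" name="bin/bash" pid=1234 comm="a.out" requested_mask="x" denied_mask="x"',
    # The same access once the name has been attached at "/" (what plain
    # attach_disconnected yields): the overlay mount point /mnt is lost.
    'audit: type=1400 audit(1418387498.456:100): apparmor="DENIED" operation="exec" '
    'profile="foo" name="/bin/bash" pid=1234 comm="a.out" requested_mask="x" denied_mask="x"',
]

# key=value where value is either a double-quoted string or a bare token
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_record(line):
    """Return the key/value fields of one audit record as a dict."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        key = m.group(1)
        # group(3) is the unquoted content of a quoted value, group(2) a bare token
        fields[key] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def is_disconnected(name):
    """Disconnected paths are reported relative (assumed: no leading slash)."""
    return not name.startswith("/")


def attach(name, root):
    """Hypothetical model of option 3: attach a disconnected name under `root`
    instead of the namespace root, so /mnt + bin/bash -> /mnt/bin/bash."""
    if not is_disconnected(name):
        return name
    return root.rstrip("/") + "/" + name


def triage(lines, attach_root="/"):
    """Summarise DENIED records: which names are disconnected and what path
    they would be mediated as under the given attach root."""
    out = []
    for line in lines:
        f = parse_record(line)
        if f.get("apparmor") != "DENIED":
            continue
        name = f.get("name", "")
        out.append({
            "profile": f.get("profile"),
            "operation": f.get("operation"),
            "name": name,
            "disconnected": is_disconnected(name),
            "mediated_as": attach(name, attach_root),
        })
    return out


if __name__ == "__main__":
    for entry in triage(SAMPLE_RECORDS, attach_root="/mnt"):
        print(entry)
```

Run it on real `/var/log/audit/audit.log` or `dmesg` lines to see which denials come from disconnected dentries; a name without a leading slash in a profile that lacks `attach_disconnected` is the symptom this bug is about, and with attach_disconnected the report moves to "/" rather than the overlay mount point.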
description: updated
Changed in apparmor:
  status: New → In Progress
  importance: Undecided → Critical
  assignee: nobody → John Johansen (jjohansen)
Changed in apparmor (Ubuntu):
  status: In Progress → Confirmed
  assignee: John Johansen (jjohansen) → Steve Beattie (sbeattie)
Changed in linux (Ubuntu):
  assignee: nobody → John Johansen (jjohansen)
  importance: Undecided → Critical
  status: New → Confirmed
tags: added: kernel-key
summary: allow defining the attach root for attach_disconnected → attach_disconnected not sufficient for overlayfs
tags: added: kernel-da-key; removed: kernel-key
description: updated
description: updated
Changed in linux (Ubuntu):
  status: Confirmed → Triaged
tags: removed: kernel-da-key
Hi! What kind of (realistic) timeline can we expect here? (With the move to ZFS for containers, I wonder :)
E.g. is this part of your goals for 16.10? (I mean: for the AppArmor/Ubuntu-specific parts, as I've learnt to be patient wrt. the upstreaming to Linux mainline.)
Thanks for your work on AppArmor!