AppArmor

'ls -d /' not mediated with overlayfs, pivotroot and chroot

Bug #1703988 reported by Jamie Strandboge
12
This bug affects 2 people
Affects Status Importance Assigned to Milestone
AppArmor
New
Undecided
Unassigned

Bug Description

I'm not sure if this is a limitation of mediation or a bug, but performing an 'ls -d /' is allowed after creating an overlayfs on merged, pivot_rooting to merged and chrooting to /.

Reproducer:
$ tar -zxvf ./overlay-with-pivotroot-ls-root.tar.gz && sudo ./overlay-with-pivotroot-ls-root/drv
overlay-with-pivotroot-ls-root/
overlay-with-pivotroot-ls-root/p.in
overlay-with-pivotroot-ls-root/overlay.c
overlay-with-pivotroot-ls-root/drv
overlay-with-pivotroot-ls-root/tst
Created tmpdir '/tmp/tmp.GBIqWfpROZ'

Ubuntu 4.10.0-26.30-generic 4.10.17

Disabling kernel rate-limiting
kernel.printk_ratelimit = 0

Loading /tmp/tmp.GBIqWfpROZ/data/p

chdir(/tmp/tmp.GBIqWfpROZ/data/mnt)

Creating the overlay directories
- mkdir /tmp/tmp.GBIqWfpROZ/data/mnt/lower
- mkdir /tmp/tmp.GBIqWfpROZ/data/mnt/upper
- mkdir /tmp/tmp.GBIqWfpROZ/data/mnt/work
- mkdir /tmp/tmp.GBIqWfpROZ/data/mnt/merged

Populating /tmp/tmp.GBIqWfpROZ/data/mnt/lower
- /tmp/tmp.GBIqWfpROZ/data/mnt/lower/test-lower

Populating /tmp/tmp.GBIqWfpROZ/data/mnt/upper
- /tmp/tmp.GBIqWfpROZ/data/mnt/upper/test-upper

Perform the overlay
lower=/
upper=/tmp/tmp.GBIqWfpROZ/data/mnt/upper
work=/tmp/tmp.GBIqWfpROZ/data/mnt/work
where=/tmp/tmp.GBIqWfpROZ/data/mnt/merged
exe=/tmp/tmp.GBIqWfpROZ/data/tst
- unshare(CLONE_NEWNS)
 - success
- mount('/tmp/tmp.GBIqWfpROZ/data/mnt/merged', '/tmp/tmp.GBIqWfpROZ/data/mnt/merged', NULL, MS_BIND, NULL
 - success
- mount('none', '/tmp/tmp.GBIqWfpROZ/data/mnt/merged', NULL, MS_PRIVATE, NULL)
 - success
- mount('overlay', '/tmp/tmp.GBIqWfpROZ/data/mnt/merged', 'overlay', MS_MGC_VAL, lowerdir=/,upperdir=/tmp/tmp.GBIqWfpROZ/data/mnt/upper,workdir=/tmp/tmp.GBIqWfpROZ/data/mnt/work
 - success
- chdir('/tmp/tmp.GBIqWfpROZ/data/mnt/merged')
 - success
- pivot_root('.', '.')
 - success
- chdir('/')
 - success
chroot('.')
 - success
starting '/tmp/tmp.GBIqWfpROZ/data/tst'

ls -ld / (EXFAIL)
- ls -ld /
drwxr-xr-x 1 root root 4096 Jul 12 15:56 /
FAIL: could ls -ld /

- ls / (EXFAIL)
ls: cannot open directory '/': Permission denied

- ls -lR / (EXFAIL)
ls: cannot open directory '/': Permission denied

Cleaning up
- umount /tmp/tmp.GBIqWfpROZ/data/mnt/merged
- rm -rf /tmp/tmp.GBIqWfpROZ

Tested on 4.4, 4.10 and 4.11. Not sure if this is a duplicate or related to bug #1703991.

See original description
Tags: aa-kernel
Revision history for this message
Jamie Strandboge (jdstrand) wrote :
Jamie Strandboge (jdstrand)
description: updated
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.