remount, not honored on bind mounts

Bug #1272028 reported by Serge Hallyn on 2014-01-23
14
This bug affects 2 people
Affects Status Importance Assigned to Milestone
apparmor (Ubuntu)
Undecided
Unassigned
Precise
Undecided
Unassigned
Trusty
Undecided
Unassigned
Utopic
Undecided
Unassigned

Bug Description

I was trying to run docker in a nested container. docker wants to remount a bind-mounted dir as ro. Audit log showed this failed. I first tried to add more specific rules, but when those did not work i tried just

remount,

in the policy. Still the mount was denied. Finally when I added 'mount,', it worked.

Ideally I would be able to say

  remount options=(ro,bind) -> /var/lib/docker/**/,

John Johansen (jjohansen) wrote :

I've tracked this down to a compiler bug where the bind flag is getting cleared from the flags set for remounts.

summary: - remount, not honored
+ remount, not honored on bind mounts
Jamie Strandboge (jdstrand) wrote :

Is this still an issue for you on 14.10?

no longer affects: apparmor (Ubuntu Saucy)
Changed in apparmor (Ubuntu):
status: New → Incomplete
Changed in apparmor (Ubuntu Precise):
status: New → Incomplete
Changed in apparmor (Ubuntu Trusty):
status: New → Incomplete
Launchpad Janitor (janitor) wrote :

[Expired for apparmor (Ubuntu Utopic) because there has been no activity for 60 days.]

Changed in apparmor (Ubuntu Utopic):
status: Incomplete → Expired
Launchpad Janitor (janitor) wrote :

[Expired for apparmor (Ubuntu Trusty) because there has been no activity for 60 days.]

Changed in apparmor (Ubuntu Trusty):
status: Incomplete → Expired
Launchpad Janitor (janitor) wrote :

[Expired for apparmor (Ubuntu Precise) because there has been no activity for 60 days.]

Changed in apparmor (Ubuntu Precise):
status: Incomplete → Expired
Launchpad Janitor (janitor) wrote :

[Expired for apparmor (Ubuntu) because there has been no activity for 60 days.]

Changed in apparmor (Ubuntu):
status: Incomplete → Expired
Ash Wilson (ash-wilson) wrote :

I just hit this myself with AppArmor 2.9.1 in Debian wheezy. Has this been fixed upstream? I've attached a minimal reproduction.

Serge Hallyn (serge-hallyn) wrote :

It's possible that this is a part of the patchset still making its way upstream.

John Johansen (jjohansen) wrote :

Ash,

can you provide the output of

  ls /sys/kernel/security/apparmor/features

and

   apparmor_parser -S <your minimal profile>

the profile binary dump is to just double check that it is the same as what I get locally

Ash Wilson (ash-wilson) wrote :

John,

Sure thing. Here's my /sys/kernel/security/apparmor/features:

capability caps domain file mount namespaces network policy rlimit

The profile dump is attached. Thanks for having a look! I was just starting to trawl through the source to see if it was something I could patch myself, based on your comment.

Ash Wilson (ash-wilson) wrote :

I've attached a patch against the 2.9 branch that's working for me. I'm allowing rbind as well as bind because that's the part of the actual call that caused me to discover this. It looks like an equivalent change could be made against master as well:

http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/view/head:/parser/mount.h#L106

Should I submit it to the mailing list, too?

John Johansen (jjohansen) wrote :

Ash,

can you attach the /etc/apparmor.d/cache/.features file from your system

Ash Wilson (ash-wilson) wrote :

Hmm, I was scp'ing binaries around and I seem to have broken apparmor_parser on that box at the moment (glibc conflicts - I copied a build from the wrong box by mistake).

I'm travelling over the weekend and early next week - I'll upload it as soon as I have a chance to get that working again.

John Johansen (jjohansen) wrote :

Ash,
your patch was accepted and forwarded to the list

Launchpad Janitor (janitor) wrote :
Download full text (4.4 KiB)

This bug was fixed in the package apparmor - 2.10.95-0ubuntu1

---------------
apparmor (2.10.95-0ubuntu1) xenial; urgency=medium

  * Update to apparmor 2.10.95 (2.11 Beta 1) (LP: #1561762)
    - Allow Apache prefork profile to chown(2) files (LP: #1210514)
    - Allow deluge-gtk and deluge-console to handle torrents opened in
      browsers (LP: #1501913)
    - Allow file accesses needed by some programs using libnl-3-200
      (Closes: #810888)
    - Allow file accesses needed on systems that use NetworkManager without
      resolvconf (Closes: #813835)
    - Adjust aa-status(8) to work without python3-apparmor (LP: #1480492)
    - Fix aa-logprof(8) crash when operating on files containing multiple
      profiles with certain rules (LP: #1528139)
    - Fix log parsing crashes, in the Python utilities, caused by certain file
      related events (LP: #1525119, LP: #1540562)
    - Fix log parsing crasher, in the Python utilities, caused by certain
      change_hat events (LP: #1523297)
    - Improve Python 2 support of the utils by fixing an aa-logprof(8) crasher
      when Python 3 is not available (LP: #1513880)
    - Send aa-easyprof(8) error messages to stderr instead of stdout
      (LP: #1521400)
    - Fix aa-autodep(8) failure when the shebang line of a script contained
      parameters (LP: #1505775)
    - Don't depend on the system logprof.conf when running utils/ build tests
      (LP: #1393979)
    - Fix apparmor_parser(8) bugs when parsing profiles that use policy
      namespaces in the profile declaration or profile transition targets
      (LP: #1540666, LP: #1544387)
    - Regression fix for apparmor_parser(8) bug that resulted in the
      --namespace-string commandline option being ignored causing profiles to
      be loaded into the root policy namespace (LP: #1526085)
    - Fix crasher regression in apparmor_parser(8) when the parser was asked
      to process a directory (LP: #1534405)
    - Fix bug in apparmor_parser(8) to honor the specified bind flags remount
      rules (LP: #1272028)
    - Support tarball generation for Coverity scans and fix a number of issues
      discovered by Coverity
    - Fix regression test failures on s390x systems (LP: #1531325)
    - Adjust expected errno values in changeprofile regression test
      (LP: #1559705)
    - The Python utils gained support for ptrace and signal rules
    - aa-exec(8) received a rewrite in C
    - apparmor_parser(8) gained support for stacking multiple profiles, as
      supported by the Xenial kernel (LP: #1379535)
    - libapparmor gained new public interfaces, aa_stack_profile(2) and
      aa_stack_onexec(2), allowing applications to utilize the new kernel
      stacking support (LP: #1379535)
  * Drop the following patches since they've been incorporated upstream:
    - aa-status-dont_require_python3-apparmor.patch
    - r3209-dnsmasq-allow-dash
    - r3227-locale-indep-capabilities-sorting.patch
    - r3277-update-python-abstraction.patch
    - r3366-networkd.patch,
    - tests-fix_sysctl_test.patch
    - parser-fix-cache-file-mtime-regression.patch
    - parser-verify-cache-file-mtime.patch
    - parser-run-caching-tests-without-apparmorfs.patch
    - pa...

Read more...

Changed in apparmor (Ubuntu):
status: Expired → Fix Released
Launchpad Janitor (janitor) wrote :
Download full text (5.3 KiB)

This bug was fixed in the package apparmor - 2.10.95-0ubuntu2.5~14.04.1

---------------
apparmor (2.10.95-0ubuntu2.5~14.04.1) trusty; urgency=medium

  * Bring apparmor 2.10.95-0ubuntu2.5, from Ubuntu 16.04, to Ubuntu 14.04.
    - This allows for proper snap confinement on Ubuntu 14.04 when using the
      hardware enablement kernel (LP: #1641243)
  * Changes made on top of 2.10.95-0ubuntu2.5:
    - debian/apparmor.upstart: Remove the upstart job and continue using the
      init script in 14.04
    - debian/apparmor.postinst, debian/apparmor-profiles.postinst,
      debian/apparmor-profiles.postrm, debian/rules: Revert to using
      invoke-rc.d to load the profiles, rather than reloading them directly,
      since 14.04 will continue using the init script rather than the upstart
      job.
    - debian/apparmor.init, debian/lib/apparmor/functions,
      debian/apparmor.postinst, debian/apparmor.postrm: Remove functionality
      dealing with AppArmor policy in system image based environments since
      this 14.04 package will not need to handle such environments. This
      removes the handle_system_policy_package_updates(),
      compare_previous_version(), compare_and_save_debsums() functions and
      their callers.
    - debian/apparmor.init: Continue using running-in-container since
      systemd-detect-virt doesn't exist on 14.04
    - debian/lib/apparmor/functions, debian/apparmor.init: Remove the
      is_container_with_internal_policy() function and adjust its call sites
      in apparmor.init so that AppArmor policy is not loaded inside of 14.04
      LXD containers (avoids bug #1641236)
    - debian/lib/apparmor/profile-load, debian/apparmor.install: Remove
      profile-load as upstart's apparmor-profile-load is used in 14.04
    - debian/patches/libapparmor-mention-dbus-method-in-getcon-man.patch:
      Continue applying this patch since the dbus version in 14.04 isn't new
      enough to support fetching the AppArmor context from
      org.freedesktop.DBus.GetConnectionCredentials().
    - debian/patches/libapparmor-force-libtoolize-replacement.patch: Force
      libtoolize to replace existing files to fix a libapparmor FTBFS issue on
      14.04.
    - debian/control: Retain the original 14.04 Breaks and ignore the new
      Breaks from 2.10.95-0ubuntu2.5 since they were put in place as part of
      the enablement of UNIX domain socket mediation. They're not needed in
      this upload since UNIX domain socket mediation is disabled by default so
      updates to the profiles included in those packages are not needed.
    - Preserve the profiles and abstractions from 14.04's
      2.8.95~2430-0ubuntu5.3 apparmor package by recreating them in the
      top-level profiles-14.04/ directory of the source. They'll be installed
      to debian/tmp/etc/apparmor.d/ during the build process and then to
      /etc/apparmor.d/ on package install so that there are no changes to the
      shipped profiles or abstractions. The abstractions from
      2.10.95-0ubuntu2.5 will be installed into
      debian/tmp/snap/etc/apparmor.d/ during the build process and then into
      /etc/apparmor.d/snap/abstractions/ on package install for use wit...

Read more...

Changed in apparmor (Ubuntu Trusty):
status: Expired → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers