With the above, the expectation was for the denial to be /tmp/bin/bash. There are three ways forward:
1. the correct solution is to patch overlayfs to properly track the loopback, but this will take a while, may ultimately be unachievable (investigation is needed) and is likely non-upstreamable
2. we could rely on the fact that overlayfs creates a private unshared submount, and provide a way to not mediate the path when that is present, and tagged. This would take a bit of time, and might be the preferred method over 1 longer term
3. we could extend attach_disconnected so that we can define the attach root. Eg, we can use profile foo (attach_disconnected=/tmp) {} such that '/bin/bash' maps to '/tmp/bin/bash'.
While attach_disconnected should in general be discouraged, this method:
* is doable in a short time frame,
* is generally useful even when the proper fix is in place
* would help lxc in a few cases
* would be sufficient for snappy
With the following use of overlayfs, we get a disconnected path:
$ cat ./profile
#include <tunables/global>
profile foo {
#include <abstractions/base>
capability sys_admin,
capability sys_chroot,
mount,
pivot_root,
}
$ cat ./overlay.c
#include <alloca.h>
#include <linux/sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <fcntl.h>
#include <unistd.h>
int main(int argc, char* argv[]) {
int i = 0;
int len = 0;
int ret = 0;
char* options;
if (geteuid())
unshare( CLONE_NEWUSER) ; CLONE_NEWNS) ;
unshare(
for (i = 1; i < argc; i++) { "upperdir= ,lowerdir= /") + 2; %s,lowerdir= /", argv[i]); "upperdir= ,lowerdir= /mnt") + 2; %s,lowerdir= /mnt", argv[i]);
if (i == 1) {
len = strlen(argv[i]) + strlen(
options = alloca(len);
ret = snprintf(options, len, "upperdir=
}
else {
len = strlen(argv[i]) + strlen(
options = alloca(len);
ret = snprintf(options, len, "upperdir=
}
}
chdir("/mnt");
pivot_root(".", ".");
chroot(".");
chdir("/"); "/bin/bash" , "/bin/bash", NULL);
execl(
}
$ sudo apparmor_parser -r ./profile && aa-exec -p foo -- ./a.out /tmp 8.613:712) : apparmor="DENIED" operation="exec" info="Failed name lookup - disconnected path" error=-13 profile="foo" name="/bin/bash" pid=18255 comm="a.out" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
[255]
...
Dec 12 14:31:38 localhost kernel: [57278.040216] audit: type=1400 audit(141838749
With the above, the expectation was for the denial to be /tmp/bin/bash. There are three ways forward: disconnected= /tmp) {} such that '/bin/bash' maps to '/tmp/bin/bash'.
1. the correct solution is to patch overlayfs to properly track the loopback, but this will take a while, may ultimately be unachievable (investigation is needed) and is likely non-upstreamable
2. we could rely on the fact that overlayfs creates a private unshared submount, and provide a way to not mediate the path when that is present, and tagged. This would take a bit of time, and might be the preferred method over 1 longer term
3. we could extend attach_disconnected so that we can define the attach root. Eg, we can use profile foo (attach_
While attach_disconnected should in general be discouraged, this method:
* is doable in a short time frame,
* is generally useful even when the proper fix is in place
* would help lxc in a few cases
* would be sufficient for snappy