Comment 4 for bug 1408106

Jamie Strandboge (jdstrand) wrote :

Ok, I spent quite a bit of time evaluating this and believe this bug can be closed, but other bugs open.

In looking at this I created https://code.launchpad.net/~jdstrand/+git/test-overlay (to build, simply git clone, run 'snapcraft', install the snap and then run 'test-overlay' for instructions on how to test different things).

For this bug, the test code was broken and it didn't pivot_root. I'm not sure if it did pivot_root back when this was filed (I didn't check). The use of attach_disconnected is required because upperdir (man 8 mount, look for overlay) is disconnected. Once attach_disconnected is present, all file paths are mediatable:

- when using just an overlay, the paths show up where you expect them to be in the filesystem
- when using overlay plus chroot, paths are mediatable but an alias rule is really needed to have worthwhile policy (otherwise you need to keep the inner-chroot policy and outer-system policy in sync). Also, logged denials have the overlay mountpoint prefixed. This is consistent with how apparmor works with chroots
- when using overlay plus private mount namespace plus pivot_root, no alias rule is required and logged path denials look like the system paths (ie, the overlay mountpoint is not prefixed)

In all, closing this bug as Invalid. I'll be filing new bugs for various issues I found in my investigation.
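As an added illustration of the policy shape the comment above describes (this is not from the test-overlay snap or from the comment's author), the fragment below sketches an AppArmor profile for the "overlay plus private mount namespace plus pivot_root" case, with the chroot-style alias rule shown commented out for contrast. All paths (/mnt/overlay/, /srv/lower/, /srv/upper/, /srv/work/, /usr/bin/myapp) and the profile name are hypothetical; the rule syntax follows apparmor.d(5).

```apparmor
# Hypothetical profile; paths and name are placeholders, not from the bug.
#include <tunables/global>

# Chroot variant only: without pivot_root the kernel sees /mnt/overlay/usr/...
# rather than /usr/..., so an alias is needed so that rules written against
# system paths also match inside the chroot. Not needed when pivot_root is used.
# alias /usr/ -> /mnt/overlay/usr/,
# alias /etc/ -> /mnt/overlay/etc/,

# attach_disconnected is required because the overlay's upperdir is
# disconnected from the namespace root; without it paths cannot be mediated.
profile test-overlay-example flags=(attach_disconnected) {
  #include <abstractions/base>

  capability sys_admin,
  capability sys_chroot,

  # Create a private mount namespace and mount the overlay on its mountpoint.
  # AppArmor mount rules match fstype and flags, not data options such as
  # lowerdir=/upperdir=/workdir=, which are unmediated here.
  mount fstype=overlay options=(rw) overlay -> /mnt/overlay/,
  mount options=(rw, rprivate) -> /,

  # Move the root into the overlay and detach the old root. After this,
  # denials are logged against system paths (no /mnt/overlay/ prefix).
  pivot_root oldroot=/mnt/overlay/oldroot/ /mnt/overlay/,
  umount /oldroot/,

  # Rules written against the system paths as seen after pivot_root.
  /usr/bin/myapp ixr,
  /etc/myapp/** r,
  owner /var/lib/myapp/** rw,

  # Before pivot_root the same files are reachable under the mountpoint.
  /mnt/overlay/usr/bin/myapp r,
}
```

To check which case you are in, trigger a denial and read the `name=` field of the audit log line: a path prefixed with the overlay mountpoint means the process is in a chroot (or has not pivoted), a bare system path means pivot_root succeeded. If the denial carries `info="Failed name lookup - disconnected path"`, the `attach_disconnected` flag is missing from the profile.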