Comment 3 for bug 925028

Serge Hallyn (serge-hallyn) wrote : Re: apparmor breaks lxc-start-ephemeral

There is apparently still a bug in overlayfs with apparmor. If I do

mkdir /tmp/lower
mount -t overlayfs -o rw,upperdir=/tmp/lower,lowerdir=/ overlay /mnt

I can ls /mnt and see the overlay of / just fine. Then I create /etc/apparmor.d/sergebashtest which contains:

===============
#include <tunables/global>

/bin/bash2 flags=(attach_disconnected) {
  network,

  capability chown,
  capability dac_override,
  capability dac_read_search,
  capability fowner,
  capability fsetid,
  capability kill,
  capability setgid,
  capability setuid,
  capability setpcap,
  capability linux_immutable,
  capability net_bind_service,
  capability net_broadcast,
  capability net_admin,
  capability net_raw,
  capability ipc_lock,
  capability ipc_owner,
  capability sys_module,
  capability sys_rawio,
  capability sys_chroot,
  capability sys_ptrace,
  capability sys_pacct,
  capability sys_admin,
  capability sys_boot,
  capability sys_nice,
  capability sys_resource,
  capability sys_time,
  capability sys_tty_config,
  capability mknod,
  capability lease,
  capability audit_write,
  capability audit_control,
  capability setfcap,
  capability mac_override,
  capability mac_admin,
  capability syslog,

  / rwklix,
  /** rwklix,

}

==================
and insert that with 'apparmor_parser /etc/apparmor.d/sergebashtest', and cp /bin/bash /bin/bash2.

Then I do /bin/bash2 and ls /mnt from there, and get:

root@sergelap:/etc/apparmor.d# ls /mnt
ls: cannot access /mnt: Invalid argument

though I can ls /tmp/lower and / just fine.