There is apparently still a bug in overlayfs with apparmor. If I do
mkdir /tmp/lower
mount -t overlayfs -o rw,upperdir=/tmp/lower,lowerdir=/ overlay /mnt
I can ls /mnt and see the overlay of / just fine. Then I create /etc/apparmor.d/sergebashtest which contains:
===============
#include <tunables/global>

/bin/bash2 flags=(attach_disconnected) {
  network,
  capability chown,
  capability dac_override,
  capability dac_read_search,
  capability fowner,
  capability fsetid,
  capability kill,
  capability setgid,
  capability setuid,
  capability setpcap,
  capability linux_immutable,
  capability net_bind_service,
  capability net_broadcast,
  capability net_admin,
  capability net_raw,
  capability ipc_lock,
  capability ipc_owner,
  capability sys_module,
  capability sys_rawio,
  capability sys_chroot,
  capability sys_ptrace,
  capability sys_pacct,
  capability sys_admin,
  capability sys_boot,
  capability sys_nice,
  capability sys_resource,
  capability sys_time,
  capability sys_tty_config,
  capability mknod,
  capability lease,
  capability audit_write,
  capability audit_control,
  capability setfcap,
  capability mac_override,
  capability mac_admin,
  capability syslog,
  / rwklix,
  /** rwklix,
}
==================
and insert that with 'apparmor_parser /etc/apparmor.d/sergebashtest', and cp /bin/bash /bin/bash2.
Then I do /bin/bash2 and ls /mnt from there, and get:
root@sergelap:/etc/apparmor.d# ls /mnt
ls: cannot access /mnt: Invalid argument
though I can ls /tmp/lower and / just fine.
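As an added example (not part of the bug report, and not code from the AppArmor project), here is a small Python parser for the profile syntax used above. It pulls the profile name, flags, capabilities and file rules out of the text and reports how permissive the policy is, which is the first thing to establish when an error like the one in the report appears under confinement. The sample profile is the one from the report, rebuilt inline; the set of "high-risk" capabilities and the wording of the findings are my own choices, and the parser only handles the subset of the profile language the report uses (includes, one profile header, capability rules, path rules and bare rules such as network).

```python
"""Parse one AppArmor profile (the subset used in the bug report) and audit it."""
import re
from dataclasses import dataclass, field

# Constructed sample: the 35 capabilities from the report's profile, in order.
CAPS = ("chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap "
        "linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner "
        "sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice "
        "sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap "
        "mac_override mac_admin syslog").split()

# Constructed sample: the report's /etc/apparmor.d/sergebashtest profile, rebuilt as text.
SAMPLE_PROFILE = "\n".join(
    ["#include <tunables/global>", "", "/bin/bash2 flags=(attach_disconnected) {", "  network,"]
    + [f"  capability {c}," for c in CAPS]
    + ["  / rwklix,", "  /** rwklix,", "}", ""])

HEADER_RE = re.compile(r"^(?P<name>\S+)(?:\s+flags=\((?P<flags>[^)]*)\))?\s*\{$")
CAP_RE = re.compile(r"^capability\s+(?P<cap>\w+),$")
FILE_RE = re.compile(r"^(?P<path>/\S*)\s+(?P<perms>[A-Za-z]+),$")

# My selection: capabilities that, together with broad file access, amount to root-equivalent control.
HIGH_RISK_CAPS = {"sys_admin", "sys_module", "sys_ptrace", "sys_rawio", "dac_override",
                  "mac_admin", "mac_override", "setuid", "setgid"}


@dataclass
class Profile:
    name: str
    flags: list = field(default_factory=list)
    includes: list = field(default_factory=list)
    capabilities: list = field(default_factory=list)
    file_rules: dict = field(default_factory=dict)   # path -> set of permission letters
    other_rules: list = field(default_factory=list)  # bare rules such as "network"


def parse_profile(text):
    """Return a Profile for the first profile block in text; raise ValueError if malformed."""
    prof, includes = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#include"):          # preprocessor include, e.g. <tunables/global>
            includes.append(line.split(None, 1)[1].strip("<>\""))
            continue
        if not line or line.startswith("#"):     # blank line or comment
            continue
        if prof is None:                         # first non-include line must be the header
            m = HEADER_RE.match(line)
            if not m:
                raise ValueError(f"expected profile header, got: {line!r}")
            flags = [f.strip() for f in (m.group("flags") or "").split(",") if f.strip()]
            prof = Profile(name=m.group("name"), flags=flags, includes=includes)
            continue
        if line == "}":
            return prof
        if (m := CAP_RE.match(line)):
            prof.capabilities.append(m.group("cap"))
        elif (m := FILE_RE.match(line)):
            prof.file_rules[m.group("path")] = set(m.group("perms"))
        else:
            prof.other_rules.append(line.rstrip(","))
    raise ValueError("profile block not terminated with '}'")


def audit(prof):
    """Return human-readable findings describing how permissive the profile is."""
    findings = []
    risky = sorted(HIGH_RISK_CAPS & set(prof.capabilities))
    if risky:
        findings.append(f"{prof.name}: high-risk capabilities granted: {', '.join(risky)}")
    glob = prof.file_rules.get("/**", set())
    if {"r", "w", "x"} <= glob:
        findings.append(f"{prof.name}: read/write/execute on every path (/** {''.join(sorted(glob))})")
    if "attach_disconnected" in prof.flags:
        findings.append(f"{prof.name}: attach_disconnected set; paths disconnected from the "
                        "namespace root are mediated as if attached under /")
    return findings


if __name__ == "__main__":
    p = parse_profile(SAMPLE_PROFILE)
    print(f"profile {p.name}: {len(p.capabilities)} capabilities, {len(p.file_rules)} file rules")
    for finding in audit(p):
        print(" -", finding)
```

Run against the report's profile it shows 35 capabilities plus rwklix on both / and /**, so the policy is close to unconfined. That is worth knowing when reading the "Invalid argument" error: there is very little left for a file rule to deny, so a missing path rule is an unlikely explanation, and the next place to look is the kernel audit log (dmesg or auditd) for any apparmor DENIED entries produced by the failing ls.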