Hi Pete,

"Hans-Peter Jansen":
> Hence I'm only prepared to bisect the standalone version, where the
> offending commit is:
>
> commit f3965b097efec80b18721e1a8cbb4b366985535e
>
> Sure, no wonder, it's this Monday's commit in full... :-(
The standalone version is not git bisect-able, sorry.
(from the aufs README)
----------------------------------------------------------------------
...
the aufs2-standalone tree is generated from aufs2-2.6 tree by,
- extract new files and modifications.
- generate some patch files from modifications.
- generate a ChangeLog file from git-log.
- commit the files newly and no log messages. this is not git-pull.
----------------------------------------------------------------------

> The question is, how is apparmor able to reveal the original path, as aufs
> is executed earlier in the boot process, and the mounts should be covered
> by the aufs / mount, shouldn't they?

I guess it is because aufs opens the real file on its branch internally
using a VFS helper.
- VFS opens the file in aufs, by calling __dentry_open().
- Aufs opens the same named file in the branch, also by __dentry_open().
- the function __dentry_open() calls security_dentry_open().
So the security check for opening is called twice, and the second one is
the problem for you (just my guess).

I am afraid you need to allow all accesses to the branches. But it may
not be acceptable for you. So I'd like to suggest hiding the branches in
order to prohibit anyone but aufs from accessing them. For example,
- mount branches
- mount aufs
- mount -o bind /tmp/hide /read-only
- mount -o bind /tmp/hide /read-write
Then the branches can be accessed by aufs only. No one else can see the
branches, and you can allow all accesses to the branches unconditionally.

J. R. Okajima
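The branch-hiding recipe from the mail above, written out as a script with the checks an administrator would want before and after the bind mounts. This is an added example, not code from the mail or from the aufs project. It assumes branches at /read-write and /read-only, a union mount point at /union, a root-owned empty cover directory /var/lib/aufs-hide (chosen instead of /tmp/hide because /tmp is world-writable and any local user could pre-create a directory there), the aufs `br=` mount option syntax, and the util-linux `mountpoint` tool. With DRY_RUN=1 it prints the mount sequence instead of executing it; the real run needs root and aufs support.

```shell
#!/bin/sh
# Added example, not part of the original mail or of aufs itself.
# Hide aufs branches behind an empty bind mount so that only aufs (which
# already holds references to the branch directories) can reach them.
set -eu

# Illustrative paths; override via the environment.
RW=${RW:-/read-write}
RO=${RO:-/read-only}
UNION=${UNION:-/union}
HIDE=${HIDE:-/var/lib/aufs-hide}   # root-owned, empty, not under /tmp
DRY_RUN=${DRY_RUN:-0}

# Print the command when DRY_RUN=1, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# The cover directory must be a real (non-symlink), empty directory that
# others cannot write to; otherwise whoever controls it controls what
# appears at the covered branch paths.
check_hide_dir() {
    dir=$1
    [ -d "$dir" ] && [ ! -L "$dir" ] || return 1
    [ -z "$(find "$dir" -maxdepth 0 -perm -o+w)" ] || return 1
    [ -z "$(ls -A "$dir")" ] || return 1
    return 0
}

# Order matters: mount aufs first so it has opened its branches, then
# cover the branch paths. Covering them first would hand aufs the empty
# cover directory as its branch.
hide_branches() {
    run mount -t aufs -o "br=$RW=rw:$RO=ro" none "$UNION"
    run mount -o bind "$HIDE" "$RO"
    run mount -o bind "$HIDE" "$RW"
}

# Post-condition: each branch path is now a mount point with an empty
# listing, so nothing but aufs sees the branch contents.
branches_hidden() {
    for b in "$RO" "$RW"; do
        mountpoint -q "$b" || return 1
        [ -z "$(ls -A "$b")" ] || return 1
    done
    return 0
}

main() {
    [ "$(id -u)" = 0 ] || { echo "must run as root" >&2; exit 1; }
    mkdir -p "$HIDE"
    chmod 0555 "$HIDE"
    check_hide_dir "$HIDE" || { echo "$HIDE is not a safe empty cover dir" >&2; exit 1; }
    hide_branches
    if [ "$DRY_RUN" != 1 ]; then
        branches_hidden && echo "branches covered; only $UNION exposes their contents"
    fi
}

# Run only when invoked explicitly: ./hide-branches.sh run
if [ "${1:-}" = run ]; then
    main
fi
```

Because aufs keeps its own dentry references to the branches, the bind mounts placed over /read-only and /read-write afterwards do not affect the union; they only remove the branch paths from what other processes can look up, which is what makes an unconditional AppArmor allow rule for the branch paths tolerable.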