I would suggest to solve this problem this way:
- in aufs, do not change anything
- in aufs documentation, provide some warning that apparmor must be configured properly to allow access to files on all branches.
In an ideal case, somebody who understands how to configure apparmor could provide a profile configuration for aufs, which will allow aufs to access all files, and this configuration could be either part of aufs sources or could be noted in documentation. Unfortunately I do not know how to configure apparmor, so disabling it entirely is easier for me now.

Tomas M

> There may exist several options and variations to address this problem.
> - modify the apparmor's policy to allow the branch path.
> - add a parameter to VFS::open_body() which will be
>   + to skip calling apparmor().
>   + to give a non-converted path to apparmor().
>   And aufs::aufs_open() sets the parameter.
>
> The first one looks good, but it may be hard to modify the large policy
> files for users.
> The second one (including its variation) doesn't look good, since it
> blocks the natural behaviour of AppArmor or it must be redundant to test
> the same path twice.
>
> For me, there is one thing left to investigate. The BUG msg in
> Christoph's kernel log file.
>
>
> J. R. Okajima