This problem has surfaced again with recent MAAS Ubuntu images. One report in bug 1701297. I have information about at least two other end users hit by the problem.
Adding a workaround by setting apparmor=0 kernel parameter in MAAS 2.2 will not help users that are running previous versions. @jdstrand Would you care to reference the other bugs you created from your investigation? -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1408106 Title: attach_disconnected not sufficient for overlayfs Status in AppArmor: Invalid Status in MAAS: Incomplete Status in apparmor package in Ubuntu: Invalid Status in linux package in Ubuntu: Invalid Bug description: With the following use of overlayfs, we get a disconnected path: $ cat ./profile #include <tunables/global> profile foo { #include <abstractions/base> capability sys_admin, capability sys_chroot, mount, pivot_root, } $ cat ./overlay.c #include <alloca.h> #include <linux/sched.h> #include <stdio.h> #include <string.h> #include <sys/mount.h> #include <fcntl.h> #include <unistd.h> int main(int argc, char* argv[]) { int i = 0; int len = 0; int ret = 0; char* options; if (geteuid()) unshare(CLONE_NEWUSER); unshare(CLONE_NEWNS); for (i = 1; i < argc; i++) { if (i == 1) { len = strlen(argv[i]) + strlen("upperdir=,lowerdir=/") + 2; options = alloca(len); ret = snprintf(options, len, "upperdir=%s,lowerdir=/", argv[i]); } else { len = strlen(argv[i]) + strlen("upperdir=,lowerdir=/mnt") + 2; options = alloca(len); ret = snprintf(options, len, "upperdir=%s,lowerdir=/mnt", argv[i]); } mount("overlayfs", "/mnt", "overlayfs", MS_MGC_VAL, options); } chdir("/mnt"); pivot_root(".", "."); chroot("."); chdir("/"); execl("/bin/bash", "/bin/bash", NULL); } $ sudo apparmor_parser -r ./profile && aa-exec -p foo -- ./a.out /tmp [255] ... Dec 12 14:31:38 localhost kernel: [57278.040216] audit: type=1400 audit(1418387498.613:712): apparmor="DENIED" operation="exec" info="Failed name lookup - disconnected path" error=-13 profile="foo" name="/bin/bash" pid=18255 comm="a.out" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 With the above, the expectation was for the denial to be /mnt/bin/bash. There are three ways forward: 1. the correct solution is to patch overlayfs to properly track the loopback, but this will take a while, may ultimately be unachievable. UPDATE: upstream is currently working on this and Ubuntu will engage with them 2. we could rely on the fact that overlayfs creates a private unshared submount, and provide a way to not mediate the path when that is present, and tagged. This would take a bit of time, and might be the preferred method over 1 longer term 3. we could extend attach_disconnected so that we can define the attach root. Eg, we can use profile foo (attach_disconnected=/mnt) {} such that '/bin/bash' maps to '/mnt/bin/bash'. UPDATE: THIS IS NOT VIABLE To manage notifications about this bug go to: https://bugs.launchpad.net/apparmor/+bug/1408106/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
