Upon a bit of further investigation, it's interesting to note that btrfs snapshots preserve ownership (i.e. btrfsctl -S test / --> test is owned by root:root just like /).
So, one workaround is the policy invariant "Any directories where a confined process can write to should only be granted owner read permissions", though this is a pretty subpar workaround... Even in a fairly restricted AppArmor profile, as long as inherit-execute permissions are available to the btrfsctl binary, and write permissions exist to the snapshot destination, btrfs snapshotting will succeed. No further AA capabilities are required, which is a bit concerning.

--
Too easy to circumvent AppArmor using btrfs snapshots
https://bugs.launchpad.net/bugs/484786
