Bug #9045

overlayfs breaks AppArmor

Added by intrigeri 2015-03-10 20:54:06. Updated 2017-01-02 17:33:17.

Reference: https://bugs.launchpad.net/apparmor/+bug/1408106

At the March 2015 AppArmor meeting:

jjohansen: overlayfs is currently just broken, and we are going to be working with upstream to try to get it fixed
darix: are the current issues documented somewhere?
jjohansen: upstream has already begun working on fixing many of the issues involved, we just need to make sure we are on top of it and providing them feedback, and maybe a patch or two if needed
jjohansen: darix: only sort of in the lkml/fsdevel threads around the issues
jjohansen: it affects more than just apparmor
jjohansen: to summarize, basically overlayfs took some short cuts and in some places the hooks see the upper (overlayfs) dentry/vfsmnt
jjohansen: and some places only see the lower dentry/vfsmnt (which is also a private clone mnt)
tyhicks: darix: this is a decent placeholder bug to follow for the general overlayfs issue: https://bugs.launchpad.net/apparmor/+bug/1408106
jjohansen: once the overlayfs issues are fixed we should be good with doing unioning via overlayfs
intrigeri: be sure that I'll (have to) test it, including with multiple lower-layers
jjohansen: intrigeri: yeah we will have to test it too, there are several projects that want to use it



#1 Updated by intrigeri 2015-03-10 21:04:41

  • Description updated
  • Status changed from New to Confirmed
  • Blueprint set to https://tails.boum.org/contribute/design/application_isolation/#overlayfs

#2 Updated by intrigeri 2015-07-13 03:49:46

  • Target version set to Sustainability_M1

#3 Updated by intrigeri 2015-08-11 01:54:07

  • Description updated

#4 Updated by intrigeri 2015-08-11 07:28:40

  • Feature Branch set to feature/8415-overlayfs

On current feature/8415-overlayfs, the profiles for Vidalia, Tor Browser and cupsd are loaded and enforced (so says aa-status). However, indeed they don’t seem to be effective: I could save a page into ~/.gnupg/ from Tor Browser.

#5 Updated by sajolida 2015-09-07 10:44:17

  • Target version changed from Sustainability_M1 to 2016

#6 Updated by intrigeri 2016-05-23 22:11:04

I’ve just pinged the upstream bug to ask for a timeline update. Let’s see what happens there before we decide something wrt. Feature #10298 (building aufs out-of-tree modules vs. waiting for AppArmor to support overlayfs).

#7 Updated by BitingBird 2016-06-26 10:47:25

  • Status changed from Confirmed to In Progress
  • % Done changed from 0 to 10

#8 Updated by intrigeri 2016-08-20 10:53:00

  • Priority changed from Elevated to Normal
  • Target version deleted (2016)

Given we could do Feature #10298 without migrating to overlayfs, we removed this from our roadmap at the summit this year.

#9 Updated by intrigeri 2017-01-01 11:24:27

Subgraph OS (live) uses overlayfs and enables AppArmor.

aa-status says that some processes (e.g. dhclient, NM and Tor) are confined.

I see some aliases set up:

alias / -> /lib/live/mount/overlay/,
alias / -> /lib/live/mount/rootfs/filesystem.squashfs/,
alias / -> /rw/,

I’ve started a feature/stretch ISO, dropped union=aufs (so the default, i.e. overlayfs, is used), added alias / -> /rw/,, added flags=(attach_disconnected) to the usr.bin.evince profile and it seems to behave as it should: Evince can open stuff in /usr, but not in ~/.gnupg. So it might be that adding this flag to all the profiles we ship would be enough.

#10 Updated by intrigeri 2017-01-01 18:26:38

  • Subject changed from overlayfs is broken with AppArmor to overlayfs breaks AppArmor

#11 Updated by intrigeri 2017-01-02 09:40:12

  • Feature Branch changed from feature/8415-overlayfs to feature/8415-overlayfs-stretch

#12 Updated by intrigeri 2017-01-02 09:40:54

  • Type of work changed from Wait to Code

#13 Updated by intrigeri 2017-01-02 11:17:44

It seems that the alias / -> /rw/ trick doesn’t entirely work:

  • Pidgin is denied access to /rw/home/amnesia/...
  • Tor Browser is denied access to /rw/home/amnesia/.tor-browser/...

#14 Updated by intrigeri 2017-01-02 11:55:16

intrigeri wrote:
> It seems that the alias / -> /rw/ trick doesn’t entirely work:

commit:52bdaf5ac6efeac6d6a0b43a6b454fd45cdc73fc should take care of that.
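
To make concrete what the alias rules from comment #9 do, and why Pidgin and Tor Browser were still being denied /rw/home/amnesia/... paths in comment #13, here is an added toy model of AppArmor's alias expansion. It is not Tails code and not apparmor_parser: the three alias lines are the ones quoted in comment #9, the profile rules and the requested paths are constructed for the illustration, "owner" is ignored, and the attach_disconnected profile flag is outside what the model covers. The point it shows is that an alias does not rewrite the path the kernel sees; it makes the parser emit a second copy of each path rule under the aliased prefix, so a rule written for /home/amnesia/... only covers the /rw/home/amnesia/... path that overlayfs exposes to the LSM hooks if the alias is present when the profile is compiled.

```python
"""Toy model of AppArmor alias expansion and path matching.

Added illustration only: not Tails code and not apparmor_parser. Real
AppArmor compiles rules into a DFA in the kernel and the tunables syntax
is richer; this just shows how aliases duplicate rules under a new prefix.
"""
import re

# The alias lines seen on a Subgraph OS live system (comment #9). In a
# real deployment they live in /etc/apparmor.d/tunables/alias.
ALIAS_TUNABLES = """
alias / -> /lib/live/mount/overlay/,
alias / -> /lib/live/mount/rootfs/filesystem.squashfs/,
alias / -> /rw/,
"""

# Constructed profile fragment for the example; not a real Tails profile.
PROFILE_RULES = """
/usr/** r,
owner @{HOME}/.tor-browser/** rw,
deny @{HOME}/.gnupg/** rwklmx,
"""
VARIABLES = {"@{HOME}": "/home/amnesia"}  # assumed value of the tunable


def parse_aliases(text):
    """Return (source_prefix, target_prefix) pairs from 'alias A -> B,' lines."""
    pairs = []
    for line in text.splitlines():
        m = re.match(r"\s*alias\s+([^\s,]+)\s*->\s*([^\s,]+)\s*,\s*$", line)
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


def glob_to_regex(pattern):
    """AppArmor globbing: '*' does not cross '/', '**' does."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile("^" + out + "$")


def parse_rules(text, variables, aliases):
    """Expand variables, then duplicate each rule for every alias whose
    source prefix matches, which is what makes the aliased path match too."""
    rules = []
    for line in text.splitlines():
        line = line.strip().rstrip(",")
        if not line:
            continue
        parts = line.split()
        deny = parts[0] == "deny"
        if deny:
            parts = parts[1:]
        if parts[0] == "owner":  # owner semantics are ignored in this model
            parts = parts[1:]
        path, perms = parts
        for var, val in variables.items():
            path = path.replace(var, val)
        expanded = [path] + [tgt + path[len(src):]
                             for src, tgt in aliases if path.startswith(src)]
        for p in expanded:
            rules.append((deny, glob_to_regex(p), set(perms)))
    return rules


def check(rules, path, perm):
    """An explicit deny rule wins; otherwise any allow rule granting perm."""
    allowed = False
    for deny, rx, perms in rules:
        if rx.match(path) and perm in perms:
            if deny:
                return False
            allowed = True
    return allowed


if __name__ == "__main__":
    aliases = parse_aliases(ALIAS_TUNABLES)
    without = parse_rules(PROFILE_RULES, VARIABLES, [])
    with_alias = parse_rules(PROFILE_RULES, VARIABLES, aliases)
    seen_by_lsm = "/rw/home/amnesia/.tor-browser/profile"
    print("no alias :", check(without, seen_by_lsm, "r"))     # False
    print("with alias:", check(with_alias, seen_by_lsm, "r"))  # True
    print("gnupg     :", check(with_alias, "/rw/home/amnesia/.gnupg/x", "r"))  # False
```

Running it reproduces the observation from comment #13 in miniature: with no alias compiled in, a request for /rw/home/amnesia/.tor-browser/profile matches nothing and is refused, while the same request is granted once the /rw/ alias exists, and the deny on ~/.gnupg still holds through the alias. Note that aa-status only reports that a profile is loaded and in enforce mode; it says nothing about whether the paths the profile names are the ones the kernel actually sees, which is why the effective test in comments #4 and #9 was to try the access from inside the confined application.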

#15 Updated by intrigeri 2017-01-02 17:33:17

  • Status changed from In Progress to Resolved
  • Assignee deleted (intrigeri)
  • % Done changed from 10 to 100

Test suite runs now look good, AppArmor-wise.