Bug #9045: overlayfs breaks AppArmor

Bug #9045

overlayfs breaks AppArmor

Added by intrigeri 2015-03-10 20:54:06 . Updated 2017-01-02 17:33:17 .

Status:

Resolved

Priority:

Normal

Assignee:

Category:

Target version:

Start date:

2015-03-10

Due date:

% Done:

100%

Feature Branch:

feature/8415-overlayfs-stretch

Type of work:

Code

Blueprint:

https://tails.boum.org/contribute/design/application_isolation/#overlayfs

Starter:

Affected tool:

Deliverable for:

Description

Reference: https://bugs.launchpad.net/apparmor/+bug/1408106

At March, 2015 AppArmor meeting:

jjohansen: overlayfs is currently just broken, and we are going to be working with upstream to try to get it fixed
darix: are the current issues documented somewhere?
jjohansen: upstream has already begun working on fixing many of the issues involved we just need to make sure we are on top of it and providing them feedback, and maybe a patch or two if needed
jjohansen: darix: only sort of in the lkml/fsdevel threads around the issues
jjohansen: it affect more than just apparmor
[...]
jjohansen: to summarize, basically overlayfs took some short cuts and some places the hooks see the upper (overlayfs) dentry/vfsmnt
jjohansen: and some places only see the lower dentry/vfsmnt (which is also a private clone mnt)
tyhicks: darix: this is a decent placeholder bug to follow for the general overlayfs issue: https://bugs.launchpad.net/apparmor/+bug/1408106
jjohansen: once the overlayfs issues are fixed we should be good with doing unioning via overlayfs
intrigeri: be sure that I'll (have to) test it, including with multiple lower-layers
[...]
jjohansen: intrigeri: yeah we will have to test it too, there are several projects that want to use it

Subtasks

History

#1 Updated by intrigeri 2015-03-10 21:04:41

Description updated
Status changed from New to Confirmed
Blueprint set to https://tails.boum.org/contribute/design/application_isolation/#overlayfs

#2 Updated by intrigeri 2015-07-13 03:49:46

Target version set to Sustainability_M1

#3 Updated by intrigeri 2015-08-11 01:54:07

Description updated

#4 Updated by intrigeri 2015-08-11 07:28:40

Feature Branch set to feature/8415-overlayfs

On current feature/8415-overlayfs, the profiles for Vidalia, Tor Browser and cupsd are loaded and enforced (so say aa-status). However, indeed they don’t seem to be effective: I could save a page into ~/.gnupg/ from Tor Browser.

#5 Updated by sajolida 2015-09-07 10:44:17

Target version changed from Sustainability_M1 to 2016

#6 Updated by intrigeri 2016-05-23 22:11:04

I’ve just pinged the upstream bug to ask for a timeline update. Let’s see what happens there before we decide something wrt. ~~Feature #10298~~ (building aufs out-of-tree modules vs. waiting for AppArmor to support overlayfs).

#7 Updated by BitingBird 2016-06-26 10:47:25

Status changed from Confirmed to In Progress
% Done changed from 0 to 10

#8 Updated by intrigeri 2016-08-20 10:53:00

Priority changed from Elevated to Normal
Target version deleted (~~2016~~)

Given we could do ~~Feature #10298~~ without migrating to overlayfs, we removed this from our roadmap at the summit this year.

#9 Updated by intrigeri 2017-01-01 11:24:27

Subgraph OS (live) uses overlayfs and enables AppArmor.

aa-status says that some processes (e.g. dhclient, NM and Tor) are confined.

I see some aliases set up:

alias / -> /lib/live/mount/overlay/,
alias / -> /lib/live/mount/rootfs/filesystem.squashfs/,
alias / -> /rw/,

I’ve started a feature/stretch ISO, dropped union=aufs (so the default, i.e. overlayfs, is used), added alias / -> /rw/,, added flags=(attach_disconnected) to the usr.bin.evince profile and it seems to behave as it should: Evince can open stuff in /usr, but not in ~/.gnupg. So it might be that adding this flag to all the profiles we ship would be enough.