Project

General

Profile

Bug #9045

Feature #8415: Migrate from aufs to overlayfs

overlayfs breaks AppArmor

Added by intrigeri over 4 years ago. Updated over 2 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
-
Target version:
-
Start date:
03/10/2015
Due date:
% Done:

100%

Feature Branch:
feature/8415-overlayfs-stretch
Type of work:
Code
Starter:
Affected tool:

Description

Reference: https://bugs.launchpad.net/apparmor/+bug/1408106

At March, 2015 AppArmor meeting:

jjohansen: overlayfs is currently just broken, and we are going to be working with upstream to try to get it fixed
darix: are the current issues documented somewhere?
jjohansen: upstream has already begun working on fixing many of the issues involved we just need to make sure we are on top of it and providing them feedback, and maybe a patch or two if needed
jjohansen: darix: only sort of in the lkml/fsdevel threads around the issues
jjohansen: it affect more than just apparmor
[...]
jjohansen: to summarize, basically overlayfs took some short cuts and some places the hooks see the upper (overlayfs) dentry/vfsmnt
jjohansen: and some places only see the lower dentry/vfsmnt (which is also a private clone mnt)
tyhicks: darix: this is a decent placeholder bug to follow for the general overlayfs issue: https://bugs.launchpad.net/apparmor/+bug/1408106
jjohansen: once the overlayfs issues are fixed we should be good with doing unioning via overlayfs
intrigeri: be sure that I'll (have to) test it, including with multiple lower-layers
[...]
jjohansen: intrigeri: yeah we will have to test it too, there are several projects that want to use it

History

#1 Updated by intrigeri over 4 years ago

  • Description updated (diff)
  • Status changed from New to Confirmed
  • Blueprint set to https://tails.boum.org/contribute/design/application_isolation/#overlayfs

#2 Updated by intrigeri about 4 years ago

  • Target version set to Sustainability_M1

#3 Updated by intrigeri about 4 years ago

  • Description updated (diff)

#4 Updated by intrigeri about 4 years ago

  • Feature Branch set to feature/8415-overlayfs

On current feature/8415-overlayfs, the profiles for Vidalia, Tor Browser and cupsd are loaded and enforced (so say aa-status). However, indeed they don't seem to be effective: I could save a page into ~/.gnupg/ from Tor Browser.

#5 Updated by sajolida almost 4 years ago

  • Target version changed from Sustainability_M1 to 2016

#6 Updated by intrigeri about 3 years ago

I've just pinged the upstream bug to ask for a timeline update. Let's see what happens there before we decide something wrt. #10298 (building aufs out-of-tree modules vs. waiting for AppArmor to support overlayfs).

#7 Updated by BitingBird about 3 years ago

  • Status changed from Confirmed to In Progress
  • % Done changed from 0 to 10

#8 Updated by intrigeri about 3 years ago

  • Priority changed from Elevated to Normal
  • Target version deleted (2016)

Given we could do #10298 without migrating to overlayfs, we removed this from our roadmap at the summit this year.

#9 Updated by intrigeri over 2 years ago

Subgraph OS (live) uses overlayfs and enables AppArmor.

aa-status says that some processes (e.g. dhclient, NM and Tor) are confined.

I see some aliases set up:

alias / -> /lib/live/mount/overlay/,
alias / -> /lib/live/mount/rootfs/filesystem.squashfs/,
alias / -> /rw/,

I've started a feature/stretch ISO, dropped union=aufs (so the default, i.e. overlayfs, is used), added alias / -> /rw/,, added flags=(attach_disconnected) to the usr.bin.evince profile and it seems to behave as it should: Evince can open stuff in /usr, but not in ~/.gnupg. So it might be that adding this flag to all the profiles we ship would be enough.

#10 Updated by intrigeri over 2 years ago

  • Subject changed from overlayfs is broken with AppArmor to overlayfs breaks AppArmor

#11 Updated by intrigeri over 2 years ago

  • Feature Branch changed from feature/8415-overlayfs to feature/8415-overlayfs-stretch

#12 Updated by intrigeri over 2 years ago

  • Type of work changed from Wait to Code

#13 Updated by intrigeri over 2 years ago

It seems that the alias / -> /rm/ trick doesn't entirely work:

  • Pidgin is denied access to /rw/home/amnesia/...
  • Tor Browser is denied access to /rw/home/amnesia/.tor-browser/...

#14 Updated by intrigeri over 2 years ago

intrigeri wrote:

It seems that the alias / -> /rm/ trick doesn't entirely work:

52bdaf5ac6efeac6d6a0b43a6b454fd45cdc73fc should take care of that.

#15 Updated by intrigeri over 2 years ago

  • Status changed from In Progress to Resolved
  • Assignee deleted (intrigeri)
  • % Done changed from 10 to 100

Test suite runs now look good, AppArmor-wise.

Also available in: Atom PDF