
Bug #9045

Feature #8415: Migrate from aufs to overlayfs

overlayfs breaks AppArmor

Added by intrigeri over 4 years ago. Updated almost 3 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: -
Target version: -
Start date: 03/10/2015
Due date:
% Done: 100%
Feature Branch: feature/8415-overlayfs-stretch
Type of work: Code
Starter:
Affected tool:

Description

Reference: https://bugs.launchpad.net/apparmor/+bug/1408106

At the March 2015 AppArmor meeting:

jjohansen: overlayfs is currently just broken, and we are going to be working with upstream to try to get it fixed
darix: are the current issues documented somewhere?
jjohansen: upstream has already begun working on fixing many of the issues involved we just need to make sure we are on top of it and providing them feedback, and maybe a patch or two if needed
jjohansen: darix: only sort of in the lkml/fsdevel threads around the issues
jjohansen: it affects more than just apparmor
[...]
jjohansen: to summarize, basically overlayfs took some short cuts and some places the hooks see the upper (overlayfs) dentry/vfsmnt
jjohansen: and some places only see the lower dentry/vfsmnt (which is also a private clone mnt)
tyhicks: darix: this is a decent placeholder bug to follow for the general overlayfs issue: https://bugs.launchpad.net/apparmor/+bug/1408106
jjohansen: once the overlayfs issues are fixed we should be good with doing unioning via overlayfs
intrigeri: be sure that I'll (have to) test it, including with multiple lower-layers
[...]
jjohansen: intrigeri: yeah we will have to test it too, there are several projects that want to use it

Associated revisions

Revision 28f17d93 (diff)
Added by segfault 13 days ago

Fix Tor Browser AppArmor profile not tweaked for overlayfs (refs: #9045)

History

#1 Updated by intrigeri over 4 years ago

  • Description updated (diff)
  • Status changed from New to Confirmed
  • Blueprint set to https://tails.boum.org/contribute/design/application_isolation/#overlayfs

#2 Updated by intrigeri over 4 years ago

  • Target version set to Sustainability_M1

#3 Updated by intrigeri over 4 years ago

  • Description updated (diff)

#4 Updated by intrigeri over 4 years ago

  • Feature Branch set to feature/8415-overlayfs

On current feature/8415-overlayfs, the profiles for Vidalia, Tor Browser and cupsd are loaded and enforced (so says aa-status). However, indeed they don't seem to be effective: I could save a page into ~/.gnupg/ from Tor Browser.

#5 Updated by sajolida about 4 years ago

  • Target version changed from Sustainability_M1 to 2016

#6 Updated by intrigeri over 3 years ago

I've just pinged the upstream bug to ask for a timeline update. Let's see what happens there before we decide something wrt. #10298 (building aufs out-of-tree modules vs. waiting for AppArmor to support overlayfs).

#7 Updated by BitingBird over 3 years ago

  • Status changed from Confirmed to In Progress
  • % Done changed from 0 to 10

#8 Updated by intrigeri over 3 years ago

  • Priority changed from Elevated to Normal
  • Target version deleted (2016)

Given we could do #10298 without migrating to overlayfs, we removed this from our roadmap at the summit this year.

#9 Updated by intrigeri almost 3 years ago

Subgraph OS (live) uses overlayfs and enables AppArmor.

aa-status says that some processes (e.g. dhclient, NM and Tor) are confined.

I see some aliases set up:

alias / -> /lib/live/mount/overlay/,
alias / -> /lib/live/mount/rootfs/filesystem.squashfs/,
alias / -> /rw/,

I've started a feature/stretch ISO, dropped union=aufs (so the default, i.e. overlayfs, is used), added alias / -> /rw/,, added flags=(attach_disconnected) to the usr.bin.evince profile and it seems to behave as it should: Evince can open stuff in /usr, but not in ~/.gnupg. So it might be that adding this flag to all the profiles we ship would be enough.
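The setup described in this comment, written out as an added example (not configuration from the Tails repository or from the Subgraph OS image): the three alias rules go into the aliases tunable, which AppArmor's tunables/global already includes, and each shipped profile gets the attach_disconnected flag. The file paths, the evince profile body and the rules in it are assumed for illustration.

```apparmor
# /etc/apparmor.d/tunables/alias  (assumed location; pulled in via tunables/global)
# Each alias makes every rule written for "/" also match the same path under
# the aliased prefix, so a rule for /usr/** also covers /rw/usr/** and the
# lower-layer copies under /lib/live/mount/.
alias / -> /rw/,
alias / -> /lib/live/mount/overlay/,
alias / -> /lib/live/mount/rootfs/filesystem.squashfs/,
```

```apparmor
# /etc/apparmor.d/usr.bin.evince  (hypothetical, shortened profile)
#include <tunables/global>

# attach_disconnected: when overlayfs hands the LSM a dentry that is not
# connected to the namespace root, treat its path as relative to "/"
# instead of leaving it unmediated. Without this the profile loads and
# shows as "enforced" in aa-status but the file rules never match.
/usr/bin/evince flags=(attach_disconnected) {
  #include <abstractions/base>

  /usr/** r,                       # read-only system files (also /rw/usr/** via alias)
  owner @{HOME}/** rw,             # user documents
  deny owner @{HOME}/.gnupg/** mrwkl,   # keys stay off limits
}
```

After reloading with `apparmor_parser -r`, the check from comment #4 still applies: try to save or open something under ~/.gnupg from the confined application and confirm the DENIED line shows up in the kernel log. A profile that is listed as enforced but produces no denial is the symptom this ticket is about.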

#10 Updated by intrigeri almost 3 years ago

  • Subject changed from overlayfs is broken with AppArmor to overlayfs breaks AppArmor

#11 Updated by intrigeri almost 3 years ago

  • Feature Branch changed from feature/8415-overlayfs to feature/8415-overlayfs-stretch

#12 Updated by intrigeri almost 3 years ago

  • Type of work changed from Wait to Code

#13 Updated by intrigeri almost 3 years ago

It seems that the alias / -> /rm/ trick doesn't entirely work:

  • Pidgin is denied access to /rw/home/amnesia/...
  • Tor Browser is denied access to /rw/home/amnesia/.tor-browser/...

#14 Updated by intrigeri almost 3 years ago

intrigeri wrote:

It seems that the alias / -> /rm/ trick doesn't entirely work:

52bdaf5ac6efeac6d6a0b43a6b454fd45cdc73fc should take care of that.

#15 Updated by intrigeri almost 3 years ago

  • Status changed from In Progress to Resolved
  • Assignee deleted (intrigeri)
  • % Done changed from 10 to 100

Test suite runs now look good, AppArmor-wise.
