Bug #9045: overlayfs breaks AppArmor - Tails - Tails Ticket Tracker

Bug #9045

Feature #8415: Migrate from aufs to overlayfs

overlayfs breaks AppArmor

Added by intrigeri over 4 years ago. Updated over 2 years ago.

Status:

Resolved

Priority:

Normal

Assignee:

Category:

Target version:

Start date:

03/10/2015

Due date:

% Done:

100%

Feature Branch:

feature/8415-overlayfs-stretch

Type of work:

Code

Blueprint:

https://tails.boum.org/contribute/design/application_isolation/#overlayfs

Starter:

Affected tool:

Description

Reference: https://bugs.launchpad.net/apparmor/+bug/1408106

At March, 2015 AppArmor meeting:

jjohansen: overlayfs is currently just broken, and we are going to be working with upstream to try to get it fixed
darix: are the current issues documented somewhere?
jjohansen: upstream has already begun working on fixing many of the issues involved we just need to make sure we are on top of it and providing them feedback, and maybe a patch or two if needed
jjohansen: darix: only sort of in the lkml/fsdevel threads around the issues
jjohansen: it affect more than just apparmor
[...]
jjohansen: to summarize, basically overlayfs took some short cuts and some places the hooks see the upper (overlayfs) dentry/vfsmnt
jjohansen: and some places only see the lower dentry/vfsmnt (which is also a private clone mnt)
tyhicks: darix: this is a decent placeholder bug to follow for the general overlayfs issue: https://bugs.launchpad.net/apparmor/+bug/1408106
jjohansen: once the overlayfs issues are fixed we should be good with doing unioning via overlayfs
intrigeri: be sure that I'll (have to) test it, including with multiple lower-layers
[...]
jjohansen: intrigeri: yeah we will have to test it too, there are several projects that want to use it

History

#1 Updated by intrigeri over 4 years ago

Description updated (diff)
Status changed from New to Confirmed
Blueprint set to https://tails.boum.org/contribute/design/application_isolation/#overlayfs

#2 Updated by intrigeri about 4 years ago

Target version set to Sustainability_M1

#3 Updated by intrigeri about 4 years ago

Description updated (diff)

#4 Updated by intrigeri about 4 years ago

Feature Branch set to feature/8415-overlayfs

On current feature/8415-overlayfs, the profiles for Vidalia, Tor Browser and cupsd are loaded and enforced (so say aa-status). However, indeed they don't seem to be effective: I could save a page into ~/.gnupg/ from Tor Browser.

#5 Updated by sajolida almost 4 years ago

Target version changed from Sustainability_M1 to 2016

#6 Updated by intrigeri about 3 years ago

I've just pinged the upstream bug to ask for a timeline update. Let's see what happens there before we decide something wrt. #10298 (building aufs out-of-tree modules vs. waiting for AppArmor to support overlayfs).

#7 Updated by BitingBird about 3 years ago

Status changed from Confirmed to In Progress
% Done changed from 0 to 10

#8 Updated by intrigeri about 3 years ago

Priority changed from Elevated to Normal
Target version deleted (~~2016~~)

Given we could do #10298 without migrating to overlayfs, we removed this from our roadmap at the summit this year.

#9 Updated by intrigeri over 2 years ago

Subgraph OS (live) uses overlayfs and enables AppArmor.

aa-status says that some processes (e.g. dhclient, NM and Tor) are confined.

I see some aliases set up:

alias / -> /lib/live/mount/overlay/,
alias / -> /lib/live/mount/rootfs/filesystem.squashfs/,
alias / -> /rw/,

I've started a feature/stretch ISO, dropped union=aufs (so the default, i.e. overlayfs, is used), added alias / -> /rw/,, added flags=(attach_disconnected) to the usr.bin.evince profile and it seems to behave as it should: Evince can open stuff in /usr, but not in ~/.gnupg. So it might be that adding this flag to all the profiles we ship would be enough.