Bug #9045: overlayfs breaks AppArmor
Parent: Feature #8415: Migrate from aufs to overlayfs
Done: 100%
Description
Reference: https://bugs.launchpad.net/apparmor/+bug/1408106
At the March 2015 AppArmor meeting:
jjohansen: overlayfs is currently just broken, and we are going to be working with upstream to try to get it fixed
darix: are the current issues documented somewhere?
jjohansen: upstream has already begun working on fixing many of the issues involved we just need to make sure we are on top of it and providing them feedback, and maybe a patch or two if needed
jjohansen: darix: only sort of in the lkml/fsdevel threads around the issues
jjohansen: it affect more than just apparmor
[...]
jjohansen: to summarize, basically overlayfs took some short cuts and some places the hooks see the upper (overlayfs) dentry/vfsmnt
jjohansen: and some places only see the lower dentry/vfsmnt (which is also a private clone mnt)
tyhicks: darix: this is a decent placeholder bug to follow for the general overlayfs issue: https://bugs.launchpad.net/apparmor/+bug/1408106
jjohansen: once the overlayfs issues are fixed we should be good with doing unioning via overlayfs
intrigeri: be sure that I'll (have to) test it, including with multiple lower-layers
[...]
jjohansen: intrigeri: yeah we will have to test it too, there are several projects that want to use it
Associated revisions
Fix Tor Browser AppArmor profile not tweaked for overlayfs (refs: #9045)
History
#1 Updated by intrigeri over 4 years ago
- Description updated (diff)
- Status changed from New to Confirmed
- Blueprint set to https://tails.boum.org/contribute/design/application_isolation/#overlayfs
#2 Updated by intrigeri over 4 years ago
- Target version set to Sustainability_M1
#3 Updated by intrigeri over 4 years ago
- Description updated (diff)
#4 Updated by intrigeri over 4 years ago
- Feature Branch set to feature/8415-overlayfs
On current feature/8415-overlayfs, the profiles for Vidalia, Tor Browser and cupsd are loaded and enforced (so says aa-status). However, indeed they don't seem to be effective: I could save a page into ~/.gnupg/ from Tor Browser.
#5 Updated by sajolida about 4 years ago
- Target version changed from Sustainability_M1 to 2016
#6 Updated by intrigeri over 3 years ago
I've just pinged the upstream bug to ask for a timeline update. Let's see what happens there before we decide something wrt. #10298 (building aufs out-of-tree modules vs. waiting for AppArmor to support overlayfs).
#7 Updated by BitingBird over 3 years ago
- Status changed from Confirmed to In Progress
- % Done changed from 0 to 10
#8 Updated by intrigeri over 3 years ago
- Priority changed from Elevated to Normal
- Target version deleted (2016)
Given we could do #10298 without migrating to overlayfs, we removed this from our roadmap at the summit this year.
#9 Updated by intrigeri almost 3 years ago
Subgraph OS (live) uses overlayfs and enables AppArmor. aa-status says that some processes (e.g. dhclient, NM and Tor) are confined. I see some aliases set up:
alias / -> /lib/live/mount/overlay/,
alias / -> /lib/live/mount/rootfs/filesystem.squashfs/,
alias / -> /rw/,
I've started a feature/stretch ISO, dropped union=aufs (so the default, i.e. overlayfs, is used), added alias / -> /rw/, added flags=(attach_disconnected) to the usr.bin.evince profile and it seems to behave as it should: Evince can open stuff in /usr, but not in ~/.gnupg. So it might be that adding this flag to all the profiles we ship would be enough.
#10 Updated by intrigeri almost 3 years ago
- Subject changed from overlayfs is broken with AppArmor to overlayfs breaks AppArmor
#11 Updated by intrigeri almost 3 years ago
- Feature Branch changed from feature/8415-overlayfs to feature/8415-overlayfs-stretch
#12 Updated by intrigeri almost 3 years ago
- Type of work changed from Wait to Code
#13 Updated by intrigeri almost 3 years ago
It seems that the alias / -> /rm/ trick doesn't entirely work:
- Pidgin is denied access to /rw/home/amnesia/...
- Tor Browser is denied access to /rw/home/amnesia/.tor-browser/...
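The two mechanisms discussed in #9 and #13 (alias rules that make profile rules written for / also apply under the overlayfs and persistence prefixes, and the attach_disconnected flag for paths the kernel cannot connect to the namespace root) can be checked against actual denial logs. The following script is an added illustration and is not code from Tails or AppArmor: it parses AppArmor DENIED audit lines, rewrites logged paths through the alias list from this ticket (modelled as a prefix rewrite, as apparmor.d(5) describes alias rules), and matches the result against a small set of hypothetical profile rules. The audit lines, the profile names (torbrowser, pidgin, evince) and the rules are constructed for the example; the glob handling is a simplified model of AppArmor's, not its matching engine.

```python
import re

# Alias rules as listed in this ticket, in apparmor.d(5) form (`alias /src/ -> /dst/,`):
# rules written for the left-hand prefix also apply under the right-hand prefix.
ALIASES = [
    ("/", "/lib/live/mount/overlay/"),
    ("/", "/lib/live/mount/rootfs/filesystem.squashfs/"),
    ("/", "/rw/"),
]

# Hypothetical profile rules (not the Tails profiles): (kind, path glob, permissions).
PROFILE_RULES = {
    "torbrowser": [("allow", "/home/*/.tor-browser/**", "rw"),
                   ("deny", "/home/*/.gnupg/**", "rw")],
    "pidgin": [("allow", "/home/*/.purple/**", "rw")],
    "evince": [("allow", "/home/*/Documents/**", "r")],
}

# Constructed audit lines in the key="value" layout AppArmor uses for DENIED events.
SAMPLE_LOG = """\
type=AVC msg=audit(1500000000.101:11): apparmor="DENIED" operation="open" profile="torbrowser" name="/rw/home/amnesia/.tor-browser/profile.default/places.sqlite" pid=2222 comm="firefox" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
type=AVC msg=audit(1500000000.102:12): apparmor="DENIED" operation="open" profile="torbrowser" name="/rw/home/amnesia/.gnupg/pubring.kbx" pid=2222 comm="firefox" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
type=AVC msg=audit(1500000000.103:13): apparmor="DENIED" operation="open" profile="pidgin" name="/rw/home/amnesia/.purple/accounts.xml" pid=3333 comm="pidgin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1500000000.104:14): apparmor="DENIED" operation="open" info="Failed name lookup - disconnected path" error=-13 profile="evince" name="amnesia/Documents/report.pdf" pid=4444 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1500000000.105:15): apparmor="DENIED" operation="open" profile="torbrowser" name="/rw/home/amnesia/Desktop/page.html" pid=2222 comm="firefox" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
"""

COVERED, DENY_RULE, NO_RULE, INSUFFICIENT, DISCONNECTED = (
    "covered", "deny-rule", "no-rule", "insufficient-perms", "disconnected")


def glob_to_regex(pattern):
    """AppArmor-style globbing: '*' stays within one path component, '**' may cross '/'."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        c = pattern[i]
        out.append("[^/]*" if c == "*" else "[^/]" if c == "?" else re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$")


def canonicalize(path, aliases=ALIASES):
    """Rewrite a path under an alias destination back to the prefix the rules are written for."""
    # Longest destination first, so "/rw/" is tried before a bare "/" would be.
    for src, dst in sorted(aliases, key=lambda a: -len(a[1])):
        if path.startswith(dst):
            return src + path[len(dst):]
    return path


def parse_denial(line):
    """Return the quoted key="value" fields of a DENIED audit line, or None for other lines."""
    fields = dict(re.findall(r'(\w+)="([^"]*)"', line))
    return fields if fields.get("apparmor") == "DENIED" else None


def triage(log_text, rules=PROFILE_RULES, aliases=ALIASES):
    """Return (profile, logged path, canonical path, verdict) for every DENIED line."""
    results = []
    for line in log_text.splitlines():
        f = parse_denial(line)
        if f is None:
            continue
        profile, path = f["profile"], f["name"]
        # The kernel could not build a path reachable from the namespace root, so no path
        # rule can match; flags=(attach_disconnected) makes such objects appear under /.
        if "disconnected path" in f.get("info", ""):
            results.append((profile, path, path, DISCONNECTED))
            continue
        canon = canonicalize(path, aliases)
        needed = set(f["denied_mask"])
        granted, denied = set(), False
        for kind, pat, perms in rules.get(profile, []):
            if glob_to_regex(pat).match(canon):
                if kind == "deny" and needed & set(perms):
                    denied = True      # explicit deny rules take precedence
                elif kind == "allow":
                    granted |= set(perms)
        if denied:
            verdict = DENY_RULE
        elif not granted:
            verdict = NO_RULE          # the profile itself needs a rule for this path
        elif needed <= granted:
            verdict = COVERED          # a rule matches once the alias rewrite is applied
        else:
            verdict = INSUFFICIENT
        results.append((profile, path, canon, verdict))
    return results


if __name__ == "__main__":
    for profile, path, canon, verdict in triage(SAMPLE_LOG):
        print(f"{profile:12} {verdict:18} {path}  ->  {canon}")
```

Denials that come out as "covered" are explained by the alias rewrite alone; "no-rule" entries are the ones that point at profile rules which genuinely need tweaking, and "disconnected" entries are the case the attach_disconnected flag is for.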
#14 Updated by intrigeri almost 3 years ago
intrigeri wrote:
> It seems that the alias / -> /rm/ trick doesn't entirely work:
52bdaf5ac6efeac6d6a0b43a6b454fd45cdc73fc should take care of that.
#15 Updated by intrigeri almost 3 years ago
- Status changed from In Progress to Resolved
- Assignee deleted (intrigeri)
- % Done changed from 10 to 100
Test suite runs now look good, AppArmor-wise.