touch-packages team mailing list archive
-
touch-packages team
-
Mailing list archive
-
Message #45567
[Bug 1408106] [NEW] allow defining the attach root for attach_disconnected
Public bug reported:
With the following use of overlayfs, we get a disconnected path:
$ cat ./profile
#include <tunables/global>
profile foo {
#include <abstractions/base>
capability sys_admin,
capability sys_chroot,
mount,
pivot_root,
}
$ cat ./overlay.c
#include <alloca.h>
#include <linux/sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <fcntl.h>
#include <unistd.h>
int main(int argc, char* argv[]) {
int i = 0;
int len = 0;
int ret = 0;
char* options;
if (geteuid())
unshare(CLONE_NEWUSER);
unshare(CLONE_NEWNS);
for (i = 1; i < argc; i++) {
if (i == 1) {
len = strlen(argv[i]) + strlen("upperdir=,lowerdir=/") + 2;
options = alloca(len);
ret = snprintf(options, len, "upperdir=%s,lowerdir=/", argv[i]);
}
else {
len = strlen(argv[i]) + strlen("upperdir=,lowerdir=/mnt") + 2;
options = alloca(len);
ret = snprintf(options, len, "upperdir=%s,lowerdir=/mnt", argv[i]);
}
mount("overlayfs", "/mnt", "overlayfs", MS_MGC_VAL, options);
}
chdir("/mnt");
pivot_root(".", ".");
chroot(".");
chdir("/");
execl("/bin/bash", "/bin/bash", NULL);
}
$ sudo apparmor_parser -r ./profile && aa-exec -p foo -- ./a.out /tmp
[255]
...
Dec 12 14:31:38 localhost kernel: [57278.040216] audit: type=1400 audit(1418387498.613:712): apparmor="DENIED" operation="exec" info="Failed name lookup - disconnected path" error=-13 profile="foo" name="/bin/bash" pid=18255 comm="a.out" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
With the above, the expectation was for the denial to be /mnt/bin/bash. There are three ways forward:
1. the correct solution is to patch overlayfs to properly track the loopback, but this will take a while, may ultimately be unachievable (investigation is needed) and is likely non-upstreamable
2. we could rely on the fact that overlayfs creates a private unshared submount, and provide a way to not mediate the path when that is present, and tagged. This would take a bit of time, and might be the preferred method over 1 longer term
3. we could extend attach_disconnected so that we can define the attach root. Eg, we can use profile foo (attach_disconnected=/mnt) {} such that '/bin/bash' maps to '/mnt/bin/bash'.
While attach_disconnected should in general be discouraged, this method:
* is doable in a short time frame,
* is generally useful even when the proper fix is in place
* would help lxc in a few cases
* would be sufficient for snappy
** Affects: apparmor
Importance: Critical
Assignee: John Johansen (jjohansen)
Status: In Progress
** Affects: apparmor (Ubuntu)
Importance: Critical
Assignee: Steve Beattie (sbeattie)
Status: Confirmed
** Affects: linux (Ubuntu)
Importance: Critical
Assignee: John Johansen (jjohansen)
Status: Confirmed
** Tags: aa-kernel aa-parser aa-tools
** Description changed:
With the following use of overlayfs, we get a disconnected path:
- $ cat ./profile
+ $ cat ./profile
#include <tunables/global>
profile foo {
- #include <abstractions/base>
+ #include <abstractions/base>
- capability sys_admin,
- capability sys_chroot,
- mount,
- pivot_root,
+ capability sys_admin,
+ capability sys_chroot,
+ mount,
+ pivot_root,
}
-
- $ cat ./overlay.c
+ $ cat ./overlay.c
#include <alloca.h>
#include <linux/sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <fcntl.h>
#include <unistd.h>
int main(int argc, char* argv[]) {
- int i = 0;
- int len = 0;
- int ret = 0;
- char* options;
+ int i = 0;
+ int len = 0;
+ int ret = 0;
+ char* options;
- if (geteuid())
- unshare(CLONE_NEWUSER);
- unshare(CLONE_NEWNS);
+ if (geteuid())
+ unshare(CLONE_NEWUSER);
+ unshare(CLONE_NEWNS);
- for (i = 1; i < argc; i++) {
- if (i == 1) {
- len = strlen(argv[i]) + strlen("upperdir=,lowerdir=/") + 2;
- options = alloca(len);
- ret = snprintf(options, len, "upperdir=%s,lowerdir=/", argv[i]);
- }
- else {
- len = strlen(argv[i]) + strlen("upperdir=,lowerdir=/mnt") + 2;
- options = alloca(len);
- ret = snprintf(options, len, "upperdir=%s,lowerdir=/mnt", argv[i]);
- }
+ for (i = 1; i < argc; i++) {
+ if (i == 1) {
+ len = strlen(argv[i]) + strlen("upperdir=,lowerdir=/") + 2;
+ options = alloca(len);
+ ret = snprintf(options, len, "upperdir=%s,lowerdir=/", argv[i]);
+ }
+ else {
+ len = strlen(argv[i]) + strlen("upperdir=,lowerdir=/mnt") + 2;
+ options = alloca(len);
+ ret = snprintf(options, len, "upperdir=%s,lowerdir=/mnt", argv[i]);
+ }
- mount("overlayfs", "/mnt", "overlayfs", MS_MGC_VAL, options);
- }
+ mount("overlayfs", "/mnt", "overlayfs", MS_MGC_VAL, options);
+ }
- chdir("/mnt");
- pivot_root(".", ".");
- chroot(".");
+ chdir("/mnt");
+ pivot_root(".", ".");
+ chroot(".");
- chdir("/");
- execl("/bin/bash", "/bin/bash", NULL);
+ chdir("/");
+ execl("/bin/bash", "/bin/bash", NULL);
}
-
$ sudo apparmor_parser -r ./profile && aa-exec -p foo -- ./a.out /tmp
[255]
...
Dec 12 14:31:38 localhost kernel: [57278.040216] audit: type=1400 audit(1418387498.613:712): apparmor="DENIED" operation="exec" info="Failed name lookup - disconnected path" error=-13 profile="foo" name="/bin/bash" pid=18255 comm="a.out" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
-
- With the above, the expectation was for the denial to be /tmp/bin/bash. There are three ways forward:
+ With the above, the expectation was for the denial to be /mnt/bin/bash. There are three ways forward:
1. the correct solution is to patch overlayfs to properly track the loopback, but this will take a while, may ultimately be unachievable (investigation is needed) and is likely non-upstreamable
2. we could rely on the fact that overlayfs creates a private unshared submount, and provide a way to not mediate the path when that is present, and tagged. This would take a bit of time, and might be the preferred method over 1 longer term
- 3. we could extend attach_disconnected so that we can define the attach root. Eg, we can use profile foo (attach_disconnected=/tmp) {} such that '/bin/bash' maps to '/tmp/bin/bash'.
+ 3. we could extend attach_disconnected so that we can define the attach root. Eg, we can use profile foo (attach_disconnected=/mnt) {} such that '/bin/bash' maps to '/mnt/bin/bash'.
While attach_disconnected should in general be discouraged, this method:
- * is doable in a short time frame,
- * is generally useful even when the proper fix is in place
- * would help lxc in a few cases
- * would be sufficient for snappy
+ * is doable in a short time frame,
+ * is generally useful even when the proper fix is in place
+ * would help lxc in a few cases
+ * would be sufficient for snappy
** Also affects: apparmor
Importance: Undecided
Status: New
** Changed in: apparmor
Status: New => In Progress
** Changed in: apparmor
Importance: Undecided => Critical
** Changed in: apparmor
Assignee: (unassigned) => John Johansen (jjohansen)
** Changed in: apparmor (Ubuntu)
Status: In Progress => Confirmed
** Changed in: apparmor (Ubuntu)
Assignee: John Johansen (jjohansen) => Steve Beattie (sbeattie)
** Also affects: linux (Ubuntu)
Importance: Undecided
Status: New
** Changed in: linux (Ubuntu)
Importance: Undecided => Critical
** Changed in: linux (Ubuntu)
Status: New => Confirmed
** Changed in: linux (Ubuntu)
Assignee: (unassigned) => John Johansen (jjohansen)
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1408106
Title:
allow defining the attach root for attach_disconnected
Status in AppArmor Linux application security framework:
In Progress
Status in apparmor package in Ubuntu:
Confirmed
Status in linux package in Ubuntu:
Confirmed
Bug description:
With the following use of overlayfs, we get a disconnected path:
$ cat ./profile
#include <tunables/global>
profile foo {
#include <abstractions/base>
capability sys_admin,
capability sys_chroot,
mount,
pivot_root,
}
$ cat ./overlay.c
#include <alloca.h>
#include <linux/sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <fcntl.h>
#include <unistd.h>
int main(int argc, char* argv[]) {
int i = 0;
int len = 0;
int ret = 0;
char* options;
if (geteuid())
unshare(CLONE_NEWUSER);
unshare(CLONE_NEWNS);
for (i = 1; i < argc; i++) {
if (i == 1) {
len = strlen(argv[i]) + strlen("upperdir=,lowerdir=/") + 2;
options = alloca(len);
ret = snprintf(options, len, "upperdir=%s,lowerdir=/", argv[i]);
}
else {
len = strlen(argv[i]) + strlen("upperdir=,lowerdir=/mnt") + 2;
options = alloca(len);
ret = snprintf(options, len, "upperdir=%s,lowerdir=/mnt", argv[i]);
}
mount("overlayfs", "/mnt", "overlayfs", MS_MGC_VAL, options);
}
chdir("/mnt");
pivot_root(".", ".");
chroot(".");
chdir("/");
execl("/bin/bash", "/bin/bash", NULL);
}
$ sudo apparmor_parser -r ./profile && aa-exec -p foo -- ./a.out /tmp
[255]
...
Dec 12 14:31:38 localhost kernel: [57278.040216] audit: type=1400 audit(1418387498.613:712): apparmor="DENIED" operation="exec" info="Failed name lookup - disconnected path" error=-13 profile="foo" name="/bin/bash" pid=18255 comm="a.out" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
With the above, the expectation was for the denial to be /mnt/bin/bash. There are three ways forward:
1. the correct solution is to patch overlayfs to properly track the loopback, but this will take a while, may ultimately be unachievable (investigation is needed) and is likely non-upstreamable
2. we could rely on the fact that overlayfs creates a private unshared submount, and provide a way to not mediate the path when that is present, and tagged. This would take a bit of time, and might be the preferred method over 1 longer term
3. we could extend attach_disconnected so that we can define the attach root. Eg, we can use profile foo (attach_disconnected=/mnt) {} such that '/bin/bash' maps to '/mnt/bin/bash'.
While attach_disconnected should in general be discouraged, this method:
* is doable in a short time frame,
* is generally useful even when the proper fix is in place
* would help lxc in a few cases
* would be sufficient for snappy
To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1408106/+subscriptions
Follow ups
References