[Bug 925028] Re: apparmor breaks lxc-start-ephemeral

[Serge Hallyn]

There is apparently still a bug in overlayfs with apparmor.  If I do

mkdir /tmp/lower
mount -t overlayfs -o rw,upperdir=/tmp/lower,lowerdir=/ overlay /mnt

I can ls /mnt and see the overlay of / jsut fine.  Then I create
/etc/apparmor.d/sergebashtest which contains:


===============
#include <tunables/global>

/bin/bash2 flags=(attach_disconnected) {
  network,

  capability chown,
  capability dac_override,
  capability dac_read_search,
  capability fowner,
  capability fsetid,
  capability kill,
  capability setgid,
  capability setuid,
  capability setpcap,
  capability linux_immutable,
  capability net_bind_service,
  capability net_broadcast,
  capability net_admin,
  capability net_raw,
  capability ipc_lock,
  capability ipc_owner,
  capability sys_module,
  capability sys_rawio,
  capability sys_chroot,
  capability sys_ptrace,
  capability sys_pacct,
  capability sys_admin,
  capability sys_boot,
  capability sys_nice,
  capability sys_resource,
  capability sys_time,
  capability sys_tty_config,
  capability mknod,
  capability lease,
  capability audit_write,
  capability audit_control,
  capability setfcap,
  capability mac_override,
  capability mac_admin,
  capability syslog,

  / rwklix,
  /** rwklix,

}

==================
and insert that with 'apparmor_parser /etc/apparmor.d/sergebashtest, and cp /bin/bash /bin/bash2.

Then I do /bin/bash2  and ls /mnt from there, and get:

root at sergelap:/etc/apparmor.d# ls /mnt
ls: cannot access /mnt: Invalid argument

though I can ls /tmp/lower and / just fine.


** Also affects: linux (Ubuntu)
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/925028

Title:
  apparmor breaks lxc-start-ephemeral

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/925028/+subscriptions