Commit 3cdeadfe authored by intrigeri's avatar intrigeri Committed by segfault

Let live-boot expose its /live/overlay as /lib/live/mount/overlay (refs: #15146)

/live/overlay (in the context of the initramfs) is the tmpfs
where the read-write branch of our union rootfs lives.

With aufs, this call to umount failed, and then live-boot would run:

   mount -o move /live/overlay /root/lib/live/mount/overlay

As a result, this tmpfs mount was visible outside of the initramfs,
and our initramfs-pre-shutdown-hook could unmount it on shutdown,
which ensured the data stored in there was cleaned from memory.

But with overlayfs, for some reason this call to umount succeeds, even though the
overlayfs upper layer (/live/overlay/rw) is stored in this filesystem, which
shows that this tmpfs is still mounted. As a result, this tmpfs is not
visible anymore, and cannot be unmounted on shutdown, so the data stored
in there remains in memory, available to cold-boot attackers.

Let's not unmount this tmpfs and go back to the same behavior we had
with aufs.

This will probably require bringing back some AppArmor-related automated
tests, that were removed on the #8415 branch precisely because live-boot
did not expose the overlay branch:

  12404eb8
  c6541323
  a822c25f
  4ee7e8d0
parent 8dfa9933
......@@ -11,3 +11,10 @@ index 098111c..e1cfd15 100755
# Looking for persistence devices or files
if [ -n "${PERSISTENCE}" ] && [ -z "${NOPERSISTENCE}" ]
@@ -360,5 +360,5 @@
# ensure that a potentially stray tmpfs gets removed
# otherways, initramfs-tools is unable to remove /live
# and fails to boot
- umount /live/overlay > /dev/null 2>&1 || true
+ # umount /live/overlay > /dev/null 2>&1 || true
}
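Review bot: the three comment lines above the changed line ("ensure that a potentially stray tmpfs gets removed ... otherways, initramfs-tools is unable to remove /live and fails to boot") now contradict the code, since the `umount /live/overlay` they describe is commented out rather than removed. Instead of leaving a dead commented-out line, delete it and rewrite the comment to say why the unmount is deliberately skipped (the tmpfs backing the overlayfs upper layer must stay mounted so it is exposed under /lib/live/mount/overlay and can be cleared on shutdown, refs #15146). Also worth confirming in the same change that the boot failure the original comment warns about (initramfs-tools being unable to remove /live) does not reappear now that the stray tmpfs is left mounted.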