overlayfs breaks AppArmor (#9045) · Issues · tails / tails

overlayfs breaks AppArmor

Originally created by @intrigeri on #9045 (Redmine)

Reference: https://bugs.launchpad.net/apparmor/+bug/1408106

At March, 2015 AppArmor meeting:

jjohansen: overlayfs is currently just broken, and we are going to be working with upstream to try to get it fixed
darix: are the current issues documented somewhere?
jjohansen: upstream has already begun working on fixing many of the issues involved we just need to make sure we are on top of it and providing them feedback, and maybe a patch or two if needed
jjohansen: darix: only sort of in the lkml/fsdevel threads around the issues
jjohansen: it affect more than just apparmor
[...]
jjohansen: to summarize, basically overlayfs took some short cuts and some places the hooks see the upper (overlayfs) dentry/vfsmnt
jjohansen: and some places only see the lower dentry/vfsmnt (which is also a private clone mnt)
tyhicks: darix: this is a decent placeholder bug to follow for the general overlayfs issue: https://bugs.launchpad.net/apparmor/+bug/1408106
jjohansen: once the overlayfs issues are fixed we should be good with doing unioning via overlayfs
intrigeri: be sure that I'll (have to) test it, including with multiple lower-layers
[...]
jjohansen: intrigeri: yeah we will have to test it too, there are several projects that want to use it

Blueprint: https://tails.boum.org/contribute/design/application_isolation/#overlayfs

Feature Branch: feature/8415-overlayfs-stretch

Parent Task: #8415 (closed)

_Originally created by @intrigeri on [#9045 (Redmine)](https://public-redmine-archive.tails.boum.org/code/issues/9045)_

Reference: <https://bugs.launchpad.net/apparmor/+bug/1408106>

At March, 2015 AppArmor
    meeting:

jjohansen: overlayfs is currently just broken, and we are going to be working with upstream to try to get it fixed
    darix: are the current issues documented somewhere?
    jjohansen: upstream has already begun working on fixing many of the issues involved we just need to make sure we are on top of it and providing them feedback, and maybe a patch or two if needed
    jjohansen: darix: only sort of in the lkml/fsdevel threads around the issues
    jjohansen: it affect more than just apparmor
    [...]
    jjohansen: to summarize, basically overlayfs took some short cuts and some places the hooks see the upper (overlayfs) dentry/vfsmnt
    jjohansen: and some places only see the lower dentry/vfsmnt (which is also a private clone mnt)
    tyhicks: darix: this is a decent placeholder bug to follow for the general overlayfs issue: https://bugs.launchpad.net/apparmor/+bug/1408106
    jjohansen: once the overlayfs issues are fixed we should be good with doing unioning via overlayfs
    intrigeri: be sure that I'll (have to) test it, including with multiple lower-layers
    [...]
    jjohansen: intrigeri: yeah we will have to test it too, there are several projects that want to use it

Blueprint: https://tails.boum.org/contribute/design/application_isolation/#overlayfs

Feature Branch: feature/8415-overlayfs-stretch

Parent Task: tails/tails#8415

Edited May 15, 2020 by intrigeri

Discussion
Designs

The one place for your designs

To enable design management, you'll need to meet the requirements. If you need help, reach out to our support team for assistance.