Conversation

@zyga zyga commented Oct 12, 2018

This patch adds a workaround for apparmor and overlayfs not playing
together on the ephemeral Ubuntu 18.10 server images. On such images
there's an overlayfs mounted over / with the upper directory in
/media/root-rw/overlay. Snapd detects this and generates a directive
with read access to said directory. At runtime we get a denial, however,
one that looks like this:

[ 1588.858154] audit: type=1400 audit(1539338016.165:576):
apparmor="DENIED" operation="open" profile="/usr/lib/snapd/snap-confine"
name="/overlay/" pid=8735 comm="snap-confine"
profile="/usr/lib/snapd/snap-confine" requested_mask="r"
denied_mask="r" fsuid=0 ouid=0

As we can see, apparmor decided to resolve the path to "/overlay/" (which
notably does not exist in the filesystem at all). The reason for that is
not understood, but as a special-case workaround we detect this and
return "/overlay" instead.

Bug-Link: https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1797218
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>

@jdstrand jdstrand left a comment

Approving but please adjust the comments. Feel free to add more precise details if desired.

}

if dir == "/media/root-rw/overlay" {
// Apparmor doesn't really support overlayfs correctly.
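Review bot: the `if dir == "/media/root-rw/overlay"` check compares the upperdir against a single literal path, but the "overlay" component of that path is a configurable overlayroot setting (overlayroot=tmpfs:dir=... on the kernel command line or in overlayroot.conf), so any non-default dir silently falls through to the existing behaviour. Either state that limitation in the comment, or derive the returned path from the mount that contains the upperdir instead of matching one fixed string.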

Please remove this editorial comment.

// apparmor resolves the path the rules look for "/overlay"
// for some unknown reason. As a quick hack to unblock the
// Ubuntu 18.10 release, detect this condition and return
// the path that apparmor would detect.

Please update this comment. Something like the following:

// On the Ubuntu server ephemeral image, '/' is setup via
// overlayroot (on at least 18.10), which uses a combination
// of overlayfs and chroot. This differs from the livecd setup
// so special case the detection logic to look for the known
// upperdir for this configuration, and return the required
// path. See LP: #1797218 for details.

smoser commented Oct 12, 2018

For reference, here is /proc/mounts from an overlay root system:
http://paste.ubuntu.com/p/Tm5GfhG9rM/

The relevant mounts are below. I suspect that '/overlay' is from '/media/root-rw/overlay'.

/dev/sda1 /media/root-ro ext4 ro,relatime 0 0
tmpfs-root /media/root-rw tmpfs rw,relatime 0 0
overlayroot / overlay rw,relatime,lowerdir=/media/root-ro,upperdir=/media/root-rw/overlay,workdir=/media/root-rw/overlay-workdir/_ 0 0

The code that does that is overlayroot/scripts/init-bottom/overlayroot: those mounts are made and then 'mount --move' is done.

@smoser smoser left a comment

I think the bug is actually in the general reading of /proc/mounts, specifically here. It assumes that the source (fs_spec per fstab(5)) is a directory path ('/cow'). That isn't really guaranteed and is really just a happenstance of the live-cd setup.

The real fix I think would be to read upper-dir and traverse backwards through /proc/mounts to find what other mounts (specifically fs_file per fstab(5)) that upper is on.
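An illustration of the approach sketched in the comment above, written as added example code for this page (it is neither snapd's nor overlayroot's code): parse /proc/mounts-formatted lines, take upperdir= from the overlay mounted on "/" without looking at fs_spec, then find the other mount whose fs_file encloses that upperdir. The sample lines are the three quoted earlier in this thread; the function names are invented.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample: the three /proc/mounts lines quoted earlier in this thread.
const sampleMounts = `/dev/sda1 /media/root-ro ext4 ro,relatime 0 0
tmpfs-root /media/root-rw tmpfs rw,relatime 0 0
overlayroot / overlay rw,relatime,lowerdir=/media/root-ro,upperdir=/media/root-rw/overlay,workdir=/media/root-rw/overlay-workdir/_ 0 0`

// mountOption returns the value of key= from a comma-separated fs_mntops field.
func mountOption(opts, key string) string {
	for _, o := range strings.Split(opts, ",") {
		if strings.HasPrefix(o, key+"=") {
			return strings.TrimPrefix(o, key+"=")
		}
	}
	return ""
}

// resolveRootUpperDir takes upperdir= from the overlay mounted on "/" (fs_spec is
// ignored: it is "/cow" on a livecd but the label "overlayroot" here) and returns it
// with the longest enclosing mount point and the upperdir relative to that mount,
// i.e. the directory's name inside its own filesystem ("/overlay" here). With no
// enclosing mount, mountPoint is "" and rel is the upperdir unchanged.
func resolveRootUpperDir(mounts string) (upperDir, mountPoint, rel string) {
	var fields [][]string // f[1]=fs_file f[2]=fs_vfstype f[3]=fs_mntops
	for _, line := range strings.Split(mounts, "\n") {
		if f := strings.Fields(line); len(f) >= 4 { // \040 escapes are not decoded
			fields = append(fields, f)
			if f[1] == "/" && f[2] == "overlay" {
				upperDir = mountOption(f[3], "upperdir")
			}
		}
	}
	for _, f := range fields {
		if f[1] != "/" && len(f[1]) > len(mountPoint) &&
			(upperDir == f[1] || strings.HasPrefix(upperDir, f[1]+"/")) {
			mountPoint = f[1]
		}
	}
	rel = strings.TrimPrefix(upperDir, mountPoint) // "" if upperdir is the mount root
	return upperDir, mountPoint, rel
}

func main() {
	fmt.Println(resolveRootUpperDir(sampleMounts)) // /media/root-rw/overlay /media/root-rw /overlay
}
```

For the livecd layout (a tmpfs on /cow with upperdir=/cow/upper) the same routine yields /cow and /upper, so it does not depend on fs_spec being a directory path.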

}

if dir == "/media/root-rw/overlay" {
// On the Ubuntu server ephemeral image, '/' is setup via
It may help you to have a more specific comment here.

It's not "Ubuntu server" that does this.
It's the 'overlayroot' package that sets things up this way.

The overlayroot package is configured by the kernel command line or /etc/overlayroot.conf or /etc/overlayroot.local.conf in all supported Ubuntu releases. The package is installed by default in Ubuntu Server but has been available in Ubuntu since 12.04.

Also just note that the 'overlay' portion of '/media/root-rw/overlay' is configurable via overlayroot.conf or the kernel command line (overlayroot=tmpfs:dir=/mydir). dir defaults to '/overlay'.

if dir == "/media/root-rw/overlay" {
// On the Ubuntu server ephemeral image, '/' is setup via
// overlayroot (on at least 18.10), which uses a combination
// of overlayfs and chroot. This differs from the livecd setup
No chroot is used. A pivot is done into the rootfs from the initramfs, but that is the common path of initramfs.

}, {
mountinfo: "31 1 0:26 / / rw,relatime shared:1 - overlay overlay rw,lowerdir=//filesystem.squashfs,upperdir=/cow/bad\"upper,workdir=/cow/work",
}, {
// The special cased version for 18.10 server release
Reference 'overlayroot' here rather than 'Ubuntu 18.10 server release'.

@raharper
Could you expand on why returning /overlay resolves the issue? I would have expected that it should return the complete upperdir path.

@mvo5 mvo5 added this to the 2.36 milestone Oct 12, 2018
zyga commented Oct 12, 2018

@raharper because (probably due to pivot_root) this is what the apparmor denial specifies. For whatever reason apparmor chooses to use /overlay; we just match that behaviour.

@zyga zyga requested a review from mvo5 October 12, 2018 16:10
@mvo5 mvo5 merged commit 32eab8a into canonical:master Oct 15, 2018