bc7e56ac | 1 | From 8c695baaff8d18a87233ffc119e8fd0495819dbe Mon Sep 17 00:00:00 2001 |
0d5c2e05 FG |
2 | From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= <f.gruenbichler@proxmox.com> |
3 | Date: Wed, 9 Nov 2016 09:14:26 +0100 | |
c44ec9ce | 4 | Subject: [PATCH 03/13] deny rw mounting of /sys and /proc |
0d5c2e05 FG |
5 | |
6 | this would allow root in a privileged container to change | |
7 | the permissions of /sys on the host, which could lock out | |
8 | non-root users. | |
9 | ||
10 | if a rw /sys is desired, set "lxc.mount.auto" accordingly | |
11 | --- | |
12 | config/apparmor/abstractions/container-base | 6 +++++- | |
13 | config/apparmor/abstractions/container-base.in | 6 +++++- | |
14 | 2 files changed, 10 insertions(+), 2 deletions(-) | |
15 | ||
16 | diff --git a/config/apparmor/abstractions/container-base b/config/apparmor/abstractions/container-base | |
bc7e56ac | 17 | index a5e6c35f..4c3a4ba8 100644 |
0d5c2e05 FG |
18 | --- a/config/apparmor/abstractions/container-base |
19 | +++ b/config/apparmor/abstractions/container-base | |
bc7e56ac | 20 | @@ -82,7 +82,6 @@ |
0d5c2e05 FG |
21 | deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/, |
22 | mount fstype=proc -> /proc/, | |
23 | mount fstype=sysfs -> /sys/, | |
24 | - mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/, | |
25 | deny /sys/firmware/efi/efivars/** rwklx, | |
26 | deny /sys/kernel/security/** rwklx, | |
27 | mount options=(move) /sys/fs/cgroup/cgmanager/ -> /sys/fs/cgroup/cgmanager.lower/, | |
bc7e56ac | 28 | @@ -91,6 +90,11 @@ |
0d5c2e05 FG |
29 | # deny reads from debugfs |
30 | deny /sys/kernel/debug/{,**} rwklx, | |
31 | ||
32 | + # prevent rw mounting of /sys, because that allows changing its global permissions | |
33 | + deny mount -> /proc/, | |
34 | + deny mount -> /sys/, | |
35 | +# mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/, | |
36 | + | |
37 | # allow paths to be made slave, shared, private or unbindable | |
38 | # FIXME: This currently doesn't work due to the apparmor parser treating those as allowing all mounts. | |
39 | # mount options=(rw,make-slave) -> **, | |
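Review bot: The new `deny mount -> /proc/` and `deny mount -> /sys/` rules shadow the `mount fstype=proc -> /proc/` and `mount fstype=sysfs -> /sys/` allows that the first hunk leaves in place, because AppArmor gives an explicit deny precedence over an allow regardless of where it appears in the profile, so those two allow lines are now dead and mislead a reader into thinking an in-container `mount -t proc`/`mount -t sysfs` is still permitted. Either delete the two allows in the same change or, if only the remount path is the concern, narrow the new rules to `deny mount options=(remount) -> /sys/` (and likewise for `/proc/`) and keep the allows — which of the two is intended should be stated, since the commit message only talks about rw remounts. The commented-out `# mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/,` line is a leftover of the rule the first hunk removes and should be dropped rather than kept as dead text under a deny. The comment above the denies mentions only `/sys` although `/proc/` is denied too, and the commit message gives no reason for `/proc`; I would reword it to `# deny mounting on /proc and /sys from inside the container: a rw (re)mount of sysfs changes flags visible on the host, and deny takes precedence over the fstype allows above` and either justify the `/proc/` rule there or drop it. The identical hunk in container-base.in needs the same treatment.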
40 | diff --git a/config/apparmor/abstractions/container-base.in b/config/apparmor/abstractions/container-base.in | |
bc7e56ac | 41 | index 16529bbf..54f9ddf0 100644 |
0d5c2e05 FG |
42 | --- a/config/apparmor/abstractions/container-base.in |
43 | +++ b/config/apparmor/abstractions/container-base.in | |
bc7e56ac | 44 | @@ -82,7 +82,6 @@ |
0d5c2e05 FG |
45 | deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/, |
46 | mount fstype=proc -> /proc/, | |
47 | mount fstype=sysfs -> /sys/, | |
48 | - mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/, | |
49 | deny /sys/firmware/efi/efivars/** rwklx, | |
50 | deny /sys/kernel/security/** rwklx, | |
51 | mount options=(move) /sys/fs/cgroup/cgmanager/ -> /sys/fs/cgroup/cgmanager.lower/, | |
bc7e56ac | 52 | @@ -91,6 +90,11 @@ |
0d5c2e05 FG |
53 | # deny reads from debugfs |
54 | deny /sys/kernel/debug/{,**} rwklx, | |
55 | ||
56 | + # prevent rw mounting of /sys, because that allows changing its global permissions | |
57 | + deny mount -> /proc/, | |
58 | + deny mount -> /sys/, | |
59 | +# mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/, | |
60 | + | |
61 | # allow paths to be made slave, shared, private or unbindable | |
62 | # FIXME: This currently doesn't work due to the apparmor parser treating those as allowing all mounts. | |
63 | # mount options=(rw,make-slave) -> **, | |
64 | -- | |
7395ab25 | 65 | 2.11.0 |
0d5c2e05 | 66 |