f39a178a | 1 | From 2d651f876f4afa97ddd6081d996776c10355732a Mon Sep 17 00:00:00 2001 |
2 | From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= <f.gruenbichler@proxmox.com> |
3 | Date: Wed, 9 Nov 2016 09:14:26 +0100 | |
f81e43ae | 4 | Subject: [PATCH 04/10] deny rw mounting of /sys and /proc |
5 | |
6 | this would allow root in a privileged container to change | |
7 | the permissions of /sys on the host, which could lock out | |
8 | non-root users. | |
9 | ||
10 | if a rw /sys is desired, set "lxc.mount.auto" accordingly | |
11 | --- | |
12 | config/apparmor/abstractions/container-base | 6 +++++- | |
13 | config/apparmor/abstractions/container-base.in | 6 +++++- | |
14 | 2 files changed, 10 insertions(+), 2 deletions(-) | |
15 | ||
16 | diff --git a/config/apparmor/abstractions/container-base b/config/apparmor/abstractions/container-base | |
7395ab25 | 17 | index 06290de2..779aadd4 100644 |
0d5c2e05 FG |
18 | --- a/config/apparmor/abstractions/container-base |
19 | +++ b/config/apparmor/abstractions/container-base | |
20 | @@ -84,7 +84,6 @@ | |
21 | deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/, | |
22 | mount fstype=proc -> /proc/, | |
23 | mount fstype=sysfs -> /sys/, | |
24 | - mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/, | |
25 | deny /sys/firmware/efi/efivars/** rwklx, | |
26 | deny /sys/kernel/security/** rwklx, | |
27 | mount options=(move) /sys/fs/cgroup/cgmanager/ -> /sys/fs/cgroup/cgmanager.lower/, | |
28 | @@ -93,6 +92,11 @@ | |
29 | # deny reads from debugfs | |
30 | deny /sys/kernel/debug/{,**} rwklx, | |
31 | ||
32 | + # prevent rw mounting of /sys, because that allows changing its global permissions | |
33 | + deny mount -> /proc/, | |
34 | + deny mount -> /sys/, | |
35 | +# mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/, | |
36 | + | |
37 | # allow paths to be made slave, shared, private or unbindable | |
38 | # FIXME: This currently doesn't work due to the apparmor parser treating those as allowing all mounts. | |
39 | # mount options=(rw,make-slave) -> **, | |
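Review bot: The new `deny mount -> /proc/,` and `deny mount -> /sys/,` rules deny every mount onto those two paths, yet the first hunk of this file still keeps the allow rules `mount fstype=proc -> /proc/,` and `mount fstype=sysfs -> /sys/,`; since an AppArmor deny rule overrides a matching allow rule, those two allows are now dead and misleadingly suggest that a fresh proc/sysfs mount (for instance from a nested mount namespace inside the container) is still permitted. Either drop the two allow lines in the same commit, or narrow the deny to the remount case the commit message describes, along the lines of `deny mount options=(rw, remount) -> /sys/,` — how the parser matches the option set should be confirmed against apparmor.d(5) before relying on the narrower form. The added comment also names only /sys although /proc is denied as well; `# deny mounting over /proc and /sys: a rw remount of /sys from a privileged container changes its permissions on the host` would describe both rules. The same applies to the identical hunk in container-base.in below.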
40 | diff --git a/config/apparmor/abstractions/container-base.in b/config/apparmor/abstractions/container-base.in | |
7395ab25 | 41 | index 5bc9b28b..5c8e441f 100644 |
0d5c2e05 FG |
42 | --- a/config/apparmor/abstractions/container-base.in |
43 | +++ b/config/apparmor/abstractions/container-base.in | |
44 | @@ -84,7 +84,6 @@ | |
45 | deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/, | |
46 | mount fstype=proc -> /proc/, | |
47 | mount fstype=sysfs -> /sys/, | |
48 | - mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/, | |
49 | deny /sys/firmware/efi/efivars/** rwklx, | |
50 | deny /sys/kernel/security/** rwklx, | |
51 | mount options=(move) /sys/fs/cgroup/cgmanager/ -> /sys/fs/cgroup/cgmanager.lower/, | |
52 | @@ -93,6 +92,11 @@ | |
53 | # deny reads from debugfs | |
54 | deny /sys/kernel/debug/{,**} rwklx, | |
55 | ||
56 | + # prevent rw mounting of /sys, because that allows changing its global permissions | |
57 | + deny mount -> /proc/, | |
58 | + deny mount -> /sys/, | |
59 | +# mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/, | |
60 | + | |
61 | # allow paths to be made slave, shared, private or unbindable | |
62 | # FIXME: This currently doesn't work due to the apparmor parser treating those as allowing all mounts. | |
63 | # mount options=(rw,make-slave) -> **, | |
64 | -- | |
7395ab25 | 65 | 2.11.0 |