1 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
2 From: Wolfgang Bumiller <w.bumiller@proxmox.com>
3 Date: Fri, 2 Aug 2019 12:57:42 +0200
4 Subject: [PATCH] update apparmor profile
5
6 based on changes to lxd
7
8 Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
9 ---
10 src/lxc/lsm/apparmor.c | 235 ++++++++++++++++++++++++++++++++++++++---
11 1 file changed, 219 insertions(+), 16 deletions(-)
12
13 diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c
14 index e32b12531..6e7c2494d 100644
15 --- a/src/lxc/lsm/apparmor.c
16 +++ b/src/lxc/lsm/apparmor.c
17 @@ -149,6 +149,187 @@ static const char AA_PROFILE_BASE[] =
18 "# mount options=(rw,make-unbindable) -> **,\n"
19 "# mount options=(rw,make-runbindable) -> **,\n"
20 "\n"
21 +"# Allow limited modification of mount propagation\n"
22 +" mount options=(rw,make-slave) -> /,\n"
23 +" mount options=(rw,make-rslave) -> /,\n"
24 +" mount options=(rw,make-shared) -> /,\n"
25 +" mount options=(rw,make-rshared) -> /,\n"
26 +" mount options=(rw,make-private) -> /,\n"
27 +" mount options=(rw,make-rprivate) -> /,\n"
28 +" mount options=(rw,make-unbindable) -> /,\n"
29 +" mount options=(rw,make-runbindable) -> /,\n"
30 +"\n"
31 +" # allow various ro-bind-*re*-mounts\n"
32 +" mount options=(ro,remount,bind) -> /[^spd]*{,/**},\n"
33 +" mount options=(ro,remount,bind) -> /d[^e]*{,/**},\n"
34 +" mount options=(ro,remount,bind) -> /de[^v]*{,/**},\n"
35 +" mount options=(ro,remount,bind) -> /dev/.[^l]*{,/**},\n"
36 +" mount options=(ro,remount,bind) -> /dev/.l[^x]*{,/**},\n"
37 +" mount options=(ro,remount,bind) -> /dev/.lx[^c]*{,/**},\n"
38 +" mount options=(ro,remount,bind) -> /dev/.lxc?*{,/**},\n"
39 +" mount options=(ro,remount,bind) -> /dev/[^.]*{,/**},\n"
40 +" mount options=(ro,remount,bind) -> /dev?*{,/**},\n"
41 +" mount options=(ro,remount,bind) -> /p[^r]*{,/**},\n"
42 +" mount options=(ro,remount,bind) -> /pr[^o]*{,/**},\n"
43 +" mount options=(ro,remount,bind) -> /pro[^c]*{,/**},\n"
44 +" mount options=(ro,remount,bind) -> /proc?*{,/**},\n"
45 +" mount options=(ro,remount,bind) -> /s[^y]*{,/**},\n"
46 +" mount options=(ro,remount,bind) -> /sy[^s]*{,/**},\n"
47 +" mount options=(ro,remount,bind) -> /sys?*{,/**},\n"
48 +"\n"
49 +" mount options=(ro,remount,bind,nodev) -> /[^spd]*{,/**},\n"
50 +" mount options=(ro,remount,bind,nodev) -> /d[^e]*{,/**},\n"
51 +" mount options=(ro,remount,bind,nodev) -> /de[^v]*{,/**},\n"
52 +" mount options=(ro,remount,bind,nodev) -> /dev/.[^l]*{,/**},\n"
53 +" mount options=(ro,remount,bind,nodev) -> /dev/.l[^x]*{,/**},\n"
54 +" mount options=(ro,remount,bind,nodev) -> /dev/.lx[^c]*{,/**},\n"
55 +" mount options=(ro,remount,bind,nodev) -> /dev/.lxc?*{,/**},\n"
56 +" mount options=(ro,remount,bind,nodev) -> /dev/[^.]*{,/**},\n"
57 +" mount options=(ro,remount,bind,nodev) -> /dev?*{,/**},\n"
58 +" mount options=(ro,remount,bind,nodev) -> /p[^r]*{,/**},\n"
59 +" mount options=(ro,remount,bind,nodev) -> /pr[^o]*{,/**},\n"
60 +" mount options=(ro,remount,bind,nodev) -> /pro[^c]*{,/**},\n"
61 +" mount options=(ro,remount,bind,nodev) -> /proc?*{,/**},\n"
62 +" mount options=(ro,remount,bind,nodev) -> /s[^y]*{,/**},\n"
63 +" mount options=(ro,remount,bind,nodev) -> /sy[^s]*{,/**},\n"
64 +" mount options=(ro,remount,bind,nodev) -> /sys?*{,/**},\n"
65 +"\n"
66 +" mount options=(ro,remount,bind,nodev,nosuid) -> /[^spd]*{,/**},\n"
67 +" mount options=(ro,remount,bind,nodev,nosuid) -> /d[^e]*{,/**},\n"
68 +" mount options=(ro,remount,bind,nodev,nosuid) -> /de[^v]*{,/**},\n"
69 +" mount options=(ro,remount,bind,nodev,nosuid) -> /dev/.[^l]*{,/**},\n"
70 +" mount options=(ro,remount,bind,nodev,nosuid) -> /dev/.l[^x]*{,/**},\n"
71 +" mount options=(ro,remount,bind,nodev,nosuid) -> /dev/.lx[^c]*{,/**},\n"
72 +" mount options=(ro,remount,bind,nodev,nosuid) -> /dev/.lxc?*{,/**},\n"
73 +" mount options=(ro,remount,bind,nodev,nosuid) -> /dev/[^.]*{,/**},\n"
74 +" mount options=(ro,remount,bind,nodev,nosuid) -> /dev?*{,/**},\n"
75 +" mount options=(ro,remount,bind,nodev,nosuid) -> /p[^r]*{,/**},\n"
76 +" mount options=(ro,remount,bind,nodev,nosuid) -> /pr[^o]*{,/**},\n"
77 +" mount options=(ro,remount,bind,nodev,nosuid) -> /pro[^c]*{,/**},\n"
78 +" mount options=(ro,remount,bind,nodev,nosuid) -> /proc?*{,/**},\n"
79 +" mount options=(ro,remount,bind,nodev,nosuid) -> /s[^y]*{,/**},\n"
80 +" mount options=(ro,remount,bind,nodev,nosuid) -> /sy[^s]*{,/**},\n"
81 +" mount options=(ro,remount,bind,nodev,nosuid) -> /sys?*{,/**},\n"
82 +"\n"
83 +" mount options=(ro,remount,bind,noexec) -> /[^spd]*{,/**},\n"
84 +" mount options=(ro,remount,bind,noexec) -> /d[^e]*{,/**},\n"
85 +" mount options=(ro,remount,bind,noexec) -> /de[^v]*{,/**},\n"
86 +" mount options=(ro,remount,bind,noexec) -> /dev/.[^l]*{,/**},\n"
87 +" mount options=(ro,remount,bind,noexec) -> /dev/.l[^x]*{,/**},\n"
88 +" mount options=(ro,remount,bind,noexec) -> /dev/.lx[^c]*{,/**},\n"
89 +" mount options=(ro,remount,bind,noexec) -> /dev/.lxc?*{,/**},\n"
90 +" mount options=(ro,remount,bind,noexec) -> /dev/[^.]*{,/**},\n"
91 +" mount options=(ro,remount,bind,noexec) -> /dev?*{,/**},\n"
92 +" mount options=(ro,remount,bind,noexec) -> /p[^r]*{,/**},\n"
93 +" mount options=(ro,remount,bind,noexec) -> /pr[^o]*{,/**},\n"
94 +" mount options=(ro,remount,bind,noexec) -> /pro[^c]*{,/**},\n"
95 +" mount options=(ro,remount,bind,noexec) -> /proc?*{,/**},\n"
96 +" mount options=(ro,remount,bind,noexec) -> /s[^y]*{,/**},\n"
97 +" mount options=(ro,remount,bind,noexec) -> /sy[^s]*{,/**},\n"
98 +" mount options=(ro,remount,bind,noexec) -> /sys?*{,/**},\n"
99 +"\n"
100 +" mount options=(ro,remount,bind,noexec,nodev) -> /[^spd]*{,/**},\n"
101 +" mount options=(ro,remount,bind,noexec,nodev) -> /d[^e]*{,/**},\n"
102 +" mount options=(ro,remount,bind,noexec,nodev) -> /de[^v]*{,/**},\n"
103 +" mount options=(ro,remount,bind,noexec,nodev) -> /dev/.[^l]*{,/**},\n"
104 +" mount options=(ro,remount,bind,noexec,nodev) -> /dev/.l[^x]*{,/**},\n"
105 +" mount options=(ro,remount,bind,noexec,nodev) -> /dev/.lx[^c]*{,/**},\n"
106 +" mount options=(ro,remount,bind,noexec,nodev) -> /dev/.lxc?*{,/**},\n"
107 +" mount options=(ro,remount,bind,noexec,nodev) -> /dev/[^.]*{,/**},\n"
108 +" mount options=(ro,remount,bind,noexec,nodev) -> /dev?*{,/**},\n"
109 +" mount options=(ro,remount,bind,noexec,nodev) -> /p[^r]*{,/**},\n"
110 +" mount options=(ro,remount,bind,noexec,nodev) -> /pr[^o]*{,/**},\n"
111 +" mount options=(ro,remount,bind,noexec,nodev) -> /pro[^c]*{,/**},\n"
112 +" mount options=(ro,remount,bind,noexec,nodev) -> /proc?*{,/**},\n"
113 +" mount options=(ro,remount,bind,noexec,nodev) -> /s[^y]*{,/**},\n"
114 +" mount options=(ro,remount,bind,noexec,nodev) -> /sy[^s]*{,/**},\n"
115 +" mount options=(ro,remount,bind,noexec,nodev) -> /sys?*{,/**},\n"
116 +"\n"
117 +" mount options=(ro,remount,bind,nosuid) -> /[^spd]*{,/**},\n"
118 +" mount options=(ro,remount,bind,nosuid) -> /d[^e]*{,/**},\n"
119 +" mount options=(ro,remount,bind,nosuid) -> /de[^v]*{,/**},\n"
120 +" mount options=(ro,remount,bind,nosuid) -> /dev/.[^l]*{,/**},\n"
121 +" mount options=(ro,remount,bind,nosuid) -> /dev/.l[^x]*{,/**},\n"
122 +" mount options=(ro,remount,bind,nosuid) -> /dev/.lx[^c]*{,/**},\n"
123 +" mount options=(ro,remount,bind,nosuid) -> /dev/.lxc?*{,/**},\n"
124 +" mount options=(ro,remount,bind,nosuid) -> /dev/[^.]*{,/**},\n"
125 +" mount options=(ro,remount,bind,nosuid) -> /dev?*{,/**},\n"
126 +" mount options=(ro,remount,bind,nosuid) -> /p[^r]*{,/**},\n"
127 +" mount options=(ro,remount,bind,nosuid) -> /pr[^o]*{,/**},\n"
128 +" mount options=(ro,remount,bind,nosuid) -> /pro[^c]*{,/**},\n"
129 +" mount options=(ro,remount,bind,nosuid) -> /proc?*{,/**},\n"
130 +" mount options=(ro,remount,bind,nosuid) -> /s[^y]*{,/**},\n"
131 +" mount options=(ro,remount,bind,nosuid) -> /sy[^s]*{,/**},\n"
132 +" mount options=(ro,remount,bind,nosuid) -> /sys?*{,/**},\n"
133 +"\n"
134 +" mount options=(ro,remount,bind,nosuid,nodev) -> /[^spd]*{,/**},\n"
135 +" mount options=(ro,remount,bind,nosuid,nodev) -> /d[^e]*{,/**},\n"
136 +" mount options=(ro,remount,bind,nosuid,nodev) -> /de[^v]*{,/**},\n"
137 +" mount options=(ro,remount,bind,nosuid,nodev) -> /dev/.[^l]*{,/**},\n"
138 +" mount options=(ro,remount,bind,nosuid,nodev) -> /dev/.l[^x]*{,/**},\n"
139 +" mount options=(ro,remount,bind,nosuid,nodev) -> /dev/.lx[^c]*{,/**},\n"
140 +" mount options=(ro,remount,bind,nosuid,nodev) -> /dev/.lxc?*{,/**},\n"
141 +" mount options=(ro,remount,bind,nosuid,nodev) -> /dev/[^.]*{,/**},\n"
142 +" mount options=(ro,remount,bind,nosuid,nodev) -> /dev?*{,/**},\n"
143 +" mount options=(ro,remount,bind,nosuid,nodev) -> /p[^r]*{,/**},\n"
144 +" mount options=(ro,remount,bind,nosuid,nodev) -> /pr[^o]*{,/**},\n"
145 +" mount options=(ro,remount,bind,nosuid,nodev) -> /pro[^c]*{,/**},\n"
146 +" mount options=(ro,remount,bind,nosuid,nodev) -> /proc?*{,/**},\n"
147 +" mount options=(ro,remount,bind,nosuid,nodev) -> /s[^y]*{,/**},\n"
148 +" mount options=(ro,remount,bind,nosuid,nodev) -> /sy[^s]*{,/**},\n"
149 +" mount options=(ro,remount,bind,nosuid,nodev) -> /sys?*{,/**},\n"
150 +"\n"
151 +" mount options=(ro,remount,bind,nosuid,noexec) -> /[^spd]*{,/**},\n"
152 +" mount options=(ro,remount,bind,nosuid,noexec) -> /d[^e]*{,/**},\n"
153 +" mount options=(ro,remount,bind,nosuid,noexec) -> /de[^v]*{,/**},\n"
154 +" mount options=(ro,remount,bind,nosuid,noexec) -> /dev/.[^l]*{,/**},\n"
155 +" mount options=(ro,remount,bind,nosuid,noexec) -> /dev/.l[^x]*{,/**},\n"
156 +" mount options=(ro,remount,bind,nosuid,noexec) -> /dev/.lx[^c]*{,/**},\n"
157 +" mount options=(ro,remount,bind,nosuid,noexec) -> /dev/.lxc?*{,/**},\n"
158 +" mount options=(ro,remount,bind,nosuid,noexec) -> /dev/[^.]*{,/**},\n"
159 +" mount options=(ro,remount,bind,nosuid,noexec) -> /dev?*{,/**},\n"
160 +" mount options=(ro,remount,bind,nosuid,noexec) -> /p[^r]*{,/**},\n"
161 +" mount options=(ro,remount,bind,nosuid,noexec) -> /pr[^o]*{,/**},\n"
162 +" mount options=(ro,remount,bind,nosuid,noexec) -> /pro[^c]*{,/**},\n"
163 +" mount options=(ro,remount,bind,nosuid,noexec) -> /proc?*{,/**},\n"
164 +" mount options=(ro,remount,bind,nosuid,noexec) -> /s[^y]*{,/**},\n"
165 +" mount options=(ro,remount,bind,nosuid,noexec) -> /sy[^s]*{,/**},\n"
166 +" mount options=(ro,remount,bind,nosuid,noexec) -> /sys?*{,/**},\n"
167 +"\n"
168 +" mount options=(ro,remount,bind,nosuid,noexec,nodev) -> /[^spd]*{,/**},\n"
169 +" mount options=(ro,remount,bind,nosuid,noexec,nodev) -> /d[^e]*{,/**},\n"
170 +" mount options=(ro,remount,bind,nosuid,noexec,nodev) -> /de[^v]*{,/**},\n"
171 +" mount options=(ro,remount,bind,nosuid,noexec,nodev) -> /dev/.[^l]*{,/**},\n"
172 +" mount options=(ro,remount,bind,nosuid,noexec,nodev) -> /dev/.l[^x]*{,/**},\n"
173 +" mount options=(ro,remount,bind,nosuid,noexec,nodev) -> /dev/.lx[^c]*{,/**},\n"
174 +" mount options=(ro,remount,bind,nosuid,noexec,nodev) -> /dev/.lxc?*{,/**},\n"
175 +" mount options=(ro,remount,bind,nosuid,noexec,nodev) -> /dev/[^.]*{,/**},\n"
176 +" mount options=(ro,remount,bind,nosuid,noexec,nodev) -> /dev?*{,/**},\n"
177 +" mount options=(ro,remount,bind,nosuid,noexec,nodev) -> /p[^r]*{,/**},\n"
178 +" mount options=(ro,remount,bind,nosuid,noexec,nodev) -> /pr[^o]*{,/**},\n"
179 +" mount options=(ro,remount,bind,nosuid,noexec,nodev) -> /pro[^c]*{,/**},\n"
180 +" mount options=(ro,remount,bind,nosuid,noexec,nodev) -> /proc?*{,/**},\n"
181 +" mount options=(ro,remount,bind,nosuid,noexec,nodev) -> /s[^y]*{,/**},\n"
182 +" mount options=(ro,remount,bind,nosuid,noexec,nodev) -> /sy[^s]*{,/**},\n"
183 +" mount options=(ro,remount,bind,nosuid,noexec,nodev) -> /sys?*{,/**},\n"
184 +"\n"
185 +" mount options=(ro,remount,bind,nosuid,noexec,strictatime) -> /[^spd]*{,/**},\n"
186 +" mount options=(ro,remount,bind,nosuid,noexec,strictatime) -> /d[^e]*{,/**},\n"
187 +" mount options=(ro,remount,bind,nosuid,noexec,strictatime) -> /de[^v]*{,/**},\n"
188 +" mount options=(ro,remount,bind,nosuid,noexec,strictatime) -> /dev/.[^l]*{,/**},\n"
189 +" mount options=(ro,remount,bind,nosuid,noexec,strictatime) -> /dev/.l[^x]*{,/**},\n"
190 +" mount options=(ro,remount,bind,nosuid,noexec,strictatime) -> /dev/.lx[^c]*{,/**},\n"
191 +" mount options=(ro,remount,bind,nosuid,noexec,strictatime) -> /dev/.lxc?*{,/**},\n"
192 +" mount options=(ro,remount,bind,nosuid,noexec,strictatime) -> /dev/[^.]*{,/**},\n"
193 +" mount options=(ro,remount,bind,nosuid,noexec,strictatime) -> /dev?*{,/**},\n"
194 +" mount options=(ro,remount,bind,nosuid,noexec,strictatime) -> /p[^r]*{,/**},\n"
195 +" mount options=(ro,remount,bind,nosuid,noexec,strictatime) -> /pr[^o]*{,/**},\n"
196 +" mount options=(ro,remount,bind,nosuid,noexec,strictatime) -> /pro[^c]*{,/**},\n"
197 +" mount options=(ro,remount,bind,nosuid,noexec,strictatime) -> /proc?*{,/**},\n"
198 +" mount options=(ro,remount,bind,nosuid,noexec,strictatime) -> /s[^y]*{,/**},\n"
199 +" mount options=(ro,remount,bind,nosuid,noexec,strictatime) -> /sy[^s]*{,/**},\n"
200 +" mount options=(ro,remount,bind,nosuid,noexec,strictatime) -> /sys?*{,/**},\n"
201 +"\n"
202 " # allow bind-mounts of anything except /proc, /sys and /dev\n"
203 " mount options=(rw,bind) /[^spd]*{,/**},\n"
204 " mount options=(rw,bind) /d[^e]*{,/**},\n"
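Review bot: The 160 new ro-remount-bind rules at old-side lines 22–200 of the patch are a hand-expanded cross product of ten option sets times the same 16-pattern path carve-out, so a mistyped or dropped entry in any one of the ten copies would silently widen or narrow the profile and is very hard to spot by eye; a helper macro that emits the 16 path lines for one option set keeps the carve-out in one place and makes each option set a single line, with byte-identical string output. The macro would be defined above `static const char AA_PROFILE_BASE[] =` (the definition starts before this hunk) and invoked inside the initializer, since adjacent string literals concatenate. Separately, both `(…,nodev,nosuid)` and `(…,nosuid,nodev)` are listed; if the parser treats `options=()` as an unordered set one of them is redundant, and if it does not, other orderings are missing — worth a one-line profile comment stating which assumption the list is built on.
```c
/* One ro-remount-bind rule per carve-out path for a single option set;
 * the 16 patterns allow everything except /, /proc, /sys, /dev and /dev/.lxc. */
#define AA_RO_REMOUNT_BIND(opts) \
	" mount options=(" opts ") -> /[^spd]*{,/**},\n" \
	" mount options=(" opts ") -> /d[^e]*{,/**},\n" \
	" mount options=(" opts ") -> /de[^v]*{,/**},\n" \
	" mount options=(" opts ") -> /dev/.[^l]*{,/**},\n" \
	" mount options=(" opts ") -> /dev/.l[^x]*{,/**},\n" \
	" mount options=(" opts ") -> /dev/.lx[^c]*{,/**},\n" \
	" mount options=(" opts ") -> /dev/.lxc?*{,/**},\n" \
	" mount options=(" opts ") -> /dev/[^.]*{,/**},\n" \
	" mount options=(" opts ") -> /dev?*{,/**},\n" \
	" mount options=(" opts ") -> /p[^r]*{,/**},\n" \
	" mount options=(" opts ") -> /pr[^o]*{,/**},\n" \
	" mount options=(" opts ") -> /pro[^c]*{,/**},\n" \
	" mount options=(" opts ") -> /proc?*{,/**},\n" \
	" mount options=(" opts ") -> /s[^y]*{,/**},\n" \
	" mount options=(" opts ") -> /sy[^s]*{,/**},\n" \
	" mount options=(" opts ") -> /sys?*{,/**},\n" \
	"\n"

/* … unchanged: propagation rules and the "allow various ro-bind-*re*-mounts" comment … */
AA_RO_REMOUNT_BIND("ro,remount,bind")
AA_RO_REMOUNT_BIND("ro,remount,bind,nodev")
AA_RO_REMOUNT_BIND("ro,remount,bind,nodev,nosuid")
AA_RO_REMOUNT_BIND("ro,remount,bind,noexec")
AA_RO_REMOUNT_BIND("ro,remount,bind,noexec,nodev")
AA_RO_REMOUNT_BIND("ro,remount,bind,nosuid")
AA_RO_REMOUNT_BIND("ro,remount,bind,nosuid,nodev")
AA_RO_REMOUNT_BIND("ro,remount,bind,nosuid,noexec")
AA_RO_REMOUNT_BIND("ro,remount,bind,nosuid,noexec,nodev")
AA_RO_REMOUNT_BIND("ro,remount,bind,nosuid,noexec,strictatime")
/* … unchanged: "allow bind-mounts of anything except /proc, /sys and /dev" list … */
```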
205 @@ -167,15 +348,18 @@ static const char AA_PROFILE_BASE[] =
206 " mount options=(rw,bind) /sy[^s]*{,/**},\n"
207 " mount options=(rw,bind) /sys?*{,/**},\n"
208 "\n"
209 -" # allow various ro-bind-*re*-mounts\n"
210 -" mount options=(ro,remount,bind),\n"
211 -" mount options=(ro,remount,bind,nosuid),\n"
212 -" mount options=(ro,remount,bind,noexec),\n"
213 -" mount options=(ro,remount,bind,nodev),\n"
214 -" mount options=(ro,remount,bind,nosuid,noexec),\n"
215 -" mount options=(ro,remount,bind,noexec,nodev),\n"
216 -" mount options=(ro,remount,bind,nodev,nosuid),\n"
217 -" mount options=(ro,remount,bind,nosuid,noexec,nodev),\n"
218 +" # Allow rbind-mounts of anything except /, /dev, /proc and /sys\n"
219 +" mount options=(rw,rbind) /[^spd]*{,/**},\n"
220 +" mount options=(rw,rbind) /d[^e]*{,/**},\n"
221 +" mount options=(rw,rbind) /de[^v]*{,/**},\n"
222 +" mount options=(rw,rbind) /dev?*{,/**},\n"
223 +" mount options=(rw,rbind) /p[^r]*{,/**},\n"
224 +" mount options=(rw,rbind) /pr[^o]*{,/**},\n"
225 +" mount options=(rw,rbind) /pro[^c]*{,/**},\n"
226 +" mount options=(rw,rbind) /proc?*{,/**},\n"
227 +" mount options=(rw,rbind) /s[^y]*{,/**},\n"
228 +" mount options=(rw,rbind) /sy[^s]*{,/**},\n"
229 +" mount options=(rw,rbind) /sys?*{,/**},\n"
230 "\n"
231 " # allow moving mounts except for /proc, /sys and /dev\n"
232 " mount options=(rw,move) /[^spd]*{,/**},\n"
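Review bot: The new rbind list (patch lines 219–229) has only eleven patterns and excludes everything at or below `/dev` via `/dev?*`, whereas the neighbouring `(rw,bind)` list appears to have sixteen entries (old lines 153–168 by the hunk headers), which would mean plain bind is allowed on `/dev` subpaths that rbind is not; if that asymmetry is deliberate it deserves to be stated, since the two comments otherwise read as parallel. Suggest extending the new comment to `" # Allow rbind-mounts of anything except /, /dev, /proc and /sys\n" " # (unlike plain bind above, nothing below /dev is allowed here)\n"`. The enclosing `AA_PROFILE_BASE` definition starts before this hunk.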
233 @@ -339,18 +523,37 @@ static const char AA_PROFILE_NESTING_BASE[] =
234 " deny /dev/.lxc/proc/** rw,\n"
235 " deny /dev/.lxc/sys/** rw,\n"
236 "\n"
237 +" # Allow modifying mount propagation\n"
238 +" mount options=(rw,make-slave) -> **,\n"
239 +" mount options=(rw,make-rslave) -> **,\n"
240 +" mount options=(rw,make-shared) -> **,\n"
241 +" mount options=(rw,make-rshared) -> **,\n"
242 +" mount options=(rw,make-private) -> **,\n"
243 +" mount options=(rw,make-rprivate) -> **,\n"
244 +" mount options=(rw,make-unbindable) -> **,\n"
245 +" mount options=(rw,make-runbindable) -> **,\n"
246 +"\n"
247 " mount fstype=proc -> /usr/lib/*/lxc/**,\n"
248 " mount fstype=sysfs -> /usr/lib/*/lxc/**,\n"
249 " mount options=(rw,bind),\n"
250 " mount options=(rw,rbind),\n"
251 -" mount options=(rw,make-rshared),\n"
252 "\n"
253 - /* FIXME: What's the state here on apparmor's side? */
254 -" # there doesn't seem to be a way to ask for:\n"
255 -" # mount options=(ro,nosuid,nodev,noexec,remount,bind),\n"
256 -" # as we always get mount to $cdir/proc/sys with those flags denied\n"
257 -" # So allow all mounts until that is straightened out:\n"
258 -" mount,\n"
259 +" # Allow common combinations of bind/remount\n"
260 +" # NOTE: AppArmor bug effectively turns those into wildcards mount allow\n"
261 +" mount options=(ro,remount,bind),\n"
262 +" mount options=(ro,remount,bind,nodev),\n"
263 +" mount options=(ro,remount,bind,nodev,nosuid),\n"
264 +" mount options=(ro,remount,bind,noexec),\n"
265 +" mount options=(ro,remount,bind,noexec,nodev),\n"
266 +" mount options=(ro,remount,bind,nosuid),\n"
267 +" mount options=(ro,remount,bind,nosuid,nodev),\n"
268 +" mount options=(ro,remount,bind,nosuid,noexec),\n"
269 +" mount options=(ro,remount,bind,nosuid,noexec,nodev),\n"
270 +" mount options=(ro,remount,bind,nosuid,noexec,strictatime),\n"
271 +"\n"
272 +" # Allow remounting things read-only\n"
273 +" mount options=(ro,remount) /,\n"
274 +" mount options=(ro,remount) /**,\n"
275 ;
276
277 static const char AA_PROFILE_UNPRIVILEGED[] =
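Review bot: The note at patch line 260 says the AppArmor bug makes the ten option-set rules behave as a wildcard mount allow, so as written the nesting profile is no tighter than the `mount,` it removes, and once the parser bug is fixed these rules will silently narrow to exactly those option sets on any path (unlike the base profile, which pins the same sets to a path carve-out); the comment should say which behaviour is the intended one so a future AppArmor upgrade is not a surprise. Suggest replacing it with `" # NOTE: a current AppArmor bug makes these act as a wildcard mount allow;\n" " # once fixed they match only these option sets, on any path, by design\n"`. The propagation rules at patch lines 238–245 also use `-> **` where the base profile allows only `/`; a one-line comment on why nested containers need propagation changes on arbitrary mount points would help (presumably their own rootfs trees, but that is not stated). The enclosing `AA_PROFILE_NESTING_BASE` definition starts before this hunk and ends at the `;` inside it.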
278 --
279 2.20.1
280