git.proxmox.com Git - mirror

]> git.proxmox.com Git - mirror_lxc.git/commit

author	Wolfgang Bumiller <w.bumiller@proxmox.com>
	Thu, 15 Nov 2018 10:51:34 +0000 (11:51 +0100)
committer	Wolfgang Bumiller <w.bumiller@proxmox.com>
	Fri, 16 Nov 2018 11:17:30 +0000 (12:17 +0100)
commit	e6ec0a9e71aa68c9fd67c691a62aaae87e356cef
tree	e79be0b86049349cc078526436df5a54b9c678c8	tree
parent	c891ab355ba1a5d7157123c60191f4f5dbbded7b	commit \| diff

apparmor: allow various remount,bind options

RW bind mounts need to be restricted for some paths in
order to avoid MAC restriction bypasses, but read-only bind
mounts shouldn't have that problem.

Additionally, combinations of 'nosuid', 'nodev' and
'noexec' flags shouldn't be a problem either and are
required with newer systemd versions, so let's allow those
as long as they're combined with 'ro,remount,bind'.

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>

config/apparmor/abstractions/container-base		diff \| blob \| blame \| history
config/apparmor/abstractions/container-base.in		diff \| blob \| blame \| history
src/lxc/lsm/apparmor.c		diff \| blob \| blame \| history

LXC mirror

RSS Atom