revert apparmor changes depending on newer apparmor
authorWolfgang Bumiller <w.bumiller@proxmox.com>
Fri, 5 Apr 2024 11:15:50 +0000 (13:15 +0200)
committerWolfgang Bumiller <w.bumiller@proxmox.com>
Fri, 5 Apr 2024 12:27:00 +0000 (14:27 +0200)
This particular patch requires apparmor userspace version 3.0.11 or
above, and we are currently at 3.0.8.

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
debian/patches/0001-Revert-lsm-apparmor-allow-to-change-mount-propagatio.patch [new file with mode: 0644]
debian/patches/series

diff --git a/debian/patches/0001-Revert-lsm-apparmor-allow-to-change-mount-propagatio.patch b/debian/patches/0001-Revert-lsm-apparmor-allow-to-change-mount-propagatio.patch
new file mode 100644 (file)
index 0000000..c6fbed2
--- /dev/null
@@ -0,0 +1,112 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Date: Fri, 5 Apr 2024 13:05:33 +0200
+Subject: [PATCH] Revert "lsm: apparmor: allow to change mount propagation"
+
+This reverts commit 890de075941a8d6e8d0294480e82c72e6de51fc1.
+
+Debian/pve-8 is still at apparmor 3.0.8 and this would require at
+least 3.0.11.
+---
+ config/apparmor/abstractions/container-base   | 17 ++++++------
+ .../apparmor/abstractions/container-base.in   | 17 ++++++------
+ src/lxc/lsm/apparmor.c                        | 27 +++++++++++++------
+ 3 files changed, 37 insertions(+), 24 deletions(-)
+
+diff --git a/config/apparmor/abstractions/container-base b/config/apparmor/abstractions/container-base
+index 69bf6c3b5..077476559 100644
+--- a/config/apparmor/abstractions/container-base
++++ b/config/apparmor/abstractions/container-base
+@@ -92,14 +92,15 @@
+   deny /sys/kernel/debug/{,**} rwklx,
+   # allow paths to be made slave, shared, private or unbindable
+-  mount options=(rw,make-slave) -> **,
+-  mount options=(rw,make-rslave) -> **,
+-  mount options=(rw,make-shared) -> **,
+-  mount options=(rw,make-rshared) -> **,
+-  mount options=(rw,make-private) -> **,
+-  mount options=(rw,make-rprivate) -> **,
+-  mount options=(rw,make-unbindable) -> **,
+-  mount options=(rw,make-runbindable) -> **,
++  # FIXME: This currently doesn't work due to the apparmor parser treating those as allowing all mounts.
++#  mount options=(rw,make-slave) -> **,
++#  mount options=(rw,make-rslave) -> **,
++#  mount options=(rw,make-shared) -> **,
++#  mount options=(rw,make-rshared) -> **,
++#  mount options=(rw,make-private) -> **,
++#  mount options=(rw,make-rprivate) -> **,
++#  mount options=(rw,make-unbindable) -> **,
++#  mount options=(rw,make-runbindable) -> **,
+   # allow bind-mounts of anything except /proc, /sys and /dev
+   mount options=(rw,bind) /[^spd]*{,/**},
+diff --git a/config/apparmor/abstractions/container-base.in b/config/apparmor/abstractions/container-base.in
+index 2ca4e2f7b..2606fb64c 100644
+--- a/config/apparmor/abstractions/container-base.in
++++ b/config/apparmor/abstractions/container-base.in
+@@ -92,14 +92,15 @@
+   deny /sys/kernel/debug/{,**} rwklx,
+   # allow paths to be made slave, shared, private or unbindable
+-  mount options=(rw,make-slave) -> **,
+-  mount options=(rw,make-rslave) -> **,
+-  mount options=(rw,make-shared) -> **,
+-  mount options=(rw,make-rshared) -> **,
+-  mount options=(rw,make-private) -> **,
+-  mount options=(rw,make-rprivate) -> **,
+-  mount options=(rw,make-unbindable) -> **,
+-  mount options=(rw,make-runbindable) -> **,
++  # FIXME: This currently doesn't work due to the apparmor parser treating those as allowing all mounts.
++#  mount options=(rw,make-slave) -> **,
++#  mount options=(rw,make-rslave) -> **,
++#  mount options=(rw,make-shared) -> **,
++#  mount options=(rw,make-rshared) -> **,
++#  mount options=(rw,make-private) -> **,
++#  mount options=(rw,make-rprivate) -> **,
++#  mount options=(rw,make-unbindable) -> **,
++#  mount options=(rw,make-runbindable) -> **,
+   # allow bind-mounts of anything except /proc, /sys and /dev
+   mount options=(rw,bind) /[^spd]*{,/**},
+diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c
+index 1d98e2941..6f0b10dfe 100644
+--- a/src/lxc/lsm/apparmor.c
++++ b/src/lxc/lsm/apparmor.c
+@@ -113,14 +113,25 @@ static const char AA_PROFILE_BASE[] =
+ "  deny /sys/kernel/debug/{,**} rwklx,\n"
+ "\n"
+ "  # allow paths to be made dependent, shared, private or unbindable\n"
+-"  mount options=(rw,make-slave) -> **,\n"
+-"  mount options=(rw,make-rslave) -> **,\n"
+-"  mount options=(rw,make-shared) -> **,\n"
+-"  mount options=(rw,make-rshared) -> **,\n"
+-"  mount options=(rw,make-private) -> **,\n"
+-"  mount options=(rw,make-rprivate) -> **,\n"
+-"  mount options=(rw,make-unbindable) -> **,\n"
+-"  mount options=(rw,make-runbindable) -> **,\n"
++"  # TODO: This currently doesn't work due to the apparmor parser treating those as allowing all mounts.\n"
++"#  mount options=(rw,make-slave) -> **,\n"
++"#  mount options=(rw,make-rslave) -> **,\n"
++"#  mount options=(rw,make-shared) -> **,\n"
++"#  mount options=(rw,make-rshared) -> **,\n"
++"#  mount options=(rw,make-private) -> **,\n"
++"#  mount options=(rw,make-rprivate) -> **,\n"
++"#  mount options=(rw,make-unbindable) -> **,\n"
++"#  mount options=(rw,make-runbindable) -> **,\n"
++"\n"
++"# Allow limited modification of mount propagation\n"
++"  mount options=(rw,make-slave) -> /,\n"
++"  mount options=(rw,make-rslave) -> /,\n"
++"  mount options=(rw,make-shared) -> /,\n"
++"  mount options=(rw,make-rshared) -> /,\n"
++"  mount options=(rw,make-private) -> /,\n"
++"  mount options=(rw,make-rprivate) -> /,\n"
++"  mount options=(rw,make-unbindable) -> /,\n"
++"  mount options=(rw,make-runbindable) -> /,\n"
+ "\n"
+ "  # allow bind-mounts of anything except /proc, /sys and /dev\n"
+ "  mount options=(rw,bind) /[^spd]*{,/**},\n"
+-- 
+2.39.2
+
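Review bot: The reverted profile text is inconsistent between the embedded profile and the shipped abstraction: the apparmor.c hunk re-adds the `-> /` "limited modification of mount propagation" rules after the commented-out block, while the container-base and container-base.in hunks only comment out the `-> **` rules and add no `-> /` replacement, so a container loaded from the abstraction file cannot change propagation on `/` where one using the built-in AA_PROFILE_BASE still can. This is presumably the exact pre-890de075941a8d6e8d0294480e82c72e6de51fc1 upstream state, but the patch description should say so rather than leave the reader to diff the three hunks. The description should also spell out the consequence that the FIXME/TODO comments document: if those comments are accurate, the older parser treats the `options=(...) -> **` rules as permitting every mount, so keeping the unreverted profile on 3.0.8 would loosen the container policy rather than merely fail. A sentence such as `On apparmor < 3.0.11 the parser treats the make-* rules with '-> **' as allowing all mounts, so shipping them would widen the container profile instead of breaking it.` would make the security motivation explicit.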
index 344756a4b9bbc589150a77bf0465b270a9cf230b..247ec8806b3958002528212118143a4b55da9c82 100644 (file)
@@ -1,2 +1,3 @@
+0001-Revert-lsm-apparmor-allow-to-change-mount-propagatio.patch
 pve/0001-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch
 pve/0002-PVE-Config-attach-always-use-getent.patch
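Review bot: The new revert sits at the top level of debian/patches/ and is listed first in the series, while every existing entry lives under `pve/`; by its name, `pve/0001-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch` appears to touch the same apparmor profile region that the revert rewrites, so the two must apply cleanly in this order. Presumably that was checked, but it would be worth a line in the description, and moving the revert under `pve/` with a leading sequence number would keep the patch layout consistent with the rest of the series.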