merge new apparmor profile update

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>

diff --git a/debian/patches/extra/0004-apparmor-generate-ro-bind-remount-rule-list.patch b/debian/patches/extra/0004-apparmor-generate-ro-bind-remount-rule-list.patch
new file mode 100644 (file)
index 0000000..8dc7b05
--- /dev/null
+++ b/debian/patches/extra/0004-apparmor-generate-ro-bind-remount-rule-list.patch
@@ -0,0 +1,215 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Date: Fri, 2 Aug 2019 12:57:42 +0200
+Subject: [PATCH] apparmor: generate ro,bind,remount rule list
+
+initially based on changes to lxd
+
+Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
+---
+ src/lxc/lsm/apparmor.c | 156 ++++++++++++++++++++++++++++++++++++-----
+ 1 file changed, 140 insertions(+), 16 deletions(-)
+
+diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c
+index e32b12531..08966a246 100644
+--- a/src/lxc/lsm/apparmor.c
++++ b/src/lxc/lsm/apparmor.c
+@@ -149,6 +149,16 @@ static const char AA_PROFILE_BASE[] =
+ "#  mount options=(rw,make-unbindable) -> **,\n"
+ "#  mount options=(rw,make-runbindable) -> **,\n"
+ "\n"
++"# Allow limited modification of mount propagation\n"
++"  mount options=(rw,make-slave) -> /,\n"
++"  mount options=(rw,make-rslave) -> /,\n"
++"  mount options=(rw,make-shared) -> /,\n"
++"  mount options=(rw,make-rshared) -> /,\n"
++"  mount options=(rw,make-private) -> /,\n"
++"  mount options=(rw,make-rprivate) -> /,\n"
++"  mount options=(rw,make-unbindable) -> /,\n"
++"  mount options=(rw,make-runbindable) -> /,\n"
++"\n"
+ "  # allow bind-mounts of anything except /proc, /sys and /dev\n"
+ "  mount options=(rw,bind) /[^spd]*{,/**},\n"
+ "  mount options=(rw,bind) /d[^e]*{,/**},\n"
+@@ -167,15 +177,18 @@ static const char AA_PROFILE_BASE[] =
+ "  mount options=(rw,bind) /sy[^s]*{,/**},\n"
+ "  mount options=(rw,bind) /sys?*{,/**},\n"
+ "\n"
+-"  # allow various ro-bind-*re*-mounts\n"
+-"  mount options=(ro,remount,bind),\n"
+-"  mount options=(ro,remount,bind,nosuid),\n"
+-"  mount options=(ro,remount,bind,noexec),\n"
+-"  mount options=(ro,remount,bind,nodev),\n"
+-"  mount options=(ro,remount,bind,nosuid,noexec),\n"
+-"  mount options=(ro,remount,bind,noexec,nodev),\n"
+-"  mount options=(ro,remount,bind,nodev,nosuid),\n"
+-"  mount options=(ro,remount,bind,nosuid,noexec,nodev),\n"
++"  # Allow rbind-mounts of anything except /, /dev, /proc and /sys\n"
++"  mount options=(rw,rbind) /[^spd]*{,/**},\n"
++"  mount options=(rw,rbind) /d[^e]*{,/**},\n"
++"  mount options=(rw,rbind) /de[^v]*{,/**},\n"
++"  mount options=(rw,rbind) /dev?*{,/**},\n"
++"  mount options=(rw,rbind) /p[^r]*{,/**},\n"
++"  mount options=(rw,rbind) /pr[^o]*{,/**},\n"
++"  mount options=(rw,rbind) /pro[^c]*{,/**},\n"
++"  mount options=(rw,rbind) /proc?*{,/**},\n"
++"  mount options=(rw,rbind) /s[^y]*{,/**},\n"
++"  mount options=(rw,rbind) /sy[^s]*{,/**},\n"
++"  mount options=(rw,rbind) /sys?*{,/**},\n"
+ "\n"
+ "  # allow moving mounts except for /proc, /sys and /dev\n"
+ "  mount options=(rw,move) /[^spd]*{,/**},\n"
+@@ -339,18 +352,57 @@ static const char AA_PROFILE_NESTING_BASE[] =
+ "  deny /dev/.lxc/proc/** rw,\n"
+ "  deny /dev/.lxc/sys/** rw,\n"
+ "\n"
++"  # Allow modifying mount propagation\n"
++"  mount options=(rw,make-slave) -> **,\n"
++"  mount options=(rw,make-rslave) -> **,\n"
++"  mount options=(rw,make-shared) -> **,\n"
++"  mount options=(rw,make-rshared) -> **,\n"
++"  mount options=(rw,make-private) -> **,\n"
++"  mount options=(rw,make-rprivate) -> **,\n"
++"  mount options=(rw,make-unbindable) -> **,\n"
++"  mount options=(rw,make-runbindable) -> **,\n"
++"\n"
+ "  mount fstype=proc -> /usr/lib/*/lxc/**,\n"
+ "  mount fstype=sysfs -> /usr/lib/*/lxc/**,\n"
+ "  mount options=(rw,bind),\n"
+ "  mount options=(rw,rbind),\n"
+-"  mount options=(rw,make-rshared),\n"
+ "\n"
+-   /* FIXME: What's the state here on apparmor's side? */
+-"  # there doesn't seem to be a way to ask for:\n"
+-"  # mount options=(ro,nosuid,nodev,noexec,remount,bind),\n"
+-"  # as we always get mount to $cdir/proc/sys with those flags denied\n"
+-"  # So allow all mounts until that is straightened out:\n"
+-"  mount,\n"
++"  # Allow common combinations of bind/remount\n"
++"  # NOTE: AppArmor bug effectively turns those into wildcards mount allow\n"
++"  mount options=(ro,remount,bind),\n"
++"  mount options=(ro,remount,bind,nodev),\n"
++"  mount options=(ro,remount,bind,nodev,nosuid),\n"
++"  mount options=(ro,remount,bind,noexec),\n"
++"  mount options=(ro,remount,bind,noexec,nodev),\n"
++"  mount options=(ro,remount,bind,nosuid),\n"
++"  mount options=(ro,remount,bind,nosuid,nodev),\n"
++"  mount options=(ro,remount,bind,nosuid,noexec),\n"
++"  mount options=(ro,remount,bind,nosuid,noexec,nodev),\n"
++
++"  mount options=(ro,remount,bind,strictatime),\n"
++"  mount options=(ro,remount,bind,strictatime,nodev),\n"
++"  mount options=(ro,remount,bind,strictatime,nodev,nosuid),\n"
++"  mount options=(ro,remount,bind,strictatime,noexec),\n"
++"  mount options=(ro,remount,bind,strictatime,noexec,nodev),\n"
++"  mount options=(ro,remount,bind,strictatime,nosuid),\n"
++"  mount options=(ro,remount,bind,strictatime,nosuid,nodev),\n"
++"  mount options=(ro,remount,bind,strictatime,nosuid,noexec),\n"
++"  mount options=(ro,remount,bind,strictatime,nosuid,noexec,nodev),\n"
++
++"  mount options=(ro,remount,bind,noatime),\n"
++"  mount options=(ro,remount,bind,noatime,nodev),\n"
++"  mount options=(ro,remount,bind,noatime,nodev,nosuid),\n"
++"  mount options=(ro,remount,bind,noatime,noexec),\n"
++"  mount options=(ro,remount,bind,noatime,noexec,nodev),\n"
++"  mount options=(ro,remount,bind,noatime,nosuid),\n"
++"  mount options=(ro,remount,bind,noatime,nosuid,nodev),\n"
++"  mount options=(ro,remount,bind,noatime,nosuid,noexec),\n"
++"  mount options=(ro,remount,bind,noatime,nosuid,noexec,nodev),\n"
++
++"\n"
++"  # Allow remounting things read-only\n"
++"  mount options=(ro,remount) /,\n"
++"  mount options=(ro,remount) /**,\n"
+ ;
+ 
+ static const char AA_PROFILE_UNPRIVILEGED[] =
+@@ -648,6 +700,76 @@ static bool is_privileged(struct lxc_conf *conf)
+       return lxc_list_empty(&conf->id_map);
+ }
+ 
++static const char* AA_ALL_DEST_PATH_LIST[] = {
++      " -> /[^spd]*{,/**},\n",
++      " -> /d[^e]*{,/**},\n",
++      " -> /de[^v]*{,/**},\n",
++      " -> /dev/.[^l]*{,/**},\n",
++      " -> /dev/.l[^x]*{,/**},\n",
++      " -> /dev/.lx[^c]*{,/**},\n",
++      " -> /dev/.lxc?*{,/**},\n",
++      " -> /dev/[^.]*{,/**},\n",
++      " -> /dev?*{,/**},\n",
++      " -> /p[^r]*{,/**},\n",
++      " -> /pr[^o]*{,/**},\n",
++      " -> /pro[^c]*{,/**},\n",
++      " -> /proc?*{,/**},\n",
++      " -> /s[^y]*{,/**},\n",
++      " -> /sy[^s]*{,/**},\n",
++      " -> /sys?*{,/**},\n",
++      NULL,
++};
++
++static void append_remount_rule(char **profile, size_t *size, const char *rule)
++{
++      size_t rule_len = strlen(rule);
++
++      for (const char **dest = AA_ALL_DEST_PATH_LIST; *dest; ++dest) {
++              must_append_sized(profile, size, rule, rule_len);
++              must_append_sized(profile, size, *dest, strlen(*dest));
++      }
++}
++
++static void append_all_remount_rules(char **profile, size_t *size)
++{
++      must_append_sized(profile, size,
++                        "# allow various ro-bind-*re*mounts\n",
++                        sizeof("# allow various ro-bind-*re*mounts\n")-1);
++
++      static struct mntopt_t {
++              const char *opt;
++              size_t len;
++      } mnt_opt_list[] = {
++              { ",nodev", sizeof(",nodev")-1 },
++              { ",nosuid", sizeof(",nosuid")-1 },
++              { ",noexec", sizeof(",noexec")-1 },
++      };
++
++      const size_t opt_count = sizeof(mnt_opt_list) / sizeof(mnt_opt_list[0]);
++
++      char buf[128] = "mount options=(ro,remount,bind";
++      const size_t start = strlen(buf);
++      for (size_t i = 0; i != 1 << opt_count; ++i) {
++              size_t at = start;
++              unsigned opt_bit = 1;
++
++              for (size_t o = 0; o != opt_count; ++o, opt_bit <<= 1) {
++                      if (i & opt_bit) {
++                              struct mntopt_t *opt = &mnt_opt_list[o];
++                              memcpy(&buf[at], opt->opt, opt->len);
++                              at += opt->len;
++                      }
++              }
++
++              memcpy(&buf[at], ")", sizeof(")"));
++              append_remount_rule(profile, size, buf);
++              memcpy(&buf[at], ",noatime)", sizeof(",noatime)"));
++              append_remount_rule(profile, size, buf);
++              memcpy(&buf[at], ",strictatime)", sizeof(",strictatime)"));
++              append_remount_rule(profile, size, buf);
++      }
++}
++
+ static char *get_apparmor_profile_content(struct lxc_conf *conf, const char *lxcpath)
+ {
+       char *profile, *profile_name_full;
+@@ -665,6 +787,8 @@ static char *get_apparmor_profile_content(struct lxc_conf *conf, const char *lxc
+       must_append_sized(&profile, &size, AA_PROFILE_BASE,
+                         STRARRAYLEN(AA_PROFILE_BASE));
+ 
++      append_all_remount_rules(&profile, &size);
++
+       if (aa_supports_unix)
+               must_append_sized(&profile, &size, AA_PROFILE_UNIX_SOCKETS,
+                                 STRARRAYLEN(AA_PROFILE_UNIX_SOCKETS));
+-- 
+2.20.1
+

diff --git a/debian/patches/extra/0004-update-apparmor-profile.patch b/debian/patches/extra/0004-update-apparmor-profile.patch
deleted file mode 100644 (file)
index 75d2102..0000000
--- a/debian/patches/extra/0004-update-apparmor-profile.patch
+++ /dev/null
@@ -1,280 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Wolfgang Bumiller <w.bumiller@proxmox.com>
-Date: Fri, 2 Aug 2019 12:57:42 +0200
-Subject: [PATCH] update apparmor profile
-
-based on changes to lxd
-
-Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
----
- src/lxc/lsm/apparmor.c | 235 ++++++++++++++++++++++++++++++++++++++---
- 1 file changed, 219 insertions(+), 16 deletions(-)
-
-diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c
-index e32b12531..6e7c2494d 100644
---- a/src/lxc/lsm/apparmor.c
-+++ b/src/lxc/lsm/apparmor.c
-@@ -149,6 +149,187 @@ static const char AA_PROFILE_BASE[] =
- "#  mount options=(rw,make-unbindable) -> **,\n"
- "#  mount options=(rw,make-runbindable) -> **,\n"
- "\n"
-+"# Allow limited modification of mount propagation\n"
-+"  mount options=(rw,make-slave) -> /,\n"
-+"  mount options=(rw,make-rslave) -> /,\n"
-+"  mount options=(rw,make-shared) -> /,\n"
-+"  mount options=(rw,make-rshared) -> /,\n"
-+"  mount options=(rw,make-private) -> /,\n"
-+"  mount options=(rw,make-rprivate) -> /,\n"
-+"  mount options=(rw,make-unbindable) -> /,\n"
-+"  mount options=(rw,make-runbindable) -> /,\n"
-+"\n"
-+"  # allow various ro-bind-*re*-mounts\n"
-+"  mount options=(ro,remount,bind) -> /[^spd]*{,/**},\n"
-+"  mount options=(ro,remount,bind) -> /d[^e]*{,/**},\n"
-+"  mount options=(ro,remount,bind) -> /de[^v]*{,/**},\n"
-+"  mount options=(ro,remount,bind) -> /dev/.[^l]*{,/**},\n"
-+"  mount options=(ro,remount,bind) -> /dev/.l[^x]*{,/**},\n"
-+"  mount options=(ro,remount,bind) -> /dev/.lx[^c]*{,/**},\n"
-+"  mount options=(ro,remount,bind) -> /dev/.lxc?*{,/**},\n"
-+"  mount options=(ro,remount,bind) -> /dev/[^.]*{,/**},\n"
-+"  mount options=(ro,remount,bind) -> /dev?*{,/**},\n"
-+"  mount options=(ro,remount,bind) -> /p[^r]*{,/**},\n"
-+"  mount options=(ro,remount,bind) -> /pr[^o]*{,/**},\n"
-+"  mount options=(ro,remount,bind) -> /pro[^c]*{,/**},\n"
-+"  mount options=(ro,remount,bind) -> /proc?*{,/**},\n"
-+"  mount options=(ro,remount,bind) -> /s[^y]*{,/**},\n"
-+"  mount options=(ro,remount,bind) -> /sy[^s]*{,/**},\n"
-+"  mount options=(ro,remount,bind) -> /sys?*{,/**},\n"
-+"\n"
-+"  mount options=(ro,remount,bind,nodev) -> /[^spd]*{,/**},\n"
-+"  mount options=(ro,remount,bind,nodev) -> /d[^e]*{,/**},\n"
-+"  mount options=(ro,remount,bind,nodev) -> /de[^v]*{,/**},\n"
-+"  mount options=(ro,remount,bind,nodev) -> /dev/.[^l]*{,/**},\n"
-+"  mount options=(ro,remount,bind,nodev) -> /dev/.l[^x]*{,/**},\n"
-+"  mount options=(ro,remount,bind,nodev) -> /dev/.lx[^c]*{,/**},\n"
-+"  mount options=(ro,remount,bind,nodev) -> /dev/.lxc?*{,/**},\n"
-+"  mount options=(ro,remount,bind,nodev) -> /dev/[^.]*{,/**},\n"
-+"  mount options=(ro,remount,bind,nodev) -> /dev?*{,/**},\n"
-+"  mount options=(ro,remount,bind,nodev) -> /p[^r]*{,/**},\n"
-+"  mount options=(ro,remount,bind,nodev) -> /pr[^o]*{,/**},\n"
-+"  mount options=(ro,remount,bind,nodev) -> /pro[^c]*{,/**},\n"
-+"  mount options=(ro,remount,bind,nodev) -> /proc?*{,/**},\n"
-+"  mount options=(ro,remount,bind,nodev) -> /s[^y]*{,/**},\n"
-+"  mount options=(ro,remount,bind,nodev) -> /sy[^s]*{,/**},\n"
-+"  mount options=(ro,remount,bind,nodev) -> /sys?*{,/**},\n"
-+"\n"
-+"  mount options=(ro,remount,bind,nodev,nosuid) -> /[^spd]*{,/**},\n"
-+"  mount options=(ro,remount,bind,nodev,nosuid) -> /d[^e]*{,/**},\n"
-+"  mount options=(ro,remount,bind,nodev,nosuid) -> /de[^v]*{,/**},\n"
-+"  mount options=(ro,remount,bind,nodev,nosuid) -> /dev/.[^l]*{,/**},\n"
-+"  mount options=(ro,remount,bind,nodev,nosuid) -> /dev/.l[^x]*{,/**},\n"
-+"  mount options=(ro,remount,bind,nodev,nosuid) -> /dev/.lx[^c]*{,/**},\n"
-+"  mount options=(ro,remount,bind,nodev,nosuid) -> /dev/.lxc?*{,/**},\n"
-+"  mount options=(ro,remount,bind,nodev,nosuid) -> /dev/[^.]*{,/**},\n"
-+"  mount options=(ro,remount,bind,nodev,nosuid) -> /dev?*{,/**},\n"
-+"  mount options=(ro,remount,bind,nodev,nosuid) -> /p[^r]*{,/**},\n"
-+"  mount options=(ro,remount,bind,nodev,nosuid) -> /pr[^o]*{,/**},\n"
-+"  mount options=(ro,remount,bind,nodev,nosuid) -> /pro[^c]*{,/**},\n"
-+"  mount options=(ro,remount,bind,nodev,nosuid) -> /proc?*{,/**},\n"
-+"  mount options=(ro,remount,bind,nodev,nosuid) -> /s[^y]*{,/**},\n"
-+"  mount options=(ro,remount,bind,nodev,nosuid) -> /sy[^s]*{,/**},\n"
-+"  mount options=(ro,remount,bind,nodev,nosuid) -> /sys?*{,/**},\n"
-+"\n"
-+"  mount options=(ro,remount,bind,noexec) -> /[^spd]*{,/**},\n"
-+"  mount options=(ro,remount,bind,noexec) -> /d[^e]*{,/**},\n"
-+"  mount options=(ro,remount,bind,noexec) -> /de[^v]*{,/**},\n"
-+"  mount options=(ro,remount,bind,noexec) -> /dev/.[^l]*{,/**},\n"
-+"  mount options=(ro,remount,bind,noexec) -> /dev/.l[^x]*{,/**},\n"
-+"  mount options=(ro,remount,bind,noexec) -> /dev/.lx[^c]*{,/**},\n"
-+"  mount options=(ro,remount,bind,noexec) -> /dev/.lxc?*{,/**},\n"
-+"  mount options=(ro,remount,bind,noexec) -> /dev/[^.]*{,/**},\n"
-+"  mount options=(ro,remount,bind,noexec) -> /dev?*{,/**},\n"
-+"  mount options=(ro,remount,bind,noexec) -> /p[^r]*{,/**},\n"
-+"  mount options=(ro,remount,bind,noexec) -> /pr[^o]*{,/**},\n"
-+"  mount options=(ro,remount,bind,noexec) -> /pro[^c]*{,/**},\n"
-+"  mount options=(ro,remount,bind,noexec) -> /proc?*{,/**},\n"
-+"  mount options=(ro,remount,bind,noexec) -> /s[^y]*{,/**},\n"
-+"  mount options=(ro,remount,bind,noexec) -> /sy[^s]*{,/**},\n"
-+"  mount options=(ro,remount,bind,noexec) -> /sys?*{,/**},\n"
-+"\n"
-+"  mount options=(ro,remount,bind,noexec,nodev) -> /[^spd]*{,/**},\n"
-+"  mount options=(ro,remount,bind,noexec,nodev) -> /d[^e]*{,/**},\n"
-+"  mount options=(ro,remount,bind,noexec,nodev) -> /de[^v]*{,/**},\n"
-+"  mount options=(ro,remount,bind,noexec,nodev) -> /dev/.[^l]*{,/**},\n"
-+"  mount options=(ro,remount,bind,noexec,nodev) -> /dev/.l[^x]*{,/**},\n"
-+"  mount options=(ro,remount,bind,noexec,nodev) -> /dev/.lx[^c]*{,/**},\n"
-+"  mount options=(ro,remount,bind,noexec,nodev) -> /dev/.lxc?*{,/**},\n"
-+"  mount options=(ro,remount,bind,noexec,nodev) -> /dev/[^.]*{,/**},\n"
-+"  mount options=(ro,remount,bind,noexec,nodev) -> /dev?*{,/**},\n"
-+"  mount options=(ro,remount,bind,noexec,nodev) -> /p[^r]*{,/**},\n"
-+"  mount options=(ro,remount,bind,noexec,nodev) -> /pr[^o]*{,/**},\n"
-+"  mount options=(ro,remount,bind,noexec,nodev) -> /pro[^c]*{,/**},\n"
-+"  mount options=(ro,remount,bind,noexec,nodev) -> /proc?*{,/**},\n"
-+"  mount options=(ro,remount,bind,noexec,nodev) -> /s[^y]*{,/**},\n"
-+"  mount options=(ro,remount,bind,noexec,nodev) -> /sy[^s]*{,/**},\n"
-+"  mount options=(ro,remount,bind,noexec,nodev) -> /sys?*{,/**},\n"
-+"\n"
-+"  mount options=(ro,remount,bind,nosuid) -> /[^spd]*{,/**},\n"
-+"  mount options=(ro,remount,bind,nosuid) -> /d[^e]*{,/**},\n"
-+"  mount options=(ro,remount,bind,nosuid) -> /de[^v]*{,/**},\n"
-+"  mount options=(ro,remount,bind,nosuid) -> /dev/.[^l]*{,/**},\n"
-+"  mount options=(ro,remount,bind,nosuid) -> /dev/.l[^x]*{,/**},\n"
-+"  mount options=(ro,remount,bind,nosuid) -> /dev/.lx[^c]*{,/**},\n"
-+"  mount options=(ro,remount,bind,nosuid) -> /dev/.lxc?*{,/**},\n"
-+"  mount options=(ro,remount,bind,nosuid) -> /dev/[^.]*{,/**},\n"
-+"  mount options=(ro,remount,bind,nosuid) -> /dev?*{,/**},\n"
-+"  mount options=(ro,remount,bind,nosuid) -> /p[^r]*{,/**},\n"
-+"  mount options=(ro,remount,bind,nosuid) -> /pr[^o]*{,/**},\n"
-+"  mount options=(ro,remount,bind,nosuid) -> /pro[^c]*{,/**},\n"
-+"  mount options=(ro,remount,bind,nosuid) -> /proc?*{,/**},\n"
-+"  mount options=(ro,remount,bind,nosuid) -> /s[^y]*{,/**},\n"
-+"  mount options=(ro,remount,bind,nosuid) -> /sy[^s]*{,/**},\n"
-+"  mount options=(ro,remount,bind,nosuid) -> /sys?*{,/**},\n"
-+"\n"
-+"  mount options=(ro,remount,bind,nosuid,nodev) -> /[^spd]*{,/**},\n"
-+"  mount options=(ro,remount,bind,nosuid,nodev) -> /d[^e]*{,/**},\n"
-+"  mount options=(ro,remount,bind,nosuid,nodev) -> /de[^v]*{,/**},\n"
-+"  mount options=(ro,remount,bind,nosuid,nodev) -> /dev/.[^l]*{,/**},\n"
-+"  mount options=(ro,remount,bind,nosuid,nodev) -> /dev/.l[^x]*{,/**},\n"
-+"  mount options=(ro,remount,bind,nosuid,nodev) -> /dev/.lx[^c]*{,/**},\n"
-+"  mount options=(ro,remount,bind,nosuid,nodev) -> /dev/.lxc?*{,/**},\n"
-+"  mount options=(ro,remount,bind,nosuid,nodev) -> /dev/[^.]*{,/**},\n"
-+"  mount options=(ro,remount,bind,nosuid,nodev) -> /dev?*{,/**},\n"
-+"  mount options=(ro,remount,bind,nosuid,nodev) -> /p[^r]*{,/**},\n"
-+"  mount options=(ro,remount,bind,nosuid,nodev) -> /pr[^o]*{,/**},\n"
-+"  mount options=(ro,remount,bind,nosuid,nodev) -> /pro[^c]*{,/**},\n"
-+"  mount options=(ro,remount,bind,nosuid,nodev) -> /proc?*{,/**},\n"
-+"  mount options=(ro,remount,bind,nosuid,nodev) -> /s[^y]*{,/**},\n"
-+"  mount options=(ro,remount,bind,nosuid,nodev) -> /sy[^s]*{,/**},\n"
-+"  mount options=(ro,remount,bind,nosuid,nodev) -> /sys?*{,/**},\n"
-+"\n"
-+"  mount options=(ro,remount,bind,nosuid,noexec) -> /[^spd]*{,/**},\n"
-+"  mount options=(ro,remount,bind,nosuid,noexec) -> /d[^e]*{,/**},\n"
-+"  mount options=(ro,remount,bind,nosuid,noexec) -> /de[^v]*{,/**},\n"
-+"  mount options=(ro,remount,bind,nosuid,noexec) -> /dev/.[^l]*{,/**},\n"
-+"  mount options=(ro,remount,bind,nosuid,noexec) -> /dev/.l[^x]*{,/**},\n"
-+"  mount options=(ro,remount,bind,nosuid,noexec) -> /dev/.lx[^c]*{,/**},\n"
-+"  mount options=(ro,remount,bind,nosuid,noexec) -> /dev/.lxc?*{,/**},\n"
-+"  mount options=(ro,remount,bind,nosuid,noexec) -> /dev/[^.]*{,/**},\n"
-+"  mount options=(ro,remount,bind,nosuid,noexec) -> /dev?*{,/**},\n"
-+"  mount options=(ro,remount,bind,nosuid,noexec) -> /p[^r]*{,/**},\n"
-+"  mount options=(ro,remount,bind,nosuid,noexec) -> /pr[^o]*{,/**},\n"
-+"  mount options=(ro,remount,bind,nosuid,noexec) -> /pro[^c]*{,/**},\n"
-+"  mount options=(ro,remount,bind,nosuid,noexec) -> /proc?*{,/**},\n"
-+"  mount options=(ro,remount,bind,nosuid,noexec) -> /s[^y]*{,/**},\n"
-+"  mount options=(ro,remount,bind,nosuid,noexec) -> /sy[^s]*{,/**},\n"
-+"  mount options=(ro,remount,bind,nosuid,noexec) -> /sys?*{,/**},\n"
-+"\n"
-+"  mount options=(ro,remount,bind,nosuid,noexec,nodev) -> /[^spd]*{,/**},\n"
-+"  mount options=(ro,remount,bind,nosuid,noexec,nodev) -> /d[^e]*{,/**},\n"
-+"  mount options=(ro,remount,bind,nosuid,noexec,nodev) -> /de[^v]*{,/**},\n"
-+"  mount options=(ro,remount,bind,nosuid,noexec,nodev) -> /dev/.[^l]*{,/**},\n"
-+"  mount options=(ro,remount,bind,nosuid,noexec,nodev) -> /dev/.l[^x]*{,/**},\n"
-+"  mount options=(ro,remount,bind,nosuid,noexec,nodev) -> /dev/.lx[^c]*{,/**},\n"
-+"  mount options=(ro,remount,bind,nosuid,noexec,nodev) -> /dev/.lxc?*{,/**},\n"
-+"  mount options=(ro,remount,bind,nosuid,noexec,nodev) -> /dev/[^.]*{,/**},\n"
-+"  mount options=(ro,remount,bind,nosuid,noexec,nodev) -> /dev?*{,/**},\n"
-+"  mount options=(ro,remount,bind,nosuid,noexec,nodev) -> /p[^r]*{,/**},\n"
-+"  mount options=(ro,remount,bind,nosuid,noexec,nodev) -> /pr[^o]*{,/**},\n"
-+"  mount options=(ro,remount,bind,nosuid,noexec,nodev) -> /pro[^c]*{,/**},\n"
-+"  mount options=(ro,remount,bind,nosuid,noexec,nodev) -> /proc?*{,/**},\n"
-+"  mount options=(ro,remount,bind,nosuid,noexec,nodev) -> /s[^y]*{,/**},\n"
-+"  mount options=(ro,remount,bind,nosuid,noexec,nodev) -> /sy[^s]*{,/**},\n"
-+"  mount options=(ro,remount,bind,nosuid,noexec,nodev) -> /sys?*{,/**},\n"
-+"\n"
-+"  mount options=(ro,remount,bind,nosuid,noexec,strictatime) -> /[^spd]*{,/**},\n"
-+"  mount options=(ro,remount,bind,nosuid,noexec,strictatime) -> /d[^e]*{,/**},\n"
-+"  mount options=(ro,remount,bind,nosuid,noexec,strictatime) -> /de[^v]*{,/**},\n"
-+"  mount options=(ro,remount,bind,nosuid,noexec,strictatime) -> /dev/.[^l]*{,/**},\n"
-+"  mount options=(ro,remount,bind,nosuid,noexec,strictatime) -> /dev/.l[^x]*{,/**},\n"
-+"  mount options=(ro,remount,bind,nosuid,noexec,strictatime) -> /dev/.lx[^c]*{,/**},\n"
-+"  mount options=(ro,remount,bind,nosuid,noexec,strictatime) -> /dev/.lxc?*{,/**},\n"
-+"  mount options=(ro,remount,bind,nosuid,noexec,strictatime) -> /dev/[^.]*{,/**},\n"
-+"  mount options=(ro,remount,bind,nosuid,noexec,strictatime) -> /dev?*{,/**},\n"
-+"  mount options=(ro,remount,bind,nosuid,noexec,strictatime) -> /p[^r]*{,/**},\n"
-+"  mount options=(ro,remount,bind,nosuid,noexec,strictatime) -> /pr[^o]*{,/**},\n"
-+"  mount options=(ro,remount,bind,nosuid,noexec,strictatime) -> /pro[^c]*{,/**},\n"
-+"  mount options=(ro,remount,bind,nosuid,noexec,strictatime) -> /proc?*{,/**},\n"
-+"  mount options=(ro,remount,bind,nosuid,noexec,strictatime) -> /s[^y]*{,/**},\n"
-+"  mount options=(ro,remount,bind,nosuid,noexec,strictatime) -> /sy[^s]*{,/**},\n"
-+"  mount options=(ro,remount,bind,nosuid,noexec,strictatime) -> /sys?*{,/**},\n"
-+"\n"
- "  # allow bind-mounts of anything except /proc, /sys and /dev\n"
- "  mount options=(rw,bind) /[^spd]*{,/**},\n"
- "  mount options=(rw,bind) /d[^e]*{,/**},\n"
-@@ -167,15 +348,18 @@ static const char AA_PROFILE_BASE[] =
- "  mount options=(rw,bind) /sy[^s]*{,/**},\n"
- "  mount options=(rw,bind) /sys?*{,/**},\n"
- "\n"
--"  # allow various ro-bind-*re*-mounts\n"
--"  mount options=(ro,remount,bind),\n"
--"  mount options=(ro,remount,bind,nosuid),\n"
--"  mount options=(ro,remount,bind,noexec),\n"
--"  mount options=(ro,remount,bind,nodev),\n"
--"  mount options=(ro,remount,bind,nosuid,noexec),\n"
--"  mount options=(ro,remount,bind,noexec,nodev),\n"
--"  mount options=(ro,remount,bind,nodev,nosuid),\n"
--"  mount options=(ro,remount,bind,nosuid,noexec,nodev),\n"
-+"  # Allow rbind-mounts of anything except /, /dev, /proc and /sys\n"
-+"  mount options=(rw,rbind) /[^spd]*{,/**},\n"
-+"  mount options=(rw,rbind) /d[^e]*{,/**},\n"
-+"  mount options=(rw,rbind) /de[^v]*{,/**},\n"
-+"  mount options=(rw,rbind) /dev?*{,/**},\n"
-+"  mount options=(rw,rbind) /p[^r]*{,/**},\n"
-+"  mount options=(rw,rbind) /pr[^o]*{,/**},\n"
-+"  mount options=(rw,rbind) /pro[^c]*{,/**},\n"
-+"  mount options=(rw,rbind) /proc?*{,/**},\n"
-+"  mount options=(rw,rbind) /s[^y]*{,/**},\n"
-+"  mount options=(rw,rbind) /sy[^s]*{,/**},\n"
-+"  mount options=(rw,rbind) /sys?*{,/**},\n"
- "\n"
- "  # allow moving mounts except for /proc, /sys and /dev\n"
- "  mount options=(rw,move) /[^spd]*{,/**},\n"
-@@ -339,18 +523,37 @@ static const char AA_PROFILE_NESTING_BASE[] =
- "  deny /dev/.lxc/proc/** rw,\n"
- "  deny /dev/.lxc/sys/** rw,\n"
- "\n"
-+"  # Allow modifying mount propagation\n"
-+"  mount options=(rw,make-slave) -> **,\n"
-+"  mount options=(rw,make-rslave) -> **,\n"
-+"  mount options=(rw,make-shared) -> **,\n"
-+"  mount options=(rw,make-rshared) -> **,\n"
-+"  mount options=(rw,make-private) -> **,\n"
-+"  mount options=(rw,make-rprivate) -> **,\n"
-+"  mount options=(rw,make-unbindable) -> **,\n"
-+"  mount options=(rw,make-runbindable) -> **,\n"
-+"\n"
- "  mount fstype=proc -> /usr/lib/*/lxc/**,\n"
- "  mount fstype=sysfs -> /usr/lib/*/lxc/**,\n"
- "  mount options=(rw,bind),\n"
- "  mount options=(rw,rbind),\n"
--"  mount options=(rw,make-rshared),\n"
- "\n"
--   /* FIXME: What's the state here on apparmor's side? */
--"  # there doesn't seem to be a way to ask for:\n"
--"  # mount options=(ro,nosuid,nodev,noexec,remount,bind),\n"
--"  # as we always get mount to $cdir/proc/sys with those flags denied\n"
--"  # So allow all mounts until that is straightened out:\n"
--"  mount,\n"
-+"  # Allow common combinations of bind/remount\n"
-+"  # NOTE: AppArmor bug effectively turns those into wildcards mount allow\n"
-+"  mount options=(ro,remount,bind),\n"
-+"  mount options=(ro,remount,bind,nodev),\n"
-+"  mount options=(ro,remount,bind,nodev,nosuid),\n"
-+"  mount options=(ro,remount,bind,noexec),\n"
-+"  mount options=(ro,remount,bind,noexec,nodev),\n"
-+"  mount options=(ro,remount,bind,nosuid),\n"
-+"  mount options=(ro,remount,bind,nosuid,nodev),\n"
-+"  mount options=(ro,remount,bind,nosuid,noexec),\n"
-+"  mount options=(ro,remount,bind,nosuid,noexec,nodev),\n"
-+"  mount options=(ro,remount,bind,nosuid,noexec,strictatime),\n"
-+"\n"
-+"  # Allow remounting things read-only\n"
-+"  mount options=(ro,remount) /,\n"
-+"  mount options=(ro,remount) /**,\n"
- ;
- 
- static const char AA_PROFILE_UNPRIVILEGED[] =
--- 
-2.20.1
-

diff --git a/debian/patches/series b/debian/patches/series
index 105391eef0e3cacfd9499403c1c18453a1fcc0a5..d25371a7fdbe399a8a01a68288157594efebb4bc 100644 (file)
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -10,4 +10,4 @@ pve/0009-init-add-ExecReload-to-lxc.service-to-only-reload-pr.patch
 extra/0001-conf-use-SYSERROR-on-lxc_write_to_file-errors.patch
 extra/0002-Revert-conf-remove-extra-MS_BIND-with-sysfs-mixed.patch
 extra/0003-CVE-2019-5736-runC-rexec-callers-as-memfd.patch
-extra/0004-update-apparmor-profile.patch
+extra/0004-apparmor-generate-ro-bind-remount-rule-list.patch