From 40c4fcc712dcc567356762999ff52bf0f81d0fd1 Mon Sep 17 00:00:00 2001 From: Wolfgang Bumiller Date: Fri, 2 Aug 2019 13:01:30 +0200 Subject: [PATCH] update apparmor profile Signed-off-by: Wolfgang Bumiller --- ...SYSERROR-on-lxc_write_to_file-errors.patch | 4 +- ...emove-extra-MS_BIND-with-sysfs-mixed.patch | 4 +- ...019-5736-runC-rexec-callers-as-memfd.patch | 20 +- .../extra/0004-update-apparmor-profile.patch | 280 ++++++++++++++++++ debian/patches/series | 1 + 5 files changed, 295 insertions(+), 14 deletions(-) create mode 100644 debian/patches/extra/0004-update-apparmor-profile.patch diff --git a/debian/patches/extra/0001-conf-use-SYSERROR-on-lxc_write_to_file-errors.patch b/debian/patches/extra/0001-conf-use-SYSERROR-on-lxc_write_to_file-errors.patch index 7daef14..2f81fb7 100644 --- a/debian/patches/extra/0001-conf-use-SYSERROR-on-lxc_write_to_file-errors.patch +++ b/debian/patches/extra/0001-conf-use-SYSERROR-on-lxc_write_to_file-errors.patch @@ -9,7 +9,7 @@ Signed-off-by: Wolfgang Bumiller 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/lxc/conf.c b/src/lxc/conf.c -index 3d0e4a19..0d86d66e 100644 +index 3d0e4a192..0d86d66e5 100644 --- a/src/lxc/conf.c +++ b/src/lxc/conf.c @@ -2681,8 +2681,8 @@ int setup_sysctl_parameters(struct lxc_list *sysctls) @@ -35,5 +35,5 @@ index 3d0e4a19..0d86d66e 100644 } } -- -2.11.0 +2.20.1 diff --git a/debian/patches/extra/0002-Revert-conf-remove-extra-MS_BIND-with-sysfs-mixed.patch b/debian/patches/extra/0002-Revert-conf-remove-extra-MS_BIND-with-sysfs-mixed.patch index b7f7f48..013a851 100644 --- a/debian/patches/extra/0002-Revert-conf-remove-extra-MS_BIND-with-sysfs-mixed.patch +++ b/debian/patches/extra/0002-Revert-conf-remove-extra-MS_BIND-with-sysfs-mixed.patch @@ -15,7 +15,7 @@ Signed-off-by: Wolfgang Bumiller 1 file changed, 1 insertion(+) diff --git a/src/lxc/conf.c b/src/lxc/conf.c -index 0d86d66e..7263d0e1 100644 +index 0d86d66e5..7263d0e1a 100644 --- a/src/lxc/conf.c +++ b/src/lxc/conf.c 
@@ -690,6 +690,7 @@ static int lxc_mount_auto_mounts(struct lxc_conf *conf, int flags, struct lxc_ha @@ -27,5 +27,5 @@ index 0d86d66e..7263d0e1 100644 { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, "sysfs", "%r/sys/devices/virtual/net", "sysfs", 0, NULL }, { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, "%r/sys/devices/virtual/net/devices/virtual/net", "%r/sys/devices/virtual/net", NULL, MS_BIND, NULL }, -- -2.11.0 +2.20.1 diff --git a/debian/patches/extra/0003-CVE-2019-5736-runC-rexec-callers-as-memfd.patch b/debian/patches/extra/0003-CVE-2019-5736-runC-rexec-callers-as-memfd.patch index 228202f..24c34e2 100644 --- a/debian/patches/extra/0003-CVE-2019-5736-runC-rexec-callers-as-memfd.patch +++ b/debian/patches/extra/0003-CVE-2019-5736-runC-rexec-callers-as-memfd.patch @@ -67,15 +67,15 @@ Signed-off-by: Christian Brauner --- configure.ac | 12 +++ src/lxc/Makefile.am | 4 + - src/lxc/file_utils.c | 41 +++++++++- + src/lxc/file_utils.c | 41 ++++++++- src/lxc/file_utils.h | 1 + - src/lxc/rexec.c | 181 +++++++++++++++++++++++++++++++++++++++++++++ - src/lxc/syscall_wrappers.h | 14 ++++ + src/lxc/rexec.c | 181 +++++++++++++++++++++++++++++++++++++ + src/lxc/syscall_wrappers.h | 14 +++ 6 files changed, 252 insertions(+), 1 deletion(-) create mode 100644 src/lxc/rexec.c diff --git a/configure.ac b/configure.ac -index 9f3b8fb3..3177f7da 100644 +index 9f3b8fb3c..3177f7da3 100644 --- a/configure.ac +++ b/configure.ac @@ -727,6 +727,17 @@ AM_COND_IF([ENABLE_DLOG], @@ -105,7 +105,7 @@ index 9f3b8fb3..3177f7da 100644 PAM: - PAM module: $enable_pam diff --git a/src/lxc/Makefile.am b/src/lxc/Makefile.am -index 95b0a2f7..865d341f 100644 +index 95b0a2f72..865d341fe 100644 --- a/src/lxc/Makefile.am +++ b/src/lxc/Makefile.am @@ -175,6 +175,10 @@ if !HAVE_STRLCAT @@ -120,7 +120,7 @@ index 95b0a2f7..865d341f 100644 -DLXCPATH=\"$(LXCPATH)\" \ -DLXC_GLOBAL_CONF=\"$(LXC_GLOBAL_CONF)\" \ 
diff --git a/src/lxc/file_utils.c b/src/lxc/file_utils.c -index f89aa638..930fd738 100644 +index f89aa638d..930fd738a 100644 --- a/src/lxc/file_utils.c +++ b/src/lxc/file_utils.c @@ -31,7 +31,7 @@ @@ -176,7 +176,7 @@ index f89aa638..930fd738 100644 + return NULL; +} diff --git a/src/lxc/file_utils.h b/src/lxc/file_utils.h -index 6361557a..518a61af 100644 +index 6361557a0..518a61af3 100644 --- a/src/lxc/file_utils.h +++ b/src/lxc/file_utils.h @@ -55,5 +55,6 @@ extern bool is_fs_type(const struct statfs *fs, fs_type_magic magic_val); @@ -188,7 +188,7 @@ index 6361557a..518a61af 100644 #endif /* __LXC_FILE_UTILS_H */ diff --git a/src/lxc/rexec.c b/src/lxc/rexec.c new file mode 100644 -index 00000000..396bd617 +index 000000000..396bd617f --- /dev/null +++ b/src/lxc/rexec.c @@ -0,0 +1,181 @@ @@ -374,7 +374,7 @@ index 00000000..396bd617 + } +} diff --git a/src/lxc/syscall_wrappers.h b/src/lxc/syscall_wrappers.h -index 42d94db2..dca4d157 100644 +index 42d94db28..dca4d1571 100644 --- a/src/lxc/syscall_wrappers.h +++ b/src/lxc/syscall_wrappers.h @@ -58,6 +58,20 @@ static inline long __keyctl(int cmd, unsigned long arg2, unsigned long arg3, @@ -399,5 +399,5 @@ index 42d94db2..dca4d157 100644 static inline int memfd_create(const char *name, unsigned int flags) { #ifndef __NR_memfd_create -- -2.11.0 +2.20.1 diff --git a/debian/patches/extra/0004-update-apparmor-profile.patch b/debian/patches/extra/0004-update-apparmor-profile.patch new file mode 100644 index 0000000..75d2102 --- /dev/null +++ b/debian/patches/extra/0004-update-apparmor-profile.patch 
@@ -0,0 +1,280 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller
+Date: Fri, 2 Aug 2019 12:57:42 +0200
+Subject: [PATCH] update apparmor profile
+
+based on changes to lxd
+
+Signed-off-by: Wolfgang Bumiller
+---
+ src/lxc/lsm/apparmor.c | 235 ++++++++++++++++++++++++++++++++++++++---
+ 1 file changed, 219 insertions(+), 16 deletions(-)
+
+diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c
+index e32b12531..6e7c2494d 100644
+--- a/src/lxc/lsm/apparmor.c
++++ b/src/lxc/lsm/apparmor.c
+@@ -149,6 +149,187 @@ static const char AA_PROFILE_BASE[] =
+ "# mount options=(rw,make-unbindable) -> **,\n"
+ "# mount options=(rw,make-runbindable) -> **,\n"
+ "\n"
++"# Allow limited modification of mount propagation\n"
++" mount options=(rw,make-slave) -> /,\n"
++" mount options=(rw,make-rslave) -> /,\n"
++" mount options=(rw,make-shared) -> /,\n"
++" mount options=(rw,make-rshared) -> /,\n"
++" mount options=(rw,make-private) -> /,\n"
++" mount options=(rw,make-rprivate) -> /,\n"
++" mount options=(rw,make-unbindable) -> /,\n"
++" mount options=(rw,make-runbindable) -> /,\n"
++"\n"
++" # allow various ro-bind-*re*-mounts\n"
++" mount options=(ro,remount,bind) -> /[^spd]*{,/**},\n"
++" mount options=(ro,remount,bind) -> /d[^e]*{,/**},\n"
++" mount options=(ro,remount,bind) -> /de[^v]*{,/**},\n"
++" mount options=(ro,remount,bind) -> /dev/.[^l]*{,/**},\n"
++" mount options=(ro,remount,bind) -> /dev/.l[^x]*{,/**},\n"
++" mount options=(ro,remount,bind) -> /dev/.lx[^c]*{,/**},\n"
++" mount options=(ro,remount,bind) -> /dev/.lxc?*{,/**},\n"
++" mount options=(ro,remount,bind) -> /dev/[^.]*{,/**},\n"
++" mount options=(ro,remount,bind) -> /dev?*{,/**},\n"
++" mount options=(ro,remount,bind) -> /p[^r]*{,/**},\n"
++" mount options=(ro,remount,bind) -> /pr[^o]*{,/**},\n"
++" mount options=(ro,remount,bind) -> /pro[^c]*{,/**},\n"
++" mount options=(ro,remount,bind) -> /proc?*{,/**},\n"
++" mount options=(ro,remount,bind) -> /s[^y]*{,/**},\n"
++" mount options=(ro,remount,bind) -> /sy[^s]*{,/**},\n"
++" mount options=(ro,remount,bind) -> /sys?*{,/**},\n"
++"\n"
++" mount options=(ro,remount,bind,nodev) -> /[^spd]*{,/**},\n"
++" mount options=(ro,remount,bind,nodev) -> /d[^e]*{,/**},\n"
++" mount options=(ro,remount,bind,nodev) -> /de[^v]*{,/**},\n"
++" mount options=(ro,remount,bind,nodev) -> /dev/.[^l]*{,/**},\n"
++" mount options=(ro,remount,bind,nodev) -> /dev/.l[^x]*{,/**},\n"
++" mount options=(ro,remount,bind,nodev) -> /dev/.lx[^c]*{,/**},\n"
++" mount options=(ro,remount,bind,nodev) -> /dev/.lxc?*{,/**},\n"
++" mount options=(ro,remount,bind,nodev) -> /dev/[^.]*{,/**},\n"
++" mount options=(ro,remount,bind,nodev) -> /dev?*{,/**},\n"
++" mount options=(ro,remount,bind,nodev) -> /p[^r]*{,/**},\n"
++" mount options=(ro,remount,bind,nodev) -> /pr[^o]*{,/**},\n"
++" mount options=(ro,remount,bind,nodev) -> /pro[^c]*{,/**},\n"
++" mount options=(ro,remount,bind,nodev) -> /proc?*{,/**},\n"
++" mount options=(ro,remount,bind,nodev) -> /s[^y]*{,/**},\n"
++" mount options=(ro,remount,bind,nodev) -> /sy[^s]*{,/**},\n"
++" mount options=(ro,remount,bind,nodev) -> /sys?*{,/**},\n"
++"\n"
++" mount options=(ro,remount,bind,nodev,nosuid) -> /[^spd]*{,/**},\n"
++" mount options=(ro,remount,bind,nodev,nosuid) -> /d[^e]*{,/**},\n"
++" mount options=(ro,remount,bind,nodev,nosuid) -> /de[^v]*{,/**},\n"
++" mount options=(ro,remount,bind,nodev,nosuid) -> /dev/.[^l]*{,/**},\n"
++" mount options=(ro,remount,bind,nodev,nosuid) -> /dev/.l[^x]*{,/**},\n"
++" mount options=(ro,remount,bind,nodev,nosuid) -> /dev/.lx[^c]*{,/**},\n"
++" mount options=(ro,remount,bind,nodev,nosuid) -> /dev/.lxc?*{,/**},\n"
++" mount options=(ro,remount,bind,nodev,nosuid) -> /dev/[^.]*{,/**},\n"
++" mount options=(ro,remount,bind,nodev,nosuid) -> /dev?*{,/**},\n"
++" mount options=(ro,remount,bind,nodev,nosuid) -> /p[^r]*{,/**},\n"
++" mount options=(ro,remount,bind,nodev,nosuid) -> /pr[^o]*{,/**},\n"
++" mount options=(ro,remount,bind,nodev,nosuid) -> /pro[^c]*{,/**},\n"
++" mount options=(ro,remount,bind,nodev,nosuid) -> /proc?*{,/**},\n"
++" mount options=(ro,remount,bind,nodev,nosuid) -> /s[^y]*{,/**},\n"
++" mount options=(ro,remount,bind,nodev,nosuid) -> /sy[^s]*{,/**},\n"
++" mount options=(ro,remount,bind,nodev,nosuid) -> /sys?*{,/**},\n"
++"\n"
++" mount options=(ro,remount,bind,noexec) -> /[^spd]*{,/**},\n"
++" mount options=(ro,remount,bind,noexec) -> /d[^e]*{,/**},\n"
++" mount options=(ro,remount,bind,noexec) -> /de[^v]*{,/**},\n"
++" mount options=(ro,remount,bind,noexec) -> /dev/.[^l]*{,/**},\n"
++" mount options=(ro,remount,bind,noexec) -> /dev/.l[^x]*{,/**},\n"
++" mount options=(ro,remount,bind,noexec) -> /dev/.lx[^c]*{,/**},\n"
++" mount options=(ro,remount,bind,noexec) -> /dev/.lxc?*{,/**},\n"
++" mount options=(ro,remount,bind,noexec) -> /dev/[^.]*{,/**},\n"
++" mount options=(ro,remount,bind,noexec) -> /dev?*{,/**},\n"
++" mount options=(ro,remount,bind,noexec) -> /p[^r]*{,/**},\n"
++" mount options=(ro,remount,bind,noexec) -> /pr[^o]*{,/**},\n"
++" mount options=(ro,remount,bind,noexec) -> /pro[^c]*{,/**},\n"
++" mount options=(ro,remount,bind,noexec) -> /proc?*{,/**},\n"
++" mount options=(ro,remount,bind,noexec) -> /s[^y]*{,/**},\n"
++" mount options=(ro,remount,bind,noexec) -> /sy[^s]*{,/**},\n"
++" mount options=(ro,remount,bind,noexec) -> /sys?*{,/**},\n"
++"\n"
++" mount options=(ro,remount,bind,noexec,nodev) -> /[^spd]*{,/**},\n"
++" mount options=(ro,remount,bind,noexec,nodev) -> /d[^e]*{,/**},\n"
++" mount options=(ro,remount,bind,noexec,nodev) -> /de[^v]*{,/**},\n"
++" mount options=(ro,remount,bind,noexec,nodev) -> /dev/.[^l]*{,/**},\n"
++" mount options=(ro,remount,bind,noexec,nodev) -> /dev/.l[^x]*{,/**},\n"
++" mount options=(ro,remount,bind,noexec,nodev) -> /dev/.lx[^c]*{,/**},\n"
++" mount options=(ro,remount,bind,noexec,nodev) -> /dev/.lxc?*{,/**},\n"
++" mount options=(ro,remount,bind,noexec,nodev) -> /dev/[^.]*{,/**},\n"
++" mount options=(ro,remount,bind,noexec,nodev) -> /dev?*{,/**},\n"
++" mount options=(ro,remount,bind,noexec,nodev) -> /p[^r]*{,/**},\n"
++" mount options=(ro,remount,bind,noexec,nodev) -> /pr[^o]*{,/**},\n"
++" mount options=(ro,remount,bind,noexec,nodev) -> /pro[^c]*{,/**},\n"
++" mount options=(ro,remount,bind,noexec,nodev) -> /proc?*{,/**},\n"
++" mount options=(ro,remount,bind,noexec,nodev) -> /s[^y]*{,/**},\n"
++" mount options=(ro,remount,bind,noexec,nodev) -> /sy[^s]*{,/**},\n"
++" mount options=(ro,remount,bind,noexec,nodev) -> /sys?*{,/**},\n"
++"\n"
++" mount options=(ro,remount,bind,nosuid) -> /[^spd]*{,/**},\n"
++" mount options=(ro,remount,bind,nosuid) -> /d[^e]*{,/**},\n"
++" mount options=(ro,remount,bind,nosuid) -> /de[^v]*{,/**},\n"
++" mount options=(ro,remount,bind,nosuid) -> /dev/.[^l]*{,/**},\n"
++" mount options=(ro,remount,bind,nosuid) -> /dev/.l[^x]*{,/**},\n"
++" mount options=(ro,remount,bind,nosuid) -> /dev/.lx[^c]*{,/**},\n"
++" mount options=(ro,remount,bind,nosuid) -> /dev/.lxc?*{,/**},\n"
++" mount options=(ro,remount,bind,nosuid) -> /dev/[^.]*{,/**},\n"
++" mount options=(ro,remount,bind,nosuid) -> /dev?*{,/**},\n"
++" mount options=(ro,remount,bind,nosuid) -> /p[^r]*{,/**},\n"
++" mount options=(ro,remount,bind,nosuid) -> /pr[^o]*{,/**},\n"
++" mount options=(ro,remount,bind,nosuid) -> /pro[^c]*{,/**},\n"
++" mount options=(ro,remount,bind,nosuid) -> /proc?*{,/**},\n"
++" mount options=(ro,remount,bind,nosuid) -> /s[^y]*{,/**},\n"
++" mount options=(ro,remount,bind,nosuid) -> /sy[^s]*{,/**},\n"
++" mount options=(ro,remount,bind,nosuid) -> /sys?*{,/**},\n"
++"\n"
++" mount options=(ro,remount,bind,nosuid,nodev) -> /[^spd]*{,/**},\n"
++" mount options=(ro,remount,bind,nosuid,nodev) -> /d[^e]*{,/**},\n"
++" mount options=(ro,remount,bind,nosuid,nodev) -> /de[^v]*{,/**},\n"
++" mount options=(ro,remount,bind,nosuid,nodev) -> /dev/.[^l]*{,/**},\n"
++" mount options=(ro,remount,bind,nosuid,nodev) -> /dev/.l[^x]*{,/**},\n"
++" mount options=(ro,remount,bind,nosuid,nodev) -> /dev/.lx[^c]*{,/**},\n"
++" mount options=(ro,remount,bind,nosuid,nodev) -> /dev/.lxc?*{,/**},\n"
++" mount options=(ro,remount,bind,nosuid,nodev) -> /dev/[^.]*{,/**},\n"
++" mount options=(ro,remount,bind,nosuid,nodev) -> /dev?*{,/**},\n"
++" mount options=(ro,remount,bind,nosuid,nodev) -> /p[^r]*{,/**},\n"
++" mount options=(ro,remount,bind,nosuid,nodev) -> /pr[^o]*{,/**},\n"
++" mount options=(ro,remount,bind,nosuid,nodev) -> /pro[^c]*{,/**},\n"
++" mount options=(ro,remount,bind,nosuid,nodev) -> /proc?*{,/**},\n"
++" mount options=(ro,remount,bind,nosuid,nodev) -> /s[^y]*{,/**},\n"
++" mount options=(ro,remount,bind,nosuid,nodev) -> /sy[^s]*{,/**},\n"
++" mount options=(ro,remount,bind,nosuid,nodev) -> /sys?*{,/**},\n"
++"\n"
++" mount options=(ro,remount,bind,nosuid,noexec) -> /[^spd]*{,/**},\n"
++" mount options=(ro,remount,bind,nosuid,noexec) -> /d[^e]*{,/**},\n"
++" mount options=(ro,remount,bind,nosuid,noexec) -> /de[^v]*{,/**},\n"
++" mount options=(ro,remount,bind,nosuid,noexec) -> /dev/.[^l]*{,/**},\n"
++" mount options=(ro,remount,bind,nosuid,noexec) -> /dev/.l[^x]*{,/**},\n"
++" mount options=(ro,remount,bind,nosuid,noexec) -> /dev/.lx[^c]*{,/**},\n"
++" mount options=(ro,remount,bind,nosuid,noexec) -> /dev/.lxc?*{,/**},\n"
++" mount options=(ro,remount,bind,nosuid,noexec) -> /dev/[^.]*{,/**},\n"
++" mount options=(ro,remount,bind,nosuid,noexec) -> /dev?*{,/**},\n"
++" mount options=(ro,remount,bind,nosuid,noexec) -> /p[^r]*{,/**},\n"
++" mount options=(ro,remount,bind,nosuid,noexec) -> /pr[^o]*{,/**},\n"
++" mount options=(ro,remount,bind,nosuid,noexec) -> /pro[^c]*{,/**},\n"
++" mount options=(ro,remount,bind,nosuid,noexec) -> /proc?*{,/**},\n"
++" mount options=(ro,remount,bind,nosuid,noexec) -> /s[^y]*{,/**},\n"
++" mount options=(ro,remount,bind,nosuid,noexec) -> /sy[^s]*{,/**},\n"
++" mount options=(ro,remount,bind,nosuid,noexec) -> /sys?*{,/**},\n"
++"\n"
++" mount options=(ro,remount,bind,nosuid,noexec,nodev) -> /[^spd]*{,/**},\n"
++" mount options=(ro,remount,bind,nosuid,noexec,nodev) -> /d[^e]*{,/**},\n"
++" mount options=(ro,remount,bind,nosuid,noexec,nodev) -> /de[^v]*{,/**},\n"
++" mount options=(ro,remount,bind,nosuid,noexec,nodev) -> /dev/.[^l]*{,/**},\n"
++" mount options=(ro,remount,bind,nosuid,noexec,nodev) -> /dev/.l[^x]*{,/**},\n"
++" mount options=(ro,remount,bind,nosuid,noexec,nodev) -> /dev/.lx[^c]*{,/**},\n"
++" mount options=(ro,remount,bind,nosuid,noexec,nodev) -> /dev/.lxc?*{,/**},\n"
++" mount options=(ro,remount,bind,nosuid,noexec,nodev) -> /dev/[^.]*{,/**},\n"
++" mount options=(ro,remount,bind,nosuid,noexec,nodev) -> /dev?*{,/**},\n"
++" mount options=(ro,remount,bind,nosuid,noexec,nodev) -> /p[^r]*{,/**},\n"
++" mount options=(ro,remount,bind,nosuid,noexec,nodev) -> /pr[^o]*{,/**},\n"
++" mount options=(ro,remount,bind,nosuid,noexec,nodev) -> /pro[^c]*{,/**},\n"
++" mount options=(ro,remount,bind,nosuid,noexec,nodev) -> /proc?*{,/**},\n"
++" mount options=(ro,remount,bind,nosuid,noexec,nodev) -> /s[^y]*{,/**},\n"
++" mount options=(ro,remount,bind,nosuid,noexec,nodev) -> /sy[^s]*{,/**},\n"
++" mount options=(ro,remount,bind,nosuid,noexec,nodev) -> /sys?*{,/**},\n"
++"\n"
++" mount options=(ro,remount,bind,nosuid,noexec,strictatime) -> /[^spd]*{,/**},\n"
++" mount options=(ro,remount,bind,nosuid,noexec,strictatime) -> /d[^e]*{,/**},\n"
++" mount options=(ro,remount,bind,nosuid,noexec,strictatime) -> /de[^v]*{,/**},\n"
++" mount options=(ro,remount,bind,nosuid,noexec,strictatime) -> /dev/.[^l]*{,/**},\n"
++" mount options=(ro,remount,bind,nosuid,noexec,strictatime) -> /dev/.l[^x]*{,/**},\n"
++" mount options=(ro,remount,bind,nosuid,noexec,strictatime) -> /dev/.lx[^c]*{,/**},\n"
++" mount options=(ro,remount,bind,nosuid,noexec,strictatime) -> /dev/.lxc?*{,/**},\n"
++" mount options=(ro,remount,bind,nosuid,noexec,strictatime) -> /dev/[^.]*{,/**},\n"
++" mount options=(ro,remount,bind,nosuid,noexec,strictatime) -> /dev?*{,/**},\n"
++" mount options=(ro,remount,bind,nosuid,noexec,strictatime) -> /p[^r]*{,/**},\n"
++" mount options=(ro,remount,bind,nosuid,noexec,strictatime) -> /pr[^o]*{,/**},\n"
++" mount options=(ro,remount,bind,nosuid,noexec,strictatime) -> /pro[^c]*{,/**},\n"
++" mount options=(ro,remount,bind,nosuid,noexec,strictatime) -> /proc?*{,/**},\n"
++" mount options=(ro,remount,bind,nosuid,noexec,strictatime) -> /s[^y]*{,/**},\n"
++" mount options=(ro,remount,bind,nosuid,noexec,strictatime) -> /sy[^s]*{,/**},\n"
++" mount options=(ro,remount,bind,nosuid,noexec,strictatime) -> /sys?*{,/**},\n"
++"\n"
+ " # allow bind-mounts of anything except /proc, /sys and /dev\n"
+ " mount options=(rw,bind) /[^spd]*{,/**},\n"
+ " mount options=(rw,bind) /d[^e]*{,/**},\n"
+@@ -167,15 +348,18 @@ static const char AA_PROFILE_BASE[] =
+ " mount options=(rw,bind) /sy[^s]*{,/**},\n"
+ " mount options=(rw,bind) /sys?*{,/**},\n"
+ "\n"
+-" # allow various ro-bind-*re*-mounts\n"
+-" mount options=(ro,remount,bind),\n"
+-" mount options=(ro,remount,bind,nosuid),\n"
+-" mount options=(ro,remount,bind,noexec),\n"
+-" mount options=(ro,remount,bind,nodev),\n"
+-" mount options=(ro,remount,bind,nosuid,noexec),\n"
+-" mount options=(ro,remount,bind,noexec,nodev),\n"
+-" mount options=(ro,remount,bind,nodev,nosuid),\n"
+-" mount options=(ro,remount,bind,nosuid,noexec,nodev),\n"
++" # Allow rbind-mounts of anything except /, /dev, /proc and /sys\n"
++" mount options=(rw,rbind) /[^spd]*{,/**},\n"
++" mount options=(rw,rbind) /d[^e]*{,/**},\n"
++" mount options=(rw,rbind) /de[^v]*{,/**},\n"
++" mount options=(rw,rbind) /dev?*{,/**},\n"
++" mount options=(rw,rbind) /p[^r]*{,/**},\n"
++" mount options=(rw,rbind) /pr[^o]*{,/**},\n"
++" mount options=(rw,rbind) /pro[^c]*{,/**},\n"
++" mount options=(rw,rbind) /proc?*{,/**},\n"
++" mount options=(rw,rbind) /s[^y]*{,/**},\n"
++" mount options=(rw,rbind) /sy[^s]*{,/**},\n"
++" mount options=(rw,rbind) /sys?*{,/**},\n"
+ "\n"
+ " # allow moving mounts except for /proc, /sys and /dev\n"
+ " mount options=(rw,move) /[^spd]*{,/**},\n"
+@@ -339,18 +523,37 @@ static const char AA_PROFILE_NESTING_BASE[] =
+ " deny /dev/.lxc/proc/** rw,\n"
+ " deny /dev/.lxc/sys/** rw,\n"
+ "\n"
++" # Allow modifying mount propagation\n"
++" mount options=(rw,make-slave) -> **,\n"
++" mount options=(rw,make-rslave) -> **,\n"
++" mount options=(rw,make-shared) -> **,\n"
++" mount options=(rw,make-rshared) -> **,\n"
++" mount options=(rw,make-private) -> **,\n"
++" mount options=(rw,make-rprivate) -> **,\n"
++" mount options=(rw,make-unbindable) -> **,\n"
++" mount options=(rw,make-runbindable) -> **,\n"
++"\n"
+ " mount fstype=proc -> /usr/lib/*/lxc/**,\n"
+ " mount fstype=sysfs -> /usr/lib/*/lxc/**,\n"
+ " mount options=(rw,bind),\n"
+ " mount options=(rw,rbind),\n"
+-" mount options=(rw,make-rshared),\n"
+ "\n"
+- /* FIXME: What's the state here on apparmor's side? */
+-" # there doesn't seem to be a way to ask for:\n"
+-" # mount options=(ro,nosuid,nodev,noexec,remount,bind),\n"
+-" # as we always get mount to $cdir/proc/sys with those flags denied\n"
+-" # So allow all mounts until that is straightened out:\n"
+-" mount,\n"
++" # Allow common combinations of bind/remount\n"
++" # NOTE: AppArmor bug effectively turns those into wildcards mount allow\n"
++" mount options=(ro,remount,bind),\n"
++" mount options=(ro,remount,bind,nodev),\n"
++" mount options=(ro,remount,bind,nodev,nosuid),\n"
++" mount options=(ro,remount,bind,noexec),\n"
++" mount options=(ro,remount,bind,noexec,nodev),\n"
++" mount options=(ro,remount,bind,nosuid),\n"
++" mount options=(ro,remount,bind,nosuid,nodev),\n"
++" mount options=(ro,remount,bind,nosuid,noexec),\n"
++" mount options=(ro,remount,bind,nosuid,noexec,nodev),\n"
++" mount options=(ro,remount,bind,nosuid,noexec,strictatime),\n"
++"\n"
++" # Allow remounting things read-only\n"
++" mount options=(ro,remount) /,\n"
++" mount options=(ro,remount) /**,\n"
+ ;
+ 
+ static const char AA_PROFILE_UNPRIVILEGED[] =
+--
+2.20.1
+
diff --git a/debian/patches/series b/debian/patches/series
index 978b064..105391e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -10,3 +10,4 @@ pve/0009-init-add-ExecReload-to-lxc.service-to-only-reload-pr.patch
 extra/0001-conf-use-SYSERROR-on-lxc_write_to_file-errors.patch
 extra/0002-Revert-conf-remove-extra-MS_BIND-with-sysfs-mixed.patch
 extra/0003-CVE-2019-5736-runC-rexec-callers-as-memfd.patch
+extra/0004-update-apparmor-profile.patch
--
2.39.5
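Review bot: The new `# allow various ro-bind-*re*-mounts` block that the 0004 patch adds to `AA_PROFILE_BASE` (inner hunk `@@ -149,6 +149,187 @@`) does not say which targets it leaves out, while the neighbouring bind/rbind/move comments do; its patterns admit everything under `/dev` except the `/dev/.lxc` tree, whereas the `(rw,rbind)` block added in the second inner hunk excludes `/dev` outright, so I'd change the comment to `" # allow various ro-bind-*re*-mounts except on /, /dev, /proc, /sys themselves and the /dev/.lxc tree\n"` so the asymmetry reads as intentional rather than as a missed pattern. In `AA_PROFILE_NESTING_BASE` (third inner hunk) the former `mount,` line is replaced by pathless `(ro,remount,bind,...)` rules that the added NOTE itself describes as a wildcard mount allow, so the nesting profile's effective permission appears unchanged by this rewrite; the NOTE would serve readers better as `" # NOTE: AppArmor matches these pathless remount rules as an unrestricted mount allow, so this block grants what the former 'mount,' line did\n"`. The ten option lists also repeat combinations that differ only in order (`nodev,nosuid` and `nosuid,nodev`); if the AppArmor parser treats options as a set, as I would expect but have not verified here, the duplicate rows can be dropped before the table grows further. All three inner hunks cut into string constants whose definitions start and end outside them.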