From 62f2efc1972465ec0d3c06f0d7e50fdfabc7da44 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller
Date: Fri, 5 Apr 2024 13:15:50 +0200
Subject: [PATCH] revert apparmor changes depending on newer apparmor

this particular patch requires apparmor userspace version 3.0.11 or above and we're currently at 3.0.8

Signed-off-by: Wolfgang Bumiller
---
 ...mor-allow-to-change-mount-propagatio.patch | 112 ++++++++++++++++++
 debian/patches/series | 1 +
 2 files changed, 113 insertions(+)
 create mode 100644 debian/patches/0001-Revert-lsm-apparmor-allow-to-change-mount-propagatio.patch

diff --git a/debian/patches/0001-Revert-lsm-apparmor-allow-to-change-mount-propagatio.patch b/debian/patches/0001-Revert-lsm-apparmor-allow-to-change-mount-propagatio.patch
new file mode 100644
index 0000000..c6fbed2
--- /dev/null
+++ b/debian/patches/0001-Revert-lsm-apparmor-allow-to-change-mount-propagatio.patch
@@ -0,0 +1,112 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller
+Date: Fri, 5 Apr 2024 13:05:33 +0200
+Subject: [PATCH] Revert "lsm: apparmor: allow to change mount propagation"
+
+This reverts commit 890de075941a8d6e8d0294480e82c72e6de51fc1.
+
+Debian/pve-8 is still at apparmor 3.0.8 and this would require at
+least 3.0.11.
+---
+ config/apparmor/abstractions/container-base | 17 ++++++------
+ .../apparmor/abstractions/container-base.in | 17 ++++++------
+ src/lxc/lsm/apparmor.c | 27 +++++++++++++------
+ 3 files changed, 37 insertions(+), 24 deletions(-)
+
+diff --git a/config/apparmor/abstractions/container-base b/config/apparmor/abstractions/container-base
+index 69bf6c3b5..077476559 100644
+--- a/config/apparmor/abstractions/container-base
++++ b/config/apparmor/abstractions/container-base
+@@ -92,14 +92,15 @@
+ deny /sys/kernel/debug/{,**} rwklx,
+
+ # allow paths to be made slave, shared, private or unbindable
+- mount options=(rw,make-slave) -> **,
+- mount options=(rw,make-rslave) -> **,
+- mount options=(rw,make-shared) -> **,
+- mount options=(rw,make-rshared) -> **,
+- mount options=(rw,make-private) -> **,
+- mount options=(rw,make-rprivate) -> **,
+- mount options=(rw,make-unbindable) -> **,
+- mount options=(rw,make-runbindable) -> **,
++ # FIXME: This currently doesn't work due to the apparmor parser treating those as allowing all mounts.
++# mount options=(rw,make-slave) -> **,
++# mount options=(rw,make-rslave) -> **,
++# mount options=(rw,make-shared) -> **,
++# mount options=(rw,make-rshared) -> **,
++# mount options=(rw,make-private) -> **,
++# mount options=(rw,make-rprivate) -> **,
++# mount options=(rw,make-unbindable) -> **,
++# mount options=(rw,make-runbindable) -> **,
+
+ # allow bind-mounts of anything except /proc, /sys and /dev
+ mount options=(rw,bind) /[^spd]*{,/**},
+diff --git a/config/apparmor/abstractions/container-base.in b/config/apparmor/abstractions/container-base.in
+index 2ca4e2f7b..2606fb64c 100644
+--- a/config/apparmor/abstractions/container-base.in
++++ b/config/apparmor/abstractions/container-base.in
+@@ -92,14 +92,15 @@
+ deny /sys/kernel/debug/{,**} rwklx,
+
+ # allow paths to be made slave, shared, private or unbindable
+- mount options=(rw,make-slave) -> **,
+- mount options=(rw,make-rslave) -> **,
+- mount options=(rw,make-shared) -> **,
+- mount options=(rw,make-rshared) -> **,
+- mount options=(rw,make-private) -> **,
+- mount options=(rw,make-rprivate) -> **,
+- mount options=(rw,make-unbindable) -> **,
+- mount options=(rw,make-runbindable) -> **,
++ # FIXME: This currently doesn't work due to the apparmor parser treating those as allowing all mounts.
++# mount options=(rw,make-slave) -> **,
++# mount options=(rw,make-rslave) -> **,
++# mount options=(rw,make-shared) -> **,
++# mount options=(rw,make-rshared) -> **,
++# mount options=(rw,make-private) -> **,
++# mount options=(rw,make-rprivate) -> **,
++# mount options=(rw,make-unbindable) -> **,
++# mount options=(rw,make-runbindable) -> **,
+
+ # allow bind-mounts of anything except /proc, /sys and /dev
+ mount options=(rw,bind) /[^spd]*{,/**},
+diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c
+index 1d98e2941..6f0b10dfe 100644
+--- a/src/lxc/lsm/apparmor.c
++++ b/src/lxc/lsm/apparmor.c
+@@ -113,14 +113,25 @@ static const char AA_PROFILE_BASE[] =
+ " deny /sys/kernel/debug/{,**} rwklx,\n"
+ "\n"
+ " # allow paths to be made dependent, shared, private or unbindable\n"
+-" mount options=(rw,make-slave) -> **,\n"
+-" mount options=(rw,make-rslave) -> **,\n"
+-" mount options=(rw,make-shared) -> **,\n"
+-" mount options=(rw,make-rshared) -> **,\n"
+-" mount options=(rw,make-private) -> **,\n"
+-" mount options=(rw,make-rprivate) -> **,\n"
+-" mount options=(rw,make-unbindable) -> **,\n"
+-" mount options=(rw,make-runbindable) -> **,\n"
++" # TODO: This currently doesn't work due to the apparmor parser treating those as allowing all mounts.\n"
++"# mount options=(rw,make-slave) -> **,\n"
++"# mount options=(rw,make-rslave) -> **,\n"
++"# mount options=(rw,make-shared) -> **,\n"
++"# mount options=(rw,make-rshared) -> **,\n"
++"# mount options=(rw,make-private) -> **,\n"
++"# mount options=(rw,make-rprivate) -> **,\n"
++"# mount options=(rw,make-unbindable) -> **,\n"
++"# mount options=(rw,make-runbindable) -> **,\n"
++"\n"
++"# Allow limited modification of mount propagation\n"
++" mount options=(rw,make-slave) -> /,\n"
++" mount options=(rw,make-rslave) -> /,\n"
++" mount options=(rw,make-shared) -> /,\n"
++" mount options=(rw,make-rshared) -> /,\n"
++" mount options=(rw,make-private) -> /,\n"
++" mount options=(rw,make-rprivate) -> /,\n"
++" mount options=(rw,make-unbindable) -> /,\n"
++" mount options=(rw,make-runbindable) -> /,\n"
+ "\n"
+ " # allow bind-mounts of anything except /proc, /sys and /dev\n"
+ " mount options=(rw,bind) /[^spd]*{,/**},\n"
+--
+2.39.2
+
diff --git a/debian/patches/series b/debian/patches/series
index 344756a..247ec88 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
+0001-Revert-lsm-apparmor-allow-to-change-mount-propagatio.patch
 pve/0001-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch
 pve/0002-PVE-Config-attach-always-use-getent.patch
--
2.39.5
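Review bot: In the reverted container-base and container-base.in hunks the eight `mount options=(rw,make-*) -> **` rules are only commented out, while the `AA_PROFILE_BASE` hunk in src/lxc/lsm/apparmor.c additionally restores the narrower `mount options=(rw,make-*) -> /` rules under `# Allow limited modification of mount propagation`, so after this patch the abstraction-based profiles grant no propagation changes at all whereas the generated profile still allows them on `/`. If that mirrors the tree before 890de075941a8d6e8d0294480e82c72e6de51fc1 it is expected, but it is worth confirming against upstream rather than assuming the revert is symmetric, since the two profiles are meant to express the same policy. The security reason for keeping the `-> **` rules disabled on apparmor 3.0.8 is only stated in the restored FIXME/TODO comments; the inner patch header would be clearer with a sentence such as `With the 3.0.8 parser the -> ** propagation rules are treated as allowing all mounts, which would make the container profile broader than intended.`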