[lxc.git] / debian / patches / 0003-deny-rw-mounting-of-sys-and-proc.patch

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= <f.gruenbichler@proxmox.com>
Date: Wed, 9 Nov 2016 09:14:26 +0100
Subject: [PATCH] deny rw mounting of /sys and /proc

this would allow root in a privileged container to change
the permissions of /sys on the host, which could lock out
non-root users.

if a rw /sys is desired, set "lxc.mount.auto" accordingly
---
 config/apparmor/abstractions/container-base    | 6 +++++-
 config/apparmor/abstractions/container-base.in | 6 +++++-
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/config/apparmor/abstractions/container-base b/config/apparmor/abstractions/container-base
index a5e6c35f..4c3a4ba8 100644
--- a/config/apparmor/abstractions/container-base
+++ b/config/apparmor/abstractions/container-base
@@ -82,7 +82,6 @@
   deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/,
   mount fstype=proc -> /proc/,
   mount fstype=sysfs -> /sys/,
-  mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/,
   deny /sys/firmware/efi/efivars/** rwklx,
   deny /sys/kernel/security/** rwklx,
   mount options=(move) /sys/fs/cgroup/cgmanager/ -> /sys/fs/cgroup/cgmanager.lower/,
@@ -91,6 +90,11 @@
   # deny reads from debugfs
   deny /sys/kernel/debug/{,**} rwklx,
 
+  # prevent rw mounting of /sys, because that allows changing its global permissions
+  deny mount -> /proc/,
+  deny mount -> /sys/,
+#  mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/,
+
   # allow paths to be made slave, shared, private or unbindable
   # FIXME: This currently doesn't work due to the apparmor parser treating those as allowing all mounts.
 #  mount options=(rw,make-slave) -> **,
diff --git a/config/apparmor/abstractions/container-base.in b/config/apparmor/abstractions/container-base.in
index 16529bbf..54f9ddf0 100644
--- a/config/apparmor/abstractions/container-base.in
+++ b/config/apparmor/abstractions/container-base.in
@@ -82,7 +82,6 @@
   deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/,
   mount fstype=proc -> /proc/,
   mount fstype=sysfs -> /sys/,
-  mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/,
   deny /sys/firmware/efi/efivars/** rwklx,
   deny /sys/kernel/security/** rwklx,
   mount options=(move) /sys/fs/cgroup/cgmanager/ -> /sys/fs/cgroup/cgmanager.lower/,
@@ -91,6 +90,11 @@
   # deny reads from debugfs
   deny /sys/kernel/debug/{,**} rwklx,
 
+  # prevent rw mounting of /sys, because that allows changing its global permissions
+  deny mount -> /proc/,
+  deny mount -> /sys/,
+#  mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/,
+
   # allow paths to be made slave, shared, private or unbindable
   # FIXME: This currently doesn't work due to the apparmor parser treating those as allowing all mounts.
 #  mount options=(rw,make-slave) -> **,
-- 
2.11.0
Commit	Line	Data
1513a0b5	1	From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
0d5c2e05 FG	2	From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= <f.gruenbichler@proxmox.com>
0d5c2e05 FG	3	Date: Wed, 9 Nov 2016 09:14:26 +0100
1513a0b5	4	Subject: [PATCH] deny rw mounting of /sys and /proc
0d5c2e05 FG	5
	6	this would allow root in a privileged container to change
	7	the permissions of /sys on the host, which could lock out
	8	non-root users.
	9
	10	if a rw /sys is desired, set "lxc.mount.auto" accordingly
	11	---
	12	config/apparmor/abstractions/container-base \| 6 +++++-
	13	config/apparmor/abstractions/container-base.in \| 6 +++++-
	14	2 files changed, 10 insertions(+), 2 deletions(-)
	15
	16	diff --git a/config/apparmor/abstractions/container-base b/config/apparmor/abstractions/container-base
bc7e56ac	17	index a5e6c35f..4c3a4ba8 100644
0d5c2e05 FG	18	--- a/config/apparmor/abstractions/container-base
0d5c2e05 FG	19	+++ b/config/apparmor/abstractions/container-base
bc7e56ac	20	@@ -82,7 +82,6 @@
0d5c2e05 FG	21	deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/,
	22	mount fstype=proc -> /proc/,
	23	mount fstype=sysfs -> /sys/,
	24	- mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/,
	25	deny /sys/firmware/efi/efivars/** rwklx,
	26	deny /sys/kernel/security/** rwklx,
	27	mount options=(move) /sys/fs/cgroup/cgmanager/ -> /sys/fs/cgroup/cgmanager.lower/,
bc7e56ac	28	@@ -91,6 +90,11 @@
0d5c2e05 FG	29	# deny reads from debugfs
	30	deny /sys/kernel/debug/{,**} rwklx,
	31
	32	+ # prevent rw mounting of /sys, because that allows changing its global permissions
	33	+ deny mount -> /proc/,
	34	+ deny mount -> /sys/,
	35	+# mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/,
	36	+
	37	# allow paths to be made slave, shared, private or unbindable
	38	# FIXME: This currently doesn't work due to the apparmor parser treating those as allowing all mounts.
	39	# mount options=(rw,make-slave) -> **,
	40	diff --git a/config/apparmor/abstractions/container-base.in b/config/apparmor/abstractions/container-base.in
bc7e56ac	41	index 16529bbf..54f9ddf0 100644
0d5c2e05 FG	42	--- a/config/apparmor/abstractions/container-base.in
0d5c2e05 FG	43	+++ b/config/apparmor/abstractions/container-base.in
bc7e56ac	44	@@ -82,7 +82,6 @@
0d5c2e05 FG	45	deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/,
	46	mount fstype=proc -> /proc/,
	47	mount fstype=sysfs -> /sys/,
	48	- mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/,
	49	deny /sys/firmware/efi/efivars/** rwklx,
	50	deny /sys/kernel/security/** rwklx,
	51	mount options=(move) /sys/fs/cgroup/cgmanager/ -> /sys/fs/cgroup/cgmanager.lower/,
bc7e56ac	52	@@ -91,6 +90,11 @@
0d5c2e05 FG	53	# deny reads from debugfs
	54	deny /sys/kernel/debug/{,**} rwklx,
	55
	56	+ # prevent rw mounting of /sys, because that allows changing its global permissions
	57	+ deny mount -> /proc/,
	58	+ deny mount -> /sys/,
	59	+# mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/,
	60	+
	61	# allow paths to be made slave, shared, private or unbindable
	62	# FIXME: This currently doesn't work due to the apparmor parser treating those as allowing all mounts.
	63	# mount options=(rw,make-slave) -> **,
	64	--
7395ab25	65	2.11.0
0d5c2e05	66