[lxc.git] / debian / patches / extra / 0007-apparmor-allow-various-remount-bind-options.patch

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Thu, 15 Nov 2018 11:51:34 +0100
Subject: [PATCH] apparmor: allow various remount,bind options

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
---
 config/apparmor/abstractions/container-base    | 10 ++++++++++
 config/apparmor/abstractions/container-base.in | 11 ++++++++++-
 src/lxc/lsm/apparmor.c                         | 26 +++++++++-----------------
 3 files changed, 29 insertions(+), 18 deletions(-)

diff --git a/config/apparmor/abstractions/container-base b/config/apparmor/abstractions/container-base
index 4c3a4ba8..fbd70fdf 100644
--- a/config/apparmor/abstractions/container-base
+++ b/config/apparmor/abstractions/container-base
@@ -124,6 +124,16 @@
   mount options=(rw,bind) /sy[^s]*{,/**},
   mount options=(rw,bind) /sys?*{,/**},
 
+  # allow various ro-bind-*re*-mounts
+  mount options=(ro,remount,bind),
+  mount options=(ro,remount,bind,nosuid),
+  mount options=(ro,remount,bind,noexec),
+  mount options=(ro,remount,bind,nodev),
+  mount options=(ro,remount,bind,nosuid,noexec),
+  mount options=(ro,remount,bind,noexec,nodev),
+  mount options=(ro,remount,bind,nodev,nosuid),
+  mount options=(ro,remount,bind,nosuid,noexec,nodev),
+
   # allow moving mounts except for /proc, /sys and /dev
   mount options=(rw,move) /[^spd]*{,/**},
   mount options=(rw,move) /d[^e]*{,/**},
diff --git a/config/apparmor/abstractions/container-base.in b/config/apparmor/abstractions/container-base.in
index 0844fdbb..39abf348 100644
--- a/config/apparmor/abstractions/container-base.in
+++ b/config/apparmor/abstractions/container-base.in
@@ -123,6 +123,16 @@
   mount options=(rw,bind) /sy[^s]*{,/**},
   mount options=(rw,bind) /sys?*{,/**},
 
+  # allow various ro-bind-*re*-mounts
+  mount options=(ro,remount,bind),
+  mount options=(ro,remount,bind,nosuid),
+  mount options=(ro,remount,bind,noexec),
+  mount options=(ro,remount,bind,nodev),
+  mount options=(ro,remount,bind,nosuid,noexec),
+  mount options=(ro,remount,bind,noexec,nodev),
+  mount options=(ro,remount,bind,nodev,nosuid),
+  mount options=(ro,remount,bind,nosuid,noexec,nodev),
+
   # allow moving mounts except for /proc, /sys and /dev
   mount options=(rw,move) /[^spd]*{,/**},
   mount options=(rw,move) /d[^e]*{,/**},
@@ -140,4 +150,3 @@
   mount options=(rw,move) /s[^y]*{,/**},
   mount options=(rw,move) /sy[^s]*{,/**},
   mount options=(rw,move) /sys?*{,/**},
-
diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c
index ec3f805d..bba4f6cb 100644
--- a/src/lxc/lsm/apparmor.c
+++ b/src/lxc/lsm/apparmor.c
@@ -163,23 +163,15 @@ static const char AA_PROFILE_BASE[] =
 "  mount options=(rw,bind) /sy[^s]*{,/**},\n"
 "  mount options=(rw,bind) /sys?*{,/**},\n"
 "\n"
-"  # allow read-only bind-mounts of anything except /proc, /sys and /dev\n"
-"  mount options=(ro,remount,bind) -> /[^spd]*{,/**},\n"
-"  mount options=(ro,remount,bind) -> /d[^e]*{,/**},\n"
-"  mount options=(ro,remount,bind) -> /de[^v]*{,/**},\n"
-"  mount options=(ro,remount,bind) -> /dev/.[^l]*{,/**},\n"
-"  mount options=(ro,remount,bind) -> /dev/.l[^x]*{,/**},\n"
-"  mount options=(ro,remount,bind) -> /dev/.lx[^c]*{,/**},\n"
-"  mount options=(ro,remount,bind) -> /dev/.lxc?*{,/**},\n"
-"  mount options=(ro,remount,bind) -> /dev/[^.]*{,/**},\n"
-"  mount options=(ro,remount,bind) -> /dev?*{,/**},\n"
-"  mount options=(ro,remount,bind) -> /p[^r]*{,/**},\n"
-"  mount options=(ro,remount,bind) -> /pr[^o]*{,/**},\n"
-"  mount options=(ro,remount,bind) -> /pro[^c]*{,/**},\n"
-"  mount options=(ro,remount,bind) -> /proc?*{,/**},\n"
-"  mount options=(ro,remount,bind) -> /s[^y]*{,/**},\n"
-"  mount options=(ro,remount,bind) -> /sy[^s]*{,/**},\n"
-"  mount options=(ro,remount,bind) -> /sys?*{,/**},\n"
+"  # allow various ro-bind-*re*-mounts\n"
+"  mount options=(ro,remount,bind),\n"
+"  mount options=(ro,remount,bind,nosuid),\n"
+"  mount options=(ro,remount,bind,noexec),\n"
+"  mount options=(ro,remount,bind,nodev),\n"
+"  mount options=(ro,remount,bind,nosuid,noexec),\n"
+"  mount options=(ro,remount,bind,noexec,nodev),\n"
+"  mount options=(ro,remount,bind,nodev,nosuid),\n"
+"  mount options=(ro,remount,bind,nosuid,noexec,nodev),\n"
 "\n"
 "  # allow moving mounts except for /proc, /sys and /dev\n"
 "  mount options=(rw,move) /[^spd]*{,/**},\n"
-- 
2.11.0
Commit	Line	Data
71a3cc63 WB	1	From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
	2	From: Wolfgang Bumiller <w.bumiller@proxmox.com>
	3	Date: Thu, 15 Nov 2018 11:51:34 +0100
	4	Subject: [PATCH] apparmor: allow various remount,bind options
	5
	6	Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
	7	---
	8	config/apparmor/abstractions/container-base \| 10 ++++++++++
	9	config/apparmor/abstractions/container-base.in \| 11 ++++++++++-
	10	src/lxc/lsm/apparmor.c \| 26 +++++++++-----------------
	11	3 files changed, 29 insertions(+), 18 deletions(-)
	12
	13	diff --git a/config/apparmor/abstractions/container-base b/config/apparmor/abstractions/container-base
	14	index 4c3a4ba8..fbd70fdf 100644
	15	--- a/config/apparmor/abstractions/container-base
	16	+++ b/config/apparmor/abstractions/container-base
	17	@@ -124,6 +124,16 @@
	18	mount options=(rw,bind) /sy[^s]{,/*},
	19	mount options=(rw,bind) /sys?{,/*},
	20
	21	+ # allow various ro-bind-re-mounts
	22	+ mount options=(ro,remount,bind),
	23	+ mount options=(ro,remount,bind,nosuid),
	24	+ mount options=(ro,remount,bind,noexec),
	25	+ mount options=(ro,remount,bind,nodev),
	26	+ mount options=(ro,remount,bind,nosuid,noexec),
	27	+ mount options=(ro,remount,bind,noexec,nodev),
	28	+ mount options=(ro,remount,bind,nodev,nosuid),
	29	+ mount options=(ro,remount,bind,nosuid,noexec,nodev),
	30	+
	31	# allow moving mounts except for /proc, /sys and /dev
	32	mount options=(rw,move) /[^spd]{,/*},
	33	mount options=(rw,move) /d[^e]{,/*},
	34	diff --git a/config/apparmor/abstractions/container-base.in b/config/apparmor/abstractions/container-base.in
	35	index 0844fdbb..39abf348 100644
	36	--- a/config/apparmor/abstractions/container-base.in
	37	+++ b/config/apparmor/abstractions/container-base.in
	38	@@ -123,6 +123,16 @@
	39	mount options=(rw,bind) /sy[^s]{,/*},
	40	mount options=(rw,bind) /sys?{,/*},
	41
	42	+ # allow various ro-bind-re-mounts
	43	+ mount options=(ro,remount,bind),
	44	+ mount options=(ro,remount,bind,nosuid),
	45	+ mount options=(ro,remount,bind,noexec),
	46	+ mount options=(ro,remount,bind,nodev),
	47	+ mount options=(ro,remount,bind,nosuid,noexec),
	48	+ mount options=(ro,remount,bind,noexec,nodev),
	49	+ mount options=(ro,remount,bind,nodev,nosuid),
	50	+ mount options=(ro,remount,bind,nosuid,noexec,nodev),
	51	+
	52	# allow moving mounts except for /proc, /sys and /dev
	53	mount options=(rw,move) /[^spd]{,/*},
	54	mount options=(rw,move) /d[^e]{,/*},
	55	@@ -140,4 +150,3 @@
	56	mount options=(rw,move) /s[^y]{,/*},
	57	mount options=(rw,move) /sy[^s]{,/*},
	58	mount options=(rw,move) /sys?{,/*},
	59	-
	60	diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c
	61	index ec3f805d..bba4f6cb 100644
	62	--- a/src/lxc/lsm/apparmor.c
	63	+++ b/src/lxc/lsm/apparmor.c
	64	@@ -163,23 +163,15 @@ static const char AA_PROFILE_BASE[] =
65	" mount options=(rw,bind) /sy[^s]{,/*},\n"
66	" mount options=(rw,bind) /sys?{,/*},\n"
67	"\n"
68	-" # allow read-only bind-mounts of anything except /proc, /sys and /dev\n"
69	-" mount options=(ro,remount,bind) -> /[^spd]{,/*},\n"
70	-" mount options=(ro,remount,bind) -> /d[^e]{,/*},\n"
71	-" mount options=(ro,remount,bind) -> /de[^v]{,/*},\n"
72	-" mount options=(ro,remount,bind) -> /dev/.[^l]{,/*},\n"
73	-" mount options=(ro,remount,bind) -> /dev/.l[^x]{,/*},\n"
74	-" mount options=(ro,remount,bind) -> /dev/.lx[^c]{,/*},\n"
75	-" mount options=(ro,remount,bind) -> /dev/.lxc?{,/*},\n"
76	-" mount options=(ro,remount,bind) -> /dev/[^.]{,/*},\n"
77	-" mount options=(ro,remount,bind) -> /dev?{,/*},\n"
78	-" mount options=(ro,remount,bind) -> /p[^r]{,/*},\n"
79	-" mount options=(ro,remount,bind) -> /pr[^o]{,/*},\n"
80	-" mount options=(ro,remount,bind) -> /pro[^c]{,/*},\n"
81	-" mount options=(ro,remount,bind) -> /proc?{,/*},\n"
82	-" mount options=(ro,remount,bind) -> /s[^y]{,/*},\n"
83	-" mount options=(ro,remount,bind) -> /sy[^s]{,/*},\n"
84	-" mount options=(ro,remount,bind) -> /sys?{,/*},\n"
85	+" # allow various ro-bind-re-mounts\n"
86	+" mount options=(ro,remount,bind),\n"
87	+" mount options=(ro,remount,bind,nosuid),\n"
88	+" mount options=(ro,remount,bind,noexec),\n"
89	+" mount options=(ro,remount,bind,nodev),\n"
90	+" mount options=(ro,remount,bind,nosuid,noexec),\n"
91	+" mount options=(ro,remount,bind,noexec,nodev),\n"
92	+" mount options=(ro,remount,bind,nodev,nosuid),\n"
93	+" mount options=(ro,remount,bind,nosuid,noexec,nodev),\n"
94	"\n"
95	" # allow moving mounts except for /proc, /sys and /dev\n"
96	" mount options=(rw,move) /[^spd]{,/*},\n"
97	--
98	2.11.0
99