80fb84e7 | 1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 |
2 | From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= <f.gruenbichler@proxmox.com> |
3 | Date: Wed, 9 Nov 2016 09:14:26 +0100 | |
ab6c7914 | 4 | Subject: [PATCH 1/2] PVE: [Config] deny rw mounting of /sys and /proc |
5 | |
6 | Note that we don't actually make use of this anymore, since | |
7 | we switched to the generated profiles which already do this. | |
8 | |
9 | Without this restriction, root in a privileged container could change | |
10 | the permissions of /sys on the host, which could lock out | |
11 | non-root users. | |
12 | ||
13 | if a rw /sys is desired, set "lxc.mount.auto" accordingly | |
14 | --- | |
15 | config/apparmor/abstractions/container-base | 6 +++++- | |
16 | config/apparmor/abstractions/container-base.in | 6 +++++- | |
17 | 2 files changed, 10 insertions(+), 2 deletions(-) | |
18 | ||
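diff --git a/config/apparmor/abstractions/container-base b/config/apparmor/abstractions/container-base
index 077476559..fbd70fdf5 100644
--- a/config/apparmor/abstractions/container-base
+++ b/config/apparmor/abstractions/container-base
@@ -82,7 +82,6 @@
  deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/,
  mount fstype=proc -> /proc/,
  mount fstype=sysfs -> /sys/,
- mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/,
  deny /sys/firmware/efi/efivars/** rwklx,
  deny /sys/kernel/security/** rwklx,
  mount options=(move) /sys/fs/cgroup/cgmanager/ -> /sys/fs/cgroup/cgmanager.lower/,
@@ -91,6 +90,11 @@
  # deny reads from debugfs
  deny /sys/kernel/debug/{,**} rwklx,
 
+ # prevent rw mounting of /sys, because that allows changing its global permissions
+ deny mount -> /proc/,
+ deny mount -> /sys/,
+# mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/,
+
  # allow paths to be made slave, shared, private or unbindable
  # FIXME: This currently doesn't work due to the apparmor parser treating those as allowing all mounts.
  # mount options=(rw,make-slave) -> **,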
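Review bot: The new `deny mount -> /proc/` and `deny mount -> /sys/` rules carry no fstype or options qualifier, so they also match the `mount fstype=proc -> /proc/` and `mount fstype=sysfs -> /sys/` allow rules kept in the first hunk; as far as I know AppArmor gives deny rules precedence over allow rules, in which case those two allow rules are now dead and should either be removed or documented as intentionally shadowed. The comment above the new rules names only /sys although the rule right below it covers /proc as well; `# deny (re)mounting of /proc and /sys from inside the container, because that allows changing their global permissions` would describe both. The commented-out `# mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/,` line is dead configuration and could be dropped now that the commit message records why it went away. The same three points apply to the identical hunks in container-base.in. Both hunks are excerpts of a larger abstraction whose head and tail lie outside the patch.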
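diff --git a/config/apparmor/abstractions/container-base.in b/config/apparmor/abstractions/container-base.in
index 2606fb64c..3e61c62ea 100644
--- a/config/apparmor/abstractions/container-base.in
+++ b/config/apparmor/abstractions/container-base.in
@@ -83,7 +83,6 @@
  deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/,
  mount fstype=proc -> /proc/,
  mount fstype=sysfs -> /sys/,
- mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/,
  deny /sys/firmware/efi/efivars/** rwklx,
  deny /sys/kernel/security/** rwklx,
  mount options=(ro, nosuid, nodev, noexec, remount, strictatime) -> /sys/fs/cgroup/,
@@ -91,6 +90,11 @@
  # deny reads from debugfs
  deny /sys/kernel/debug/{,**} rwklx,
 
+ # prevent rw mounting of /sys, because that allows changing its global permissions
+ deny mount -> /proc/,
+ deny mount -> /sys/,
+# mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/,
+
  # allow paths to be made slave, shared, private or unbindable
  # FIXME: This currently doesn't work due to the apparmor parser treating those as allowing all mounts.
  # mount options=(rw,make-slave) -> **,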
12c525f3 | 67 | -- |
ab6c7914 | 68 | 2.39.2 |