apparmor: allow various ro,remount,bind mounts
1 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
2 From: Wolfgang Bumiller <w.bumiller@proxmox.com>
3 Date: Thu, 15 Nov 2018 11:51:34 +0100
4 Subject: [PATCH] apparmor: allow various remount,bind options
5
6 Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
7 ---
8 config/apparmor/abstractions/container-base | 10 ++++++++++
9 config/apparmor/abstractions/container-base.in | 11 ++++++++++-
10 src/lxc/lsm/apparmor.c | 26 +++++++++-----------------
11 3 files changed, 29 insertions(+), 18 deletions(-)
12
13 diff --git a/config/apparmor/abstractions/container-base b/config/apparmor/abstractions/container-base
14 index 4c3a4ba8..fbd70fdf 100644
15 --- a/config/apparmor/abstractions/container-base
16 +++ b/config/apparmor/abstractions/container-base
17 @@ -124,6 +124,16 @@
18 mount options=(rw,bind) /sy[^s]*{,/**},
19 mount options=(rw,bind) /sys?*{,/**},
20
21 + # allow various ro-bind-*re*-mounts
22 + mount options=(ro,remount,bind),
23 + mount options=(ro,remount,bind,nosuid),
24 + mount options=(ro,remount,bind,noexec),
25 + mount options=(ro,remount,bind,nodev),
26 + mount options=(ro,remount,bind,nosuid,noexec),
27 + mount options=(ro,remount,bind,noexec,nodev),
28 + mount options=(ro,remount,bind,nodev,nosuid),
29 + mount options=(ro,remount,bind,nosuid,noexec,nodev),
30 +
31 # allow moving mounts except for /proc, /sys and /dev
32 mount options=(rw,move) /[^spd]*{,/**},
33 mount options=(rw,move) /d[^e]*{,/**},
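Review bot: The eight new rules carry no destination path, so `mount options=(ro,remount,bind),` and each flag combination below it now match a read-only bind remount of any mount point, including /proc, /sys and /dev, whereas the rules this patch removes from src/lxc/lsm/apparmor.c enumerated destinations that excluded those trees (and /dev/.lxc); the commit message does not mention this widening. Since `options=` appears to match the flag set exactly (presumably why the combinations are spelled out), the bare `ro,remount,bind` form also covers a remount that leaves nosuid, nodev and noexec unset, so the paths it may apply to are worth stating explicitly. If unrestricted destinations are intended, the comment should say so, e.g. `# allow various ro-bind-*re*-mounts on any mount point (no destination restriction, unlike the rw,bind rules above)`; otherwise keep the `-> /[^spd]*{,/**},` style destination list on each combination, as the removed rules did. The same point applies to the container-base.in hunk and the AA_PROFILE_BASE hunk in apparmor.c, which carry identical copies of these rules and must stay in sync.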
34 diff --git a/config/apparmor/abstractions/container-base.in b/config/apparmor/abstractions/container-base.in
35 index 0844fdbb..39abf348 100644
36 --- a/config/apparmor/abstractions/container-base.in
37 +++ b/config/apparmor/abstractions/container-base.in
38 @@ -123,6 +123,16 @@
39 mount options=(rw,bind) /sy[^s]*{,/**},
40 mount options=(rw,bind) /sys?*{,/**},
41
42 + # allow various ro-bind-*re*-mounts
43 + mount options=(ro,remount,bind),
44 + mount options=(ro,remount,bind,nosuid),
45 + mount options=(ro,remount,bind,noexec),
46 + mount options=(ro,remount,bind,nodev),
47 + mount options=(ro,remount,bind,nosuid,noexec),
48 + mount options=(ro,remount,bind,noexec,nodev),
49 + mount options=(ro,remount,bind,nodev,nosuid),
50 + mount options=(ro,remount,bind,nosuid,noexec,nodev),
51 +
52 # allow moving mounts except for /proc, /sys and /dev
53 mount options=(rw,move) /[^spd]*{,/**},
54 mount options=(rw,move) /d[^e]*{,/**},
55 @@ -140,4 +150,3 @@
56 mount options=(rw,move) /s[^y]*{,/**},
57 mount options=(rw,move) /sy[^s]*{,/**},
58 mount options=(rw,move) /sys?*{,/**},
59 -
60 diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c
61 index ec3f805d..bba4f6cb 100644
62 --- a/src/lxc/lsm/apparmor.c
63 +++ b/src/lxc/lsm/apparmor.c
64 @@ -163,23 +163,15 @@ static const char AA_PROFILE_BASE[] =
65 " mount options=(rw,bind) /sy[^s]*{,/**},\n"
66 " mount options=(rw,bind) /sys?*{,/**},\n"
67 "\n"
68 -" # allow read-only bind-mounts of anything except /proc, /sys and /dev\n"
69 -" mount options=(ro,remount,bind) -> /[^spd]*{,/**},\n"
70 -" mount options=(ro,remount,bind) -> /d[^e]*{,/**},\n"
71 -" mount options=(ro,remount,bind) -> /de[^v]*{,/**},\n"
72 -" mount options=(ro,remount,bind) -> /dev/.[^l]*{,/**},\n"
73 -" mount options=(ro,remount,bind) -> /dev/.l[^x]*{,/**},\n"
74 -" mount options=(ro,remount,bind) -> /dev/.lx[^c]*{,/**},\n"
75 -" mount options=(ro,remount,bind) -> /dev/.lxc?*{,/**},\n"
76 -" mount options=(ro,remount,bind) -> /dev/[^.]*{,/**},\n"
77 -" mount options=(ro,remount,bind) -> /dev?*{,/**},\n"
78 -" mount options=(ro,remount,bind) -> /p[^r]*{,/**},\n"
79 -" mount options=(ro,remount,bind) -> /pr[^o]*{,/**},\n"
80 -" mount options=(ro,remount,bind) -> /pro[^c]*{,/**},\n"
81 -" mount options=(ro,remount,bind) -> /proc?*{,/**},\n"
82 -" mount options=(ro,remount,bind) -> /s[^y]*{,/**},\n"
83 -" mount options=(ro,remount,bind) -> /sy[^s]*{,/**},\n"
84 -" mount options=(ro,remount,bind) -> /sys?*{,/**},\n"
85 +" # allow various ro-bind-*re*-mounts\n"
86 +" mount options=(ro,remount,bind),\n"
87 +" mount options=(ro,remount,bind,nosuid),\n"
88 +" mount options=(ro,remount,bind,noexec),\n"
89 +" mount options=(ro,remount,bind,nodev),\n"
90 +" mount options=(ro,remount,bind,nosuid,noexec),\n"
91 +" mount options=(ro,remount,bind,noexec,nodev),\n"
92 +" mount options=(ro,remount,bind,nodev,nosuid),\n"
93 +" mount options=(ro,remount,bind,nosuid,noexec,nodev),\n"
94 "\n"
95 " # allow moving mounts except for /proc, /sys and /dev\n"
96 " mount options=(rw,move) /[^spd]*{,/**},\n"
97 --
98 2.11.0
99