From 90fcde92902559d804a4c71077d70e94b61fbcd4 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller
Date: Fri, 9 Aug 2019 10:49:43 +0200
Subject: [PATCH] merge new apparmor profile update

Signed-off-by: Wolfgang Bumiller
---
 ...r-generate-ro-bind-remount-rule-list.patch | 215 ++++++++++++++
 .../extra/0004-update-apparmor-profile.patch | 280 ------------------
 debian/patches/series | 2 +-
 3 files changed, 216 insertions(+), 281 deletions(-)
 create mode 100644 debian/patches/extra/0004-apparmor-generate-ro-bind-remount-rule-list.patch
 delete mode 100644 debian/patches/extra/0004-update-apparmor-profile.patch

diff --git a/debian/patches/extra/0004-apparmor-generate-ro-bind-remount-rule-list.patch b/debian/patches/extra/0004-apparmor-generate-ro-bind-remount-rule-list.patch
new file mode 100644
index 0000000..8dc7b05
--- /dev/null
+++ b/debian/patches/extra/0004-apparmor-generate-ro-bind-remount-rule-list.patch
@@ -0,0 +1,215 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller
+Date: Fri, 2 Aug 2019 12:57:42 +0200
+Subject: [PATCH] apparmor: generate ro,bind,remount rule list
+
+initially based on changes to lxd
+
+Signed-off-by: Wolfgang Bumiller
+---
+ src/lxc/lsm/apparmor.c | 156 ++++++++++++++++++++++++++++++++++++-----
+ 1 file changed, 140 insertions(+), 16 deletions(-)
+
+diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c
+index e32b12531..08966a246 100644
+--- a/src/lxc/lsm/apparmor.c
++++ b/src/lxc/lsm/apparmor.c
+@@ -149,6 +149,16 @@ static const char AA_PROFILE_BASE[] =
+ "# mount options=(rw,make-unbindable) -> **,\n"
+ "# mount options=(rw,make-runbindable) -> **,\n"
+ "\n"
++"# Allow limited modification of mount propagation\n"
++" mount options=(rw,make-slave) -> /,\n"
++" mount options=(rw,make-rslave) -> /,\n"
++" mount options=(rw,make-shared) -> /,\n"
++" mount options=(rw,make-rshared) -> /,\n"
++" mount options=(rw,make-private) -> /,\n"
++" mount options=(rw,make-rprivate) -> /,\n"
++" mount options=(rw,make-unbindable) -> /,\n"
++" mount options=(rw,make-runbindable) -> /,\n"
++"\n"
+ " # allow bind-mounts of anything except /proc, /sys and /dev\n"
+ " mount options=(rw,bind) /[^spd]*{,/**},\n"
+ " mount options=(rw,bind) /d[^e]*{,/**},\n"
+@@ -167,15 +177,18 @@ static const char AA_PROFILE_BASE[] =
+ " mount options=(rw,bind) /sy[^s]*{,/**},\n"
+ " mount options=(rw,bind) /sys?*{,/**},\n"
+ "\n"
+-" # allow various ro-bind-*re*-mounts\n"
+-" mount options=(ro,remount,bind),\n"
+-" mount options=(ro,remount,bind,nosuid),\n"
+-" mount options=(ro,remount,bind,noexec),\n"
+-" mount options=(ro,remount,bind,nodev),\n"
+-" mount options=(ro,remount,bind,nosuid,noexec),\n"
+-" mount options=(ro,remount,bind,noexec,nodev),\n"
+-" mount options=(ro,remount,bind,nodev,nosuid),\n"
+-" mount options=(ro,remount,bind,nosuid,noexec,nodev),\n"
++" # Allow rbind-mounts of anything except /, /dev, /proc and /sys\n"
++" mount options=(rw,rbind) /[^spd]*{,/**},\n"
++" mount options=(rw,rbind) /d[^e]*{,/**},\n"
++" mount options=(rw,rbind) /de[^v]*{,/**},\n"
++" mount options=(rw,rbind) /dev?*{,/**},\n"
++" mount options=(rw,rbind) /p[^r]*{,/**},\n"
++" mount options=(rw,rbind) /pr[^o]*{,/**},\n"
++" mount options=(rw,rbind) /pro[^c]*{,/**},\n"
++" mount options=(rw,rbind) /proc?*{,/**},\n"
++" mount options=(rw,rbind) /s[^y]*{,/**},\n"
++" mount options=(rw,rbind) /sy[^s]*{,/**},\n"
++" mount options=(rw,rbind) /sys?*{,/**},\n"
+ "\n"
+ " # allow moving mounts except for /proc, /sys and /dev\n"
+ " mount options=(rw,move) /[^spd]*{,/**},\n"
+@@ -339,18 +352,57 @@ static const char AA_PROFILE_NESTING_BASE[] =
+ " deny /dev/.lxc/proc/** rw,\n"
+ " deny /dev/.lxc/sys/** rw,\n"
+ "\n"
++" # Allow modifying mount propagation\n"
++" mount options=(rw,make-slave) -> **,\n"
++" mount options=(rw,make-rslave) -> **,\n"
++" mount options=(rw,make-shared) -> **,\n"
++" mount options=(rw,make-rshared) -> **,\n"
++" mount options=(rw,make-private) -> **,\n"
++" mount options=(rw,make-rprivate) -> **,\n"
++" mount options=(rw,make-unbindable) -> **,\n"
++" mount options=(rw,make-runbindable) -> **,\n"
++"\n"
+ " mount fstype=proc -> /usr/lib/*/lxc/**,\n"
+ " mount fstype=sysfs -> /usr/lib/*/lxc/**,\n"
+ " mount options=(rw,bind),\n"
+ " mount options=(rw,rbind),\n"
+-" mount options=(rw,make-rshared),\n"
+ "\n"
+- /* FIXME: What's the state here on apparmor's side? */
+-" # there doesn't seem to be a way to ask for:\n"
+-" # mount options=(ro,nosuid,nodev,noexec,remount,bind),\n"
+-" # as we always get mount to $cdir/proc/sys with those flags denied\n"
+-" # So allow all mounts until that is straightened out:\n"
+-" mount,\n"
++" # Allow common combinations of bind/remount\n"
++" # NOTE: AppArmor bug effectively turns those into wildcards mount allow\n"
++" mount options=(ro,remount,bind),\n"
++" mount options=(ro,remount,bind,nodev),\n"
++" mount options=(ro,remount,bind,nodev,nosuid),\n"
++" mount options=(ro,remount,bind,noexec),\n"
++" mount options=(ro,remount,bind,noexec,nodev),\n"
++" mount options=(ro,remount,bind,nosuid),\n"
++" mount options=(ro,remount,bind,nosuid,nodev),\n"
++" mount options=(ro,remount,bind,nosuid,noexec),\n"
++" mount options=(ro,remount,bind,nosuid,noexec,nodev),\n"
++
++" mount options=(ro,remount,bind,strictatime),\n"
++" mount options=(ro,remount,bind,strictatime,nodev),\n"
++" mount options=(ro,remount,bind,strictatime,nodev,nosuid),\n"
++" mount options=(ro,remount,bind,strictatime,noexec),\n"
++" mount options=(ro,remount,bind,strictatime,noexec,nodev),\n"
++" mount options=(ro,remount,bind,strictatime,nosuid),\n"
++" mount options=(ro,remount,bind,strictatime,nosuid,nodev),\n"
++" mount options=(ro,remount,bind,strictatime,nosuid,noexec),\n"
++" mount options=(ro,remount,bind,strictatime,nosuid,noexec,nodev),\n"
++
++" mount options=(ro,remount,bind,noatime),\n"
++" mount options=(ro,remount,bind,noatime,nodev),\n"
++" mount options=(ro,remount,bind,noatime,nodev,nosuid),\n"
++" mount options=(ro,remount,bind,noatime,noexec),\n"
++" mount options=(ro,remount,bind,noatime,noexec,nodev),\n"
++" mount options=(ro,remount,bind,noatime,nosuid),\n"
++" mount options=(ro,remount,bind,noatime,nosuid,nodev),\n"
++" mount options=(ro,remount,bind,noatime,nosuid,noexec),\n"
++" mount options=(ro,remount,bind,noatime,nosuid,noexec,nodev),\n"
++
++"\n"
++" # Allow remounting things read-only\n"
++" mount options=(ro,remount) /,\n"
++" mount options=(ro,remount) /**,\n"
+ ;
+ 
+ static const char AA_PROFILE_UNPRIVILEGED[] =
+@@ -648,6 +700,76 @@ static bool is_privileged(struct lxc_conf *conf)
+ return lxc_list_empty(&conf->id_map);
+ }
+ 
++static const char* AA_ALL_DEST_PATH_LIST[] = {
++ " -> /[^spd]*{,/**},\n",
++ " -> /d[^e]*{,/**},\n",
++ " -> /de[^v]*{,/**},\n",
++ " -> /dev/.[^l]*{,/**},\n",
++ " -> /dev/.l[^x]*{,/**},\n",
++ " -> /dev/.lx[^c]*{,/**},\n",
++ " -> /dev/.lxc?*{,/**},\n",
++ " -> /dev/[^.]*{,/**},\n",
++ " -> /dev?*{,/**},\n",
++ " -> /p[^r]*{,/**},\n",
++ " -> /pr[^o]*{,/**},\n",
++ " -> /pro[^c]*{,/**},\n",
++ " -> /proc?*{,/**},\n",
++ " -> /s[^y]*{,/**},\n",
++ " -> /sy[^s]*{,/**},\n",
++ " -> /sys?*{,/**},\n",
++ NULL,
++};
++
++static void append_remount_rule(char **profile, size_t *size, const char *rule)
++{
++ size_t rule_len = strlen(rule);
++
++ for (const char **dest = AA_ALL_DEST_PATH_LIST; *dest; ++dest) {
++ must_append_sized(profile, size, rule, rule_len);
++ must_append_sized(profile, size, *dest, strlen(*dest));
++ }
++}
++
++static void append_all_remount_rules(char **profile, size_t *size)
++{
++ must_append_sized(profile, size,
++ "# allow various ro-bind-*re*mounts\n",
++ sizeof("# allow various ro-bind-*re*mounts\n")-1);
++
++ static struct mntopt_t {
++ const char *opt;
++ size_t len;
++ } mnt_opt_list[] = {
++ { ",nodev", sizeof(",nodev")-1 },
++ { ",nosuid", sizeof(",nosuid")-1 },
++ { ",noexec", sizeof(",noexec")-1 },
++ };
++
++ const size_t opt_count = sizeof(mnt_opt_list) / sizeof(mnt_opt_list[0]);
++
++ char buf[128] = "mount options=(ro,remount,bind";
++ const size_t start = strlen(buf);
++ for (size_t i = 0; i != 1 << opt_count; ++i) {
++ size_t at = start;
++ unsigned opt_bit = 1;
++
++ for (size_t o = 0; o != opt_count; ++o, opt_bit <<= 1) {
++ if (i & opt_bit) {
++ struct mntopt_t *opt = &mnt_opt_list[o];
++ memcpy(&buf[at], opt->opt, opt->len);
++ at += opt->len;
++ }
++ }
++
++ memcpy(&buf[at], ")", sizeof(")"));
++ append_remount_rule(profile, size, buf);
++ memcpy(&buf[at], ",noatime)", sizeof(",noatime)"));
++ append_remount_rule(profile, size, buf);
++ memcpy(&buf[at], ",strictatime)", sizeof(",strictatime)"));
++ append_remount_rule(profile, size, buf);
++ }
++}
++
+ static char *get_apparmor_profile_content(struct lxc_conf *conf, const char *lxcpath)
+ {
+ char *profile, *profile_name_full;
+@@ -665,6 +787,8 @@ static char *get_apparmor_profile_content(struct lxc_conf *conf, const char *lxc
+ must_append_sized(&profile, &size, AA_PROFILE_BASE,
+ STRARRAYLEN(AA_PROFILE_BASE));
+ 
++ append_all_remount_rules(&profile, &size);
++
+ if (aa_supports_unix)
+ must_append_sized(&profile, &size, AA_PROFILE_UNIX_SOCKETS,
+ STRARRAYLEN(AA_PROFILE_UNIX_SOCKETS));
+-- 
+2.20.1
+
diff --git a/debian/patches/extra/0004-update-apparmor-profile.patch b/debian/patches/extra/0004-update-apparmor-profile.patch
deleted file mode 100644
index 75d2102..0000000
--- a/debian/patches/extra/0004-update-apparmor-profile.patch
+++ /dev/null
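Review bot: `append_all_remount_rules` assembles each generated rule into `char buf[128]` with bare `memcpy` and never compares `at` against `sizeof(buf)`; today the longest rule, `mount options=(ro,remount,bind,nodev,nosuid,noexec,strictatime)`, is 63 characters plus the terminator, so it fits, but the next person to extend `mnt_opt_list` or add a fourth atime suffix gets a silent overflow of a security-policy string instead of a build error. I would pin the invariant next to the buffer, e.g. `_Static_assert(sizeof("mount options=(ro,remount,bind,nodev,nosuid,noexec,strictatime)") <= 128, "remount rule buffer too small");` or, if the tree is not built as C11, `assert(at + sizeof(",strictatime)") <= sizeof(buf));` before the three suffix copies. Separately, the hand-written list in the `AA_PROFILE_NESTING_BASE` hunk still carries no `->` destination, and the hunk's own NOTE says AppArmor treats such rules as a wildcard mount allow, so that profile appears to gain no real confinement from dropping `mount,`; a one-line comment such as `# (still effectively 'mount,' for nesting containers; the generated AA_ALL_DEST_PATH_LIST rules only constrain the base profile)` would stop readers taking the list as a hardening. The base-profile side is the actual improvement here: the generated rules exclude `/`, `/dev`, `/dev/.lxc`, `/proc` and `/sys` as remount targets, which is worth stating in the commit message.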
@@ -1,280 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Wolfgang Bumiller
-Date: Fri, 2 Aug 2019 12:57:42 +0200
-Subject: [PATCH] update apparmor profile
-
-based on changes to lxd
-
-Signed-off-by: Wolfgang Bumiller
----
- src/lxc/lsm/apparmor.c | 235 ++++++++++++++++++++++++++++++++++++++---
- 1 file changed, 219 insertions(+), 16 deletions(-)
-
-diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c
-index e32b12531..6e7c2494d 100644
---- a/src/lxc/lsm/apparmor.c
-+++ b/src/lxc/lsm/apparmor.c
-@@ -149,6 +149,187 @@ static const char AA_PROFILE_BASE[] =
- "# mount options=(rw,make-unbindable) -> **,\n"
- "# mount options=(rw,make-runbindable) -> **,\n"
- "\n"
-+"# Allow limited modification of mount propagation\n"
-+" mount options=(rw,make-slave) -> /,\n"
-+" mount options=(rw,make-rslave) -> /,\n"
-+" mount options=(rw,make-shared) -> /,\n"
-+" mount options=(rw,make-rshared) -> /,\n"
-+" mount options=(rw,make-private) -> /,\n"
-+" mount options=(rw,make-rprivate) -> /,\n"
-+" mount options=(rw,make-unbindable) -> /,\n"
-+" mount options=(rw,make-runbindable) -> /,\n"
-+"\n"
-+" # allow various ro-bind-*re*-mounts\n"
-+" mount options=(ro,remount,bind) -> /[^spd]*{,/**},\n"
-+" mount options=(ro,remount,bind) -> /d[^e]*{,/**},\n"
-+" mount options=(ro,remount,bind) -> /de[^v]*{,/**},\n"
-+" mount options=(ro,remount,bind) -> /dev/.[^l]*{,/**},\n"
-+" mount options=(ro,remount,bind) -> /dev/.l[^x]*{,/**},\n"
-+" mount options=(ro,remount,bind) -> /dev/.lx[^c]*{,/**},\n"
-+" mount options=(ro,remount,bind) -> /dev/.lxc?*{,/**},\n"
-+" mount options=(ro,remount,bind) -> /dev/[^.]*{,/**},\n"
-+" mount options=(ro,remount,bind) -> /dev?*{,/**},\n"
-+" mount options=(ro,remount,bind) -> /p[^r]*{,/**},\n"
-+" mount options=(ro,remount,bind) -> /pr[^o]*{,/**},\n"
-+" mount options=(ro,remount,bind) -> /pro[^c]*{,/**},\n"
-+" mount options=(ro,remount,bind) -> /proc?*{,/**},\n"
-+" mount options=(ro,remount,bind) -> /s[^y]*{,/**},\n"
-+" mount options=(ro,remount,bind) -> /sy[^s]*{,/**},\n"
-+" mount options=(ro,remount,bind) -> /sys?*{,/**},\n"
-+"\n"
-+" mount options=(ro,remount,bind,nodev) -> /[^spd]*{,/**},\n"
-+" mount options=(ro,remount,bind,nodev) -> /d[^e]*{,/**},\n"
-+" mount options=(ro,remount,bind,nodev) -> /de[^v]*{,/**},\n"
-+" mount options=(ro,remount,bind,nodev) -> /dev/.[^l]*{,/**},\n"
-+" mount options=(ro,remount,bind,nodev) -> /dev/.l[^x]*{,/**},\n"
-+" mount options=(ro,remount,bind,nodev) -> /dev/.lx[^c]*{,/**},\n"
-+" mount options=(ro,remount,bind,nodev) -> /dev/.lxc?*{,/**},\n"
-+" mount options=(ro,remount,bind,nodev) -> /dev/[^.]*{,/**},\n"
-+" mount options=(ro,remount,bind,nodev) -> /dev?*{,/**},\n"
-+" mount options=(ro,remount,bind,nodev) -> /p[^r]*{,/**},\n"
-+" mount options=(ro,remount,bind,nodev) -> /pr[^o]*{,/**},\n"
-+" mount options=(ro,remount,bind,nodev) -> /pro[^c]*{,/**},\n"
-+" mount options=(ro,remount,bind,nodev) -> /proc?*{,/**},\n"
-+" mount options=(ro,remount,bind,nodev) -> /s[^y]*{,/**},\n"
-+" mount options=(ro,remount,bind,nodev) -> /sy[^s]*{,/**},\n"
-+" mount options=(ro,remount,bind,nodev) -> /sys?*{,/**},\n"
-+"\n"
-+" mount options=(ro,remount,bind,nodev,nosuid) -> /[^spd]*{,/**},\n"
-+" mount options=(ro,remount,bind,nodev,nosuid) -> /d[^e]*{,/**},\n"
-+" mount options=(ro,remount,bind,nodev,nosuid) -> /de[^v]*{,/**},\n"
-+" mount options=(ro,remount,bind,nodev,nosuid) -> /dev/.[^l]*{,/**},\n"
-+" mount options=(ro,remount,bind,nodev,nosuid) -> /dev/.l[^x]*{,/**},\n"
-+" mount options=(ro,remount,bind,nodev,nosuid) -> /dev/.lx[^c]*{,/**},\n"
-+" mount options=(ro,remount,bind,nodev,nosuid) -> /dev/.lxc?*{,/**},\n"
-+" mount options=(ro,remount,bind,nodev,nosuid) -> /dev/[^.]*{,/**},\n"
-+" mount options=(ro,remount,bind,nodev,nosuid) -> /dev?*{,/**},\n"
-+" mount options=(ro,remount,bind,nodev,nosuid) -> /p[^r]*{,/**},\n"
-+" mount options=(ro,remount,bind,nodev,nosuid) -> /pr[^o]*{,/**},\n"
-+" mount options=(ro,remount,bind,nodev,nosuid) -> /pro[^c]*{,/**},\n"
-+" mount options=(ro,remount,bind,nodev,nosuid) -> /proc?*{,/**},\n"
-+" mount options=(ro,remount,bind,nodev,nosuid) -> /s[^y]*{,/**},\n"
-+" mount options=(ro,remount,bind,nodev,nosuid) -> /sy[^s]*{,/**},\n"
-+" mount options=(ro,remount,bind,nodev,nosuid) -> /sys?*{,/**},\n"
-+"\n"
-+" mount options=(ro,remount,bind,noexec) -> /[^spd]*{,/**},\n"
-+" mount options=(ro,remount,bind,noexec) -> /d[^e]*{,/**},\n"
-+" mount options=(ro,remount,bind,noexec) -> /de[^v]*{,/**},\n"
-+" mount options=(ro,remount,bind,noexec) -> /dev/.[^l]*{,/**},\n"
-+" mount options=(ro,remount,bind,noexec) -> /dev/.l[^x]*{,/**},\n"
-+" mount options=(ro,remount,bind,noexec) -> /dev/.lx[^c]*{,/**},\n"
-+" mount options=(ro,remount,bind,noexec) -> /dev/.lxc?*{,/**},\n"
-+" mount options=(ro,remount,bind,noexec) -> /dev/[^.]*{,/**},\n"
-+" mount options=(ro,remount,bind,noexec) -> /dev?*{,/**},\n"
-+" mount options=(ro,remount,bind,noexec) -> /p[^r]*{,/**},\n"
-+" mount options=(ro,remount,bind,noexec) -> /pr[^o]*{,/**},\n"
-+" mount options=(ro,remount,bind,noexec) -> /pro[^c]*{,/**},\n"
-+" mount options=(ro,remount,bind,noexec) -> /proc?*{,/**},\n"
-+" mount options=(ro,remount,bind,noexec) -> /s[^y]*{,/**},\n"
-+" mount options=(ro,remount,bind,noexec) -> /sy[^s]*{,/**},\n"
-+" mount options=(ro,remount,bind,noexec) -> /sys?*{,/**},\n"
-+"\n"
-+" mount options=(ro,remount,bind,noexec,nodev) -> /[^spd]*{,/**},\n"
-+" mount options=(ro,remount,bind,noexec,nodev) -> /d[^e]*{,/**},\n"
-+" mount options=(ro,remount,bind,noexec,nodev) -> /de[^v]*{,/**},\n"
-+" mount options=(ro,remount,bind,noexec,nodev) -> /dev/.[^l]*{,/**},\n"
-+" mount options=(ro,remount,bind,noexec,nodev) -> /dev/.l[^x]*{,/**},\n"
-+" mount options=(ro,remount,bind,noexec,nodev) -> /dev/.lx[^c]*{,/**},\n"
-+" mount options=(ro,remount,bind,noexec,nodev) -> /dev/.lxc?*{,/**},\n"
-+" mount options=(ro,remount,bind,noexec,nodev) -> /dev/[^.]*{,/**},\n"
-+" mount options=(ro,remount,bind,noexec,nodev) -> /dev?*{,/**},\n"
-+" mount options=(ro,remount,bind,noexec,nodev) -> /p[^r]*{,/**},\n"
-+" mount options=(ro,remount,bind,noexec,nodev) -> /pr[^o]*{,/**},\n"
-+" mount options=(ro,remount,bind,noexec,nodev) -> /pro[^c]*{,/**},\n"
-+" mount options=(ro,remount,bind,noexec,nodev) -> /proc?*{,/**},\n"
-+" mount options=(ro,remount,bind,noexec,nodev) -> /s[^y]*{,/**},\n"
-+" mount options=(ro,remount,bind,noexec,nodev) -> /sy[^s]*{,/**},\n"
-+" mount options=(ro,remount,bind,noexec,nodev) -> /sys?*{,/**},\n"
-+"\n"
-+" mount options=(ro,remount,bind,nosuid) -> /[^spd]*{,/**},\n"
-+" mount options=(ro,remount,bind,nosuid) -> /d[^e]*{,/**},\n"
-+" mount options=(ro,remount,bind,nosuid) -> /de[^v]*{,/**},\n"
-+" mount options=(ro,remount,bind,nosuid) -> /dev/.[^l]*{,/**},\n"
-+" mount options=(ro,remount,bind,nosuid) -> /dev/.l[^x]*{,/**},\n"
-+" mount options=(ro,remount,bind,nosuid) -> /dev/.lx[^c]*{,/**},\n"
-+" mount options=(ro,remount,bind,nosuid) -> /dev/.lxc?*{,/**},\n"
-+" mount options=(ro,remount,bind,nosuid) -> /dev/[^.]*{,/**},\n"
-+" mount options=(ro,remount,bind,nosuid) -> /dev?*{,/**},\n"
-+" mount options=(ro,remount,bind,nosuid) -> /p[^r]*{,/**},\n"
-+" mount options=(ro,remount,bind,nosuid) -> /pr[^o]*{,/**},\n"
-+" mount options=(ro,remount,bind,nosuid) -> /pro[^c]*{,/**},\n"
-+" mount options=(ro,remount,bind,nosuid) -> /proc?*{,/**},\n"
-+" mount options=(ro,remount,bind,nosuid) -> /s[^y]*{,/**},\n"
-+" mount options=(ro,remount,bind,nosuid) -> /sy[^s]*{,/**},\n"
-+" mount options=(ro,remount,bind,nosuid) -> /sys?*{,/**},\n"
-+"\n"
-+" mount options=(ro,remount,bind,nosuid,nodev) -> /[^spd]*{,/**},\n"
-+" mount options=(ro,remount,bind,nosuid,nodev) -> /d[^e]*{,/**},\n"
-+" mount options=(ro,remount,bind,nosuid,nodev) -> /de[^v]*{,/**},\n"
-+" mount options=(ro,remount,bind,nosuid,nodev) -> /dev/.[^l]*{,/**},\n"
-+" mount options=(ro,remount,bind,nosuid,nodev) -> /dev/.l[^x]*{,/**},\n"
-+" mount options=(ro,remount,bind,nosuid,nodev) -> /dev/.lx[^c]*{,/**},\n"
-+" mount options=(ro,remount,bind,nosuid,nodev) -> /dev/.lxc?*{,/**},\n"
-+" mount options=(ro,remount,bind,nosuid,nodev) -> /dev/[^.]*{,/**},\n"
-+" mount options=(ro,remount,bind,nosuid,nodev) -> /dev?*{,/**},\n"
-+" mount options=(ro,remount,bind,nosuid,nodev) -> /p[^r]*{,/**},\n"
-+" mount options=(ro,remount,bind,nosuid,nodev) -> /pr[^o]*{,/**},\n"
-+" mount options=(ro,remount,bind,nosuid,nodev) -> /pro[^c]*{,/**},\n"
-+" mount options=(ro,remount,bind,nosuid,nodev) -> /proc?*{,/**},\n"
-+" mount options=(ro,remount,bind,nosuid,nodev) -> /s[^y]*{,/**},\n"
-+" mount options=(ro,remount,bind,nosuid,nodev) -> /sy[^s]*{,/**},\n"
-+" mount options=(ro,remount,bind,nosuid,nodev) -> /sys?*{,/**},\n"
-+"\n"
-+" mount options=(ro,remount,bind,nosuid,noexec) -> /[^spd]*{,/**},\n"
-+" mount options=(ro,remount,bind,nosuid,noexec) -> /d[^e]*{,/**},\n"
-+" mount options=(ro,remount,bind,nosuid,noexec) -> /de[^v]*{,/**},\n"
-+" mount options=(ro,remount,bind,nosuid,noexec) -> /dev/.[^l]*{,/**},\n"
-+" mount options=(ro,remount,bind,nosuid,noexec) -> /dev/.l[^x]*{,/**},\n"
-+" mount options=(ro,remount,bind,nosuid,noexec) -> /dev/.lx[^c]*{,/**},\n"
-+" mount options=(ro,remount,bind,nosuid,noexec) -> /dev/.lxc?*{,/**},\n"
-+" mount options=(ro,remount,bind,nosuid,noexec) -> /dev/[^.]*{,/**},\n"
-+" mount options=(ro,remount,bind,nosuid,noexec) -> /dev?*{,/**},\n"
-+" mount options=(ro,remount,bind,nosuid,noexec) -> /p[^r]*{,/**},\n"
-+" mount options=(ro,remount,bind,nosuid,noexec) -> /pr[^o]*{,/**},\n"
-+" mount options=(ro,remount,bind,nosuid,noexec) -> /pro[^c]*{,/**},\n"
-+" mount options=(ro,remount,bind,nosuid,noexec) -> /proc?*{,/**},\n"
-+" mount options=(ro,remount,bind,nosuid,noexec) -> /s[^y]*{,/**},\n"
-+" mount options=(ro,remount,bind,nosuid,noexec) -> /sy[^s]*{,/**},\n"
-+" mount options=(ro,remount,bind,nosuid,noexec) -> /sys?*{,/**},\n"
-+"\n"
-+" mount options=(ro,remount,bind,nosuid,noexec,nodev) -> /[^spd]*{,/**},\n"
-+" mount options=(ro,remount,bind,nosuid,noexec,nodev) -> /d[^e]*{,/**},\n"
-+" mount options=(ro,remount,bind,nosuid,noexec,nodev) -> /de[^v]*{,/**},\n"
-+" mount options=(ro,remount,bind,nosuid,noexec,nodev) -> /dev/.[^l]*{,/**},\n"
-+" mount options=(ro,remount,bind,nosuid,noexec,nodev) -> /dev/.l[^x]*{,/**},\n"
-+" mount options=(ro,remount,bind,nosuid,noexec,nodev) -> /dev/.lx[^c]*{,/**},\n"
-+" mount options=(ro,remount,bind,nosuid,noexec,nodev) -> /dev/.lxc?*{,/**},\n"
-+" mount options=(ro,remount,bind,nosuid,noexec,nodev) -> /dev/[^.]*{,/**},\n"
-+" mount options=(ro,remount,bind,nosuid,noexec,nodev) -> /dev?*{,/**},\n"
-+" mount options=(ro,remount,bind,nosuid,noexec,nodev) -> /p[^r]*{,/**},\n"
-+" mount options=(ro,remount,bind,nosuid,noexec,nodev) -> /pr[^o]*{,/**},\n"
-+" mount options=(ro,remount,bind,nosuid,noexec,nodev) -> /pro[^c]*{,/**},\n"
-+" mount options=(ro,remount,bind,nosuid,noexec,nodev) -> /proc?*{,/**},\n"
-+" mount options=(ro,remount,bind,nosuid,noexec,nodev) -> /s[^y]*{,/**},\n"
-+" mount options=(ro,remount,bind,nosuid,noexec,nodev) -> /sy[^s]*{,/**},\n"
-+" mount options=(ro,remount,bind,nosuid,noexec,nodev) -> /sys?*{,/**},\n"
-+"\n"
-+" mount options=(ro,remount,bind,nosuid,noexec,strictatime) -> /[^spd]*{,/**},\n"
-+" mount options=(ro,remount,bind,nosuid,noexec,strictatime) -> /d[^e]*{,/**},\n"
-+" mount options=(ro,remount,bind,nosuid,noexec,strictatime) -> /de[^v]*{,/**},\n"
-+" mount options=(ro,remount,bind,nosuid,noexec,strictatime) -> /dev/.[^l]*{,/**},\n"
-+" mount options=(ro,remount,bind,nosuid,noexec,strictatime) -> /dev/.l[^x]*{,/**},\n"
-+" mount options=(ro,remount,bind,nosuid,noexec,strictatime) -> /dev/.lx[^c]*{,/**},\n"
-+" mount options=(ro,remount,bind,nosuid,noexec,strictatime) -> /dev/.lxc?*{,/**},\n"
-+" mount options=(ro,remount,bind,nosuid,noexec,strictatime) -> /dev/[^.]*{,/**},\n"
-+" mount options=(ro,remount,bind,nosuid,noexec,strictatime) -> /dev?*{,/**},\n"
-+" mount options=(ro,remount,bind,nosuid,noexec,strictatime) -> /p[^r]*{,/**},\n"
-+" mount options=(ro,remount,bind,nosuid,noexec,strictatime) -> /pr[^o]*{,/**},\n"
-+" mount options=(ro,remount,bind,nosuid,noexec,strictatime) -> /pro[^c]*{,/**},\n"
-+" mount options=(ro,remount,bind,nosuid,noexec,strictatime) -> /proc?*{,/**},\n"
-+" mount options=(ro,remount,bind,nosuid,noexec,strictatime) -> /s[^y]*{,/**},\n"
-+" mount options=(ro,remount,bind,nosuid,noexec,strictatime) -> /sy[^s]*{,/**},\n"
-+" mount options=(ro,remount,bind,nosuid,noexec,strictatime) -> /sys?*{,/**},\n"
-+"\n"
- " # allow bind-mounts of anything except /proc, /sys and /dev\n"
- " mount options=(rw,bind) /[^spd]*{,/**},\n"
- " mount options=(rw,bind) /d[^e]*{,/**},\n"
-@@ -167,15 +348,18 @@ static const char AA_PROFILE_BASE[] =
- " mount options=(rw,bind) /sy[^s]*{,/**},\n"
- " mount options=(rw,bind) /sys?*{,/**},\n"
- "\n"
--" # allow various ro-bind-*re*-mounts\n"
--" mount options=(ro,remount,bind),\n"
--" mount options=(ro,remount,bind,nosuid),\n"
--" mount options=(ro,remount,bind,noexec),\n"
--" mount options=(ro,remount,bind,nodev),\n"
--" mount options=(ro,remount,bind,nosuid,noexec),\n"
--" mount options=(ro,remount,bind,noexec,nodev),\n"
--" mount options=(ro,remount,bind,nodev,nosuid),\n"
--" mount options=(ro,remount,bind,nosuid,noexec,nodev),\n"
-+" # Allow rbind-mounts of anything except /, /dev, /proc and /sys\n"
-+" mount options=(rw,rbind) /[^spd]*{,/**},\n"
-+" mount options=(rw,rbind) /d[^e]*{,/**},\n"
-+" mount options=(rw,rbind) /de[^v]*{,/**},\n"
-+" mount options=(rw,rbind) /dev?*{,/**},\n"
-+" mount options=(rw,rbind) /p[^r]*{,/**},\n"
-+" mount options=(rw,rbind) /pr[^o]*{,/**},\n"
-+" mount options=(rw,rbind) /pro[^c]*{,/**},\n"
-+" mount options=(rw,rbind) /proc?*{,/**},\n"
-+" mount options=(rw,rbind) /s[^y]*{,/**},\n"
-+" mount options=(rw,rbind) /sy[^s]*{,/**},\n"
-+" mount options=(rw,rbind) /sys?*{,/**},\n"
- "\n"
- " # allow moving mounts except for /proc, /sys and /dev\n"
- " mount options=(rw,move) /[^spd]*{,/**},\n"
-@@ -339,18 +523,37 @@ static const char AA_PROFILE_NESTING_BASE[] =
- " deny /dev/.lxc/proc/** rw,\n"
- " deny /dev/.lxc/sys/** rw,\n"
- "\n"
-+" # Allow modifying mount propagation\n"
-+" mount options=(rw,make-slave) -> **,\n"
-+" mount options=(rw,make-rslave) -> **,\n"
-+" mount options=(rw,make-shared) -> **,\n"
-+" mount options=(rw,make-rshared) -> **,\n"
-+" mount options=(rw,make-private) -> **,\n"
-+" mount options=(rw,make-rprivate) -> **,\n"
-+" mount options=(rw,make-unbindable) -> **,\n"
-+" mount options=(rw,make-runbindable) -> **,\n"
-+"\n"
- " mount fstype=proc -> /usr/lib/*/lxc/**,\n"
- " mount fstype=sysfs -> /usr/lib/*/lxc/**,\n"
- " mount options=(rw,bind),\n"
- " mount options=(rw,rbind),\n"
--" mount options=(rw,make-rshared),\n"
- "\n"
-- /* FIXME: What's the state here on apparmor's side? */
--" # there doesn't seem to be a way to ask for:\n"
--" # mount options=(ro,nosuid,nodev,noexec,remount,bind),\n"
--" # as we always get mount to $cdir/proc/sys with those flags denied\n"
--" # So allow all mounts until that is straightened out:\n"
--" mount,\n"
-+" # Allow common combinations of bind/remount\n"
-+" # NOTE: AppArmor bug effectively turns those into wildcards mount allow\n"
-+" mount options=(ro,remount,bind),\n"
-+" mount options=(ro,remount,bind,nodev),\n"
-+" mount options=(ro,remount,bind,nodev,nosuid),\n"
-+" mount options=(ro,remount,bind,noexec),\n"
-+" mount options=(ro,remount,bind,noexec,nodev),\n"
-+" mount options=(ro,remount,bind,nosuid),\n"
-+" mount options=(ro,remount,bind,nosuid,nodev),\n"
-+" mount options=(ro,remount,bind,nosuid,noexec),\n"
-+" mount options=(ro,remount,bind,nosuid,noexec,nodev),\n"
-+" mount options=(ro,remount,bind,nosuid,noexec,strictatime),\n"
-+"\n"
-+" # Allow remounting things read-only\n"
-+" mount options=(ro,remount) /,\n"
-+" mount options=(ro,remount) /**,\n"
- ;
- 
- static const char AA_PROFILE_UNPRIVILEGED[] =
--- 
-2.20.1
-
diff --git a/debian/patches/series b/debian/patches/series
index 105391e..d25371a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -10,4 +10,4 @@ pve/0009-init-add-ExecReload-to-lxc.service-to-only-reload-pr.patch
 extra/0001-conf-use-SYSERROR-on-lxc_write_to_file-errors.patch
 extra/0002-Revert-conf-remove-extra-MS_BIND-with-sysfs-mixed.patch
 extra/0003-CVE-2019-5736-runC-rexec-callers-as-memfd.patch
-extra/0004-update-apparmor-profile.patch
+extra/0004-apparmor-generate-ro-bind-remount-rule-list.patch
-- 
2.39.2