apparmor: allow various remount,bind options

RW bind mounts need to be restricted for some paths in
order to avoid MAC restriction bypasses, but read-only bind
mounts shouldn't have that problem.

Additionally, combinations of 'nosuid', 'nodev' and
'noexec' flags shouldn't be a problem either and are
required with newer systemd versions, so let's allow those
as long as they're combined with 'ro,remount,bind'.

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>

diff --git a/config/apparmor/abstractions/container-base b/config/apparmor/abstractions/container-base
index a5e6c35f6077b63067a27ebf31bc71a4880b93c0..0774765594ef05ae2f57a698eb2c8ae708dfe135 100644 (file)
--- a/config/apparmor/abstractions/container-base
+++ b/config/apparmor/abstractions/container-base
@@ -120,6 +120,16 @@
   mount options=(rw,bind) /sy[^s]*{,/**},
   mount options=(rw,bind) /sys?*{,/**},
 
+  # allow various ro-bind-*re*-mounts
+  mount options=(ro,remount,bind),
+  mount options=(ro,remount,bind,nosuid),
+  mount options=(ro,remount,bind,noexec),
+  mount options=(ro,remount,bind,nodev),
+  mount options=(ro,remount,bind,nosuid,noexec),
+  mount options=(ro,remount,bind,noexec,nodev),
+  mount options=(ro,remount,bind,nodev,nosuid),
+  mount options=(ro,remount,bind,nosuid,noexec,nodev),
+
   # allow moving mounts except for /proc, /sys and /dev
   mount options=(rw,move) /[^spd]*{,/**},
   mount options=(rw,move) /d[^e]*{,/**},

diff --git a/config/apparmor/abstractions/container-base.in b/config/apparmor/abstractions/container-base.in
index 11ec5c45b9ce343c56f006acd7298174f649f6df..1a3ead89ad6d40753166bf1da9a2a62eb01b80b9 100644 (file)
--- a/config/apparmor/abstractions/container-base.in
+++ b/config/apparmor/abstractions/container-base.in
@@ -119,6 +119,16 @@
   mount options=(rw,bind) /sy[^s]*{,/**},
   mount options=(rw,bind) /sys?*{,/**},
 
+  # allow various ro-bind-*re*-mounts
+  mount options=(ro,remount,bind),
+  mount options=(ro,remount,bind,nosuid),
+  mount options=(ro,remount,bind,noexec),
+  mount options=(ro,remount,bind,nodev),
+  mount options=(ro,remount,bind,nosuid,noexec),
+  mount options=(ro,remount,bind,noexec,nodev),
+  mount options=(ro,remount,bind,nodev,nosuid),
+  mount options=(ro,remount,bind,nosuid,noexec,nodev),
+
   # allow moving mounts except for /proc, /sys and /dev
   mount options=(rw,move) /[^spd]*{,/**},
   mount options=(rw,move) /d[^e]*{,/**},
@@ -136,4 +146,3 @@
   mount options=(rw,move) /s[^y]*{,/**},
   mount options=(rw,move) /sy[^s]*{,/**},
   mount options=(rw,move) /sys?*{,/**},
-

diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c
index 6371ab59bbd7e66c4d689a2d42b81137bf8f9c91..e32b12531956ae0958fce4e26164aa71869ca0c4 100644 (file)
--- a/src/lxc/lsm/apparmor.c
+++ b/src/lxc/lsm/apparmor.c
@@ -167,23 +167,15 @@ static const char AA_PROFILE_BASE[] =
 "  mount options=(rw,bind) /sy[^s]*{,/**},\n"
 "  mount options=(rw,bind) /sys?*{,/**},\n"
 "\n"
-"  # allow read-only bind-mounts of anything except /proc, /sys and /dev\n"
-"  mount options=(ro,remount,bind) -> /[^spd]*{,/**},\n"
-"  mount options=(ro,remount,bind) -> /d[^e]*{,/**},\n"
-"  mount options=(ro,remount,bind) -> /de[^v]*{,/**},\n"
-"  mount options=(ro,remount,bind) -> /dev/.[^l]*{,/**},\n"
-"  mount options=(ro,remount,bind) -> /dev/.l[^x]*{,/**},\n"
-"  mount options=(ro,remount,bind) -> /dev/.lx[^c]*{,/**},\n"
-"  mount options=(ro,remount,bind) -> /dev/.lxc?*{,/**},\n"
-"  mount options=(ro,remount,bind) -> /dev/[^.]*{,/**},\n"
-"  mount options=(ro,remount,bind) -> /dev?*{,/**},\n"
-"  mount options=(ro,remount,bind) -> /p[^r]*{,/**},\n"
-"  mount options=(ro,remount,bind) -> /pr[^o]*{,/**},\n"
-"  mount options=(ro,remount,bind) -> /pro[^c]*{,/**},\n"
-"  mount options=(ro,remount,bind) -> /proc?*{,/**},\n"
-"  mount options=(ro,remount,bind) -> /s[^y]*{,/**},\n"
-"  mount options=(ro,remount,bind) -> /sy[^s]*{,/**},\n"
-"  mount options=(ro,remount,bind) -> /sys?*{,/**},\n"
+"  # allow various ro-bind-*re*-mounts\n"
+"  mount options=(ro,remount,bind),\n"
+"  mount options=(ro,remount,bind,nosuid),\n"
+"  mount options=(ro,remount,bind,noexec),\n"
+"  mount options=(ro,remount,bind,nodev),\n"
+"  mount options=(ro,remount,bind,nosuid,noexec),\n"
+"  mount options=(ro,remount,bind,noexec,nodev),\n"
+"  mount options=(ro,remount,bind,nodev,nosuid),\n"
+"  mount options=(ro,remount,bind,nosuid,noexec,nodev),\n"
 "\n"
 "  # allow moving mounts except for /proc, /sys and /dev\n"
 "  mount options=(rw,move) /[^spd]*{,/**},\n"