From e6ec0a9e71aa68c9fd67c691a62aaae87e356cef Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller
Date: Thu, 15 Nov 2018 11:51:34 +0100
Subject: [PATCH] apparmor: allow various remount,bind options

RW bind mounts need to be restricted for some paths in order to avoid MAC restriction bypasses, but read-only bind mounts shouldn't have that problem. Additionally, combinations of 'nosuid', 'nodev' and 'noexec' flags shouldn't be a problem either and are required with newer systemd versions, so let's allow those as long as they're combined with 'ro,remount,bind'.

Signed-off-by: Wolfgang Bumiller
---
 config/apparmor/abstractions/container-base | 10 +++++++
 .../apparmor/abstractions/container-base.in | 11 +++++++-
 src/lxc/lsm/apparmor.c | 26 +++++++------------
 3 files changed, 29 insertions(+), 18 deletions(-)

diff --git a/config/apparmor/abstractions/container-base b/config/apparmor/abstractions/container-base
index a5e6c35f6..077476559 100644
--- a/config/apparmor/abstractions/container-base
+++ b/config/apparmor/abstractions/container-base
@@ -120,6 +120,16 @@
 mount options=(rw,bind) /sy[^s]*{,/**},
 mount options=(rw,bind) /sys?*{,/**},
 
+ # allow various ro-bind-*re*-mounts
+ mount options=(ro,remount,bind),
+ mount options=(ro,remount,bind,nosuid),
+ mount options=(ro,remount,bind,noexec),
+ mount options=(ro,remount,bind,nodev),
+ mount options=(ro,remount,bind,nosuid,noexec),
+ mount options=(ro,remount,bind,noexec,nodev),
+ mount options=(ro,remount,bind,nodev,nosuid),
+ mount options=(ro,remount,bind,nosuid,noexec,nodev),
+
 # allow moving mounts except for /proc, /sys and /dev
 mount options=(rw,move) /[^spd]*{,/**},
 mount options=(rw,move) /d[^e]*{,/**},
diff --git a/config/apparmor/abstractions/container-base.in b/config/apparmor/abstractions/container-base.in
index 11ec5c45b..1a3ead89a 100644
--- a/config/apparmor/abstractions/container-base.in
+++ b/config/apparmor/abstractions/container-base.in
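Review bot: The eight new `mount options=(ro,remount,bind...)` rules carry no mount point, so unlike the rules this patch removes from src/lxc/lsm/apparmor.c (which excluded /proc, /sys and /dev through the `-> /[^spd]*{,/**}` pattern family) they match a read-only remount of a bind mount at any path, including under /proc, /sys and /dev; the same applies to the identical hunk in config/apparmor/abstractions/container-base.in and to the C string in apparmor.c. The commit message gives the reasoning, but the profile comment `# allow various ro-bind-*re*-mounts` does not, and every neighbouring `rw,bind` and `rw,move` rule does carry path exclusions, so a later reader cannot tell whether the missing target is deliberate. I would replace the comment with `# allow read-only remounts of existing bind mounts, optionally with nosuid/noexec/nodev, on any path: a ro remount,bind only changes the flags of a mount that already exists, so the /proc, /sys and /dev exclusions used for rw,bind above are not needed here`. Since `options=(...)` appears to be an exact-set match here rather than `options in (...)`, all seven nosuid/noexec/nodev combinations plus the bare form are enumerated; a second comment line, `# options=() is an exact match, hence every flag combination is listed`, would explain why there are eight rules instead of one.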
@@ -119,6 +119,16 @@
 mount options=(rw,bind) /sy[^s]*{,/**},
 mount options=(rw,bind) /sys?*{,/**},
 
+ # allow various ro-bind-*re*-mounts
+ mount options=(ro,remount,bind),
+ mount options=(ro,remount,bind,nosuid),
+ mount options=(ro,remount,bind,noexec),
+ mount options=(ro,remount,bind,nodev),
+ mount options=(ro,remount,bind,nosuid,noexec),
+ mount options=(ro,remount,bind,noexec,nodev),
+ mount options=(ro,remount,bind,nodev,nosuid),
+ mount options=(ro,remount,bind,nosuid,noexec,nodev),
+
 # allow moving mounts except for /proc, /sys and /dev
 mount options=(rw,move) /[^spd]*{,/**},
 mount options=(rw,move) /d[^e]*{,/**},
@@ -136,4 +146,3 @@
 mount options=(rw,move) /s[^y]*{,/**},
 mount options=(rw,move) /sy[^s]*{,/**},
 mount options=(rw,move) /sys?*{,/**},
-
diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c
index 6371ab59b..e32b12531 100644
--- a/src/lxc/lsm/apparmor.c
+++ b/src/lxc/lsm/apparmor.c
@@ -167,23 +167,15 @@ static const char AA_PROFILE_BASE[] =
 " mount options=(rw,bind) /sy[^s]*{,/**},\n"
 " mount options=(rw,bind) /sys?*{,/**},\n"
 "\n"
-" # allow read-only bind-mounts of anything except /proc, /sys and /dev\n"
-" mount options=(ro,remount,bind) -> /[^spd]*{,/**},\n"
-" mount options=(ro,remount,bind) -> /d[^e]*{,/**},\n"
-" mount options=(ro,remount,bind) -> /de[^v]*{,/**},\n"
-" mount options=(ro,remount,bind) -> /dev/.[^l]*{,/**},\n"
-" mount options=(ro,remount,bind) -> /dev/.l[^x]*{,/**},\n"
-" mount options=(ro,remount,bind) -> /dev/.lx[^c]*{,/**},\n"
-" mount options=(ro,remount,bind) -> /dev/.lxc?*{,/**},\n"
-" mount options=(ro,remount,bind) -> /dev/[^.]*{,/**},\n"
-" mount options=(ro,remount,bind) -> /dev?*{,/**},\n"
-" mount options=(ro,remount,bind) -> /p[^r]*{,/**},\n"
-" mount options=(ro,remount,bind) -> /pr[^o]*{,/**},\n"
-" mount options=(ro,remount,bind) -> /pro[^c]*{,/**},\n"
-" mount options=(ro,remount,bind) -> /proc?*{,/**},\n"
-" mount options=(ro,remount,bind) -> /s[^y]*{,/**},\n"
-" mount options=(ro,remount,bind) -> /sy[^s]*{,/**},\n"
-" mount options=(ro,remount,bind) -> /sys?*{,/**},\n"
+" # allow various ro-bind-*re*-mounts\n"
+" mount options=(ro,remount,bind),\n"
+" mount options=(ro,remount,bind,nosuid),\n"
+" mount options=(ro,remount,bind,noexec),\n"
+" mount options=(ro,remount,bind,nodev),\n"
+" mount options=(ro,remount,bind,nosuid,noexec),\n"
+" mount options=(ro,remount,bind,noexec,nodev),\n"
+" mount options=(ro,remount,bind,nodev,nosuid),\n"
+" mount options=(ro,remount,bind,nosuid,noexec,nodev),\n"
 "\n"
 " # allow moving mounts except for /proc, /sys and /dev\n"
 " mount options=(rw,move) /[^spd]*{,/**},\n"
-- 
2.39.2
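Review bot: AA_PROFILE_BASE now holds a third verbatim copy of the rule list that also lives in config/apparmor/abstractions/container-base and container-base.in, and nothing in the source ties the copies together. The diffstat suggests they had already drifted before this patch (container-base gains 10 lines and loses none, while this string loses the 17 path-restricted `ro,remount,bind ->` rules), so a container confined by the embedded string and one confined by the abstraction file were running under different policy. I would add `/* NOTE: keep in sync with config/apparmor/abstractions/container-base.in */` above the definition of AA_PROFILE_BASE, and consider generating the string from the .in file instead of hand-copying it. The definition of AA_PROFILE_BASE begins before and ends after this hunk.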