git.proxmox.com Git - pve-container.git/commit

author	Filip Schauer <f.schauer@proxmox.com>
	Tue, 9 Apr 2024 09:26:22 +0000 (11:26 +0200)
committer	Wolfgang Bumiller <w.bumiller@proxmox.com>
	Tue, 9 Apr 2024 09:35:35 +0000 (11:35 +0200)
commit	05c355a922896471c29538dd02a5cb65658e00e5
tree	e50ff9bde3d33d0c58bfba933a21195182c1b783	tree
parent	7a735681f2105624b460601d8e316fb10d7614f8	commit \| diff

fix #5160: fix move_mount regression for mount point hotplug

Set up an Apparmor profile to allow moving mounts for mount point
hotplug.

This fixes a regression caused by
kernel commit 157a3537d6 ("apparmor: Fix regression in mount mediation")

The commit introduced move_mount mediation, which now requires
move_mount to be allowed in the Apparmor profile. Although it is allowed
for most paths in the /usr/bin/lxc-start profile, move_mount is called
with a file descriptor instead of a path in mountpoint_insert_staged,
thus it is not affected by the allow rules in
/etc/apparmor.d/abstractions/lxc/container-base.

To fix this, introduce a new Apparmor profile to allow move_mount on
every mount, specifically for mount point hotplug.

Signed-off-by: Filip Schauer <f.schauer@proxmox.com>

debian/rules		diff \| blob \| blame \| history
src/Makefile		diff \| blob \| blame \| history
src/PVE/LXC.pm		diff \| blob \| blame \| history
src/pve-container-mounthotplug	[new file with mode: 0644]	blob