fix #5160: fix move_mount regression for mount point hotplug

Set up an Apparmor profile to allow moving mounts for mount point
hotplug.

This fixes a regression caused by
kernel commit 157a3537d6 ("apparmor: Fix regression in mount mediation")

The commit introduced move_mount mediation, which now requires
move_mount to be allowed in the Apparmor profile. Although it is allowed
for most paths in the /usr/bin/lxc-start profile, move_mount is called
with a file descriptor instead of a path in mountpoint_insert_staged,
thus it is not affected by the allow rules in
/etc/apparmor.d/abstractions/lxc/container-base.

To fix this, introduce a new Apparmor profile to allow move_mount on
every mount, specifically for mount point hotplug.

Signed-off-by: Filip Schauer <f.schauer@proxmox.com>

diff --git a/debian/rules b/debian/rules
index d9991520dafda68c382efaacb678b47191b62915..f7edccf28afb05a4d55a26765f7ba49082c497de 100755 (executable)
--- a/debian/rules
+++ b/debian/rules
@@ -14,3 +14,6 @@
 
 override_dh_installsystemd:
        dh_installsystemd -ppve-container --no-start --no-enable --no-restart-after-upgrade -r 'system-pve\x2dcontainer.slice'
+
+override_dh_install:
+       dh_apparmor -p pve-container --profile-name=pve-container-mounthotplug

diff --git a/src/Makefile b/src/Makefile
index 5a7a82e13a5a71aed72f4dd6ec849fde7823d415..e0b7734c177ed5903edd805226c7c22b54ffefaa 100644 (file)
--- a/src/Makefile
+++ b/src/Makefile
@@ -4,6 +4,7 @@ PREFIX=${DESTDIR}/usr
 BINDIR=${PREFIX}/bin
 LIBDIR=${PREFIX}/lib
 SBINDIR=${PREFIX}/sbin
+ETCDIR=${DESTDIR}/etc
 MANDIR=${PREFIX}/share/man
 DOCDIR=${PREFIX}/share/doc/${PACKAGE}
 LXC_SCRIPT_DIR=${PREFIX}/share/lxc
@@ -13,6 +14,7 @@ LXC_CONFIG_DIR=${LXC_SCRIPT_DIR}/config
 LXC_COMMON_CONFIG_DIR=${LXC_CONFIG_DIR}/common.conf.d
 LXC_USERNS_CONFIG_DIR=${LXC_CONFIG_DIR}/userns.conf.d
 SERVICEDIR=${DESTDIR}/lib/systemd/system
+APPARMORDDIR=${ETCDIR}/apparmor.d
 PODDIR=${DOCDIR}/pod
 MAN1DIR=${MANDIR}/man1/
 MAN5DIR=${MANDIR}/man5/
@@ -73,6 +75,7 @@ install: pct lxc-pve.conf pct.1 pct.conf.5 pct.bash-completion pct.zsh-completio
        gzip -9 ${MAN5DIR}/pct.conf.5
        cd ${MAN5DIR}; ln -s pct.conf.5.gz ct.conf.5.gz
        install -D -m 0644 10-pve-ct-inotify-limits.conf ${LIBDIR}/sysctl.d/10-pve-ct-inotify-limits.conf
+       install -D -m 0644 pve-container-mounthotplug ${APPARMORDDIR}/pve-container-mounthotplug
 
 pve-userns.seccomp: /usr/share/lxc/config/common.seccomp
        cp $< $@

diff --git a/src/PVE/LXC.pm b/src/PVE/LXC.pm
index 7883cfb990a2d940f0796e89a83aa48cadd8501d..7db48335200d9a9e319ddaddf8d09f6376fdac89 100644 (file)
--- a/src/PVE/LXC.pm
+++ b/src/PVE/LXC.pm
@@ -1974,7 +1974,7 @@ sub mountpoint_hotplug :prototype($$$$$) {
        my $dir = get_staging_mount_path($opt);
 
        # Now switch our apparmor profile before mounting:
-       my $data = 'changeprofile /usr/bin/lxc-start';
+       my $data = 'changeprofile pve-container-mounthotplug';
        if (syswrite($aa_fd, $data, length($data)) != length($data)) {
            die "failed to change apparmor profile: $!\n";
        }

diff --git a/src/pve-container-mounthotplug b/src/pve-container-mounthotplug
new file mode 100644 (file)
index 0000000..e6f3903
--- /dev/null
+++ b/src/pve-container-mounthotplug
@@ -0,0 +1,7 @@
+#include <tunables/global>
+
+profile pve-container-mounthotplug flags=(attach_disconnected) {
+  #include <abstractions/lxc/start-container>
+
+  mount options=(move),
+}