The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/2727
This e-mail was sent by the LXC bot, direct replies will not reach the author
unless they happen to be subscribed to this list.
=== Description (from pull-request) ===
RW bind mounts need to be restricted for some paths in
order to avoid MAC restriction bypasses, but read-only bind
mounts shouldn't have that problem.
Additionally, combinations of 'nosuid', 'nodev' and
'noexec' flags shouldn't be a problem either and are
required with newer systemd versions, so let's allow those
as long as they're combined with 'ro,remount,bind'.
Signed-off-by: Wolfgang Bumiller
From e6ec0a9e71aa68c9fd67c691a62aaae87e356cef Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller
Date: Thu, 15 Nov 2018 11:51:34 +0100
Subject: [PATCH] apparmor: allow various remount,bind options
RW bind mounts need to be restricted for some paths in
order to avoid MAC restriction bypasses, but read-only bind
mounts shouldn't have that problem.
Additionally, combinations of 'nosuid', 'nodev' and
'noexec' flags shouldn't be a problem either and are
required with newer systemd versions, so let's allow those
as long as they're combined with 'ro,remount,bind'.
Signed-off-by: Wolfgang Bumiller
---
config/apparmor/abstractions/container-base | 10 +++
.../apparmor/abstractions/container-base.in | 11 +++-
src/lxc/lsm/apparmor.c| 26 +++
3 files changed, 29 insertions(+), 18 deletions(-)
diff --git a/config/apparmor/abstractions/container-base
b/config/apparmor/abstractions/container-base
index a5e6c35f6..077476559 100644
--- a/config/apparmor/abstractions/container-base
+++ b/config/apparmor/abstractions/container-base
@@ -120,6 +120,16 @@
mount options=(rw,bind) /sy[^s]*{,/**},
mount options=(rw,bind) /sys?*{,/**},
+ # allow various ro-bind-*re*-mounts
+ mount options=(ro,remount,bind),
+ mount options=(ro,remount,bind,nosuid),
+ mount options=(ro,remount,bind,noexec),
+ mount options=(ro,remount,bind,nodev),
+ mount options=(ro,remount,bind,nosuid,noexec),
+ mount options=(ro,remount,bind,noexec,nodev),
+ mount options=(ro,remount,bind,nodev,nosuid),
+ mount options=(ro,remount,bind,nosuid,noexec,nodev),
+
# allow moving mounts except for /proc, /sys and /dev
mount options=(rw,move) /[^spd]*{,/**},
mount options=(rw,move) /d[^e]*{,/**},
diff --git a/config/apparmor/abstractions/container-base.in
b/config/apparmor/abstractions/container-base.in
index 11ec5c45b..1a3ead89a 100644
--- a/config/apparmor/abstractions/container-base.in
+++ b/config/apparmor/abstractions/container-base.in
@@ -119,6 +119,16 @@
mount options=(rw,bind) /sy[^s]*{,/**},
mount options=(rw,bind) /sys?*{,/**},
+ # allow various ro-bind-*re*-mounts
+ mount options=(ro,remount,bind),
+ mount options=(ro,remount,bind,nosuid),
+ mount options=(ro,remount,bind,noexec),
+ mount options=(ro,remount,bind,nodev),
+ mount options=(ro,remount,bind,nosuid,noexec),
+ mount options=(ro,remount,bind,noexec,nodev),
+ mount options=(ro,remount,bind,nodev,nosuid),
+ mount options=(ro,remount,bind,nosuid,noexec,nodev),
+
# allow moving mounts except for /proc, /sys and /dev
mount options=(rw,move) /[^spd]*{,/**},
mount options=(rw,move) /d[^e]*{,/**},
@@ -136,4 +146,3 @@
mount options=(rw,move) /s[^y]*{,/**},
mount options=(rw,move) /sy[^s]*{,/**},
mount options=(rw,move) /sys?*{,/**},
-
diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c
index 6371ab59b..e32b12531 100644
--- a/src/lxc/lsm/apparmor.c
+++ b/src/lxc/lsm/apparmor.c
@@ -167,23 +167,15 @@ static const char AA_PROFILE_BASE[] =
" mount options=(rw,bind) /sy[^s]*{,/**},\n"
" mount options=(rw,bind) /sys?*{,/**},\n"
"\n"
-" # allow read-only bind-mounts of anything except /proc, /sys and /dev\n"
-" mount options=(ro,remount,bind) -> /[^spd]*{,/**},\n"
-" mount options=(ro,remount,bind) -> /d[^e]*{,/**},\n"
-" mount options=(ro,remount,bind) -> /de[^v]*{,/**},\n"
-" mount options=(ro,remount,bind) -> /dev/.[^l]*{,/**},\n"
-" mount options=(ro,remount,bind) -> /dev/.l[^x]*{,/**},\n"
-" mount options=(ro,remount,bind) -> /dev/.lx[^c]*{,/**},\n"
-" mount options=(ro,remount,bind) -> /dev/.lxc?*{,/**},\n"
-" mount options=(ro,remount,bind) -> /dev/[^.]*{,/**},\n"
-" mount options=(ro,remount,bind) -> /dev?*{,/**},\n"
-" mount options=(ro,remount,bind) -> /p[^r]*{,/**},\n"
-" mount options=(ro,remount,bind) -> /pr[^o]*{,/**},\n"
-" mount options=(ro,remount,bind) -> /pro[^c]*{,/**},\n"
-" mount options=(ro,remount,bind) -> /proc?*{,/**},\n"
-" mount options=(ro,remount,bind) -> /s[^y]*{,/**},\n"
-" mount options=(ro,remount,bind) -> /sy[^s]*{,/**},\n"
-" mount options=(ro,remount,bind) -> /sys?*{,/**},\n"
+" # allow various ro-bind-*re*-mounts\n"
+" mount options=(ro,remount,bind),\n"
+" mount options=(ro,remount,bind,nosuid),\n"
+" mount options=(ro,remount,bind,noe
