The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/2758

This e-mail was sent by the LXC bot, direct replies will not reach the author
unless they happen to be subscribed to this list.

=== Description (from pull-request) ===
RW bind mounts need to be restricted for some paths in
order to avoid MAC restriction bypasses, but read-only bind
mounts shouldn't have that problem.

Additionally, combinations of 'nosuid', 'nodev' and
'noexec' flags shouldn't be a problem either and are
required with newer systemd versions, so let's allow those
as long as they're combined with 'ro,remount,bind'.

Signed-off-by: Wolfgang Bumiller <w.bumil...@proxmox.com>
(cherry picked from commit e6ec0a9e71aa68c9fd67c691a62aaae87e356cef)
From 1cc28d37b7b74c45e5e11a5aa09cc0103a8510b7 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumil...@proxmox.com>
Date: Thu, 15 Nov 2018 11:51:34 +0100
Subject: [PATCH] apparmor: allow various remount,bind options

RW bind mounts need to be restricted for some paths in
order to avoid MAC restriction bypasses, but read-only bind
mounts shouldn't have that problem.

Additionally, combinations of 'nosuid', 'nodev' and
'noexec' flags shouldn't be a problem either and are
required with newer systemd versions, so let's allow those
as long as they're combined with 'ro,remount,bind'.

Signed-off-by: Wolfgang Bumiller <w.bumil...@proxmox.com>
(cherry picked from commit e6ec0a9e71aa68c9fd67c691a62aaae87e356cef)
---
 config/apparmor/abstractions/container-base    | 10 ++++++++++
 config/apparmor/abstractions/container-base.in | 11 ++++++++++-
 2 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/config/apparmor/abstractions/container-base b/config/apparmor/abstractions/container-base
index a5e6c35f60..0774765594 100644
--- a/config/apparmor/abstractions/container-base
+++ b/config/apparmor/abstractions/container-base
@@ -120,6 +120,16 @@
   mount options=(rw,bind) /sy[^s]*{,/**},
   mount options=(rw,bind) /sys?*{,/**},
 
+  # allow various ro-bind-*re*-mounts
+  mount options=(ro,remount,bind),
+  mount options=(ro,remount,bind,nosuid),
+  mount options=(ro,remount,bind,noexec),
+  mount options=(ro,remount,bind,nodev),
+  mount options=(ro,remount,bind,nosuid,noexec),
+  mount options=(ro,remount,bind,noexec,nodev),
+  mount options=(ro,remount,bind,nodev,nosuid),
+  mount options=(ro,remount,bind,nosuid,noexec,nodev),
+
   # allow moving mounts except for /proc, /sys and /dev
   mount options=(rw,move) /[^spd]*{,/**},
   mount options=(rw,move) /d[^e]*{,/**},
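Review bot: The eight new `mount options=(ro,remount,bind...)` rules carry no mount point, so they match any path, and the only thing keeping this from reopening the bypass that the `rw,bind` rules above are carved out to prevent is that every listed combination contains `ro`. That invariant is worth stating in the comment, e.g. `# allow various ro-bind-*re*-mounts (no path: safe only because every rule is read-only)`, and it also explains why the combinations are enumerated rather than written as one `options in (...)` rule, which would match subsets lacking `ro`. The list does cover all 2^3 subsets of nosuid/noexec/nodev, but that is easy to misread because the pair rules use three different orderings (`nosuid,noexec`, `noexec,nodev`, `nodev,nosuid`); one canonical order would make the completeness check mechanical.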
diff --git a/config/apparmor/abstractions/container-base.in b/config/apparmor/abstractions/container-base.in
index 11ec5c45b9..1a3ead89ad 100644
--- a/config/apparmor/abstractions/container-base.in
+++ b/config/apparmor/abstractions/container-base.in
@@ -119,6 +119,16 @@
   mount options=(rw,bind) /sy[^s]*{,/**},
   mount options=(rw,bind) /sys?*{,/**},
 
+  # allow various ro-bind-*re*-mounts
+  mount options=(ro,remount,bind),
+  mount options=(ro,remount,bind,nosuid),
+  mount options=(ro,remount,bind,noexec),
+  mount options=(ro,remount,bind,nodev),
+  mount options=(ro,remount,bind,nosuid,noexec),
+  mount options=(ro,remount,bind,noexec,nodev),
+  mount options=(ro,remount,bind,nodev,nosuid),
+  mount options=(ro,remount,bind,nosuid,noexec,nodev),
+
   # allow moving mounts except for /proc, /sys and /dev
   mount options=(rw,move) /[^spd]*{,/**},
   mount options=(rw,move) /d[^e]*{,/**},
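Review bot: This hunk must stay byte-identical to the one in the generated `container-base`, and it does (same eight rules, same comment, same orderings), so the two files remain in sync; the same comment and ordering suggestions as for the generated file apply here, and since the `.in` template is the source of truth, fixing them here first and regenerating would avoid the two copies drifting.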
@@ -136,4 +146,3 @@
   mount options=(rw,move) /s[^y]*{,/**},
   mount options=(rw,move) /sy[^s]*{,/**},
   mount options=(rw,move) /sys?*{,/**},
-
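Review bot: The removal of the trailing blank line at end of file is unrelated to the subject (`allow various remount,bind options`) and is what accounts for the `1 deletion(-)` in the diffstat; either mention the whitespace cleanup in the commit message or split it into its own commit so the security-relevant change is reviewable on its own.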
_______________________________________________
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel