Skip to content

L
lxc
Unverified Commit 0d585e47 by Christian Brauner Committed by GitHub
Options

Merge pull request #2758 from Blub/2018-12-17/stable-3.0/apparmor-bind-remount

apparmor: allow various remount,bind options
parents 51a9e74b 1cc28d37
Showing with 20 additions and 1 deletion
config/apparmor/abstractions/container-base
......@@ -120,6 +120,16 @@
mount options=(rw,bind) /sy[^s]*{,/**},
mount options=(rw,bind) /sys?*{,/**},
# allow various ro-bind-*re*-mounts
mount options=(ro,remount,bind),
mount options=(ro,remount,bind,nosuid),
mount options=(ro,remount,bind,noexec),
mount options=(ro,remount,bind,nodev),
mount options=(ro,remount,bind,nosuid,noexec),
mount options=(ro,remount,bind,noexec,nodev),
mount options=(ro,remount,bind,nodev,nosuid),
mount options=(ro,remount,bind,nosuid,noexec,nodev),
# allow moving mounts except for /proc, /sys and /dev
mount options=(rw,move) /[^spd]*{,/**},
mount options=(rw,move) /d[^e]*{,/**},
......
config/apparmor/abstractions/container-base.in
......@@ -119,6 +119,16 @@
mount options=(rw,bind) /sy[^s]*{,/**},
mount options=(rw,bind) /sys?*{,/**},
# allow various ro-bind-*re*-mounts
mount options=(ro,remount,bind),
mount options=(ro,remount,bind,nosuid),
mount options=(ro,remount,bind,noexec),
mount options=(ro,remount,bind,nodev),
mount options=(ro,remount,bind,nosuid,noexec),
mount options=(ro,remount,bind,noexec,nodev),
mount options=(ro,remount,bind,nodev,nosuid),
mount options=(ro,remount,bind,nosuid,noexec,nodev),
# allow moving mounts except for /proc, /sys and /dev
mount options=(rw,move) /[^spd]*{,/**},
mount options=(rw,move) /d[^e]*{,/**},
......@@ -136,4 +146,3 @@
mount options=(rw,move) /s[^y]*{,/**},
mount options=(rw,move) /sy[^s]*{,/**},
mount options=(rw,move) /sys?*{,/**},
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment