Skip to content

L
lxc
Commit e96e7a1a by Stéphane Graber
Options

apparmor: Allow bind-mounts and {r}shared/{r}private

Bind-mounts aren't harmful in containers, so long as they're not used to bypass MAC policies. This change allows bind-mounting of any path which isn't a dangerous filesystem that's otherwise blocked by apparmor. This also allows switching paths {r}shared or {r}private. Signed-off-by: 's avatarStéphane Graber <stgraber@ubuntu.com>
parent f6578a7b
Showing with 62 additions and 14 deletions
config/apparmor/abstractions/container-base
......@@ -60,13 +60,6 @@
mount fstype=fuse,
mount fstype=fuse.*,
# allow bind mount of /lib/init/fstab for lxcguest
mount options=(rw, bind) /lib/init/fstab.lxc/ -> /lib/init/fstab/,
# allow bind mounts of /run/{,lock} to /var/run/{,lock}
mount options=(rw, bind) /run/ -> /var/run/,
mount options=(rw, bind) /run/lock/ -> /var/lock/,
# deny access under /proc/bus to avoid e.g. messing with pci devices directly
deny @{PROC}/bus/** wklx,
......@@ -100,6 +93,37 @@
# deny reads from debugfs
deny /sys/kernel/debug/{,**} rwklx,
# allow paths to be made shared, rshared, private or rprivate
mount options=(rw,shared) -> /,
mount options=(rw,shared) -> /**,
mount options=(rw,rshared) -> /,
mount options=(rw,rshared) -> /**,
mount options=(rw,private) -> /,
mount options=(rw,private) -> /**,
mount options=(rw,rprivate) -> /,
mount options=(rw,rprivate) -> /**,
# allow bind-mounts of anything except /proc, /sys and /dev
mount options=(rw,bind) /[^spd]*{,/**},
mount options=(rw,bind) /d[^e]*{,/**},
mount options=(rw,bind) /de[^v]*{,/**},
mount options=(rw,bind) /dev/.[^l]*{,/**},
mount options=(rw,bind) /dev/.l[^x]*{,/**},
mount options=(rw,bind) /dev/.lx[^c]*{,/**},
mount options=(rw,bind) /dev/.lxc?*{,/**},
mount options=(rw,bind) /dev/[^.]*{,/**},
mount options=(rw,bind) /dev?*{,/**},
mount options=(rw,bind) /p[^r]*{,/**},
mount options=(rw,bind) /pr[^o]*{,/**},
mount options=(rw,bind) /pro[^c]*{,/**},
mount options=(rw,bind) /proc?*{,/**},
mount options=(rw,bind) /s[^y]*{,/**},
mount options=(rw,bind) /sy[^s]*{,/**},
mount options=(rw,bind) /sys?*{,/**},
# generated by: lxc-generate-aa-rules.py container-rules.base
deny /proc/sys/[^kn]*{,/**} wklx,
deny /proc/sys/k[^e]*{,/**} wklx,
......
config/apparmor/abstractions/container-base.in
......@@ -60,13 +60,6 @@
mount fstype=fuse,
mount fstype=fuse.*,
# allow bind mount of /lib/init/fstab for lxcguest
mount options=(rw, bind) /lib/init/fstab.lxc/ -> /lib/init/fstab/,
# allow bind mounts of /run/{,lock} to /var/run/{,lock}
mount options=(rw, bind) /run/ -> /var/run/,
mount options=(rw, bind) /run/lock/ -> /var/lock/,
# deny access under /proc/bus to avoid e.g. messing with pci devices directly
deny @{PROC}/bus/** wklx,
......@@ -100,3 +93,34 @@
# deny reads from debugfs
deny /sys/kernel/debug/{,**} rwklx,
# allow paths to be made shared, rshared, private or rprivate
mount options=(rw,shared) -> /,
mount options=(rw,shared) -> /**,
mount options=(rw,rshared) -> /,
mount options=(rw,rshared) -> /**,
mount options=(rw,private) -> /,
mount options=(rw,private) -> /**,
mount options=(rw,rprivate) -> /,
mount options=(rw,rprivate) -> /**,
# allow bind-mounts of anything except /proc, /sys and /dev
mount options=(rw,bind) /[^spd]*{,/**},
mount options=(rw,bind) /d[^e]*{,/**},
mount options=(rw,bind) /de[^v]*{,/**},
mount options=(rw,bind) /dev/.[^l]*{,/**},
mount options=(rw,bind) /dev/.l[^x]*{,/**},
mount options=(rw,bind) /dev/.lx[^c]*{,/**},
mount options=(rw,bind) /dev/.lxc?*{,/**},
mount options=(rw,bind) /dev/[^.]*{,/**},
mount options=(rw,bind) /dev?*{,/**},
mount options=(rw,bind) /p[^r]*{,/**},
mount options=(rw,bind) /pr[^o]*{,/**},
mount options=(rw,bind) /pro[^c]*{,/**},
mount options=(rw,bind) /proc?*{,/**},
mount options=(rw,bind) /s[^y]*{,/**},
mount options=(rw,bind) /sy[^s]*{,/**},
mount options=(rw,bind) /sys?*{,/**},
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment