[lxc-devel] [lxc/master] apparmor: Allow bind-mounts and {r}shared/{r}private
stgraber on Github
lxc-bot at linuxcontainers.org
Thu Jun 23 20:03:23 UTC 2016
From e96e7a1ac7ec693fb5141720cf4d2ec3edcc45c1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Thu, 23 Jun 2016 16:01:29 -0400
Subject: [PATCH] apparmor: Allow bind-mounts and {r}shared/{r}private
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Bind-mounts aren't harmful in containers, so long as they're not used to
bypass MAC policies.
This change allows bind-mounting of any path that isn't a dangerous
filesystem otherwise blocked by AppArmor.
This also allows switching paths {r}shared or {r}private.
Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
config/apparmor/abstractions/container-base | 38 +++++++++++++++++++++-----
config/apparmor/abstractions/container-base.in | 38 +++++++++++++++++++++-----
2 files changed, 62 insertions(+), 14 deletions(-)
diff --git a/config/apparmor/abstractions/container-base b/config/apparmor/abstractions/container-base
index fe24ff3..9452f66 100644
--- a/config/apparmor/abstractions/container-base
+++ b/config/apparmor/abstractions/container-base
@@ -60,13 +60,6 @@
mount fstype=fuse,
mount fstype=fuse.*,
- # allow bind mount of /lib/init/fstab for lxcguest
- mount options=(rw, bind) /lib/init/fstab.lxc/ -> /lib/init/fstab/,
-
- # allow bind mounts of /run/{,lock} to /var/run/{,lock}
- mount options=(rw, bind) /run/ -> /var/run/,
- mount options=(rw, bind) /run/lock/ -> /var/lock/,
-
# deny access under /proc/bus to avoid e.g. messing with pci devices directly
deny @{PROC}/bus/** wklx,
@@ -100,6 +93,37 @@
# deny reads from debugfs
deny /sys/kernel/debug/{,**} rwklx,
+ # allow paths to be made shared, rshared, private or rprivate
+ mount options=(rw,shared) -> /,
+ mount options=(rw,shared) -> /**,
+
+ mount options=(rw,rshared) -> /,
+ mount options=(rw,rshared) -> /**,
+
+ mount options=(rw,private) -> /,
+ mount options=(rw,private) -> /**,
+
+ mount options=(rw,rprivate) -> /,
+ mount options=(rw,rprivate) -> /**,
+
+ # allow bind-mounts of anything except /proc, /sys and /dev
+ mount options=(rw,bind) /[^spd]*{,/**},
+ mount options=(rw,bind) /d[^e]*{,/**},
+ mount options=(rw,bind) /de[^v]*{,/**},
+ mount options=(rw,bind) /dev/.[^l]*{,/**},
+ mount options=(rw,bind) /dev/.l[^x]*{,/**},
+ mount options=(rw,bind) /dev/.lx[^c]*{,/**},
+ mount options=(rw,bind) /dev/.lxc?*{,/**},
+ mount options=(rw,bind) /dev/[^.]*{,/**},
+ mount options=(rw,bind) /dev?*{,/**},
+ mount options=(rw,bind) /p[^r]*{,/**},
+ mount options=(rw,bind) /pr[^o]*{,/**},
+ mount options=(rw,bind) /pro[^c]*{,/**},
+ mount options=(rw,bind) /proc?*{,/**},
+ mount options=(rw,bind) /s[^y]*{,/**},
+ mount options=(rw,bind) /sy[^s]*{,/**},
+ mount options=(rw,bind) /sys?*{,/**},
+
# generated by: lxc-generate-aa-rules.py container-rules.base
deny /proc/sys/[^kn]*{,/**} wklx,
deny /proc/sys/k[^e]*{,/**} wklx,
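Review bot: The comment on the new bind-mount block, `# allow bind-mounts of anything except /proc, /sys and /dev`, does not match the rules beneath it: `/dev/[^.]*{,/**}` and `/dev/.lxc?*{,/**}` permit bind-mounting almost everything inside /dev, and the only /dev paths actually excluded are the directory itself (`/dev?*` rejects the bare name) and `/dev/.lxc` with its subtree. A reader auditing the profile will assume /dev is fully excluded, so the comment should state the real carve-out, e.g. `# allow bind-mounts of any source except /proc/**, /sys/**, /dev itself and /dev/.lxc/** (any destination)`, the destination remark because these rules give no `->` target, so the allowed sources may be bound anywhere. It would also help to note that the block is hand-expanded from a negated-prefix pattern in the same style as the generated rules that follow (`# generated by: lxc-generate-aa-rules.py`), so that future edits to the exclusion list regenerate rather than hand-patch it. The same comment and rule block appears in the container-base.in hunk below and needs the identical wording.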
diff --git a/config/apparmor/abstractions/container-base.in b/config/apparmor/abstractions/container-base.in
index 550625c..68db43d 100644
--- a/config/apparmor/abstractions/container-base.in
+++ b/config/apparmor/abstractions/container-base.in
@@ -60,13 +60,6 @@
mount fstype=fuse,
mount fstype=fuse.*,
- # allow bind mount of /lib/init/fstab for lxcguest
- mount options=(rw, bind) /lib/init/fstab.lxc/ -> /lib/init/fstab/,
-
- # allow bind mounts of /run/{,lock} to /var/run/{,lock}
- mount options=(rw, bind) /run/ -> /var/run/,
- mount options=(rw, bind) /run/lock/ -> /var/lock/,
-
# deny access under /proc/bus to avoid e.g. messing with pci devices directly
deny @{PROC}/bus/** wklx,
@@ -100,3 +93,34 @@
# deny reads from debugfs
deny /sys/kernel/debug/{,**} rwklx,
+ # allow paths to be made shared, rshared, private or rprivate
+ mount options=(rw,shared) -> /,
+ mount options=(rw,shared) -> /**,
+
+ mount options=(rw,rshared) -> /,
+ mount options=(rw,rshared) -> /**,
+
+ mount options=(rw,private) -> /,
+ mount options=(rw,private) -> /**,
+
+ mount options=(rw,rprivate) -> /,
+ mount options=(rw,rprivate) -> /**,
+
+ # allow bind-mounts of anything except /proc, /sys and /dev
+ mount options=(rw,bind) /[^spd]*{,/**},
+ mount options=(rw,bind) /d[^e]*{,/**},
+ mount options=(rw,bind) /de[^v]*{,/**},
+ mount options=(rw,bind) /dev/.[^l]*{,/**},
+ mount options=(rw,bind) /dev/.l[^x]*{,/**},
+ mount options=(rw,bind) /dev/.lx[^c]*{,/**},
+ mount options=(rw,bind) /dev/.lxc?*{,/**},
+ mount options=(rw,bind) /dev/[^.]*{,/**},
+ mount options=(rw,bind) /dev?*{,/**},
+ mount options=(rw,bind) /p[^r]*{,/**},
+ mount options=(rw,bind) /pr[^o]*{,/**},
+ mount options=(rw,bind) /pro[^c]*{,/**},
+ mount options=(rw,bind) /proc?*{,/**},
+ mount options=(rw,bind) /s[^y]*{,/**},
+ mount options=(rw,bind) /sy[^s]*{,/**},
+ mount options=(rw,bind) /sys?*{,/**},
+