[lxc-devel] [lxd/master] lxd/apparmor: Allow ro, remount, noatime, bind
stgraber on Github
lxc-bot at linuxcontainers.org
Wed Jan 29 01:56:41 UTC 2020
From 1217df396fc19b041c094d1bc1f5082aad2abbcc Mon Sep 17 00:00:00 2001
From: Stéphane Graber <stgraber at ubuntu.com>
Date: Tue, 28 Jan 2020 20:55:49 -0500
Subject: [PATCH] lxd/apparmor: Allow ro,remount,noatime,bind
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Apparently systemd uses that particular combination now too, so let's add
it to the ever-growing list :)
Closes #6799
Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
lxd/apparmor/apparmor.go | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/lxd/apparmor/apparmor.go b/lxd/apparmor/apparmor.go
index 91e413dcf0..e7119d3cc1 100644
--- a/lxd/apparmor/apparmor.go
+++ b/lxd/apparmor/apparmor.go
@@ -186,6 +186,23 @@ const profileBase = `
mount options=(ro,remount,bind,noexec,nodev) /sy[^s]*{,/**},
mount options=(ro,remount,bind,noexec,nodev) /sys?*{,/**},
+ mount options=(ro,remount,bind,noatime) /[^spd]*{,/**},
+ mount options=(ro,remount,bind,noatime) /d[^e]*{,/**},
+ mount options=(ro,remount,bind,noatime) /de[^v]*{,/**},
+ mount options=(ro,remount,bind,noatime) /dev/.[^l]*{,/**},
+ mount options=(ro,remount,bind,noatime) /dev/.l[^x]*{,/**},
+ mount options=(ro,remount,bind,noatime) /dev/.lx[^c]*{,/**},
+ mount options=(ro,remount,bind,noatime) /dev/.lxc?*{,/**},
+ mount options=(ro,remount,bind,noatime) /dev/[^.]*{,/**},
+ mount options=(ro,remount,bind,noatime) /dev?*{,/**},
+ mount options=(ro,remount,bind,noatime) /p[^r]*{,/**},
+ mount options=(ro,remount,bind,noatime) /pr[^o]*{,/**},
+ mount options=(ro,remount,bind,noatime) /pro[^c]*{,/**},
+ mount options=(ro,remount,bind,noatime) /proc?*{,/**},
+ mount options=(ro,remount,bind,noatime) /s[^y]*{,/**},
+ mount options=(ro,remount,bind,noatime) /sy[^s]*{,/**},
+ mount options=(ro,remount,bind,noatime) /sys?*{,/**},
+
mount options=(ro,remount,bind,nosuid) /[^spd]*{,/**},
mount options=(ro,remount,bind,nosuid) /d[^e]*{,/**},
mount options=(ro,remount,bind,nosuid) /de[^v]*{,/**},
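Review bot: the 16 new `ro,remount,bind,noatime` rules repeat, line for line, the same path exclusion set already used by the `noexec,nodev` block above and the `nosuid` block that follows (`/[^spd]*`, `/d[^e]*`, `/de[^v]*`, the `/dev/.lxc` carve-out, the `/p...` and `/s...` negated classes), and a single mistyped negated class in any one copy would silently widen what a container is allowed to remount, since nothing here cross-checks the three copies. Because this sits in the Go string constant `profileBase` in `lxd/apparmor/apparmor.go`, consider generating each option combination from one shared list of excluded prefixes in a loop instead of hand-copying the block per combination, so the next "ever growing list" entry is a one-line addition. Independently of that, a comment above the block stating what the patterns are meant to achieve (they appear intended to permit the remount anywhere except under `/sys`, `/proc` and `/dev`, while still permitting `/dev/.lxc?*` siblings but not the `/dev/.lxc` tree itself) would make the rule set auditable without decoding the character classes by hand.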