[lxc-devel] [lxc/master] More apparmor tweaks

stgraber on Github lxc-bot at linuxcontainers.org
Mon Jun 27 19:15:40 UTC 2016


From af5f70c4b52732b25941766c1f7004595eebd49e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Mon, 27 Jun 2016 15:11:16 -0400
Subject: [PATCH 1/2] apparmor: allow mount move
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
 config/apparmor/abstractions/container-base    | 18 ++++++++++++++++++
 config/apparmor/abstractions/container-base.in | 18 ++++++++++++++++++
 2 files changed, 36 insertions(+)

diff --git a/config/apparmor/abstractions/container-base b/config/apparmor/abstractions/container-base
index 9452f66..7533fdb 100644
--- a/config/apparmor/abstractions/container-base
+++ b/config/apparmor/abstractions/container-base
@@ -124,6 +124,24 @@
   mount options=(rw,bind) /sy[^s]*{,/**},
   mount options=(rw,bind) /sys?*{,/**},
 
+  # allow moving mounts except for /proc, /sys and /dev
+  mount options=(rw,move) /[^spd]*{,/**},
+  mount options=(rw,move) /d[^e]*{,/**},
+  mount options=(rw,move) /de[^v]*{,/**},
+  mount options=(rw,move) /dev/.[^l]*{,/**},
+  mount options=(rw,move) /dev/.l[^x]*{,/**},
+  mount options=(rw,move) /dev/.lx[^c]*{,/**},
+  mount options=(rw,move) /dev/.lxc?*{,/**},
+  mount options=(rw,move) /dev/[^.]*{,/**},
+  mount options=(rw,move) /dev?*{,/**},
+  mount options=(rw,move) /p[^r]*{,/**},
+  mount options=(rw,move) /pr[^o]*{,/**},
+  mount options=(rw,move) /pro[^c]*{,/**},
+  mount options=(rw,move) /proc?*{,/**},
+  mount options=(rw,move) /s[^y]*{,/**},
+  mount options=(rw,move) /sy[^s]*{,/**},
+  mount options=(rw,move) /sys?*{,/**},
+
   # generated by: lxc-generate-aa-rules.py container-rules.base
   deny /proc/sys/[^kn]*{,/**} wklx,
   deny /proc/sys/k[^e]*{,/**} wklx,
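Review bot: The comment `# allow moving mounts except for /proc, /sys and /dev` undersells what the rules beneath it permit: the `/dev/.[^l]*`, `/dev/.l[^x]*`, `/dev/.lx[^c]*`, `/dev/.lxc?*` and `/dev/[^.]*` lines allow a move source anywhere under /dev apart from /dev itself and the /dev/.lxc subtree, mirroring the bind-mount block above. Suggest `# allow moving mounts except for /proc, /sys, /dev itself and /dev/.lxc{,/**}` so the exclusion set is readable without decoding the character classes. A second line worth adding is that these rules constrain only the move source; the mount target is unrestricted as written, which looks intentional given that the path-based deny rules for /proc/sys below are what the source exclusions protect from being re-exposed under another name, but it is not obvious from the rule text alone. The same block is duplicated verbatim in container-base.in in the second hunk, so the comment fix applies there too.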
diff --git a/config/apparmor/abstractions/container-base.in b/config/apparmor/abstractions/container-base.in
index 68db43d..022d04d 100644
--- a/config/apparmor/abstractions/container-base.in
+++ b/config/apparmor/abstractions/container-base.in
@@ -124,3 +124,21 @@
   mount options=(rw,bind) /sy[^s]*{,/**},
   mount options=(rw,bind) /sys?*{,/**},
 
+  # allow moving mounts except for /proc, /sys and /dev
+  mount options=(rw,move) /[^spd]*{,/**},
+  mount options=(rw,move) /d[^e]*{,/**},
+  mount options=(rw,move) /de[^v]*{,/**},
+  mount options=(rw,move) /dev/.[^l]*{,/**},
+  mount options=(rw,move) /dev/.l[^x]*{,/**},
+  mount options=(rw,move) /dev/.lx[^c]*{,/**},
+  mount options=(rw,move) /dev/.lxc?*{,/**},
+  mount options=(rw,move) /dev/[^.]*{,/**},
+  mount options=(rw,move) /dev?*{,/**},
+  mount options=(rw,move) /p[^r]*{,/**},
+  mount options=(rw,move) /pr[^o]*{,/**},
+  mount options=(rw,move) /pro[^c]*{,/**},
+  mount options=(rw,move) /proc?*{,/**},
+  mount options=(rw,move) /s[^y]*{,/**},
+  mount options=(rw,move) /sy[^s]*{,/**},
+  mount options=(rw,move) /sys?*{,/**},
+

From efab898b55a1e1eeb01e2e9c36d4716cc1cc6191 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Mon, 27 Jun 2016 15:15:15 -0400
Subject: [PATCH 2/2] apparmor: Allow all the mount states
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
 config/apparmor/abstractions/container-base    | 21 +++++++++------------
 config/apparmor/abstractions/container-base.in | 21 +++++++++------------
 2 files changed, 18 insertions(+), 24 deletions(-)

diff --git a/config/apparmor/abstractions/container-base b/config/apparmor/abstractions/container-base
index 7533fdb..0aacb6a 100644
--- a/config/apparmor/abstractions/container-base
+++ b/config/apparmor/abstractions/container-base
@@ -93,18 +93,15 @@
   # deny reads from debugfs
   deny /sys/kernel/debug/{,**} rwklx,
 
-  # allow paths to be made shared, rshared, private or rprivate
-  mount options=(rw,shared) -> /,
-  mount options=(rw,shared) -> /**,
-
-  mount options=(rw,rshared) -> /,
-  mount options=(rw,rshared) -> /**,
-
-  mount options=(rw,private) -> /,
-  mount options=(rw,private) -> /**,
-
-  mount options=(rw,rprivate) -> /,
-  mount options=(rw,rprivate) -> /**,
+  # allow paths to be made slave, shared, private or unbindable
+  mount options=(rw,make-slave) -> **,
+  mount options=(rw,make-rslave) -> **,
+  mount options=(rw,make-shared) -> **,
+  mount options=(rw,make-rshared) -> **,
+  mount options=(rw,make-private) -> **,
+  mount options=(rw,make-rprivate) -> **,
+  mount options=(rw,make-unbindable) -> **,
+  mount options=(rw,make-runbindable) -> **,
 
   # allow bind-mounts of anything except /proc, /sys and /dev
   mount options=(rw,bind) /[^spd]*{,/**},
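Review bot: The replacement rules use a single `-> **` target where the removed rules carried a separate `-> /` line next to `-> /**`, so whether the bare root mount point is still matched depends on `**` matching `/` on its own; if the old pair existed because `/**` did not, the ability to re-share or re-privatise the container's root mount is silently lost here. Worth confirming against the parser before relying on it, and if in doubt keep `mount options=(rw,make-shared) -> /,` (and the same for the other seven propagation types) alongside the `**` form. The comment could also say why unbindable and slave are now permitted, e.g. `# propagation changes only affect the container's own mount namespace`, if that is the reasoning, since the commit message does not explain it. The identical change appears in container-base.in in the second hunk.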
diff --git a/config/apparmor/abstractions/container-base.in b/config/apparmor/abstractions/container-base.in
index 022d04d..efeab82 100644
--- a/config/apparmor/abstractions/container-base.in
+++ b/config/apparmor/abstractions/container-base.in
@@ -93,18 +93,15 @@
   # deny reads from debugfs
   deny /sys/kernel/debug/{,**} rwklx,
 
-  # allow paths to be made shared, rshared, private or rprivate
-  mount options=(rw,shared) -> /,
-  mount options=(rw,shared) -> /**,
-
-  mount options=(rw,rshared) -> /,
-  mount options=(rw,rshared) -> /**,
-
-  mount options=(rw,private) -> /,
-  mount options=(rw,private) -> /**,
-
-  mount options=(rw,rprivate) -> /,
-  mount options=(rw,rprivate) -> /**,
+  # allow paths to be made slave, shared, private or unbindable
+  mount options=(rw,make-slave) -> **,
+  mount options=(rw,make-rslave) -> **,
+  mount options=(rw,make-shared) -> **,
+  mount options=(rw,make-rshared) -> **,
+  mount options=(rw,make-private) -> **,
+  mount options=(rw,make-rprivate) -> **,
+  mount options=(rw,make-unbindable) -> **,
+  mount options=(rw,make-runbindable) -> **,
 
   # allow bind-mounts of anything except /proc, /sys and /dev
   mount options=(rw,bind) /[^spd]*{,/**},

