[lxc-devel] [PATCH v2 lxc 1/2] AppArmor: add make-rslave to usr.bin.lxc-start

Stéphane Graber stgraber at ubuntu.com
Mon Jun 27 20:20:34 UTC 2016


On Sat, Jun 25, 2016 at 10:12:26PM -0400, Stéphane Graber wrote:
> On Thu, Jun 23, 2016 at 11:04:20AM +0200, Wolfgang Bumiller wrote:
> > On Thu, Jun 23, 2016 at 09:52:02AM +0200, Wolfgang Bumiller wrote:
> > > Just noticed this: one of the two patches is still applied.
> > 
> > I meant *not* applied... sorry :\
> 
> My recent apparmor change allows shared, private, rshared and rprivate
> mounts for any path inside the container. I wonder if that's somehow
> enough or if we also need to have specific rules for
> make-{r}{private,shared}.

So it turns out I just had to revert this change because apparmor is
currently buggy and when you allow any of the make-* stuff it also
allows all other mounts, including very dangerous things like "mount -t
proc proc /mnt", bypassing all apparmor restrictions.

So I've got all the rules in container-base commented for now.

Your request was about start-container though which already has
make-slave in there anyway, so I'll be merging that patch now.

> 
> > 
> > > 
> > > On Mon, Nov 30, 2015 at 08:58:52AM +0100, Wolfgang Bumiller wrote:
> > > > The profile already contains
> > > >   mount options=(rw, make-slave) -> **,
> > > > 
> > > > Which allows going through all mountpoints with make-slave,
> > > > so it seems to make sense to also allow the directly
> > > > recursive variant with "make-rslave".
> > > > 
> > > > Signed-off-by: Wolfgang Bumiller <w.bumiller at proxmox.com>
> > > > Acked-by: Serge E. Hallyn <serge.hallyn at ubuntu.com>
> > > > ---
> > > >  config/apparmor/abstractions/start-container | 1 +
> > > >  1 file changed, 1 insertion(+)
> > > > 
> > > > diff --git a/config/apparmor/abstractions/start-container b/config/apparmor/abstractions/start-container
> > > > index b06a84d..eee0c2f 100644
> > > > --- a/config/apparmor/abstractions/start-container
> > > > +++ b/config/apparmor/abstractions/start-container
> > > > @@ -15,6 +15,7 @@
> > > >    mount options=bind /dev/pts/ptmx/ -> /dev/ptmx/,
> > > >    mount options=bind /dev/pts/** -> /dev/**,
> > > >    mount options=(rw, make-slave) -> **,
> > > > +  mount options=(rw, make-rslave) -> **,
> > > >    mount fstype=debugfs,
> > > >    # allow pre-mount hooks to stage mounts under /var/lib/lxc/<container>/
> > > >    mount -> /var/lib/lxc/{**,},
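Review bot: the commit message should say which profile this broadens, since the thread above distinguishes start-container (consumed by the lxc-start profile) from container-base, where the make-* rules were commented out again because AppArmor at the time let any make-* option rule permit unrelated mounts. The added `mount options=(rw, make-rslave) -> **,` line mirrors the existing make-slave rule, so a one-line comment above the pair explaining that both the non-recursive and recursive propagation variants are needed by lxc-start would help the next reviewer, as would a short justification for the `**` target rather than a narrower path.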
> > > > -- 
> > > > 2.1.4
> > > > 
> > > > 
> > > > _______________________________________________
> > > > lxc-devel mailing list
> > > > lxc-devel at lists.linuxcontainers.org
> > > > http://lists.linuxcontainers.org/listinfo/lxc-devel
> 
> -- 
> Stéphane Graber
> Ubuntu developer
> http://www.ubuntu.com



-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
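As an added illustration, not code from the patch or from the LXC project: the Python below parses the AppArmor mount-rule syntax used in these abstractions and lists the rules that grant make-* propagation options, which is what a maintainer would want to audit given the AppArmor behaviour described in this thread (any make-* rule also permitting unrelated mounts). The sample profile is constructed from the rules quoted above; the parser only handles plain `mount` rules without `deny`/`audit` qualifiers, which is an assumption of the example.

```python
import re

# Propagation flags recognised by AppArmor mount rules (non-recursive and recursive).
MAKE_FLAGS = {
    "make-shared", "make-slave", "make-private", "make-unbindable",
    "make-rshared", "make-rslave", "make-rprivate", "make-runbindable",
}

# Tokens: fstype=/options= conditions (parenthesised lists kept whole), the
# "->" arrow, or any other whitespace-free word (source/target globs).
TOKEN = re.compile(r"(?:fstype|options)=(?:\([^)]*\)|\S+)|->|\S+")

# Constructed sample in the style of the start-container abstraction quoted in
# the thread; it is not the project's file.
SAMPLE_PROFILE = """\
  mount options=bind /dev/pts/ptmx/ -> /dev/ptmx/,
  mount options=bind /dev/pts/** -> /dev/**,
  mount options=(rw, make-slave) -> **,
  mount options=(rw, make-rslave) -> **,
  mount fstype=debugfs,
  # allow pre-mount hooks to stage mounts under /var/lib/lxc/<container>/
  mount -> /var/lib/lxc/{**,},
"""


def parse_mount_rule(line):
    """Parse one plain AppArmor mount rule; return None for comments and other lines.

    Assumption of this example: rules start with the bare keyword 'mount' and
    end with ','; 'deny'/'audit' qualifiers are not handled.
    """
    text = line.strip()
    if not text.startswith("mount ") and text != "mount," and not text.startswith("mount,"):
        if not text.startswith("mount"):
            return None
    if not text.endswith(","):
        return None
    body = text[len("mount"):-1].strip()
    rule = {"fstype": None, "options": [], "source": None, "target": None}
    tokens = TOKEN.findall(body)
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("fstype="):
            rule["fstype"] = tok[len("fstype="):].strip("()")
        elif tok.startswith("options="):
            raw = tok[len("options="):].strip("()")
            rule["options"] = [o for o in re.split(r"[\s,]+", raw) if o]
        elif tok == "->":
            i += 1  # the token after the arrow is the mountpoint glob
            if i < len(tokens):
                rule["target"] = tokens[i]
        else:
            rule["source"] = tok
        i += 1
    return rule


def audit_propagation_rules(profile_text):
    """Return one finding per rule whose options include a make-* flag.

    Each finding records the line number, the flags granted and the target
    glob, so a reviewer can see how broad the propagation rule is.
    """
    findings = []
    for lineno, line in enumerate(profile_text.splitlines(), 1):
        rule = parse_mount_rule(line)
        if rule is None:
            continue
        flags = sorted(MAKE_FLAGS.intersection(rule["options"]))
        if flags:
            findings.append({"line": lineno, "flags": flags, "target": rule["target"]})
    return findings


if __name__ == "__main__":
    for finding in audit_propagation_rules(SAMPLE_PROFILE):
        print(f"line {finding['line']}: {', '.join(finding['flags'])} -> {finding['target']}")
```

Run against a real abstraction file, the output is the list of lines to review (or comment out, as the thread reports was done for container-base) until the AppArmor fix lands; rules with a `**` target are the ones to look at first.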