[lxc-devel] [lxc/lxc] 1cc28d: apparmor: allow various remount, bind options

GitHub noreply at github.com
Mon Dec 17 11:06:59 UTC 2018


  Branch: refs/heads/stable-3.0
  Home:   https://github.com/lxc/lxc
  Commit: 1cc28d37b7b74c45e5e11a5aa09cc0103a8510b7
      https://github.com/lxc/lxc/commit/1cc28d37b7b74c45e5e11a5aa09cc0103a8510b7
  Author: Wolfgang Bumiller <w.bumiller at proxmox.com>
  Date:   2018-12-17 (Mon, 17 Dec 2018)

  Changed paths:
    M config/apparmor/abstractions/container-base
    M config/apparmor/abstractions/container-base.in

  Log Message:
  -----------
  apparmor: allow various remount,bind options

RW bind mounts need to be restricted for some paths in
order to avoid MAC restriction bypasses, but read-only bind
mounts shouldn't have that problem.

Additionally, combinations of 'nosuid', 'nodev' and
'noexec' flags shouldn't be a problem either and are
required with newer systemd versions, so let's allow those
as long as they're combined with 'ro,remount,bind'.

Signed-off-by: Wolfgang Bumiller <w.bumiller at proxmox.com>
(cherry picked from commit e6ec0a9e71aa68c9fd67c691a62aaae87e356cef)


  Commit: 0d585e472c41442a3671ae6ad6907d082cc012d0
      https://github.com/lxc/lxc/commit/0d585e472c41442a3671ae6ad6907d082cc012d0
  Author: Christian Brauner <christian at brauner.io>
  Date:   2018-12-17 (Mon, 17 Dec 2018)

  Changed paths:
    M config/apparmor/abstractions/container-base
    M config/apparmor/abstractions/container-base.in

  Log Message:
  -----------
  Merge pull request #2758 from Blub/2018-12-17/stable-3.0/apparmor-bind-remount

apparmor: allow various remount,bind options


Compare: https://github.com/lxc/lxc/compare/51a9e74bae81...0d585e472c41

