[lxc-devel] [lxd/master] lxd/apparmor: Allow ro bind-mounts and remounts

stgraber on Github lxc-bot at linuxcontainers.org
Wed Jun 27 20:03:25 UTC 2018


From ff536dad2a3a68dd8deae0343ed335a0fdde8df1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Wed, 27 Jun 2018 16:02:39 -0400
Subject: [PATCH] lxd/apparmor: Allow ro bind-mounts and remounts
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
 lxd/apparmor.go | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/lxd/apparmor.go b/lxd/apparmor.go
index d38e969df..7834f73bd 100644
--- a/lxd/apparmor.go
+++ b/lxd/apparmor.go
@@ -128,6 +128,24 @@ const AA_PROFILE_BASE = `
   mount options=(rw,bind) /sy[^s]*{,/**},
   mount options=(rw,bind) /sys?*{,/**},
 
+  # allow read-only bind-mounts of anything except /proc, /sys and /dev
+  mount options=(ro,remount,bind) -> /[^spd]*{,/**},
+  mount options=(ro,remount,bind) -> /d[^e]*{,/**},
+  mount options=(ro,remount,bind) -> /de[^v]*{,/**},
+  mount options=(ro,remount,bind) -> /dev/.[^l]*{,/**},
+  mount options=(ro,remount,bind) -> /dev/.l[^x]*{,/**},
+  mount options=(ro,remount,bind) -> /dev/.lx[^c]*{,/**},
+  mount options=(ro,remount,bind) -> /dev/.lxc?*{,/**},
+  mount options=(ro,remount,bind) -> /dev/[^.]*{,/**},
+  mount options=(ro,remount,bind) -> /dev?*{,/**},
+  mount options=(ro,remount,bind) -> /p[^r]*{,/**},
+  mount options=(ro,remount,bind) -> /pr[^o]*{,/**},
+  mount options=(ro,remount,bind) -> /pro[^c]*{,/**},
+  mount options=(ro,remount,bind) -> /proc?*{,/**},
+  mount options=(ro,remount,bind) -> /s[^y]*{,/**},
+  mount options=(ro,remount,bind) -> /sy[^s]*{,/**},
+  mount options=(ro,remount,bind) -> /sys?*{,/**},
+
   # allow moving mounts except for /proc, /sys and /dev
   mount options=(rw,move) /[^spd]*{,/**},
   mount options=(rw,move) /d[^e]*{,/**},
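Review bot: The comment on the new block says "anything except /proc, /sys and /dev", but the rules that follow explicitly admit destinations below /dev (`/dev/[^.]*{,/**}` plus the `/dev/.*` rules, which carve out only `/dev/.lxc`), so what is actually excluded is /dev, /proc and /sys as mount points and the /dev/.lxc tree, not the /dev subtree; the existing move-rule comment has the same imprecision, but this block is new. I would write it as `# allow read-only bind-remounts of any mount point except /proc, /sys, /dev themselves and /dev/.lxc`. A one-line note that these rules constrain `-> path` (the mount point) whereas the `rw,bind` rules above constrain the source would also help, since a remount acts on the target and has no meaningful source. Note too that `options=(…)` is an exact set match, so a remount that additionally carries nosuid/nodev/noexec will not match these rules — if callers need to preserve those flags across an MS_REMOUNT|MS_BIND, that combination has to be listed as well. AA_PROFILE_BASE starts before and continues past this hunk.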
@@ -251,6 +269,7 @@ const AA_PROFILE_NESTING = `
 const AA_PROFILE_UNPRIVILEGED = `
   pivot_root,
 
+  # Allow modifying mount propagation
   mount options=(rw,make-slave) -> **,
   mount options=(rw,make-rslave) -> **,
   mount options=(rw,make-shared) -> **,
@@ -260,8 +279,12 @@ const AA_PROFILE_UNPRIVILEGED = `
   mount options=(rw,make-unbindable) -> **,
   mount options=(rw,make-runbindable) -> **,
 
+  # Allow all bind-mounts
   mount options=(rw,bind),
   mount options=(rw,rbind),
+
+  # Allow remounting things read-only
+  mount options=(ro,remount),
 `
 
 func mkApparmorName(name string) string {
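Review bot: The new `mount options=(ro,remount),` rule carries neither `bind` nor a path constraint, so unlike the `(ro,remount,bind)` rules added to the base profile it permits a plain, superblock-level remount of any mount point in an unprivileged container; that appears safe only because, as I understand the kernel, a non-bind remount is refused unless the caller is capable in the user namespace that owns the superblock, so host-provided filesystems cannot be flipped read-only from inside — but the profile itself encodes none of that reasoning. I would say so in the comment: `# Allow remounting things read-only (non-bind remount changes superblock flags; the kernel limits this to superblocks owned by the container's user namespace)`. The base profile, presumably shared with privileged containers, deliberately stays bind-only with path exclusions, which is worth stating here so nobody later lifts this line into AA_PROFILE_BASE. AA_PROFILE_UNPRIVILEGED begins before this hunk.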

