[lxc-devel] [lxc/lxc] e6ec0a: apparmor: allow various remount, bind options
GitHub
noreply at github.com
Fri Nov 16 16:18:38 UTC 2018
Branch: refs/heads/master
Home: https://github.com/lxc/lxc
Commit: e6ec0a9e71aa68c9fd67c691a62aaae87e356cef
https://github.com/lxc/lxc/commit/e6ec0a9e71aa68c9fd67c691a62aaae87e356cef
Author: Wolfgang Bumiller <w.bumiller at proxmox.com>
Date: 2018-11-16 (Fri, 16 Nov 2018)
Changed paths:
M config/apparmor/abstractions/container-base
M config/apparmor/abstractions/container-base.in
M src/lxc/lsm/apparmor.c
Log Message:
-----------
apparmor: allow various remount,bind options

RW bind mounts need to be restricted for some paths in
order to avoid MAC restriction bypasses, but read-only bind
mounts shouldn't have that problem.

Additionally, combinations of 'nosuid', 'nodev' and
'noexec' flags shouldn't be a problem either and are
required with newer systemd versions, so let's allow those
as long as they're combined with 'ro,remount,bind'.

Signed-off-by: Wolfgang Bumiller <w.bumiller at proxmox.com>
Commit: ac7148050126cc3cd9872007c5ea69cad44baa91
https://github.com/lxc/lxc/commit/ac7148050126cc3cd9872007c5ea69cad44baa91
Author: Christian Brauner <christian at brauner.io>
Date: 2018-11-16 (Fri, 16 Nov 2018)
Changed paths:
M config/apparmor/abstractions/container-base
M config/apparmor/abstractions/container-base.in
M src/lxc/lsm/apparmor.c
Log Message:
-----------
Merge pull request #2727 from Blub/2018-11-16/apparmor.ro-bind-remount-combinations
apparmor: allow various remount,bind options
Compare: https://github.com/lxc/lxc/compare/c891ab355ba1...ac7148050126