[lxc-devel] [lxd/master] lxd/apparmor/apparmor.go: allow listing of binfmt_misc mount

BryanQuigley on Github lxc-bot at linuxcontainers.org
Wed May 13 00:51:50 UTC 2020


URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20200512/9fcb87a2/attachment.bin>
-------------- next part --------------
From ef796c728ad835cc970ec3563352edfca0c925da Mon Sep 17 00:00:00 2001
From: Bryan Quigley <bryan.quigley at canonical.com>
Date: Tue, 12 May 2020 17:40:43 -0700
Subject: [PATCH] lxd/apparmor/apparmor.go: allow listing of binfmt_misc mount
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The information on what files exist there is already available if
you brute force and use stat:

$ stat /proc/sys/fs/binfmt_misc/statu
stat: cannot stat ‘/proc/sys/fs/binfmt_misc/statu’: No such file or directory

$ stat /proc/sys/fs/binfmt_misc/status
  File: ‘/proc/sys/fs/binfmt_misc/status’ ...

Since the majority of files that exist in binfmt_misc are well-known names, it
doesn't provide any security advantages IMHO.  This does still result in access
denied to the files inside the mount.

Closes: #5688

Signed-off-by: Bryan Quigley <bryan.quigley at canonical.com>
---
 lxd/apparmor/apparmor.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lxd/apparmor/apparmor.go b/lxd/apparmor/apparmor.go
index ceec2dece0..90a83c61af 100644
--- a/lxd/apparmor/apparmor.go
+++ b/lxd/apparmor/apparmor.go
@@ -48,7 +48,7 @@ const profileBase = `
 
   # Handle binfmt
   mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,
-  deny /proc/sys/fs/binfmt_misc/{,**} rwklx,
+  deny /proc/sys/fs/binfmt_misc/** rwklx,
 
   # Handle cgroupfs
   mount options=(ro, nosuid, nodev, noexec, remount, strictatime) -> /sys/fs/cgroup/,
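Review bot: replacing `deny /proc/sys/fs/binfmt_misc/{,**} rwklx,` with `deny /proc/sys/fs/binfmt_misc/** rwklx,` lifts the deny for all of r, w, k, l and x on the directory itself, not only the read needed for listing, so whether the directory becomes writable, lockable or linkable from inside the container now depends entirely on whatever allow rules the rest of the profile grants under /proc. Because AppArmor deny rules take precedence over allow rules, the directory could not be carved out of `{,**}` with an extra allow, but the non-read permissions can still be denied explicitly: keep the new `deny /proc/sys/fs/binfmt_misc/** rwklx,` and add `deny /proc/sys/fs/binfmt_misc/ wklx,` so only listing is opened up. The `# Handle binfmt` comment should also say that the directory is deliberately listable while its entries stay denied, since the `{,**}` vs `**` difference is easy to read past; the mount rule above it is unaffected.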


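The brute-force-with-stat argument from the commit message, as an added shell example that is not part of the patch or of LXD: probing well-known entry names with stat(1) needs only search permission on the directory, so denying the directory listing hides nothing whose name is guessable. `status` and `register` always exist in a binfmt_misc mount; the other candidate names are constructed guesses standing in for handler names a distro might register, and the demo directory at the bottom is constructed to stand in for the mount.

```shell
#!/bin/sh
# Added example, not code from the LXD patch: enumerate a directory whose
# listing is denied by probing known names with stat, which only needs
# search permission on the directory, not read permission.

# "status" and "register" are always created by the kernel; the remaining
# names are constructed guesses for commonly registered handlers.
BINFMT_CANDIDATES="status register statu qemu-aarch64 qemu-arm jar python2.7 wine cli"

# probe_names DIR NAME... : print each NAME that exists under DIR, one per line.
# stat(1) on a full path works even when `ls DIR` is refused.
probe_names() {
    dir=$1; shift
    for name in "$@"; do
        if stat -- "$dir/$name" >/dev/null 2>&1; then
            printf '%s\n' "$name"
        fi
    done
}

# count_found DIR NAME... : number of candidate names that exist.
count_found() {
    probe_names "$@" | wc -l | tr -d ' '
}

# Demo on a constructed directory that mimics the mount: mode 0311 gives
# search but no read, so `ls` is refused for an unprivileged user, yet the
# known names are still confirmed. Root bypasses DAC, so run as a normal
# user to see `ls` fail; the probe result is the same either way.
demo_dir=$(mktemp -d)
touch "$demo_dir/status" "$demo_dir/register"
chmod 0311 "$demo_dir"
echo "ls on the directory:"
ls "$demo_dir" 2>&1 || true
echo "names confirmed via stat:"
probe_names "$demo_dir" $BINFMT_CANDIDATES
chmod 0755 "$demo_dir"
rm -rf "$demo_dir"
```

On a container under the pre-patch profile the same probe against /proc/sys/fs/binfmt_misc confirms `status` and `register` while `ls` of the directory is denied, which is exactly the asymmetry the commit message describes.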