From: Alexander Mikhalitsyn Date: Tue, 4 Jun 2024 11:28:05 +0000 (+0200) Subject: apparmor: fix rule path pattern specification syntax X-Git-Tag: v6.0.1~9 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=89071ba7b056a480dadca6c27d10955b70dab96c;p=thirdparty%2Flxc.git apparmor: fix rule path pattern specification syntax See also: https://bugs.launchpad.net/lxc/+bug/2064144 https://github.com/lxc/incus/pull/889/commits/d2c13e3f6312f08750981a80a510530e881c4ec7 Signed-off-by: Alexander Mikhalitsyn
---
diff --git a/config/apparmor/abstractions/container-base.in b/config/apparmor/abstractions/container-base.in
index 2ca4e2f7b..0717937c0 100644
--- a/config/apparmor/abstractions/container-base.in
+++ b/config/apparmor/abstractions/container-base.in
@@ -92,14 +92,14 @@
 deny /sys/kernel/debug/{,**} rwklx,

 # allow paths to be made slave, shared, private or unbindable
- mount options=(rw,make-slave) -> **,
- mount options=(rw,make-rslave) -> **,
- mount options=(rw,make-shared) -> **,
- mount options=(rw,make-rshared) -> **,
- mount options=(rw,make-private) -> **,
- mount options=(rw,make-rprivate) -> **,
- mount options=(rw,make-unbindable) -> **,
- mount options=(rw,make-runbindable) -> **,
+ mount options=(rw,make-slave) -> /**,
+ mount options=(rw,make-rslave) -> /**,
+ mount options=(rw,make-shared) -> /**,
+ mount options=(rw,make-rshared) -> /**,
+ mount options=(rw,make-private) -> /**,
+ mount options=(rw,make-rprivate) -> /**,
+ mount options=(rw,make-unbindable) -> /**,
+ mount options=(rw,make-runbindable) -> /**,

 # allow bind-mounts of anything except /proc, /sys and /dev
 mount options=(rw,bind) /[^spd]*{,/**},
diff --git a/config/apparmor/abstractions/start-container.in b/config/apparmor/abstractions/start-container.in
index 4acb1410f..f79cc2be7 100644
--- a/config/apparmor/abstractions/start-container.in
+++ b/config/apparmor/abstractions/start-container.in
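Review bot: The new destination glob `/**` on the added make-slave/make-rslave/... lines may no longer match the root mount `/` itself, which the old bare `**` did: a trailing `**` in an AppArmor path glob is generally understood to need at least one character after the slash, which is exactly why this same hunk writes `deny /sys/kernel/debug/{,**}` instead of `/sys/kernel/debug/**`. Changing propagation on `/` (`mount --make-rshared /`, `--make-rslave /`) is something init systems and LXC's own setup commonly do, and under this profile such a call would then fail with EACCES inside the container rather than at profile load time. If the parser confirms that reading, `mount options=(rw,make-rslave) -> /{,**},` (and the same for the other seven rules) keeps the leading-slash syntax the fix needs while still covering the root; it is worth testing `mount --make-rslave /` under the loaded profile before the tag.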
@@ -15,10 +15,10 @@
 mount fstype=devpts -> /dev/pts/,
 mount options=bind /dev/pts/ptmx/ -> /dev/ptmx/,
 mount options=bind /dev/pts/** -> /dev/**,
- mount options=(rw, make-slave) -> **,
- mount options=(rw, make-rslave) -> **,
- mount options=(rw, make-shared) -> **,
- mount options=(rw, make-rshared) -> **,
+ mount options=(rw, make-slave) -> /**,
+ mount options=(rw, make-rslave) -> /**,
+ mount options=(rw, make-shared) -> /**,
+ mount options=(rw, make-rshared) -> /**,
 mount fstype=debugfs,
 mount fstype=fuse.*,
 # allow pre-mount hooks to stage mounts under /var/lib/lxc//
diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c
index 1d98e2941..7da48748d 100644
--- a/src/lxc/lsm/apparmor.c
+++ b/src/lxc/lsm/apparmor.c
@@ -113,14 +113,14 @@ static const char AA_PROFILE_BASE[] =
 " deny /sys/kernel/debug/{,**} rwklx,\n"
 "\n"
 " # allow paths to be made dependent, shared, private or unbindable\n"
-" mount options=(rw,make-slave) -> **,\n"
-" mount options=(rw,make-rslave) -> **,\n"
-" mount options=(rw,make-shared) -> **,\n"
-" mount options=(rw,make-rshared) -> **,\n"
-" mount options=(rw,make-private) -> **,\n"
-" mount options=(rw,make-rprivate) -> **,\n"
-" mount options=(rw,make-unbindable) -> **,\n"
-" mount options=(rw,make-runbindable) -> **,\n"
+" mount options=(rw,make-slave) -> /**,\n"
+" mount options=(rw,make-rslave) -> /**,\n"
+" mount options=(rw,make-shared) -> /**,\n"
+" mount options=(rw,make-rshared) -> /**,\n"
+" mount options=(rw,make-private) -> /**,\n"
+" mount options=(rw,make-rprivate) -> /**,\n"
+" mount options=(rw,make-unbindable) -> /**,\n"
+" mount options=(rw,make-runbindable) -> /**,\n"
 "\n"
 " # allow bind-mounts of anything except /proc, /sys and /dev\n"
 " mount options=(rw,bind) /[^spd]*{,/**},\n"
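Review bot: The same root-mount question applies to the four rewritten rules here: `-> /**` very likely excludes the destination `/` itself (the trailing `**` is generally read as "one or more characters after the slash", the reason the `{,**}` idiom exists in the sibling abstraction), whereas the old `**` matched it. This is the start-container profile, so the caller is lxc-start's own setup rather than the container payload, and an unexpected EACCES on `mount(NULL, "/", NULL, MS_SLAVE|MS_REC, NULL)` would surface as a startup failure rather than a confinement bypass, but it should still be verified under a loaded profile. If the parser agrees, `mount options=(rw, make-rslave) -> /{,**},` (keeping this file's existing `(rw, ...)` spacing) and the three sibling lines cover both cases.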
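Review bot: The embedded copy of the profile in AA_PROFILE_BASE is now the third place the same eight rules are rewritten, and nothing in the string warns the next editor that it must stay in sync with config/apparmor/abstractions/container-base.in; a one-line comment above the literal, `/* Keep in sync with config/apparmor/abstractions/container-base.in */`, would have made this commit self-checking. The AA_PROFILE_BASE string literal itself starts and ends outside the hunk, so the rest of the duplicated profile is not visible here. The destination-glob concern raised on the .in file applies unchanged to these lines: if `/**` does not match `/` itself, `" mount options=(rw,make-rslave) -> /{,**},\n"` is the form that keeps the root mount covered, and the C copy would need the same follow-up.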
@@ -336,14 +336,14 @@ static const char AA_PROFILE_UNPRIVILEGED[] =
 " pivot_root,\n"
 "\n"
 " # Allow modifying mount propagation\n"
-" mount options=(rw,make-slave) -> **,\n"
-" mount options=(rw,make-rslave) -> **,\n"
-" mount options=(rw,make-shared) -> **,\n"
-" mount options=(rw,make-rshared) -> **,\n"
-" mount options=(rw,make-private) -> **,\n"
-" mount options=(rw,make-rprivate) -> **,\n"
-" mount options=(rw,make-unbindable) -> **,\n"
-" mount options=(rw,make-runbindable) -> **,\n"
+" mount options=(rw,make-slave) -> /**,\n"
+" mount options=(rw,make-rslave) -> /**,\n"
+" mount options=(rw,make-shared) -> /**,\n"
+" mount options=(rw,make-rshared) -> /**,\n"
+" mount options=(rw,make-private) -> /**,\n"
+" mount options=(rw,make-rprivate) -> /**,\n"
+" mount options=(rw,make-unbindable) -> /**,\n"
+" mount options=(rw,make-runbindable) -> /**,\n"
 "\n"
 " # Allow all bind-mounts\n"
 " mount options=(rw,bind),\n"
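Review bot: In the unprivileged profile these eight propagation rules are the only path constraint in this block (the `mount options=(rw,bind),` context line below them has no destination at all), so if `/**` fails to match the root mount `/` the effect is an unexplained EACCES when an unprivileged container's init runs `mount --make-rshared /`, with no parser error to point at. The `{,**}` idiom used in the rest of LXC's profiles suggests that is the case; `" mount options=(rw,make-rshared) -> /{,**},\n"` and its seven siblings would be the safe spelling, to be confirmed against the parser version the linked bug is about. The AA_PROFILE_UNPRIVILEGED literal begins before this hunk and continues after it, and the comment above the rules would be a good place to record which apparmor_parser version forced the leading slash.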