From 89071ba7b056a480dadca6c27d10955b70dab96c Mon Sep 17 00:00:00 2001
From: Alexander Mikhalitsyn
Date: Tue, 4 Jun 2024 13:28:05 +0200
Subject: [PATCH] apparmor: fix rule path pattern specification syntax

See also:
https://bugs.launchpad.net/lxc/+bug/2064144
https://github.com/lxc/incus/pull/889/commits/d2c13e3f6312f08750981a80a510530e881c4ec7

Signed-off-by: Alexander Mikhalitsyn
---
 .../apparmor/abstractions/container-base.in | 16 +++++-----
 .../apparmor/abstractions/start-container.in | 8 ++---
 src/lxc/lsm/apparmor.c | 32 +++++++++----------
 3 files changed, 28 insertions(+), 28 deletions(-)

diff --git a/config/apparmor/abstractions/container-base.in b/config/apparmor/abstractions/container-base.in
index 2ca4e2f7b..0717937c0 100644
--- a/config/apparmor/abstractions/container-base.in
+++ b/config/apparmor/abstractions/container-base.in
@@ -92,14 +92,14 @@
  deny /sys/kernel/debug/{,**} rwklx,
 
  # allow paths to be made slave, shared, private or unbindable
- mount options=(rw,make-slave) -> **,
- mount options=(rw,make-rslave) -> **,
- mount options=(rw,make-shared) -> **,
- mount options=(rw,make-rshared) -> **,
- mount options=(rw,make-private) -> **,
- mount options=(rw,make-rprivate) -> **,
- mount options=(rw,make-unbindable) -> **,
- mount options=(rw,make-runbindable) -> **,
+ mount options=(rw,make-slave) -> /**,
+ mount options=(rw,make-rslave) -> /**,
+ mount options=(rw,make-shared) -> /**,
+ mount options=(rw,make-rshared) -> /**,
+ mount options=(rw,make-private) -> /**,
+ mount options=(rw,make-rprivate) -> /**,
+ mount options=(rw,make-unbindable) -> /**,
+ mount options=(rw,make-runbindable) -> /**,
 
  # allow bind-mounts of anything except /proc, /sys and /dev
  mount options=(rw,bind) /[^spd]*{,/**},
diff --git a/config/apparmor/abstractions/start-container.in b/config/apparmor/abstractions/start-container.in
index 4acb1410f..f79cc2be7 100644
--- a/config/apparmor/abstractions/start-container.in
+++ b/config/apparmor/abstractions/start-container.in
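Review bot: The rewritten propagation rules carry no comment recording why the target now has to start with `/`, so the next person adding a `make-*` rule (or copying one from an older profile) can reintroduce the bare `**` form that this commit is removing. The subject line calls this a syntax fix, which suggests the bare pattern is rejected by the policy parser rather than merely matching nothing; I would confirm that against the linked bug and then put it in the file, e.g. above the first `mount options=(rw,make-slave)` line: `# mount targets must be absolute path patterns: a bare ** is not accepted, use /**`. The bind-mount rule on the hunk's last context line already starts with `/`, which is why it needed no change and is a good pointer for the comment. The same applies to the start-container.in hunk and to the two AA_PROFILE_BASE / AA_PROFILE_UNPRIVILEGED hunks in src/lxc/lsm/apparmor.c, which repeat these rules as C string literals.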
@@ -15,10 +15,10 @@
  mount fstype=devpts -> /dev/pts/,
  mount options=bind /dev/pts/ptmx/ -> /dev/ptmx/,
  mount options=bind /dev/pts/** -> /dev/**,
- mount options=(rw, make-slave) -> **,
- mount options=(rw, make-rslave) -> **,
- mount options=(rw, make-shared) -> **,
- mount options=(rw, make-rshared) -> **,
+ mount options=(rw, make-slave) -> /**,
+ mount options=(rw, make-rslave) -> /**,
+ mount options=(rw, make-shared) -> /**,
+ mount options=(rw, make-rshared) -> /**,
  mount fstype=debugfs,
  mount fstype=fuse.*,
  # allow pre-mount hooks to stage mounts under /var/lib/lxc//
diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c
index 1d98e2941..7da48748d 100644
--- a/src/lxc/lsm/apparmor.c
+++ b/src/lxc/lsm/apparmor.c
@@ -113,14 +113,14 @@ static const char AA_PROFILE_BASE[] =
 " deny /sys/kernel/debug/{,**} rwklx,\n"
 "\n"
 " # allow paths to be made dependent, shared, private or unbindable\n"
-" mount options=(rw,make-slave) -> **,\n"
-" mount options=(rw,make-rslave) -> **,\n"
-" mount options=(rw,make-shared) -> **,\n"
-" mount options=(rw,make-rshared) -> **,\n"
-" mount options=(rw,make-private) -> **,\n"
-" mount options=(rw,make-rprivate) -> **,\n"
-" mount options=(rw,make-unbindable) -> **,\n"
-" mount options=(rw,make-runbindable) -> **,\n"
+" mount options=(rw,make-slave) -> /**,\n"
+" mount options=(rw,make-rslave) -> /**,\n"
+" mount options=(rw,make-shared) -> /**,\n"
+" mount options=(rw,make-rshared) -> /**,\n"
+" mount options=(rw,make-private) -> /**,\n"
+" mount options=(rw,make-rprivate) -> /**,\n"
+" mount options=(rw,make-unbindable) -> /**,\n"
+" mount options=(rw,make-runbindable) -> /**,\n"
 "\n"
 " # allow bind-mounts of anything except /proc, /sys and /dev\n"
 " mount options=(rw,bind) /[^spd]*{,/**},\n"
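Review bot: AA_PROFILE_BASE embeds the same rule block as config/apparmor/abstractions/container-base.in, and this commit has to patch both copies by hand (and AA_PROFILE_UNPRIVILEGED again in the next hunk), yet nothing at the definition records that coupling. The two copies have already drifted in a small way visible here: the abstraction file's comment reads "made slave, shared, private or unbindable" while the C string says "made dependent, shared, private or unbindable". The `static const char AA_PROFILE_BASE[] =` definition starts above this hunk; I would add on the line before it `/* Keep the rules below in sync with config/apparmor/abstractions/container-base.in. */`, and the equivalent on AA_PROFILE_UNPRIVILEGED naming whichever abstraction it mirrors, if any. A build-time check that the embedded profile still parses would catch the next syntax regression earlier than a bug report, but that is beyond this fix.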
@@ -336,14 +336,14 @@ static const char AA_PROFILE_UNPRIVILEGED[] =
 " pivot_root,\n"
 "\n"
 " # Allow modifying mount propagation\n"
-" mount options=(rw,make-slave) -> **,\n"
-" mount options=(rw,make-rslave) -> **,\n"
-" mount options=(rw,make-shared) -> **,\n"
-" mount options=(rw,make-rshared) -> **,\n"
-" mount options=(rw,make-private) -> **,\n"
-" mount options=(rw,make-rprivate) -> **,\n"
-" mount options=(rw,make-unbindable) -> **,\n"
-" mount options=(rw,make-runbindable) -> **,\n"
+" mount options=(rw,make-slave) -> /**,\n"
+" mount options=(rw,make-rslave) -> /**,\n"
+" mount options=(rw,make-shared) -> /**,\n"
+" mount options=(rw,make-rshared) -> /**,\n"
+" mount options=(rw,make-private) -> /**,\n"
+" mount options=(rw,make-rprivate) -> /**,\n"
+" mount options=(rw,make-unbindable) -> /**,\n"
+" mount options=(rw,make-runbindable) -> /**,\n"
 "\n"
 " # Allow all bind-mounts\n"
 " mount options=(rw,bind),\n"
-- 
2.47.3