apparmor: use /{,**} instead of /**

It turned out, that old (and incorrect) rule:
mount options=(rw,make-slave) -> **,

is NOT equivalent to:
mount options=(rw,make-slave) -> /**,

Let's use:
mount options=(rw,make-slave) -> /{,**},

Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>

diff --git a/config/apparmor/abstractions/container-base.in b/config/apparmor/abstractions/container-base.in
index 0717937c004404e09839cd548a547958552b249b..87982fda3d044139dc4de84c175bda8c0730bf8d 100644 (file)
--- a/config/apparmor/abstractions/container-base.in
+++ b/config/apparmor/abstractions/container-base.in
@@ -92,14 +92,14 @@
   deny /sys/kernel/debug/{,**} rwklx,
 
   # allow paths to be made slave, shared, private or unbindable
-  mount options=(rw,make-slave) -> /**,
-  mount options=(rw,make-rslave) -> /**,
-  mount options=(rw,make-shared) -> /**,
-  mount options=(rw,make-rshared) -> /**,
-  mount options=(rw,make-private) -> /**,
-  mount options=(rw,make-rprivate) -> /**,
-  mount options=(rw,make-unbindable) -> /**,
-  mount options=(rw,make-runbindable) -> /**,
+  mount options=(rw,make-slave) -> /{,**},
+  mount options=(rw,make-rslave) -> /{,**},
+  mount options=(rw,make-shared) -> /{,**},
+  mount options=(rw,make-rshared) -> /{,**},
+  mount options=(rw,make-private) -> /{,**},
+  mount options=(rw,make-rprivate) -> /{,**},
+  mount options=(rw,make-unbindable) -> /{,**},
+  mount options=(rw,make-runbindable) -> /{,**},
 
   # allow bind-mounts of anything except /proc, /sys and /dev
   mount options=(rw,bind) /[^spd]*{,/**},

diff --git a/config/apparmor/abstractions/start-container.in b/config/apparmor/abstractions/start-container.in
index f79cc2be7b2019a3c439c62ad41da7fe4a537f16..20c852925c7d1875156c05215ad0b43d968739f3 100644 (file)
--- a/config/apparmor/abstractions/start-container.in
+++ b/config/apparmor/abstractions/start-container.in
@@ -15,10 +15,10 @@
   mount fstype=devpts -> /dev/pts/,
   mount options=bind /dev/pts/ptmx/ -> /dev/ptmx/,
   mount options=bind /dev/pts/** -> /dev/**,
-  mount options=(rw, make-slave) -> /**,
-  mount options=(rw, make-rslave) -> /**,
-  mount options=(rw, make-shared) -> /**,
-  mount options=(rw, make-rshared) -> /**,
+  mount options=(rw, make-slave) -> /{,**},
+  mount options=(rw, make-rslave) -> /{,**},
+  mount options=(rw, make-shared) -> /{,**},
+  mount options=(rw, make-rshared) -> /{,**},
   mount fstype=debugfs,
   mount fstype=fuse.*,
   # allow pre-mount hooks to stage mounts under /var/lib/lxc/<container>/

diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c
index 7da48748d4288f21fc19724a128bc831c09b2fca..d6516ae9f5dbe54909801ae7e1dd156876b3ad12 100644 (file)
--- a/src/lxc/lsm/apparmor.c
+++ b/src/lxc/lsm/apparmor.c
@@ -113,14 +113,14 @@ static const char AA_PROFILE_BASE[] =
 "  deny /sys/kernel/debug/{,**} rwklx,\n"
 "\n"
 "  # allow paths to be made dependent, shared, private or unbindable\n"
-"  mount options=(rw,make-slave) -> /**,\n"
-"  mount options=(rw,make-rslave) -> /**,\n"
-"  mount options=(rw,make-shared) -> /**,\n"
-"  mount options=(rw,make-rshared) -> /**,\n"
-"  mount options=(rw,make-private) -> /**,\n"
-"  mount options=(rw,make-rprivate) -> /**,\n"
-"  mount options=(rw,make-unbindable) -> /**,\n"
-"  mount options=(rw,make-runbindable) -> /**,\n"
+"  mount options=(rw,make-slave) -> /{,**},\n"
+"  mount options=(rw,make-rslave) -> /{,**},\n"
+"  mount options=(rw,make-shared) -> /{,**},\n"
+"  mount options=(rw,make-rshared) -> /{,**},\n"
+"  mount options=(rw,make-private) -> /{,**},\n"
+"  mount options=(rw,make-rprivate) -> /{,**},\n"
+"  mount options=(rw,make-unbindable) -> /{,**},\n"
+"  mount options=(rw,make-runbindable) -> /{,**},\n"
 "\n"
 "  # allow bind-mounts of anything except /proc, /sys and /dev\n"
 "  mount options=(rw,bind) /[^spd]*{,/**},\n"
@@ -336,14 +336,14 @@ static const char AA_PROFILE_UNPRIVILEGED[] =
 "  pivot_root,\n"
 "\n"
 "  # Allow modifying mount propagation\n"
-"  mount options=(rw,make-slave) -> /**,\n"
-"  mount options=(rw,make-rslave) -> /**,\n"
-"  mount options=(rw,make-shared) -> /**,\n"
-"  mount options=(rw,make-rshared) -> /**,\n"
-"  mount options=(rw,make-private) -> /**,\n"
-"  mount options=(rw,make-rprivate) -> /**,\n"
-"  mount options=(rw,make-unbindable) -> /**,\n"
-"  mount options=(rw,make-runbindable) -> /**,\n"
+"  mount options=(rw,make-slave) -> /{,**},\n"
+"  mount options=(rw,make-rslave) -> /{,**},\n"
+"  mount options=(rw,make-shared) -> /{,**},\n"
+"  mount options=(rw,make-rshared) -> /{,**},\n"
+"  mount options=(rw,make-private) -> /{,**},\n"
+"  mount options=(rw,make-rprivate) -> /{,**},\n"
+"  mount options=(rw,make-unbindable) -> /{,**},\n"
+"  mount options=(rw,make-runbindable) -> /{,**},\n"
 "\n"
 "  # Allow all bind-mounts\n"
 "  mount options=(rw,bind),\n"