apparmor: fix rule path pattern specification syntax

author Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>

Tue, 4 Jun 2024 11:28:05 +0000 (13:28 +0200)

committer Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>

Tue, 4 Jun 2024 11:28:05 +0000 (13:28 +0200)
author Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
Tue, 4 Jun 2024 11:28:05 +0000 (13:28 +0200)
committer Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
Tue, 4 Jun 2024 11:28:05 +0000 (13:28 +0200)
diff --git a/config/apparmor/abstractions/container-base.in b/config/apparmor/abstractions/container-base.in

index 2ca4e2f7bbf1c3a0b3eb9c2f21a6afe55d50efa5..0717937c004404e09839cd548a547958552b249b 100644 (file)
--- a/config/apparmor/abstractions/container-base.in
+++ b/config/apparmor/abstractions/container-base.in
@@ -92,14 +92,14 @@
    deny /sys/kernel/debug/{,**} rwklx,
  
    # allow paths to be made slave, shared, private or unbindable
-  mount options=(rw,make-slave) -> **,
-  mount options=(rw,make-rslave) -> **,
-  mount options=(rw,make-shared) -> **,
-  mount options=(rw,make-rshared) -> **,
-  mount options=(rw,make-private) -> **,
-  mount options=(rw,make-rprivate) -> **,
-  mount options=(rw,make-unbindable) -> **,
-  mount options=(rw,make-runbindable) -> **,
+  mount options=(rw,make-slave) -> /**,
+  mount options=(rw,make-rslave) -> /**,
+  mount options=(rw,make-shared) -> /**,
+  mount options=(rw,make-rshared) -> /**,
+  mount options=(rw,make-private) -> /**,
+  mount options=(rw,make-rprivate) -> /**,
+  mount options=(rw,make-unbindable) -> /**,
+  mount options=(rw,make-runbindable) -> /**,
  
    # allow bind-mounts of anything except /proc, /sys and /dev
    mount options=(rw,bind) /[^spd]*{,/**},
diff --git a/config/apparmor/abstractions/start-container.in b/config/apparmor/abstractions/start-container.in

index 4acb1410f841d63ef5ab6d28d3e154df79d8d233..f79cc2be7b2019a3c439c62ad41da7fe4a537f16 100644 (file)
--- a/config/apparmor/abstractions/start-container.in
+++ b/config/apparmor/abstractions/start-container.in
@@ -15,10 +15,10 @@
    mount fstype=devpts -> /dev/pts/,
    mount options=bind /dev/pts/ptmx/ -> /dev/ptmx/,
    mount options=bind /dev/pts/** -> /dev/**,
-  mount options=(rw, make-slave) -> **,
-  mount options=(rw, make-rslave) -> **,
-  mount options=(rw, make-shared) -> **,
-  mount options=(rw, make-rshared) -> **,
+  mount options=(rw, make-slave) -> /**,
+  mount options=(rw, make-rslave) -> /**,
+  mount options=(rw, make-shared) -> /**,
+  mount options=(rw, make-rshared) -> /**,
    mount fstype=debugfs,
    mount fstype=fuse.*,
    # allow pre-mount hooks to stage mounts under /var/lib/lxc/<container>/
diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c

index 1d98e2941d9a22c42be463ba73ab0b07afd82354..7da48748d4288f21fc19724a128bc831c09b2fca 100644 (file)
--- a/src/lxc/lsm/apparmor.c
+++ b/src/lxc/lsm/apparmor.c
@@ -113,14 +113,14 @@ static const char AA_PROFILE_BASE[] =
  "  deny /sys/kernel/debug/{,**} rwklx,\n"
  "\n"
  "  # allow paths to be made dependent, shared, private or unbindable\n"
-"  mount options=(rw,make-slave) -> **,\n"
-"  mount options=(rw,make-rslave) -> **,\n"
-"  mount options=(rw,make-shared) -> **,\n"
-"  mount options=(rw,make-rshared) -> **,\n"
-"  mount options=(rw,make-private) -> **,\n"
-"  mount options=(rw,make-rprivate) -> **,\n"
-"  mount options=(rw,make-unbindable) -> **,\n"
-"  mount options=(rw,make-runbindable) -> **,\n"
+"  mount options=(rw,make-slave) -> /**,\n"
+"  mount options=(rw,make-rslave) -> /**,\n"
+"  mount options=(rw,make-shared) -> /**,\n"
+"  mount options=(rw,make-rshared) -> /**,\n"
+"  mount options=(rw,make-private) -> /**,\n"
+"  mount options=(rw,make-rprivate) -> /**,\n"
+"  mount options=(rw,make-unbindable) -> /**,\n"
+"  mount options=(rw,make-runbindable) -> /**,\n"
  "\n"
  "  # allow bind-mounts of anything except /proc, /sys and /dev\n"
  "  mount options=(rw,bind) /[^spd]*{,/**},\n"
@@ -336,14 +336,14 @@ static const char AA_PROFILE_UNPRIVILEGED[] =
  "  pivot_root,\n"
  "\n"
  "  # Allow modifying mount propagation\n"
-"  mount options=(rw,make-slave) -> **,\n"
-"  mount options=(rw,make-rslave) -> **,\n"
-"  mount options=(rw,make-shared) -> **,\n"
-"  mount options=(rw,make-rshared) -> **,\n"
-"  mount options=(rw,make-private) -> **,\n"
-"  mount options=(rw,make-rprivate) -> **,\n"
-"  mount options=(rw,make-unbindable) -> **,\n"
-"  mount options=(rw,make-runbindable) -> **,\n"
+"  mount options=(rw,make-slave) -> /**,\n"
+"  mount options=(rw,make-rslave) -> /**,\n"
+"  mount options=(rw,make-shared) -> /**,\n"
+"  mount options=(rw,make-rshared) -> /**,\n"
+"  mount options=(rw,make-private) -> /**,\n"
+"  mount options=(rw,make-rprivate) -> /**,\n"
+"  mount options=(rw,make-unbindable) -> /**,\n"
+"  mount options=(rw,make-runbindable) -> /**,\n"
  "\n"
  "  # Allow all bind-mounts\n"
  "  mount options=(rw,bind),\n"
author	Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
	Tue, 4 Jun 2024 11:28:05 +0000 (13:28 +0200)
committer	Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
	Tue, 4 Jun 2024 11:28:05 +0000 (13:28 +0200)
config/apparmor/abstractions/container-base.in		patch \| blob \| blame \| history
config/apparmor/abstractions/start-container.in		patch \| blob \| blame \| history
src/lxc/lsm/apparmor.c		patch \| blob \| blame \| history