# deny reads from debugfs
deny /sys/kernel/debug/{,**} rwklx,
- # allow paths to be made shared, rshared, private or rprivate
- mount options=(rw,shared) -> /,
- mount options=(rw,shared) -> /**,
-
- mount options=(rw,rshared) -> /,
- mount options=(rw,rshared) -> /**,
-
- mount options=(rw,private) -> /,
- mount options=(rw,private) -> /**,
-
- mount options=(rw,rprivate) -> /,
- mount options=(rw,rprivate) -> /**,
+ # allow paths to be made slave, shared, private or unbindable
+ mount options=(rw,make-slave) -> **,
+ mount options=(rw,make-rslave) -> **,
+ mount options=(rw,make-shared) -> **,
+ mount options=(rw,make-rshared) -> **,
+ mount options=(rw,make-private) -> **,
+ mount options=(rw,make-rprivate) -> **,
+ mount options=(rw,make-unbindable) -> **,
+ mount options=(rw,make-runbindable) -> **,
# allow bind-mounts of anything except /proc, /sys and /dev
mount options=(rw,bind) /[^spd]*{,/**},
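Review bot: The eight `mount options=(rw,make-*) -> **,` rules enabled here are the same lines the second hunk comments out with a FIXME saying the AppArmor parser treats them as allowing all mounts; if that parser behaviour also applies to this profile, this block becomes a blanket mount allow rather than a grant limited to propagation changes, which is wider than the `/` and `/**` rules it replaces. The two hunks may be for different consumers or parser versions, so this is inferred rather than certain, but the contrast is not explained anywhere in the diff. A one-line comment above L16 stating the intended scope and why this copy keeps the rules active, e.g. `# NOTE: active here because <REASON/PARSER VERSION — placeholder>; see the FIXME in <OTHER PROFILE — placeholder>`, would stop the next reader from assuming one of the two copies is a mistake. If the parser issue is real for this file too, the safer interim is to match the second hunk and keep the rules disabled until the parser is fixed.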
# deny reads from debugfs
deny /sys/kernel/debug/{,**} rwklx,
- # allow paths to be made shared, rshared, private or rprivate
- mount options=(rw,shared) -> /,
- mount options=(rw,shared) -> /**,
-
- mount options=(rw,rshared) -> /,
- mount options=(rw,rshared) -> /**,
-
- mount options=(rw,private) -> /,
- mount options=(rw,private) -> /**,
-
- mount options=(rw,rprivate) -> /,
- mount options=(rw,rprivate) -> /**,
+ # allow paths to be made slave, shared, private or unbindable
+ # FIXME: This currently doesn't work due to the apparmor parser treating those as allowing all mounts.
+# mount options=(rw,make-slave) -> **,
+# mount options=(rw,make-rslave) -> **,
+# mount options=(rw,make-shared) -> **,
+# mount options=(rw,make-rshared) -> **,
+# mount options=(rw,make-private) -> **,
+# mount options=(rw,make-rprivate) -> **,
+# mount options=(rw,make-unbindable) -> **,
+# mount options=(rw,make-runbindable) -> **,
# allow bind-mounts of anything except /proc, /sys and /dev
mount options=(rw,bind) /[^spd]*{,/**},
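Review bot: The FIXME at L41 says why the `make-*` rules are disabled but not what policy results: with these lines commented out, nothing in this block grants the make-shared/slave/private/unbindable propagation flags, so such mount calls presumably fall through to the profile's default handling, which is worth stating for whoever later debugs a failed propagation change, e.g. `# Until the parser is fixed, propagation changes (make-*) are not granted by this block.`. Whether another rule elsewhere in the profile covers them is outside this hunk, so that wording should be checked against the full profile. As a point of style, the disabled rules at L42–L49 sit at column 0 while the surrounding lines in this block carry one leading space; indenting them to match keeps the section visually consistent and makes it obvious they are parked rules rather than a separate comment.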