From: Alexander Mikhalitsyn Date: Wed, 5 Jun 2024 12:33:31 +0000 (+0200) Subject: apparmor: use /{,**} instead of /** X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=32f88c8fecaa1f909d0aeb5ff3132932138fe692;p=thirdparty%2Flxc.git apparmor: use /{,**} instead of /** It turned out, that old (and incorrect) rule: mount options=(rw,make-slave) -> **, is NOT equivalent to: mount options=(rw,make-slave) -> /**, Let's use: mount options=(rw,make-slave) -> /{,**}, Signed-off-by: Alexander Mikhalitsyn --- diff --git a/config/apparmor/abstractions/container-base.in b/config/apparmor/abstractions/container-base.in index 0717937c0..87982fda3 100644 --- a/config/apparmor/abstractions/container-base.in +++ b/config/apparmor/abstractions/container-base.in @@ -92,14 +92,14 @@ deny /sys/kernel/debug/{,**} rwklx, # allow paths to be made slave, shared, private or unbindable - mount options=(rw,make-slave) -> /**, - mount options=(rw,make-rslave) -> /**, - mount options=(rw,make-shared) -> /**, - mount options=(rw,make-rshared) -> /**, - mount options=(rw,make-private) -> /**, - mount options=(rw,make-rprivate) -> /**, - mount options=(rw,make-unbindable) -> /**, - mount options=(rw,make-runbindable) -> /**, + mount options=(rw,make-slave) -> /{,**}, + mount options=(rw,make-rslave) -> /{,**}, + mount options=(rw,make-shared) -> /{,**}, + mount options=(rw,make-rshared) -> /{,**}, + mount options=(rw,make-private) -> /{,**}, + mount options=(rw,make-rprivate) -> /{,**}, + mount options=(rw,make-unbindable) -> /{,**}, + mount options=(rw,make-runbindable) -> /{,**}, # allow bind-mounts of anything except /proc, /sys and /dev mount options=(rw,bind) /[^spd]*{,/**}, diff --git a/config/apparmor/abstractions/start-container.in b/config/apparmor/abstractions/start-container.in index f79cc2be7..20c852925 100644 --- a/config/apparmor/abstractions/start-container.in +++ b/config/apparmor/abstractions/start-container.in 
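Review bot: The new `-> /{,**}` target makes every propagation rule apply to the root mountpoint `/` itself as well as to paths below it, which `/**` did not cover (as I read AppArmor globbing, `/**` needs at least one character after the slash, which is why the hunk's own `deny /sys/kernel/debug/{,**}` line already uses this idiom), yet nothing in the hunk records that intent. Without a comment the next cleanup may "simplify" the rules back to `/**` and silently break `make-rslave` on `/` again. Extend the comment line above the rules to `# allow paths (including / itself) to be made slave, shared, private or unbindable`. The same applies to the copies of these rules in start-container.in and in the AA_PROFILE_BASE and AA_PROFILE_UNPRIVILEGED strings in src/lxc/lsm/apparmor.c, which should carry the same note.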
@@ -15,10 +15,10 @@
 mount fstype=devpts -> /dev/pts/,
 mount options=bind /dev/pts/ptmx/ -> /dev/ptmx/,
 mount options=bind /dev/pts/** -> /dev/**,
- mount options=(rw, make-slave) -> /**,
- mount options=(rw, make-rslave) -> /**,
- mount options=(rw, make-shared) -> /**,
- mount options=(rw, make-rshared) -> /**,
+ mount options=(rw, make-slave) -> /{,**},
+ mount options=(rw, make-rslave) -> /{,**},
+ mount options=(rw, make-shared) -> /{,**},
+ mount options=(rw, make-rshared) -> /{,**},
 mount fstype=debugfs,
 mount fstype=fuse.*,
 # allow pre-mount hooks to stage mounts under /var/lib/lxc//
diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c
index 7da48748d..d6516ae9f 100644
--- a/src/lxc/lsm/apparmor.c
+++ b/src/lxc/lsm/apparmor.c
@@ -113,14 +113,14 @@ static const char AA_PROFILE_BASE[] =
 " deny /sys/kernel/debug/{,**} rwklx,\n"
 "\n"
 " # allow paths to be made dependent, shared, private or unbindable\n"
-" mount options=(rw,make-slave) -> /**,\n"
-" mount options=(rw,make-rslave) -> /**,\n"
-" mount options=(rw,make-shared) -> /**,\n"
-" mount options=(rw,make-rshared) -> /**,\n"
-" mount options=(rw,make-private) -> /**,\n"
-" mount options=(rw,make-rprivate) -> /**,\n"
-" mount options=(rw,make-unbindable) -> /**,\n"
-" mount options=(rw,make-runbindable) -> /**,\n"
+" mount options=(rw,make-slave) -> /{,**},\n"
+" mount options=(rw,make-rslave) -> /{,**},\n"
+" mount options=(rw,make-shared) -> /{,**},\n"
+" mount options=(rw,make-rshared) -> /{,**},\n"
+" mount options=(rw,make-private) -> /{,**},\n"
+" mount options=(rw,make-rprivate) -> /{,**},\n"
+" mount options=(rw,make-unbindable) -> /{,**},\n"
+" mount options=(rw,make-runbindable) -> /{,**},\n"
 "\n"
 " # allow bind-mounts of anything except /proc, /sys and /dev\n"
 " mount options=(rw,bind) /[^spd]*{,/**},\n"
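Review bot: The rewritten rules keep the option list spelled `(rw, make-slave)` with a space, while container-base.in and both embedded profiles in apparmor.c write `(rw,make-slave)`; since these four lines are being touched anyway, normalising them, e.g. `mount options=(rw,make-slave) -> /{,**},`, would let a plain text search (or a future sync check) find every copy of the rule. Presumably the AppArmor parser accepts both spellings, so this is style only. This profile also lists only the slave/rslave/shared/rshared variants and not the private/unbindable ones present in the other copies; if that is deliberate for the lxc-start profile, a one-line comment saying so would keep readers from treating it as an omission.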
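Review bot: The eight propagation rules in AA_PROFILE_BASE are a character-for-character copy of the container-base.in hunk above, and the same eight lines appear again in AA_PROFILE_UNPRIVILEGED at line 336, so this fix had to be applied in three places with nothing enforcing that they match. Introducing one string macro for the rule set (e.g. `AA_MOUNT_PROPAGATION_RULES`, relying on the adjacent-literal concatenation the arrays already use) and expanding it in both arrays removes the in-file duplication, and a comment on the macro pointing at container-base.in covers the remaining cross-file copy. The AA_PROFILE_BASE definition begins outside the hunk.
```c
/* Mount-propagation rules shared by AA_PROFILE_BASE and AA_PROFILE_UNPRIVILEGED.
 * Must stay identical to the block in config/apparmor/abstractions/container-base.in. */
#define AA_MOUNT_PROPAGATION_RULES \
" mount options=(rw,make-slave) -> /{,**},\n" \
" mount options=(rw,make-rslave) -> /{,**},\n" \
" mount options=(rw,make-shared) -> /{,**},\n" \
" mount options=(rw,make-rshared) -> /{,**},\n" \
" mount options=(rw,make-private) -> /{,**},\n" \
" mount options=(rw,make-rprivate) -> /{,**},\n" \
" mount options=(rw,make-unbindable) -> /{,**},\n" \
" mount options=(rw,make-runbindable) -> /{,**},\n"

/* … unchanged: start of AA_PROFILE_BASE … */
" # allow paths to be made dependent, shared, private or unbindable\n"
AA_MOUNT_PROPAGATION_RULES
"\n"
/* … unchanged: rest of AA_PROFILE_BASE … */
```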
@@ -336,14 +336,14 @@ static const char AA_PROFILE_UNPRIVILEGED[] =
 " pivot_root,\n"
 "\n"
 " # Allow modifying mount propagation\n"
-" mount options=(rw,make-slave) -> /**,\n"
-" mount options=(rw,make-rslave) -> /**,\n"
-" mount options=(rw,make-shared) -> /**,\n"
-" mount options=(rw,make-rshared) -> /**,\n"
-" mount options=(rw,make-private) -> /**,\n"
-" mount options=(rw,make-rprivate) -> /**,\n"
-" mount options=(rw,make-unbindable) -> /**,\n"
-" mount options=(rw,make-runbindable) -> /**,\n"
+" mount options=(rw,make-slave) -> /{,**},\n"
+" mount options=(rw,make-rslave) -> /{,**},\n"
+" mount options=(rw,make-shared) -> /{,**},\n"
+" mount options=(rw,make-rshared) -> /{,**},\n"
+" mount options=(rw,make-private) -> /{,**},\n"
+" mount options=(rw,make-rprivate) -> /{,**},\n"
+" mount options=(rw,make-unbindable) -> /{,**},\n"
+" mount options=(rw,make-runbindable) -> /{,**},\n"
 "\n"
 " # Allow all bind-mounts\n"
 " mount options=(rw,bind),\n"