From: Wolfgang Bumiller
Date: Thu, 15 Nov 2018 10:51:34 +0000 (+0100)
Subject: apparmor: allow various remount,bind options
X-Git-Tag: lxc-3.1.0~13^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e6ec0a9e71aa68c9fd67c691a62aaae87e356cef;p=thirdparty%2Flxc.git

apparmor: allow various remount,bind options

RW bind mounts need to be restricted for some paths in order to avoid MAC restriction bypasses, but read-only bind mounts shouldn't have that problem. Additionally, combinations of 'nosuid', 'nodev' and 'noexec' flags shouldn't be a problem either and are required with newer systemd versions, so let's allow those as long as they're combined with 'ro,remount,bind'.

Signed-off-by: Wolfgang Bumiller
---
diff --git a/config/apparmor/abstractions/container-base b/config/apparmor/abstractions/container-base
index a5e6c35f6..077476559 100644
--- a/config/apparmor/abstractions/container-base
+++ b/config/apparmor/abstractions/container-base
@@ -120,6 +120,16 @@
 mount options=(rw,bind) /sy[^s]*{,/**},
 mount options=(rw,bind) /sys?*{,/**},
 
+ # allow various ro-bind-*re*-mounts
+ mount options=(ro,remount,bind),
+ mount options=(ro,remount,bind,nosuid),
+ mount options=(ro,remount,bind,noexec),
+ mount options=(ro,remount,bind,nodev),
+ mount options=(ro,remount,bind,nosuid,noexec),
+ mount options=(ro,remount,bind,noexec,nodev),
+ mount options=(ro,remount,bind,nodev,nosuid),
+ mount options=(ro,remount,bind,nosuid,noexec,nodev),
+
 # allow moving mounts except for /proc, /sys and /dev
 mount options=(rw,move) /[^spd]*{,/**},
 mount options=(rw,move) /d[^e]*{,/**},
diff --git a/config/apparmor/abstractions/container-base.in b/config/apparmor/abstractions/container-base.in
index 11ec5c45b..1a3ead89a 100644
--- a/config/apparmor/abstractions/container-base.in
+++ b/config/apparmor/abstractions/container-base.in
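Review bot: The eight added `mount options=(ro,remount,bind...)` rules carry no mount-point path, so unlike the `options=(rw,bind)` rules directly above them — and unlike the `-> /path` form this same commit removes from src/lxc/lsm/apparmor.c — they match a read-only remount at any destination, including the /proc, /sys and /dev subtrees that the neighbouring rw,bind and rw,move rules deliberately carve out. The commit message records why that is acceptable (a read-only remount is not considered a MAC-bypass risk and the nosuid/nodev/noexec variants are needed by newer systemd), but the profile comment `# allow various ro-bind-*re*-mounts` does not, and a maintainer reading the abstraction will see an unrestricted rule beside carefully restricted ones. I would have the comment carry the reasoning, e.g. `# ro remounts of existing binds are allowed at any path: unlike rw binds they are not treated as a MAC-bypass risk, so the /proc, /sys and /dev carve-outs are not needed; the nosuid/nodev/noexec variants are required by newer systemd`. The same comment belongs in the identical hunk of container-base.in and in the string literal in apparmor.c, where the three copies of this profile text are kept in sync by hand.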
@@ -119,6 +119,16 @@
 mount options=(rw,bind) /sy[^s]*{,/**},
 mount options=(rw,bind) /sys?*{,/**},
 
+ # allow various ro-bind-*re*-mounts
+ mount options=(ro,remount,bind),
+ mount options=(ro,remount,bind,nosuid),
+ mount options=(ro,remount,bind,noexec),
+ mount options=(ro,remount,bind,nodev),
+ mount options=(ro,remount,bind,nosuid,noexec),
+ mount options=(ro,remount,bind,noexec,nodev),
+ mount options=(ro,remount,bind,nodev,nosuid),
+ mount options=(ro,remount,bind,nosuid,noexec,nodev),
+
 # allow moving mounts except for /proc, /sys and /dev
 mount options=(rw,move) /[^spd]*{,/**},
 mount options=(rw,move) /d[^e]*{,/**},
@@ -136,4 +146,3 @@
 mount options=(rw,move) /s[^y]*{,/**},
 mount options=(rw,move) /sy[^s]*{,/**},
 mount options=(rw,move) /sys?*{,/**},
-
diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c
index 6371ab59b..e32b12531 100644
--- a/src/lxc/lsm/apparmor.c
+++ b/src/lxc/lsm/apparmor.c
@@ -167,23 +167,15 @@ static const char AA_PROFILE_BASE[] =
 " mount options=(rw,bind) /sy[^s]*{,/**},\n"
 " mount options=(rw,bind) /sys?*{,/**},\n"
 "\n"
-" # allow read-only bind-mounts of anything except /proc, /sys and /dev\n"
-" mount options=(ro,remount,bind) -> /[^spd]*{,/**},\n"
-" mount options=(ro,remount,bind) -> /d[^e]*{,/**},\n"
-" mount options=(ro,remount,bind) -> /de[^v]*{,/**},\n"
-" mount options=(ro,remount,bind) -> /dev/.[^l]*{,/**},\n"
-" mount options=(ro,remount,bind) -> /dev/.l[^x]*{,/**},\n"
-" mount options=(ro,remount,bind) -> /dev/.lx[^c]*{,/**},\n"
-" mount options=(ro,remount,bind) -> /dev/.lxc?*{,/**},\n"
-" mount options=(ro,remount,bind) -> /dev/[^.]*{,/**},\n"
-" mount options=(ro,remount,bind) -> /dev?*{,/**},\n"
-" mount options=(ro,remount,bind) -> /p[^r]*{,/**},\n"
-" mount options=(ro,remount,bind) -> /pr[^o]*{,/**},\n"
-" mount options=(ro,remount,bind) -> /pro[^c]*{,/**},\n"
-" mount options=(ro,remount,bind) -> /proc?*{,/**},\n"
-" mount options=(ro,remount,bind) -> /s[^y]*{,/**},\n"
-" mount options=(ro,remount,bind) -> /sy[^s]*{,/**},\n"
-" mount options=(ro,remount,bind) -> /sys?*{,/**},\n"
+" # allow various ro-bind-*re*-mounts\n"
+" mount options=(ro,remount,bind),\n"
+" mount options=(ro,remount,bind,nosuid),\n"
+" mount options=(ro,remount,bind,noexec),\n"
+" mount options=(ro,remount,bind,nodev),\n"
+" mount options=(ro,remount,bind,nosuid,noexec),\n"
+" mount options=(ro,remount,bind,noexec,nodev),\n"
+" mount options=(ro,remount,bind,nodev,nosuid),\n"
+" mount options=(ro,remount,bind,nosuid,noexec,nodev),\n"
 "\n"
 " # allow moving mounts except for /proc, /sys and /dev\n"
 " mount options=(rw,move) /[^spd]*{,/**},\n"
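Review bot: The path-qualified `mount options=(ro,remount,bind) -> /...` rules are removed only in this embedded C copy of the profile; the two hunks for config/apparmor/abstractions/container-base and container-base.in in this commit add the unqualified rules but remove nothing. If the abstraction files still carry the `->`-qualified form somewhere outside the visible hunks, those lines are now subsumed by the unqualified `mount options=(ro,remount,bind),` and should be dropped in the same commit so the three hand-synchronised copies of the profile text stay identical — I cannot confirm that from this diff. The AA_PROFILE_BASE string literal begins and ends outside this hunk.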