From: Stéphane Graber
Date: Mon, 27 Jun 2016 19:15:15 +0000 (-0400)
Subject: apparmor: Update mount states handling
X-Git-Tag: lxc-2.1.0~403^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F1061%2Fhead;p=thirdparty%2Flxc.git
apparmor: Update mount states handling
Properly list all of the states and the right apparmor stanza for them, then comment them all as actually enabling this would currently let the user bypass apparmor entirely.
Signed-off-by: Stéphane Graber
---
diff --git a/config/apparmor/abstractions/container-base b/config/apparmor/abstractions/container-base
index 7533fdb08..0aacb6aa1 100644
--- a/config/apparmor/abstractions/container-base
+++ b/config/apparmor/abstractions/container-base
@@ -93,18 +93,15 @@
 # deny reads from debugfs
 deny /sys/kernel/debug/{,**} rwklx,
- # allow paths to be made shared, rshared, private or rprivate
- mount options=(rw,shared) -> /,
- mount options=(rw,shared) -> /**,
-
- mount options=(rw,rshared) -> /,
- mount options=(rw,rshared) -> /**,
-
- mount options=(rw,private) -> /,
- mount options=(rw,private) -> /**,
-
- mount options=(rw,rprivate) -> /,
- mount options=(rw,rprivate) -> /**,
+ # allow paths to be made slave, shared, private or unbindable
+ mount options=(rw,make-slave) -> **,
+ mount options=(rw,make-rslave) -> **,
+ mount options=(rw,make-shared) -> **,
+ mount options=(rw,make-rshared) -> **,
+ mount options=(rw,make-private) -> **,
+ mount options=(rw,make-rprivate) -> **,
+ mount options=(rw,make-unbindable) -> **,
+ mount options=(rw,make-runbindable) -> **,
 # allow bind-mounts of anything except /proc, /sys and /dev
 mount options=(rw,bind) /[^spd]*{,/**},
diff --git a/config/apparmor/abstractions/container-base.in b/config/apparmor/abstractions/container-base.in
index 022d04d43..5bc9b28bf 100644
--- a/config/apparmor/abstractions/container-base.in
+++ b/config/apparmor/abstractions/container-base.in
@@ -93,18 +93,16 @@
 # deny reads from debugfs
 deny /sys/kernel/debug/{,**} rwklx,
- # allow paths to be made shared, rshared, private or rprivate
- mount options=(rw,shared) -> /,
- mount options=(rw,shared) -> /**,
-
- mount options=(rw,rshared) -> /,
- mount options=(rw,rshared) -> /**,
-
- mount options=(rw,private) -> /,
- mount options=(rw,private) -> /**,
-
- mount options=(rw,rprivate) -> /,
- mount options=(rw,rprivate) -> /**,
+ # allow paths to be made slave, shared, private or unbindable
+ # FIXME: This currently doesn't work due to the apparmor parser treating those as allowing all mounts.
+# mount options=(rw,make-slave) -> **,
+# mount options=(rw,make-rslave) -> **,
+# mount options=(rw,make-shared) -> **,
+# mount options=(rw,make-rshared) -> **,
+# mount options=(rw,make-private) -> **,
+# mount options=(rw,make-rprivate) -> **,
+# mount options=(rw,make-unbindable) -> **,
+# mount options=(rw,make-runbindable) -> **,
 # allow bind-mounts of anything except /proc, /sys and /dev
 mount options=(rw,bind) /[^spd]*{,/**},
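Review bot: The two hunks disagree about whether the make-* propagation rules are active: in container-base.in they are commented out under the FIXME, while the container-base hunk (the first file in this patch) leaves `mount options=(rw,make-slave) -> **,` through `mount options=(rw,make-runbindable) -> **,` enabled. If container-base is generated from container-base.in, the committed copy looks stale and should be regenerated in the same commit; if it is shipped as-is, the active copy grants exactly the rules the commit message says let the user bypass apparmor entirely. The `# allow paths to be made slave, shared, private or unbindable` comment above the disabled block now describes intent rather than effect; consider `# NOT currently allowed: making paths slave, shared, private or unbindable (see FIXME below)` so a reader does not assume propagation changes are permitted. It would also help to record in the FIXME which apparmor parser versions exhibit the all-mounts behaviour, so the block can be re-enabled once a fixed parser is the minimum requirement.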