proxmox-mirrors/lxc
1
0
Fork 0
mirror of https://git.proxmox.com/git/lxc synced 2025-08-16 22:54:33 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
stable-4
lxc/debian/patches/0004-deny-rw-mounting-of-sys-and-proc.patch
Wolfgang Bumiller 3c2b20b3b9 merge: CVE-2017-5985: Ensure target netns is caller-owned
2017-03-10 09:10:53 +01:00

67 lines
2.8 KiB
Diff
Raw Permalink Blame History

From e7d6b0d2384070f2c34a46aaa20250ce31f96c9c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= <f.gruenbichler@proxmox.com>
Date: Wed, 9 Nov 2016 09:14:26 +0100
Subject: [PATCH 4/9] deny rw mounting of /sys and /proc
this would allow root in a privileged container to change
the permissions of /sys on the host, which could lock out
non-root users.
if a rw /sys is desired, set "lxc.mount.auto" accordingly
---
config/apparmor/abstractions/container-base | 6 +++++-
config/apparmor/abstractions/container-base.in | 6 +++++-
2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/config/apparmor/abstractions/container-base b/config/apparmor/abstractions/container-base
index 06290de..779aadd 100644
--- a/config/apparmor/abstractions/container-base
+++ b/config/apparmor/abstractions/container-base
@@ -84,7 +84,6 @@
deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/,
mount fstype=proc -> /proc/,
mount fstype=sysfs -> /sys/,
- mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/,
deny /sys/firmware/efi/efivars/** rwklx,
deny /sys/kernel/security/** rwklx,
mount options=(move) /sys/fs/cgroup/cgmanager/ -> /sys/fs/cgroup/cgmanager.lower/,
@@ -93,6 +92,11 @@
# deny reads from debugfs
deny /sys/kernel/debug/{,**} rwklx,
+ # prevent rw mounting of /sys, because that allows changing its global permissions
+ deny mount -> /proc/,
+ deny mount -> /sys/,
+# mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/,
+
# allow paths to be made slave, shared, private or unbindable
# FIXME: This currently doesn't work due to the apparmor parser treating those as allowing all mounts.
# mount options=(rw,make-slave) -> **,
diff --git a/config/apparmor/abstractions/container-base.in b/config/apparmor/abstractions/container-base.in
index 5bc9b28..5c8e441 100644
--- a/config/apparmor/abstractions/container-base.in
+++ b/config/apparmor/abstractions/container-base.in
@@ -84,7 +84,6 @@
deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/,
mount fstype=proc -> /proc/,
mount fstype=sysfs -> /sys/,
- mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/,
deny /sys/firmware/efi/efivars/** rwklx,
deny /sys/kernel/security/** rwklx,
mount options=(move) /sys/fs/cgroup/cgmanager/ -> /sys/fs/cgroup/cgmanager.lower/,
@@ -93,6 +92,11 @@
# deny reads from debugfs
deny /sys/kernel/debug/{,**} rwklx,
+ # prevent rw mounting of /sys, because that allows changing its global permissions
+ deny mount -> /proc/,
+ deny mount -> /sys/,
+# mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/,
+
# allow paths to be made slave, shared, private or unbindable
# FIXME: This currently doesn't work due to the apparmor parser treating those as allowing all mounts.
# mount options=(rw,make-slave) -> **,
--
2.1.4
Reference in New Issue View Git Blame Copy Permalink