From e96e7a1ac7ec693fb5141720cf4d2ec3edcc45c1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?=
Date: Thu, 23 Jun 2016 16:01:29 -0400
Subject: [PATCH] apparmor: Allow bind-mounts and {r}shared/{r}private
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Bind-mounts aren't harmful in containers, so long as they're not used to bypass MAC policies. This change allows bind-mounting of any path which isn't a dangerous filesystem that's otherwise blocked by apparmor. This also allows switching paths {r}shared or {r}private.

Signed-off-by: Stéphane Graber
---
 config/apparmor/abstractions/container-base | 38 +++++++++++++++----
 .../apparmor/abstractions/container-base.in | 38 +++++++++++++++----
 2 files changed, 62 insertions(+), 14 deletions(-)

diff --git a/config/apparmor/abstractions/container-base b/config/apparmor/abstractions/container-base
index fe24ff32b..9452f6608 100644
--- a/config/apparmor/abstractions/container-base
+++ b/config/apparmor/abstractions/container-base
@@ -60,13 +60,6 @@
 mount fstype=fuse,
 mount fstype=fuse.*,
- # allow bind mount of /lib/init/fstab for lxcguest
- mount options=(rw, bind) /lib/init/fstab.lxc/ -> /lib/init/fstab/,
-
- # allow bind mounts of /run/{,lock} to /var/run/{,lock}
- mount options=(rw, bind) /run/ -> /var/run/,
- mount options=(rw, bind) /run/lock/ -> /var/lock/,
-
 # deny access under /proc/bus to avoid e.g. messing with pci devices directly
 deny @{PROC}/bus/** wklx,
@@ -100,6 +93,37 @@
 # deny reads from debugfs
 deny /sys/kernel/debug/{,**} rwklx,
+ # allow paths to be made shared, rshared, private or rprivate
+ mount options=(rw,shared) -> /,
+ mount options=(rw,shared) -> /**,
+
+ mount options=(rw,rshared) -> /,
+ mount options=(rw,rshared) -> /**,
+
+ mount options=(rw,private) -> /,
+ mount options=(rw,private) -> /**,
+
+ mount options=(rw,rprivate) -> /,
+ mount options=(rw,rprivate) -> /**,
+
+ # allow bind-mounts of anything except /proc, /sys and /dev
+ mount options=(rw,bind) /[^spd]*{,/**},
+ mount options=(rw,bind) /d[^e]*{,/**},
+ mount options=(rw,bind) /de[^v]*{,/**},
+ mount options=(rw,bind) /dev/.[^l]*{,/**},
+ mount options=(rw,bind) /dev/.l[^x]*{,/**},
+ mount options=(rw,bind) /dev/.lx[^c]*{,/**},
+ mount options=(rw,bind) /dev/.lxc?*{,/**},
+ mount options=(rw,bind) /dev/[^.]*{,/**},
+ mount options=(rw,bind) /dev?*{,/**},
+ mount options=(rw,bind) /p[^r]*{,/**},
+ mount options=(rw,bind) /pr[^o]*{,/**},
+ mount options=(rw,bind) /pro[^c]*{,/**},
+ mount options=(rw,bind) /proc?*{,/**},
+ mount options=(rw,bind) /s[^y]*{,/**},
+ mount options=(rw,bind) /sy[^s]*{,/**},
+ mount options=(rw,bind) /sys?*{,/**},
 # generated by: lxc-generate-aa-rules.py container-rules.base
 deny /proc/sys/[^kn]*{,/**} wklx,
 deny /proc/sys/k[^e]*{,/**} wklx,
diff --git a/config/apparmor/abstractions/container-base.in b/config/apparmor/abstractions/container-base.in
index 550625c15..68db43db4 100644
--- a/config/apparmor/abstractions/container-base.in
+++ b/config/apparmor/abstractions/container-base.in
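Review bot: The header comment on the new bind-mount block, `# allow bind-mounts of anything except /proc, /sys and /dev`, understates what the rules beneath it permit: `/dev/.[^l]*`, `/dev/.l[^x]*`, `/dev/.lx[^c]*`, `/dev/.lxc?*` and `/dev/[^.]*` allow bind-mounting almost everything under /dev, and as I read AppArmor globbing the only part withheld there is /dev/.lxc and its subtree (`?*` cannot match a `/`, so `/dev/.lxc?*{,/**}` never covers /dev/.lxc/**), plus the /dev directory itself. An auditor reading the comment would assume /dev is blocked wholesale, so I would change it to `# allow bind-mounts of any source except /proc, /sys, /dev itself and /dev/.lxc (other paths under /dev are allowed)`. The comment should also say that these rules carry no `->` mountpoint, so unlike the removed /run and fstab.lxc rules any permitted source may be bound onto any destination; if that is intended, state it, and if not, constrain the mountpoints. The same block is added to container-base.in in the last hunk of this patch, so the comment needs the same correction there.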
@@ -60,13 +60,6 @@
 mount fstype=fuse,
 mount fstype=fuse.*,
- # allow bind mount of /lib/init/fstab for lxcguest
- mount options=(rw, bind) /lib/init/fstab.lxc/ -> /lib/init/fstab/,
-
- # allow bind mounts of /run/{,lock} to /var/run/{,lock}
- mount options=(rw, bind) /run/ -> /var/run/,
- mount options=(rw, bind) /run/lock/ -> /var/lock/,
-
 # deny access under /proc/bus to avoid e.g. messing with pci devices directly
 deny @{PROC}/bus/** wklx,
@@ -100,3 +93,34 @@
 # deny reads from debugfs
 deny /sys/kernel/debug/{,**} rwklx,
+ # allow paths to be made shared, rshared, private or rprivate
+ mount options=(rw,shared) -> /,
+ mount options=(rw,shared) -> /**,
+
+ mount options=(rw,rshared) -> /,
+ mount options=(rw,rshared) -> /**,
+
+ mount options=(rw,private) -> /,
+ mount options=(rw,private) -> /**,
+
+ mount options=(rw,rprivate) -> /,
+ mount options=(rw,rprivate) -> /**,
+
+ # allow bind-mounts of anything except /proc, /sys and /dev
+ mount options=(rw,bind) /[^spd]*{,/**},
+ mount options=(rw,bind) /d[^e]*{,/**},
+ mount options=(rw,bind) /de[^v]*{,/**},
+ mount options=(rw,bind) /dev/.[^l]*{,/**},
+ mount options=(rw,bind) /dev/.l[^x]*{,/**},
+ mount options=(rw,bind) /dev/.lx[^c]*{,/**},
+ mount options=(rw,bind) /dev/.lxc?*{,/**},
+ mount options=(rw,bind) /dev/[^.]*{,/**},
+ mount options=(rw,bind) /dev?*{,/**},
+ mount options=(rw,bind) /p[^r]*{,/**},
+ mount options=(rw,bind) /pr[^o]*{,/**},
+ mount options=(rw,bind) /pro[^c]*{,/**},
+ mount options=(rw,bind) /proc?*{,/**},
+ mount options=(rw,bind) /s[^y]*{,/**},
+ mount options=(rw,bind) /sy[^s]*{,/**},
+ mount options=(rw,bind) /sys?*{,/**},
+