** Branch linked: lp:ubuntu/apparmor

-- 
You received this bug notification because you are a member of AppArmor
Developers, which is the registrant for AppArmor.
https://bugs.launchpad.net/bugs/959560

Title:
  deny mount does not work correctly

Status in AppArmor Linux application security framework:
  In Progress

Bug description:
  Given the following profile,

    profile lxc_container flags=(attach_disconnected) {
      umount,

      # ignore DENIED message on / remount
      # FIXME: doesn't match yet
      deny mount options=(ro, remount) -> /,

      # allow tmpfs mounts everywhere
      mount fstype=tmpfs,

      # allow bind mount of /lib/init/fstab for lxcguest
      mount options=(rw, bind) /lib/init/fstab.lxc/ -> /lib/init/fstab/,

      # deny writes in /proc/sys/fs but allow fusectl to be mounted
      mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,

      # deny writes in /sys except for /sys/fs/cgroup, also allow
      # fusectl, securityfs and debugfs to be mounted there (read-only)
      mount fstype=fusectl -> /sys/fs/fuse/connections/,
      mount fstype=securityfs -> /sys/kernel/security/,
      mount fstype=debugfs -> /sys/kernel/debug/,
    }

  the rule

    deny mount options=(ro, remount) -> /,

  does not work correctly.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/959560/+subscriptions

-- 
AppArmor mailing list
apparmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor
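A way to check whether the deny rule is actually matching, added here as an example and not part of the bug report or of the AppArmor project's own tooling. A plain deny rule denies quietly (no audit message unless it is written as audit deny), which is what the "# ignore DENIED message on / remount" comment in the profile is after. So if a remount of / still shows up in the kernel log as apparmor="DENIED" with operation="mount", the deny rule did not match and the profile's implicit deny fired and logged it instead. The audit lines in the block are constructed for this example (only the profile name lxc_container is taken from the report); the apparmor=/operation=/profile=/name=/flags= fields follow the kernel's AppArmor audit layout, but the exact info= strings and pids are assumptions.

```shell
#!/bin/sh
# Added example: scan AppArmor audit output for remounts of "/" that were
# denied *and logged*. With a matching "deny mount options=(ro, remount) -> /,"
# rule the denial is quiet, so any hit below means that rule did not match.

# Constructed sample audit lines (not taken from the bug report). The info=
# strings and pids are assumptions; the other fields follow the kernel's
# apparmor="..." operation="..." profile="..." name="..." layout.
SAMPLE_AUDIT='type=AVC msg=audit(1331750000.101:41): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc_container" name="/" pid=2001 comm="mount" flags="ro, remount"
type=AVC msg=audit(1331750000.102:42): apparmor="STATUS" operation="profile_replace" name="lxc_container" pid=1999 comm="apparmor_parser"
type=AVC msg=audit(1331750000.103:43): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc_container" name="/proc/sys/fs/binfmt_misc/" pid=2002 comm="mount" fstype="proc"
type=AVC msg=audit(1331750000.104:44): apparmor="ALLOWED" operation="mount" profile="lxc_container" name="/sys/kernel/debug/" pid=2004 comm="mount" fstype="debugfs"
type=AVC msg=audit(1331750000.105:45): apparmor="DENIED" operation="open" profile="lxc_container" name="/etc/shadow" pid=2003 comm="cat" requested_mask="r" denied_mask="r"'

# Filter stdin down to logged denials of a mount on exactly "/" whose flags
# include "remount". Each grep narrows on one field; matching name="/" with
# its closing quote keeps /proc/... and /sys/... mount points out.
logged_root_remount_denials() {
    grep 'apparmor="DENIED"' \
    | grep 'operation="mount"' \
    | grep 'name="/"' \
    | grep 'flags="[^"]*remount'
}

# Count such lines in the text passed as $1. Prints the count; 0 means the
# deny rule covered the remount and denied it quietly.
count_logged_root_remount_denials() {
    printf '%s\n' "$1" | logged_root_remount_denials | wc -l | tr -d ' '
}

# Usage on a live system: trigger the remount under the profile, then scan
# the kernel log (aa-exec -p runs a command under a named profile):
#   aa-exec -p lxc_container -- mount -o remount,ro /
#   dmesg | logged_root_remount_denials          # or: journalctl -k | logged_root_remount_denials
echo "logged remount-of-/ denials in sample: $(count_logged_root_remount_denials "$SAMPLE_AUDIT")"
```

Run against the constructed sample it reports one hit, the remount of "/" that the profile's deny rule was supposed to silence; the binfmt_misc denial, the allowed debugfs mount and the file-open denial are filtered out because the point is the mount on "/" specifically.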