On 8/29/19 11:42 PM, Kobus Goosen wrote:
> Hi,
> I just wanted to ask if there is an elegant way to block mounting/unmounting
> in general.
Erm, no, it's a pita to do. It requires setting up global policy, that is loaded
from the initrd and atm this has to be hand rolled.
There is work in progress to fix this so that both early and global policy are
easier but I am unsure when that work will land. Probably in 3.1 or 3.2.
> I have an industrial device that has a read-only rootfs, so there's limited
> system damage that a user could make. However I'd like to disable mounting so
> it's never possible to remount the rootfs in read/write mode.
> My initial idea involved creating a profile for SSHD, and adding " deny
> mount," to it. This initially worked (after I changed bash from Ux to ix),
> but causes a host of other issues.
>
Not unexpected, it's really easy to break things with confinement. Instead of Ux
or ix you might want to try a special profile.
Use a named profile transition

    px -> global,

and then a global profile something like

    profile global {
      # things to deny
      deny mount,

      # things to allow
      /** rwlkm,
      network,
      # ... other rules that should be allowed

      # profile transitions
      /** pix,

      # eg. of how to selectively break out of confinement
      /usr/bin/sudo Ux,
    }

The pix will use a profile if available, otherwise fall back to the global
profile. This would prevent children of ssh mounting, unless you define a
profile allowing them to.
You could even selectively allow transitioning to unconfined to allow for admin
from ssh to not be broken.
>
> /Kobus Goosen /
--
AppArmor mailing list
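
A check for the behaviour described in the reply above (children of ssh land in their own profile or in the fallback global profile, with sudo as the one Ux breakout), as an added example that is not part of the original message or of AppArmor itself. It walks the process tree under sshd, reads each task's label from /proc/<pid>/attr/current, and reports unconfined tasks that are not behind the sudo breakout; the process names, profile names and the SAMPLE table are constructed assumptions.

```python
import os

def parse_label(raw):
    """Split /proc/<pid>/attr/current text into (profile, mode)."""
    name, sep, mode = raw.strip().rpartition(" (")
    return (name, mode.rstrip(")")) if sep else (mode, None)

def read_proc(proc="/proc"):
    """Return {pid: (ppid, comm, raw_label)} from a live procfs."""
    table = {}
    for entry in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(f"{proc}/{entry}/stat") as f:
                stat = f.read()
            with open(f"{proc}/{entry}/attr/current") as f:
                label = f.read()
        except OSError:
            continue  # process exited, or label not readable by this user
        comm = stat[stat.index("(") + 1:stat.rindex(")")]
        ppid = int(stat[stat.rindex(")") + 2:].split()[1])
        table[int(entry)] = (ppid, comm, label)
    return table

def audit(table, root="sshd", breakouts=("sudo",)):
    """Return sorted (pid, comm) of unconfined tasks at or below `root`."""
    children = {}
    for pid, (ppid, _, _) in table.items():
        children.setdefault(ppid, []).append(pid)
    stack = [p for p, (_, comm, _) in table.items() if comm == root]
    findings = set()
    while stack:
        pid = stack.pop()
        _, comm, raw = table[pid]
        if parse_label(raw)[0] == "unconfined":
            if comm in breakouts:
                continue  # intended Ux escape: its subtree is not audited
            findings.add((pid, comm))
        stack.extend(children.get(pid, []))
    return sorted(findings)

# Constructed sample: pid -> (ppid, comm, label text as the kernel reports it)
SAMPLE = {
    900: (1, "sshd", "sshd (enforce)\n"),
    951: (900, "bash", "global (enforce)\n"),
    960: (951, "sudo", "unconfined\n"),      # allowed breakout
    961: (960, "mount", "unconfined\n"),     # below sudo, skipped
    970: (951, "helper", "unconfined\n"),    # stray escape, reported
    1200: (1, "cron", "unconfined\n"),       # not under sshd, ignored
}
```

On a live host, `audit(read_proc())` run as root gives the same report for the running system; an unconfined sshd is itself reported, since the px transition only applies when sshd is confined.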