The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/7356

This e-mail was sent by the LXC bot, direct replies will not reach the author
unless they happen to be subscribed to this list.

=== Description (from pull-request) ===
The information on what files exist there is already available if
you brute force and use stat:

$ stat /proc/sys/fs/binfmt_misc/statu
stat: cannot stat ‘/proc/sys/fs/binfmt_misc/statu’: No such file or directory

$ stat /proc/sys/fs/binfmt_misc/status
  File: ‘/proc/sys/fs/binfmt_misc/status’ ...

Since the majority of files that exist in binfmt_misc are well known names, it
doesn't provide any security advantages IMHO.  This does still result in access
denied to the files inside the mount.

Closes: #5688

Signed-off-by: Bryan Quigley <bryan.quig...@canonical.com>
From ef796c728ad835cc970ec3563352edfca0c925da Mon Sep 17 00:00:00 2001
From: Bryan Quigley <bryan.quig...@canonical.com>
Date: Tue, 12 May 2020 17:40:43 -0700
Subject: [PATCH] lxd/apparmor/apparmor.go: allow listing of binfmt_misc mount
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The information on what files exist there is already available if
you brute force and use stat:

$ stat /proc/sys/fs/binfmt_misc/statu
stat: cannot stat ‘/proc/sys/fs/binfmt_misc/statu’: No such file or directory

$ stat /proc/sys/fs/binfmt_misc/status
  File: ‘/proc/sys/fs/binfmt_misc/status’ ...

Since the majority of files that exist in binfmt_misc are well known names, it
doesn't provide any security advantages IMHO.  This does still result in access
denied to the files inside the mount.

Closes: #5688

Signed-off-by: Bryan Quigley <bryan.quig...@canonical.com>
---
 lxd/apparmor/apparmor.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lxd/apparmor/apparmor.go b/lxd/apparmor/apparmor.go
index ceec2dece0..90a83c61af 100644
--- a/lxd/apparmor/apparmor.go
+++ b/lxd/apparmor/apparmor.go
@@ -48,7 +48,7 @@ const profileBase = `
 
   # Handle binfmt
   mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,
-  deny /proc/sys/fs/binfmt_misc/{,**} rwklx,
+  deny /proc/sys/fs/binfmt_misc/** rwklx,
 
   # Handle cgroupfs
   mount options=(ro, nosuid, nodev, noexec, remount, strictatime) -> 
/sys/fs/cgroup/,
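Review bot: The narrowed rule on the `+` line loosens more than read on the mount point itself. In AppArmor `**` does not match the empty string, so `{,**}` covered both the directory `/proc/sys/fs/binfmt_misc/` and everything below it, while the new `deny /proc/sys/fs/binfmt_misc/** rwklx,` no longer covers the directory path at all, dropping the deny for `w`, `k`, `l` and `x` there along with `r`. If only directory listing is meant to be opened up, keep the other modes explicit, e.g. `deny /proc/sys/fs/binfmt_misc/ wklx,` next to the new rule. Removing a deny also only has an effect if some other rule in `profileBase` grants `r` on that directory; that rule is outside this hunk, so the commit message should name which allow rule now takes effect, otherwise "allow listing" is not something this diff demonstrably does. The `**` rule still matches every entry under the mount, so the description's claim that files inside stay denied holds.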
_______________________________________________
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel